diff --git a/configure.ac b/configure.ac
index 613eec79..253158ae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -409,6 +409,7 @@ AC_DEFINE_UNQUOTED([EDNS_COOKIE_OPCODE], [10], [The edns cookie option code.])
 AC_DEFINE_UNQUOTED([EDNS_COOKIE_ROLLOVER_TIME], [(24 * 60 * 60)], [How often the edns client cookie is refreshed.])
 AC_DEFINE_UNQUOTED([MAXIMUM_UPSTREAM_OPTION_SPACE], [3000], [limit for dynamically-generated DNS options])
+AC_DEFINE_UNQUOTED([EDNS_PADDING_OPCODE], [65461], [The experimental edns padding option code.])
 my_with_libunbound=1
 AC_ARG_ENABLE(stub-only, AC_HELP_STRING([--enable-stub-only], [Restricts resolution modes to STUB (which will be the default mode). Removes the libunbound dependency.]))
diff --git a/src/stub.c b/src/stub.c
index 0698e0eb..c08e93e4 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1138,6 +1138,7 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp,
 uint16_t query_id;
 intptr_t query_id_intptr;
 SSL* tls_obj = upstream->tls_obj;
+ uint16_t padding_sz;
 int q = tls_connected(upstream);
 if (q != 0)
@@ -1173,6 +1174,17 @@ stub_tls_write(getdns_upstream *upstream, getdns_tcp_state *tcp,
 if (netreq->owner->edns_client_subnet_private)
 if (attach_edns_client_subnet_private(netreq))
 return STUB_OUT_OF_OPTIONS;
+ if (netreq->owner->tls_query_padding_blocksize > 1) {
+ pkt_len = netreq->response - netreq->query;
+ pkt_len += 4; /* this accounts for the OPTION-CODE and OPTION-LENGTH of the padding */
+ padding_sz = pkt_len % netreq->owner->tls_query_padding_blocksize;
+ if (padding_sz)
+ padding_sz = netreq->owner->tls_query_padding_blocksize - padding_sz;
+ if (_getdns_network_req_add_upstream_option(netreq,
+ EDNS_PADDING_OPCODE,
+ padding_sz, NULL))
+ return STUB_OUT_OF_OPTIONS;
+ }
 }
 pkt_len = netreq->response - netreq->query;
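Review bot: The padding payload is passed as `NULL` in the `_getdns_network_req_add_upstream_option(netreq, EDNS_PADDING_OPCODE, padding_sz, NULL)` call in the third hunk (src/stub.c), so the bytes that go on the wire depend on how that helper treats a NULL data pointer, which is not visible here. If it only reserves the space, up to `padding_sz` bytes of stale request-buffer contents would be sent to the upstream instead of zero octets. Confirm that it zero-fills and record that next to the call, e.g. `/* data == NULL: helper zero-fills padding_sz octets */`. Separately, `padding_sz` is `uint16_t` while `tls_query_padding_blocksize` is declared elsewhere; if that field is wider than 16 bits, `blocksize - padding_sz` can truncate and the query would no longer be block-aligned, so a range check on the block size where it is set would make the limit explicit. stub_tls_write's body starts and ends outside the hunk.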