IETF Logo Mail Archive

Re: [Add] Communicating DNS blocks (was Re: A thought -- Move the policy decisions outside the application.)

Mark Nottingham <mnot@mnot.net> Wed, 28 August 2019 01:26 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AA511200C1 for <add@ietfa.amsl.com>; Tue, 27 Aug 2019 18:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=lSfLQgdM; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=IYWpVazF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vyY1vPHyxb8x for <add@ietfa.amsl.com>; Tue, 27 Aug 2019 18:26:57 -0700 (PDT)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8A1D12081D for <add@ietf.org>; Tue, 27 Aug 2019 18:26:57 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 076A54FA; Tue, 27 Aug 2019 21:26:56 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Tue, 27 Aug 2019 21:26:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm3; bh=M fetFtmDJdISpUTjXNm63Cc8z+kfNGfssnlpAG1l/O8=; b=lSfLQgdMotVSfljo1 +8YCRwW+IZTOnP5CGn5flwHtPhxKy5FyYnBCGfFCiVmrpX7/g+YPKxFOROo7aP3l wiCphcxVH3huYMpsa7FtPwd6ohZKQxjEflXrdXQDJ7P9B6lecy2WdWy3vW2uyM4s OH208Y2TgVW6RRkUWZiOSwpmMk7WP6NBFadH5GN69zYnx778j28+BGYlBzQA8ZkV G7OFa0CfB3QeBbLvM31nwVfW8rzvOdOS6MDfEMkDuJnqtvegqG+PC/ZAejcu/phf szotYN8uxBr+NJ4en2NtpUiwIb3o4uBx7E+2piSnXCFQHa+A9/JrIKxZmfn+8Gkn f8YUw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=MfetFtmDJdISpUTjXNm63Cc8z+kfNGfssnlpAG1l/ O8=; b=IYWpVazF1r+rLszIFWatmwx7ynVcP17Yt3VrWTZ+Z4VkUcpHuhbFsc5cB KRKs34OgiYuNbgpo6GRPVcVDMxhQbWEPhFqul3B27YNIhlb8S1V7tHBEesNC5lCJ zWp/PQOfc0fpHrAKqtF3AOErufBvpwzDUIB40uKsIatwaI8rLRuTIkkyfqgrAnRZ lmhSWXK8/86LsM303eVZWJe7NgejxtCNwHoq6ZfFn5N+OrWz1t2M9izN2LbrerTf kTa1mSnGEpaMmwF5iH/CnUqKlVTe4zdjl3sY5GzoqFnhcm3tnl2ho4J3P73zzdbS ckGOhaifPZTj6MJt4nMhXMgGR/HTA==
X-ME-Sender: <xms:X9hlXRGmTQtp7YBmPGgSwb002GFyxES80kFQwoybsCXM7DVVNkDPdA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduvddrudehledggeeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhrfgjfffgkfhfvffosehtqhhmtdhhtddvnecuhfhrohhmpeforghr khcupfhothhtihhnghhhrghmuceomhhnohhtsehmnhhothdrnhgvtheqnecuffhomhgrih hnpehivghtfhdrohhrghdpmhhnohhtrdhnvghtnecukfhppeegledrvdehhedrudelledr udehtdenucfrrghrrghmpehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvthenuc evlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:X9hlXdvAQ6Js6w6BqiXgDMcaUcvjG15PzVrIYmEu0EounEAkKZnDXQ> <xmx:X9hlXfIscRwfhZDCDkj2G-qE3ynb4rrU7WlAzUBTgTj44dF8Ck44sw> <xmx:X9hlXQskLwnuvFOmRNnaOjh-rzO--j7f5P2VxyfOdkmWTG6E__zGdQ> <xmx:YNhlXVPD7vlLFXP_zAZTY4cmQw-ShO-9qYyBlCzOigLuNDOVHvn7Yw>
Received: from [172.16.8.215] (unknown [49.255.199.150]) by mail.messagingengine.com (Postfix) with ESMTPA id 83BF78005C; Tue, 27 Aug 2019 21:26:54 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mark Nottingham <mnot@mnot.net>
X-Priority: 3
In-Reply-To: <1098628263.7014.1566896822696@appsuite-gw2.open-xchange.com>
Date: Wed, 28 Aug 2019 11:26:51 +1000
Cc: Ted Lemon <mellon@fugue.com>, "add@ietf.org" <add@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3B94868F-435F-4C8F-986D-C5F71D3E80AA@mnot.net>
References: <1444D5E7-DEA7-437C-B12B-6C31FEA563DD@sky.uk> <11f9dfe2-ab05-2227-7643-e53da95ec717@nostrum.com> <18798.1566571840@dooku.sandelman.ca> <a2593a9b-a131-ac49-a286-642ba6cdc19c@nic.cz> <15520.1566839640@localhost> <F28F71C0-1728-43EF-9EDA-1F1A70800AFA@fugue.com> <1098628263.7014.1566896822696@appsuite-gw2.open-xchange.com>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/sQRChv_rX_cREo4F1_nRG3BqtD4>
X-Mailman-Approved-At: Wed, 28 Aug 2019 06:30:50 -0700
Subject: Re: [Add] Communicating DNS blocks (was Re: A thought -- Move the policy decisions outside the application.)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 01:26:59 -0000

Hi Vittorio,

> On 27 Aug 2019, at 7:07 pm, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org> wrote:
> 
> For example, rather than having to alter the response (and break DNSSEC) to redirect the user to a meaningful explanation page, a filtering resolver could just return the "blocked" or "censored" error code and add the altered IP address / explanation URL somewhere in an extra field - the "extra-text" of Warren's draft or something more specific - which the client could then use to show the resolver's message to the user. This would require client support, while old clients would just get the error rather than the altered response, so we'd have to think whether this could actually work in all use cases, but still, once widely implemented, this would provide a cleaner architecture and a better user experience in the basic "web filter" cases. 

Similar things have been proposed in the past, at other layers; e.g., 
  https://www.ietf.org/archive/id/draft-nottingham-proxy-explanation-00.txt

There's a bigger issue than figuring out how to make it backwards-compatible. Without trying to speak for them, the impression I got is that the browser vendors are less than enthusiastic about exposing untrusted content to users, even if it's heavily constrained (as is the case in the proposal above), as it's a potential attack vector. 

While technical people (like those on this list) might be able to interpret such a message safely and productively, many users of the Internet don't have that skill; for similar reasons, browsers have substantially changed the user experience of security for TLS over the last few years, and are continuing to do so, so that it's "safe by default", even in the face of user ignorance / apathy. 

Cheers,

--
Mark Nottingham   https://www.mnot.net/

v2.23.0 | Report a Bug | By Email