Re: [dns-privacy] [EXTERNAL] Re: Trying to understand DNS resolver 'discovery'

"Winfield, Alister" <Alister.Winfield@sky.uk> Mon, 02 December 2019 14:20 UTC

From: "Winfield, Alister" <Alister.Winfield@sky.uk>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>, Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [EXTERNAL] Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
Date: Mon, 02 Dec 2019 14:20:16 +0000
Message-ID: <D205CCCE-DF07-460F-B1EB-D8419E4C7AF5@sky.uk>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <20191126180441.GA4452@sources.org> <CY4PR1601MB125470ADE243F60FB710E8C7EA440@CY4PR1601MB1254.namprd16.prod.outlook.com> <20191127142842.GA18601@nic.fr> <716ED073-F71D-412C-A54B-D060DDC6F469@cable.comcast.com> <LO2P265MB05736FAB2D38226EB21D9C72C2440@LO2P265MB0573.GBRP265.PROD.OUTLOOK.COM> <CY4PR1601MB1254A759EC4EA55D3B11603EEA470@CY4PR1601MB1254.namprd16.prod.outlook.com> <CADWWn7WavXNU0jN_dKTjHGyhGoe+UDPxVF0NACJHRitCdvM=2A@mail.gmail.com> <480149195.32229.1575288229166@appsuite-gw1.open-xchange.com>
In-Reply-To: <480149195.32229.1575288229166@appsuite-gw1.open-xchange.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/yyPwlTCxvFo4_E3vwr7xrXdDfXA>


On 29 November 2019 at 01:40, Kenji Baheux <kenjibaheux=40google.com@dmarc.ietf.org> wrote:

On Thu, Nov 28, 2019 at 8:05 PM Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com> wrote:
In addition, with the extended error codes defined in https://tools.ietf.org/html/draft-ietf-dnsop-extended-error-08, the client would know the reason for blocking access to a domain, which solves the user experience problem, and DoT/DoH ensures the error response is not spoofed.

Spot on.

A big part of the problem is that the DNS modifications for legit use cases or legal reasons are done in a non-transparent way, with potential security/privacy side-effects (e.g. application left in the dark, forced custom page), and without strong guarantees that this was indeed the original intent. That said, I understand the need for ISP or service operators to explain what happened to the user and how to act on it (e.g. request whitelisting in a parental control situation).

So, I'd love to hear feedback from ISPs in particular, on the extended DNS error draft in conjunction with DoH.
An alternative would be to use/repurpose HTTP status codes such as 451 or 450 in DoH, and also define something for the explanation needs.

Vittorio Bertola <vittorio.bertola@open-xchange.com> wrote:
I was the one that asked for the addition to the draft of a specific error code for "filtered per user request", because I wholeheartedly share the view that the UX of current DNS filtering platforms, especially when applied to HTTPS destinations, is terrible and lacks the transparency, security and information necessary to reassure the user that this is indeed what was intended to happen and explain why. It would be great if we could find reliable ways to redirect the user to an explanation/configuration page without the need to circumvent or forge the HTTPS connection, while authenticating the origin of the DNS modification and of the message, and as a DNS vendor we would be happy to cooperate on that.

I like the idea given the less than ideal methods required right now to give any feedback to the user. Quite happy to see something like this.

Alister Winfield
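The mechanism Tirumaleswar and Vittorio are discussing is the EDNS0 Extended DNS Error (EDE) option: a resolver that refuses a name for policy reasons attaches an INFO-CODE (Blocked, Censored, Filtered, Prohibited) and optional EXTRA-TEXT to the response, so the stub can tell the user why instead of showing a blank failure. The following is an added example, not code from anyone in this thread: it builds a constructed NXDOMAIN response carrying an EDE option and parses it back the way a stub resolver would. The option code (15) and the INFO-CODE numbers are taken from the published RFC 8914; the draft-08 revision cited above may number them differently, so treat those constants as assumptions.

```python
"""Build and parse an Extended DNS Error (EDE) option in a DNS response (stdlib only).

Constructed example: a stub resolver receives NXDOMAIN with an EDNS0 OPT record
that carries EDE, and turns it into a user-facing reason.
"""
import struct

EDNS_OPT_TYPE = 41        # OPT pseudo-RR type (RFC 6891)
EDE_OPTION_CODE = 15      # EDE option code per RFC 8914 (assumption: draft-08 may differ)

# INFO-CODE values per RFC 8914 (assumption: the draft cited in the thread may differ).
EDE_INFO_CODES = {
    15: "Blocked",        # blocked by the operator's own policy
    16: "Censored",       # blocked due to an external requirement (e.g. legal order)
    17: "Filtered",       # filtered at the requester's own request (e.g. parental control)
    18: "Prohibited",     # the client is not permitted to use this server
}


def _encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, txid=0x1234, rcode=3, info_code=17,
                   extra_text="blocked by your parental-control settings", with_ede=True):
    """Construct a DNS response (default RCODE 3, NXDOMAIN), optionally with an EDE option."""
    flags = 0x8180 | (rcode & 0xF)             # QR=1, RD=1, RA=1, low 4 RCODE bits
    arcount = 1 if with_ede else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if not with_ede:
        return header + question
    text = extra_text.encode("utf-8")
    ede_option = struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), info_code) + text
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 1232, 0, len(ede_option)) + ede_option
    return header + question + opt_rr


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_ede(msg):
    """Return (rcode, [(info_code, extra_text), ...]) for a wire-format DNS response."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4         # QTYPE + QCLASS
    edes = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != EDNS_OPT_TYPE:
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4     # upper 8 bits of the 12-bit RCODE live in OPT TTL
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info_code = struct.unpack("!H", body[:2])[0]
                # EXTRA-TEXT is free-form UTF-8 from the resolver: decode leniently, show as plain text
                extra = body[2:].decode("utf-8", errors="replace")
                edes.append((info_code, extra))
    return rcode, edes


def explain(msg):
    """Produce the explanation a client could show the user instead of a bare failure."""
    rcode, edes = parse_ede(msg)
    if not edes:
        return "no extended error information (rcode=%d)" % rcode
    parts = []
    for info_code, extra in edes:
        name = EDE_INFO_CODES.get(info_code, "code %d" % info_code)
        parts.append("%s: %s" % (name, extra) if extra else name)
    return "; ".join(parts)


if __name__ == "__main__":
    print(explain(build_response("example.com")))
    print(explain(build_response("example.com", with_ede=False)))
```

Two points follow from the thread rather than from the code: the EDE payload is only as trustworthy as the channel it arrived on, which is why the reply above pairs it with DoT/DoH, and EXTRA-TEXT is operator-supplied free text that a client should render as plain text, never as markup.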