[DNSOP] Further feedback on draft-ietf-dnsop-structured-dns-error-15
Mark Nottingham <mnot@mnot.net> Tue, 22 July 2025 17:33 UTC
Return-Path: <mnot@mnot.net>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 799DE48BB1B1 for <dnsop@mail2.ietf.org>; Tue, 22 Jul 2025 10:33:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b="XZF8svsj"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="kUZESNZl"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uBy-5_k-d_dO for <dnsop@mail2.ietf.org>; Tue, 22 Jul 2025 10:33:25 -0700 (PDT)
Received: from fhigh-b3-smtp.messagingengine.com (fhigh-b3-smtp.messagingengine.com [202.12.124.154]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B62FC48BADBD for <dnsop@ietf.org>; Tue, 22 Jul 2025 10:32:52 -0700 (PDT)
Received: from phl-compute-01.internal (phl-compute-01.phl.internal [10.202.2.41]) by mailfhigh.stl.internal (Postfix) with ESMTP id 6FBBB7A0282 for <dnsop@ietf.org>; Tue, 22 Jul 2025 13:32:52 -0400 (EDT)
Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-01.internal (MEProxy); Tue, 22 Jul 2025 13:32:52 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :content-transfer-encoding:content-type:content-type:date:date :from:from:in-reply-to:message-id:mime-version:reply-to:subject :subject:to:to; s=fm3; t=1753205572; x=1753291972; bh=WUJdw8WF+N n2crB8Kb8yiGMvMIS2qBLzdhmMO7MODlQ=; b=XZF8svsjUFCjsJ1X1HeXP/mXfG aoWmYtNXJ9mKQ5WbC/JMZo/tn0CJwQWNjIvNaOYO5qPLDNCwiAcp2ANjJAzy8dLX 3wREMTdMc041ejp545ucN0x04/X6mA8IGjnvk6GHbWpDiv1v0WNm3/lJ+VRzTO3x dHwtWvJopO/mSfENu0t+z4UG4MHf9HzEtrYTACkeKIltAhObUmcLKpiO6h2TS7ir +kstDIX2yJShHQdgsEvWl6VEA0YkFkwUq5qxOJqmB1/z2bdFxS20//2AQC0J9at2 5znPpd4tXkQVBSOowCCiuhbPnXekVF35zJGTDkp6w0m1W6jo9YS+3rEWtTlw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:message-id:mime-version:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t= 1753205572; x=1753291972; bh=WUJdw8WF+Nn2crB8Kb8yiGMvMIS2qBLzdhm MO7MODlQ=; b=kUZESNZlqicFKh58NvCSnoXkevGwc/m+0bHdKb4JE40OamtsQcK YPzdK4rnefp0dgZobJLD/b5eoDNWVTYA3Mz5vW5n8GFVcvuFIN/iPKL9PfCqh+V7 ZvhGtaG6jCTGB7dJwFHbo42vI0hCriGfZaUw0ahYIYiIre1H6+SzTmdKu3gc4i5K d0vftGNhvtf0Ynq9+afwTokUEFtr5Jr3qrHvcmInfo1EH+YMG5pah13XPxCpyfEF zKLZlcKjFcXzX2MMwnstdCWujpfHx0xoWGczuWEX9Gx9UMlUFspNF/sxza4LJBic hDVJc576BdQ2c+J8UOZwauTP9tSEs8tPDEA==
X-ME-Sender: <xms:RMt_aNyIG683Wq2xfjgBSWSamBG-mgBlRBnPpdCGpNATZE6mYBEkhw> <xme:RMt_aIi6L0c4Uf9DTuiU0wsKdjNuZN7CTeMN9_hF7eUvVA2aquYW7JZHwpCCcBpR0 FFkuin7eot9ESrTjQ>
X-ME-Received: <xmr:RMt_aH-w6LxZunC53Vyu_jy9GMqQoLZyva81vS7m6SKiqH8t8Vjw7diK25fPvSRBc6tyClfDHwQslEwF7rfEyA7PJ3BD7i5X780>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgdejheehudcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecunecujfgurhephfgtgfgguffkfffvofesthhqmhdthhdtvd enucfhrhhomhepofgrrhhkucfpohhtthhinhhghhgrmhcuoehmnhhothesmhhnohhtrdhn vghtqeenucggtffrrghtthgvrhhnpefgveekieeigeeljeekfedvffeuffelhfduuddtte efudelfeffjedutddvgeefffenucffohhmrghinhepmhhnohhtrdhnvghtnecuvehluhhs thgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhnohhtsehmnhhoth drnhgvthdpnhgspghrtghpthhtohepuddpmhhouggvpehsmhhtphhouhhtpdhrtghpthht ohepughnshhophesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:RMt_aFur29AymAzOfFJkPvgh9vyIcqUnW1tOWsqo0X81JPlz1Q2hLg> <xmx:RMt_aOY41ZMPgUdQS2jVSF_VJeosTIaEmkreTs4daSSXJm4cfEkzhA> <xmx:RMt_aFrTFAwxwUVHkx9YxKg88_xQoPv4AxDiSiWBYIVKB-TQfU0B7g> <xmx:RMt_aD_GY39TGLyCgjhPq97vjXH7pDD3vYESQou3ufWTLO_XqhZBoQ> <xmx:RMt_aNJ36liXFg4GFifN6Iqt3xrjbLZBFQfhPiuGPt3uJonG89X77xhP>
Feedback-ID: ie6694242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <dnsop@ietf.org>; Tue, 22 Jul 2025 13:32:51 -0400 (EDT)
From: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.600.51.1.1\))
Message-Id: <21E492D4-390D-4159-BED1-311AD198A27D@mnot.net>
Date: Tue, 22 Jul 2025 19:32:49 +0200
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
X-Mailer: Apple Mail (2.3826.600.51.1.1)
Message-ID-Hash: G3NUOOSQACUAARHK45I4CEJ3UMWYXVZD
X-Message-ID-Hash: G3NUOOSQACUAARHK45I4CEJ3UMWYXVZD
X-MailFrom: mnot@mnot.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Further feedback on draft-ietf-dnsop-structured-dns-error-15
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3WpGIlfUw6WGjCdhwsD2iP-w3Ag>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi all,
After the discussion on Monday, I had a look through structured-dns-error-15 to see if anything would clash with what we're thinking of in draft-nottingham-public-resolver-errors.
In short, it appears that updates by the authors address many of the issues I found previously; there are only a couple left that would raise concerns for me if the two drafts were kept separate. See below for those, along with some comments and questions I had along the way (that don't affect that decision).
## Issues
- 5.2 prohibits using sub-error codes in 'Censored' responses. That seems excessive; conceivably, they might conceivably be needed down the road.
- Section 5.3 step 2 requires the use of encrypted DNS, otherwise the extra information is thrown away. Conceivably, some clients may have enough information available to trust non-encrypted DNS at some future time. I agree with the notion that the client should evaluate the context of the DNS resolver and make decisions based upon that regarding how to use the information -- and that definitely involves whether the connection is encrypted -- but baking it into the algorithm like this precludes them from any future flexibility, no matter what the use case.
If WG consensus on this is firm and fully informed, so be it, but I thought I heard an indication that there was a subtle shift away from such draconian measures in the discussion on Monday.
- Similarly, 5.3 step 6 puts constraints on the information available to clients who have enabled a DoT opportunistic privacy profile. This likewise seems to take any discretion out of the client's hands and bakes it into the algorithm.
- Same question for step 7 regarding opportunistic discovery.
- 10.2 puts specific requirements on browsers (as opposed to clients) -- is that intentional?
## Comments
- Section 3 ("DNS Filtering Techniques and Their Limitations") should be moved to an appendix; it has a very different character as compared to the rest of the specification.
- Because this specification requires use of I-JSON, it should be clarified whether non-conforming messages are required to be rejected. See RFC7493 Section 3. I'd suggest this NOT be required (but we still need to be explicit about that).
- Making 'j' mandatory seems excessive; most of these responses will never be seen by "IT staff" and the justification may be self-evident from other fields.
- Requiring contact details for reporting seems... optimistic, and will likely lead to 'do-not-reply' style addresses being used. I'd suggest making this a SHOULD.
- 10.2 "The value consists solely of an organization name and does not contain any additional free-form content such as instructions, URLs, or messaging intended to influence the end-user behavior." Is this implementable? The context seems to imply it can be done in an automated fashion.
- 11.1 Has a registry column for 'mandatory'. It should be noted that new mandatory extensions can't be introduced in a backwards-compatible way, and so this should always be 'no' for extensions registered after the initial RFC publication.
- 11.2 Probably needs to say that contact URI schemes must be registered URI schemes.
Cheers,
--
Mark Nottingham https://www.mnot.net/
- [DNSOP] Further feedback on draft-ietf-dnsop-stru… Mark Nottingham
- [DNSOP] Re: Further feedback on draft-ietf-dnsop-… Petr Špaček