IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy

Paul Wouters <paul@nohats.ca> Tue, 18 April 2023 13:53 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B964C15153D; Tue, 18 Apr 2023 06:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J11fVabMmgjo; Tue, 18 Apr 2023 06:53:36 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19676C14CF0C; Tue, 18 Apr 2023 06:53:35 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4Q153w0gt9z5BZ; Tue, 18 Apr 2023 15:53:32 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1681826012; bh=3VnlUiszy0Fe4inTqMO3OWZB+1nc5x4HuqaGIC4YJ9w=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=US5a/DwZSDWRvj9N77tZKPsgwfcuwa5tYT+ToqO9QPzg2MwZMRgMsSh0oK0Vm1JC+ ug19srBBM0tegJLhEy+BY0ON+SJo7csHyYRK6HXZwbOgveniFEKfnVoXHJ+T8YlM7I nF1jC2HsxXJTDSTJTXWeL9wMjgnOuyifWgeCfPNo=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id TD8z6IZDtz5T; Tue, 18 Apr 2023 15:53:31 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 18 Apr 2023 15:53:31 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 39E4E825341; Tue, 18 Apr 2023 09:53:30 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 36E6A825340; Tue, 18 Apr 2023 09:53:30 -0400 (EDT)
Date: Tue, 18 Apr 2023 09:53:30 -0400
From: Paul Wouters <paul@nohats.ca>
To: Ralf Weber <dns@fl1ger.de>
cc: Benjamin Schwartz <ietf@bemasc.net>, mohamed.boucadair@orange.com, dnsop <dnsop@ietf.org>, draft-ietf-dnsop-structured-dns-error@ietf.org
In-Reply-To: <9DFB9E73-1AB8-4B24-BC59-F6ADB4252B3A@fl1ger.de>
Message-ID: <f0160ab3-e802-33a9-fc1e-de8285397e3f@nohats.ca>
References: <4561_1680881181_6430361D_4561_496_1_cbba461734d74dbf8116d7f476960f88@orange.com> <CAJF-iTRHVS8asiaf-fvtWZqpNdzou4zEsb36roaK-S_HMAEX2g@mail.gmail.com> <9DFB9E73-1AB8-4B24-BC59-F6ADB4252B3A@fl1ger.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/54UjK7v3SJUP2vvd4xC3PO-OecI>
Subject: Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2023 13:53:41 -0000

On Tue, 18 Apr 2023, Ralf Weber wrote:

[speaking as individual]

> On 18 Apr 2023, at 13:11, Benjamin Schwartz wrote:
>
>> The draft's opening words are "DNS filtering is widely deployed for network
>> security".  This is true, but by far the "widest" deployment of DNS
>> filtering is for authoritarian national censorship, to prevent citizens
>> from engaging with forbidden ideas.
>
> Do you have any data to back this claim up? I see far more solutions out
> there protecting against attackers (malware, phishing, etc) then there
> are for “censoring” or parental controls.

That could be because the nation state filters are not as visible or
advertised.

> Also there are democratic
> countries that with agreements of their citizens block access to some
> content using DNS.

I would avoid choices in reasoning based on the term "democratic", as
that definition is not very clear for a lot of nation states.

> But none of that should matter here as the idea of
> this draft is to help the user to be informed why something has happened
> using extended DNS errors and I think that is a win for the end user.

Will it? Every time there is helpful security software, we see filters
that are lying about the categories. Like the ACLU being filtered for
being "pornographic".

>> I think the idea of "suberrors" for the "Censored" EDE code probably just
>> doesn't make sense.  By definition, this code indicates that the resolver
>> _doesn't_ know why the result was filtered.  (The resolver operator may
>> know a _claimed_ reason, but it has no way to know whether this rationale
>> is the real motivation.)  Thus, one way forward might be to exclude this
>> code from the suberror registry.

The resolver operator might subscribe to various filtering lists and it
might have some idea. It would be useful if it can use categories to
explain to the user, provided it can also provide an identifier to the
source of such claims.

>> Even for the other codes, I think this registry opens a terrible can of
>> worms that the IETF can and should avoid.  Shall we add codes for "adult
>> content"? "advertising"? "social media"? "political extremism"? "terrorist
>> content"? "CSAM"? "fake news"?

Whther we should or not, if the registry is FCFS, these types will be
added and will end up being used. (subcategory or main category)

>> The EDE draft manages this to some extent by presenting an initial list of
>> codes that are plainly technical or structural in nature.  This draft does
>> the opposite, by starting to enumerate all the perceived evils of the
>> Internet.
>>
>> Let's not go down that road.

I'm also leaning towards not doing it, but think it will happen inevitably.

> Ok, so for me sub errors are useful as they can give some further information
> on why something was blocked, and that information can be conveyed to the
> end user. The EDE categories are rather broad and hence don’t give enough
> information on why exactly a site is blocked. Now we could also use free
> text

Free text was explicitely excluded in the original EDE RFC because of
its potential of abuse, eg [go to www.evil.com - your computer is infected!]
or another venue of delivering advertisements.

> or let each resolver operator pick there own, but maybe some categories that
> we all can agree on would be good to put in here. I’m ok with not adding
> stuff to the censored EDE code, but we should allow sub errors to Filtered
> and Blocked.

What I find far more important is to fix RBLs so that the original DNS
data is still delivered but in a containerized way, so that the
filtering works because it is desired (optin) and not because it is
enforced against the will of the enduser.

Paul

v2.23.0 | Report a Bug | By Email