Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

Ralf Weber <dns@fl1ger.de> Mon, 16 October 2023 13:05 UTC

Return-Path: <dns@fl1ger.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1088C15153F for <dnsop@ietfa.amsl.com>; Mon, 16 Oct 2023 06:05:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ixKUqaryoXiU for <dnsop@ietfa.amsl.com>; Mon, 16 Oct 2023 06:05:47 -0700 (PDT)
Received: from smtp.guxx.net (nyx.guxx.net [85.10.208.173]) by ietfa.amsl.com (Postfix) with ESMTP id 4F366C15109E for <dnsop@ietf.org>; Mon, 16 Oct 2023 06:05:46 -0700 (PDT)
Received: from [100.64.0.1] (p54b8a279.dip0.t-ipconnect.de [84.184.162.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id ABCAE5F40143; Mon, 16 Oct 2023 13:05:43 +0000 (UTC)
From: Ralf Weber <dns@fl1ger.de>
To: Peter Thomassen <peter@desec.io>
Cc: tirumal reddy <kondtir@gmail.com>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, DNSOP WG <dnsop@ietf.org>
Date: Mon, 16 Oct 2023 15:05:42 +0200
X-Mailer: MailMate (1.14r5997)
Message-ID: <750428A6-234E-4BBB-865E-BABECF44E57E@fl1ger.de>
In-Reply-To: <45acd3d1-fa3f-435f-90f9-51966a439995@desec.io>
References: <DB9PR05MB847355CA18F73D1B8F892C15A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <DB9PR05MB84738B9AA9551E7E116AE491A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <CAHw9_i+bJ3-rJD97Rr21RoX_O58hdEz2DUHxgiheYdsxw4rhsw@mail.gmail.com> <B02CC0F1-C264-444B-8B3C-F60B2E4CA293@apple.com> <CAFpG3gcPwjXq7XVjtU1OVvD3Yb4cOnkbgtSDg-FG65iHi5qCAQ@mail.gmail.com> <45acd3d1-fa3f-435f-90f9-51966a439995@desec.io>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8wJsHc9QBrJA0eWdetyHaCXw5T4>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Oct 2023 13:05:52 -0000

Moin!

On 16 Oct 2023, at 12:37, Peter Thomassen wrote:
> I share this concern (and Eric's, where the error page is an impersonation of the target page!), and am not convinced that the potential benefit is larger than the harm.

As said before, an interstitial page created by the browser before the actual block page seems like a better solution to me than not having one.

> An alternate route could be to make the error page "well-known", based on the encrypted resolver's hostname (e.g. https://dns.adguard.com/?malw.scalone.eu.), and have the browser display a big warning ("This content does not come from the page you requested.").
>

DNS or even DoH resolvers are not general purpose web servers. So having the resolver issue a block page is a non-starter, at least for me. The whole point of using URLs is to point it somewhere where it can be served efficiently. We could go down the road of requiring the resolver IP cert, but that would not work for a DNR-upgraded resolver.

Overall I think the browser displaying the URL and the web page having the certificate over the domain of the URL seems sufficient to me. The browser could check for not allowing certain UTF characters or maybe having a reputation list, but that should be a secondary measurement.

So long
-Ralf
---
Ralf Weber
Principal Architect, Carrier Division

Akamai Technologies GmbH
Parkring 20-22, 85748 Garching
phone: +49.89.9400.6174
mobile: +49.151.22659325

Geschäftsführer: David Matthew McDonald Aitken, Justyna Kalina Jankowska
Sitz der Gesellschaft: Garching
Amtsgericht München HRB 129886
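The kind of client-side URL check discussed in this message (require a certificate-backed https origin, refuse hosts with certain Unicode characters), written out as an added Python example. It is not code from Ralf's message, from the structured-dns-error draft, or from any browser; it assumes the block-page URL has already been extracted from the extended error as a plain string, and the host names below (blockpage.example.net, the internationalized labels) are constructed samples.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed sample inputs; none of these hosts come from the draft or the thread.
SAMPLE_URLS = [
    "https://blockpage.example.net/why?q=malw.scalone.eu",
    "http://blockpage.example.net/why",
    "https://[2001:db8::1]/why",
    "https://user@blockpage.example.net/why",
]


def _script_of(ch: str) -> str:
    """First word of the Unicode name, e.g. 'LATIN' or 'CYRILLIC'; crude but dependency-free."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def _decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its U-label; plain ASCII labels pass through unchanged."""
    if not label.startswith("xn--"):
        return label
    return label.encode("ascii").decode("idna")


def check_block_page_url(url: str) -> dict:
    """Decide whether a browser should be willing to show this block-page URL at all.

    Returns {"accept": bool, "host": str|None, "reasons": [str, ...]}.
    Hard failures set accept=False; informational notes are appended to reasons only.
    Single-script confusables (an all-Cyrillic look-alike host) are NOT caught here;
    that is what the message's 'reputation list' remark would have to cover.
    """
    result = {"accept": True, "host": None, "reasons": []}

    def reject(msg: str) -> None:
        result["accept"] = False
        result["reasons"].append(msg)

    try:
        parts = urlsplit(url)
    except ValueError:
        reject("URL does not parse")
        return result

    # The whole argument rests on the page's certificate covering the host shown,
    # so anything that is not https has no certificate to bind the content to the host.
    if parts.scheme.lower() != "https":
        reject("scheme is not https, so no certificate binds the page to the host")
    if parts.username is not None or parts.password is not None:
        reject("userinfo (user@host) is not allowed; it obscures which host is shown")

    host = parts.hostname
    if not host:
        reject("no host in URL")
        return result
    result["host"] = host

    # A bare IP literal has no domain for the certificate check the message relies on.
    try:
        ipaddress.ip_address(host)
        reject("host is an IP literal rather than a domain name")
        return result
    except ValueError:
        pass

    # Require the wire (A-label) form; raw non-ASCII in the host is refused outright.
    if any(ord(c) > 127 for c in host):
        reject("host contains raw non-ASCII; A-label (xn--) form is required")
        return result
    if len(host) > 253:
        reject("host exceeds 253 octets")

    for label in host.rstrip(".").split("."):
        if (not label or len(label) > 63 or label[0] == "-" or label[-1] == "-"
                or not all(c.isalnum() or c == "-" for c in label)):
            reject(f"invalid label {label!r}")
            continue
        try:
            ulabel = _decode_label(label)
        except UnicodeError:
            reject(f"label {label!r} is not valid IDNA")
            continue
        if ulabel != label:
            # Internationalized label: refuse mixed scripts, note single-script ones.
            scripts = {_script_of(c) for c in ulabel if c.isalpha()}
            if len(scripts) > 1:
                reject(f"label {label!r} decodes to {ulabel!r}, mixing {sorted(scripts)}")
            else:
                result["reasons"].append(
                    f"label {label!r} is internationalized ({ulabel!r}); display per policy")
    return result


def summarize(urls=SAMPLE_URLS) -> dict:
    """Map each sample URL to its accept/reject verdict (used for a quick stand-alone run)."""
    return {u: check_block_page_url(u)["accept"] for u in urls}


if __name__ == "__main__":
    for u, ok in summarize().items():
        print("ACCEPT" if ok else "REJECT", u, check_block_page_url(u)["reasons"])
```

The https-only and no-userinfo rules implement the "certificate over the domain of the URL" argument; the IDNA pass implements the "certain UTF characters" check by refusing labels whose decoded form mixes scripts, while leaving single-script internationalized names (a German umlaut domain, say) to display policy.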