Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
Ralf Weber <dns@fl1ger.de> Mon, 16 October 2023 13:05 UTC
From: Ralf Weber <dns@fl1ger.de>
To: Peter Thomassen <peter@desec.io>
Cc: tirumal reddy <kondtir@gmail.com>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, DNSOP WG <dnsop@ietf.org>
Date: Mon, 16 Oct 2023 15:05:42 +0200
Message-ID: <750428A6-234E-4BBB-865E-BABECF44E57E@fl1ger.de>
In-Reply-To: <45acd3d1-fa3f-435f-90f9-51966a439995@desec.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8wJsHc9QBrJA0eWdetyHaCXw5T4>
Moin!

On 16 Oct 2023, at 12:37, Peter Thomassen wrote:
> I share this concern (and Eric's, where the error page is an impersonation of the target page!), and am not convinced that the potential benefit is larger than the harm.

As said before, an interstitial page created by the browser before the actual block page seems like a better solution to me than not having one.

> An alternate route could be to make the error page "well-known", based on the encrypted resolver's hostname (e.g. https://dns.adguard.com/?malw.scalone.eu.), and have the browser display a big warning ("This content does not come from the page you requested.").

DNS or even DoH resolvers are not general-purpose web servers. So having the resolver issue a block page is a non-starter, at least for me. The whole point of using URLs is to point it somewhere it can be served efficiently. We could go down the road of requiring the resolver IP cert, but that would not work for DNR-upgraded resolvers.

Overall I think the browser displaying the URL and the web page having the certificate over the domain of the URL seems sufficient to me. The browser could check for not allowing certain UTF characters or maybe having a reputation list, but that should be a secondary measure.

So long
-Ralf

---
Ralf Weber
Principal Architect, Carrier Division
Akamai Technologies GmbH
Parkring 20-22, 85748 Garching
phone: +49.89.9400.6174
mobile: +49.151.22659325
Geschäftsführer: David Matthew McDonald Aitken, Justyna Kalina Jankowska
Sitz der Gesellschaft: Garching
Amtsgericht München HRB 129886
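The secondary browser-side check Ralf mentions (rejecting URLs whose host uses confusable non-ASCII characters, plus a reputation list), written out as an added example. This is not code from the thread, from any browser, or from the structured-dns-error draft; the policy, the function names, the small confusables table, the denylist contents and the sample URLs are all assumptions made for the illustration.

```python
"""Client-side vetting of a block-page URL delivered in a DNS error.

Added example (not from the mailing-list thread or the draft). Before a
browser shows or follows a URL taken from an error response it can refuse
hosts whose name mixes scripts or is a homograph of an ASCII name, and
consult a local reputation list. Everything below is an assumed policy.
"""
import ipaddress
import unicodedata
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed reputation list; a real client would use a maintained feed.
DENYLIST = frozenset({"malw.scalone.eu", "blockpage.invalid"})

# Constructed subset of UTS #39 confusables: non-Latin letters that render
# like ASCII letters. A real client needs the full table, not this sample.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i", "\u0458": "j",
    "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y",
    "\u04cf": "l", "\u03bf": "o",
}


def _script_of(ch: str) -> str:
    """Rough script from the Unicode name ('CYRILLIC SMALL LETTER A' ->
    'CYRILLIC'). Adequate for a mixed-script heuristic, nothing more."""
    if ch.isascii():
        return "LATIN"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def _to_unicode(label: str) -> str:
    """Decode an A-label (xn--...) to the U-label the user would see.
    Raises UnicodeError on malformed punycode."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def _check_label(label: str) -> Optional[str]:
    """Return a rejection reason for one host label, or None if acceptable."""
    if not label:
        return "empty label"
    scripts = {_script_of(c) for c in label if c.isalpha()}
    if len(scripts) > 1:
        return f"mixed-script label {label!r}"
    if not label.isascii():
        # Whole-script homograph: an all-Cyrillic label that maps onto an
        # ASCII word is as deceptive as a mixed one, so check its skeleton.
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        if skeleton.isascii():
            return f"label {label!r} is a homograph of {skeleton!r}"
    return None


def vet_block_page_url(url: str) -> Tuple[bool, str]:
    """Return (accept, reason) for a URL carried in a DNS error response."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False, "IP literal host"  # no name for a certificate to cover
    host = unicodedata.normalize("NFC", host).rstrip(".").lower()
    labels = []
    for label in host.split("."):
        try:
            label = _to_unicode(label)
        except UnicodeError:
            return False, f"invalid punycode label {label!r}"
        reason = _check_label(label)
        if reason:
            return False, reason
        labels.append(label)
    if host in DENYLIST or ".".join(labels) in DENYLIST:
        return False, "host on reputation list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs, including a Cyrillic "apple" in A-label form.
    for u in ("https://blocked.example.net/why?name=malw.scalone.eu.",
              "http://blocked.example.net/",
              "https://p\u0430ypal.example/",
              "https://xn--80ak6aa92e.example/",
              "https://malw.scalone.eu/"):
        print(u, "->", vet_block_page_url(u))
```

The certificate half of Ralf's argument, that the page's certificate must cover the host in the URL, is enforced by the HTTPS client when it fetches the page; this function only decides whether the URL is worth fetching and displaying at all.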