IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

Dan Wing <danwing@gmail.com> Fri, 20 October 2023 16:58 UTC

Return-Path: <danwing@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE0E0C15108C for <dnsop@ietfa.amsl.com>; Fri, 20 Oct 2023 09:58:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fTXZ5tehpBet for <dnsop@ietfa.amsl.com>; Fri, 20 Oct 2023 09:58:47 -0700 (PDT)
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6888C15107E for <dnsop@ietf.org>; Fri, 20 Oct 2023 09:58:47 -0700 (PDT)
Received: by mail-pf1-x433.google.com with SMTP id d2e1a72fcca58-6b3c2607d9bso958979b3a.1 for <dnsop@ietf.org>; Fri, 20 Oct 2023 09:58:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697821127; x=1698425927; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=mlA1uRAWaFoG63TuHaFPYTWanInXnVxjuUINhknueyk=; b=NGM5qiwxQW7g6Y8deKjBrcdtaA6Y6lwevS42VMMQxdGZ7ZAtRiqI6J1QRtZfT3E3h8 iiNwRr9J0NkJHXnoxWl5fL0+OPxR08odSB2ZC9unN1NBkFTmzfrj6f0VlPj/4tXQYcs0 HfdOfdFKB5G1TYKldO2LDaQWTjh1d6OjOq3KOmaFvEZi6YRvZHt530feK2rVw+cCAjzR BEmzgwjmhLBVjtraMZkmlcpN17h9jbcfX/NfQX50y32dtn+n5T7nOaNfSFfWrSjagYaj p0wbj514xmS4wsqKqr3yZYdi18VO/RYSB9fvBw/OMdRzLr7ylOTSpJNGWibBVE/SfD+y VF+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697821127; x=1698425927; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=mlA1uRAWaFoG63TuHaFPYTWanInXnVxjuUINhknueyk=; b=pYfILecUvmBMhBkTUG58it2fXIMd3c5muGKNXmJLUJf8twVigiSD1FhRHqXDIKNnuN mZAVK0V60sX1qUND49xXjxcvXFCUZ//hvLDJEI+fxdje9XDo99q6pEz2GcYkJ9slFgKt zxqQG7W7yHX/zRDO3S4iOi/NTPWgovV411mBH0NJHZAVIoPz0L6Wt21NtNYFKbszUEzK Vcvzm8mQJ/MOh/U71Tl4ZKuhAB2qiHvX8PNGVZNKYC5TixxiBTgn3ZtoNDRL6U0TjzrB 1c9rU/lTdZ4W68HzinZngDdtP7kK0LjkA6WAbmWG28x0OmeGDpAqNSI4uNIlfuSVcKef +u3Q==
X-Gm-Message-State: AOJu0Yxk4i+upwzXzFNp7AddsgR0nE8h1Lg7s2jXHggwXnHz3KTq75Li bImvDzD+0n/+u6VzGdR75V/WjtUW15B8Ew==
X-Google-Smtp-Source: AGHT+IFE5Q44yETn4Wq1KwGPyao/Mzi44sE13j9fH4xZOprZ9uEgxryqNyLHCZdAlMZL5/JaDKglQA==
X-Received: by 2002:a05:6a21:35c8:b0:17b:3822:e5ea with SMTP id ba8-20020a056a2135c800b0017b3822e5eamr2246688pzc.19.1697821126946; Fri, 20 Oct 2023 09:58:46 -0700 (PDT)
Received: from smtpclient.apple ([47.208.219.53]) by smtp.gmail.com with ESMTPSA id x11-20020a634a0b000000b005b529d633b7sm1662897pga.14.2023.10.20.09.58.45 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 20 Oct 2023 09:58:46 -0700 (PDT)
From: Dan Wing <danwing@gmail.com>
Message-Id: <55ADB8F6-E786-411D-A709-D2C894A2302B@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_52D0C384-74F1-40C1-BB41-A2101205440F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.100.2.1.4\))
Date: Fri, 20 Oct 2023 09:58:34 -0700
In-Reply-To: <BN8PR15MB3281EAD3D8D14BAB395F47A1B3DBA@BN8PR15MB3281.namprd15.prod.outlook.com>
Cc: Tirumaleswar Reddy <kondtir@gmail.com>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, DNSOP WG <dnsop@ietf.org>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
References: <DB9PR05MB847313955E9EE5F63F53FDB3A3D4A@DB9PR05MB8473.eurprd05.prod.outlook.com> <CAHw9_iKDDt9W207osTsHpfaacjQioDM1VVbLk9JTRB2hjpEa1g@mail.gmail.com> <DB850E35-E036-46B3-9BB0-B29277B75FA3@apple.com> <CAFpG3gcQhVpuWi9iBOFhxum5XNsA4-vXnQaUh2LgfFkQ3nMz9w@mail.gmail.com> <BN8PR15MB3281EAD3D8D14BAB395F47A1B3DBA@BN8PR15MB3281.namprd15.prod.outlook.com>
X-Mailer: Apple Mail (2.3774.100.2.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CG8CDSzcHQ6Ax--YcdrFEUuTz3Y>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2023 16:58:51 -0000

The authors took a stab at text explaining mitigations which seem to have not met the WG's needs.

Removing HTTP would allow the document to move forward.  If someone finds a suitable way to weaken (or even prevent) malicious use of http in the Contact field by the DoH/DoT operator (with an interstitial or something else) we can create a bis to allow http in the Contact ("c") field.

-d


> On Oct 20, 2023, at 7:10 AM, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:
> 
> This draft originally proposed returning a webpage.  After reviews from the working group raising concern about allowing the DNS server to inject a webpage, it was changed to provide a contact URI instead ... but it then lists "https:" as an example of a suitable contact URI scheme.  This apparent contradiction ("https:" is not a form of contact info) strikes me as an awkward compromise, and a fine example of "design by committee".
> 
> Ultimately, it seems that this draft as aimed at browsers, and should provide information that browser makers believe can safely be displayed to users.  I think the most sensible solution is (1) replace the "https:" example in the draft with "mailto:" and (2) note that clients are free to ignore contact URIs with unsupported schemes.
> 
> Even a "mailto:" scheme is not without risk here, and I wouldn't be surprised if some browser vendors feel it is unsafe to display.  However, it sounds like there is some interest from potential clients, perhaps enough to support continuing with this draft.
> 
> --Ben
> From: DNSOP <dnsop-bounces@ietf.org <mailto:dnsop-bounces@ietf.org>> on behalf of tirumal reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>>
> Sent: Friday, October 20, 2023 6:09 AM
> To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:tpauly=40apple.com@dmarc.ietf.org>>
> Cc: Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org <mailto:Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>>; DNSOP WG <dnsop@ietf.org <mailto:dnsop@ietf.org>>
> Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
>  
> This Message Is From an External Sender 
> I would like to clarify that the purpose of the "c" (contact) field is not to display an error page but to provide contact details of the IT/InfoSec team for reporting misclassified DNS filtering. Its function is to report legitimate domain names that have been incorrectly blocked due to misclassification.
> 
> There is no mention in the draft that the "c" (contact) field is intended for displaying an error page. It is assumed that the client application would handle the display of an error page, and the content of the "c" field would be optionally used in specific scenarios, such as TRR. 
> 
> To improve clarity, we could update the draft and specify that the error page must be displayed by the client application, and the "c" field link may be optionally provided to raise complaints. Furthermore, to minimize security risks, the client can retrieve the URL from the contact field in an isolated environment. It must also take additional precautions, such as clearly labeling the page as untrusted. This isolation should prevent the transmission of cookies, block JavaScript execution, and prevent the auto-fill of credentials or personal information. The isolated environment should be separate from the user's normal browsing environment.
> 
> Cheers,
> -Tiru
> 
> 
> 
> 
> 
> On Fri, 20 Oct 2023 at 01:42, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:40apple.com@dmarc.ietf.org>> wrote:
> 
> 
>> On Oct 19, 2023, at 12:44 PM, Warren Kumari <warren@kumari.net <mailto:warren@kumari.net>> wrote:
>> 
>> I still don't understand why (other than marketing/advertising) this is needed — the EDE "4.18. Extended DNS Error Code 17 - Filtered" ("The server is unable to respond to the request because the domain is on a blocklist as requested by the client. Functionally, this amounts to "you requested that we filter domains like this one.") seems to cover it.
>> 
>> If browsers are willing to do anything with the EDE codes (like "ERROR: Your DNS filtering provider says you shouldn't go here") what additional **important** information needs to be communicated? And if browsers are not willing to do anything with just EDE codes, it sure doesn't seem like they would want to do that **and** follow an unauthenticated URL… 
> 
> Safari is now displaying the EDE-code based information! So we are willing to show that.
> 
> The case that might still be interesting is providing the user some (hopefully safe) way to contact the blocker to dispute why this is being blocked — so a way to send an email to an administrator, but not something else. Showing advertising or marketing or any arbitrary page is not something I think would fly.
> 
> Tommy
>> 
>> Anything more simply adds complexity and security risks, and entails privacy concerns for the user too…
>> 
>> W
>> 
>> 
>> On Thu, Oct 19, 2023 at 4:05 AM, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org <mailto:Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>>wrote:
>> Hi,
>> I think that we have now 2 good potential compromises:
>> A browser interstitial page explaining that the following page is generated by the service that blocked the actual page, with a button indicating “proceed to the blocking page” and another “dismiss”
>> A graphical representation of the blocking page, rendered as image with no clickable links, with a button indicating “proceed to the blocking page” and another “dismiss”
>>  
>> This would be understandable by customers and provide a good user experience and security.
>> In addition we could start thinking about a reputation mechanism.
>>  
>> Kind regards
>>  
>> Gianpaolo
>> 
>> C2 General
>> _______________________________________________ 
>> DNSOP mailing list 
>> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
> https://www.ietf.org/mailman/listinfo/dnsop
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email