IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy

Benjamin Schwartz <ietf@bemasc.net> Tue, 18 April 2023 13:54 UTC

Return-Path: <benjamin.m.schwartz@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 123A6C15153D; Tue, 18 Apr 2023 06:54:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.549
X-Spam-Level:
X-Spam-Status: No, score=-1.549 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0UJeW3ZKVQaW; Tue, 18 Apr 2023 06:54:27 -0700 (PDT)
Received: from mail-vs1-f54.google.com (mail-vs1-f54.google.com [209.85.217.54]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9502C151557; Tue, 18 Apr 2023 06:54:25 -0700 (PDT)
Received: by mail-vs1-f54.google.com with SMTP id i20so11851444vss.5; Tue, 18 Apr 2023 06:54:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681826065; x=1684418065; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rZleTWAbA26lrs2FyD/upd5UsMu58vQNdJEqwaEPjgE=; b=l6Zp9NamJCVIWMzDh6iUn14CD5QZs/+Y149RJ5Z534Hfhpg0+AIuGSeeuQvlaVLFks srETwjbBJs/o7FiCaws1Y8Itn3xqlt/2WiVeWHDf8X0sQlitzsuvzyzpl0psP3mVvhfx AJL/scEY06m9wmz9TQJ6HPu9qlKOnU8L3LWDpcLNMSUQkp659WDLThI5Ws1v9yJYkEEW gPjp3NTNhOwg5exxwAB1ioZIOWkOm1C3kPpZKT8RoYaZDlC8bSG4ViK8kGz1P6iBb5EZ fikDPep0pev9ErF1OMHx5s4KJqam1JGrC7cMAgGhvLZyyuRG1Hr7xXDqLGXMPfAxPdpk xfwA==
X-Gm-Message-State: AAQBX9dxcU9uERLkmN2m5UGiuZ9/U2Gtk6DBM5r8MvJ9Z897ooQnpjIK /wSvumgZvjOyEM1Ghr6Dx01HOaRkQe8I3Q==
X-Google-Smtp-Source: AKy350ZiRp+0PznCGpV11mkSjaiug0eQJvquSKprV9fCLZyQO8EZxMGqyo+ujs/UjhnM2WrFc/wRDA==
X-Received: by 2002:a05:6102:4a8:b0:426:20a8:a5b0 with SMTP id r8-20020a05610204a800b0042620a8a5b0mr6298160vsa.13.1681826064542; Tue, 18 Apr 2023 06:54:24 -0700 (PDT)
Received: from mail-ua1-f44.google.com (mail-ua1-f44.google.com. [209.85.222.44]) by smtp.gmail.com with ESMTPSA id a4-20020ab05684000000b0076d52359f2asm1864086uab.31.2023.04.18.06.54.24 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 18 Apr 2023 06:54:24 -0700 (PDT)
Received: by mail-ua1-f44.google.com with SMTP id r10so11179029uat.6; Tue, 18 Apr 2023 06:54:24 -0700 (PDT)
X-Received: by 2002:a1f:cec2:0:b0:43f:a097:5e8c with SMTP id e185-20020a1fcec2000000b0043fa0975e8cmr5235727vkg.16.1681826063796; Tue, 18 Apr 2023 06:54:23 -0700 (PDT)
MIME-Version: 1.0
References: <4561_1680881181_6430361D_4561_496_1_cbba461734d74dbf8116d7f476960f88@orange.com> <CAJF-iTRHVS8asiaf-fvtWZqpNdzou4zEsb36roaK-S_HMAEX2g@mail.gmail.com> <9DFB9E73-1AB8-4B24-BC59-F6ADB4252B3A@fl1ger.de>
In-Reply-To: <9DFB9E73-1AB8-4B24-BC59-F6ADB4252B3A@fl1ger.de>
From: Benjamin Schwartz <ietf@bemasc.net>
Date: Tue, 18 Apr 2023 09:54:12 -0400
X-Gmail-Original-Message-ID: <CAJF-iTTWJq=8xOa+=tkQ2iXsYhttyPGGQNhaeZcq1EQVkE9Cxg@mail.gmail.com>
Message-ID: <CAJF-iTTWJq=8xOa+=tkQ2iXsYhttyPGGQNhaeZcq1EQVkE9Cxg@mail.gmail.com>
To: Ralf Weber <dns@fl1ger.de>
Cc: mohamed.boucadair@orange.com, dnsop <dnsop@ietf.org>, draft-ietf-dnsop-structured-dns-error@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001b4f4e05f99ca563"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HsXj4s_mQm952sXdQEzLeyz85C4>
Subject: Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2023 13:54:32 -0000

On Tue, Apr 18, 2023 at 7:49 AM Ralf Weber <dns@fl1ger.de> wrote:

> Moin!
>
> On 18 Apr 2023, at 13:11, Benjamin Schwartz wrote:
>
> > The draft's opening words are "DNS filtering is widely deployed for
> network
> > security".  This is true, but by far the "widest" deployment of DNS
> > filtering is for authoritarian national censorship, to prevent citizens
> > from engaging with forbidden ideas.
>
> Do you have any data to back this claim up?


According to Freedom House, 64% of Internet users "live in countries where
political, social, or religious content was blocked", and "51% live in
countries where access to social media platforms was temporarily or
permanently restricted". (
https://freedomhouse.org/report/freedom-net/2022/countering-authoritarian-overhaul-internet)
In my experience, DNS-based censorship is used for a majority of these
blocks (often in concert with other methods).

...

> Ok, so for me sub errors are useful as they can give some further
> information
> on why something was blocked, and that information can be conveyed to the
> end user. The EDE categories are rather broad and hence don’t give enough
> information on why exactly a site is blocked. Now we could also use free
> text, which is a problem for people operating in multi language
> environments
> or let each resolver operator pick there own, but maybe some categories
> that
> we all can agree on would be good to put in here.
>
...

I understand the use case, but I'm not sure this is amenable to
standardization.  Here are some lists of categories commonly used for this
kind of filtering:
* Cloudflare:
https://developers.cloudflare.com/cloudflare-one/policies/filtering/domain-categories/
* Cisco Umbrella:
https://docs.umbrella.com/umbrella-user-guide/docs/dns-content-category-settings
* BlueCoat: https://sitereview.bluecoat.com/#/category-descriptions

These lists seem highly subjective, proprietary, dynamic (but also
ossified), contentious, and likely to raise serious ethical issues (e.g.
https://blog.cloudflare.com/the-mistake-that-caused-1-1-1-3-to-block-lgbtqia-sites-today/)
A durable agreement between the many filter operators (to agree on the
classification) and browser vendors (in order to show user-facing error
messages) seems unlikely in general and inappropriate for the IETF
specifically.

If the suberror field is mainly for communication from resolvers to
browsers, then any solution should only move forward if it's satisfactory
to both camps.  I can't speak for either one, but I think the localization
problem sounds easier than the categorization problem.  I can also imagine
using something like a URN scheme registry to punt categorization out to
one or more third parties.

v2.35.0 | Report a Bug | By Email | System Status