Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

Ben Schwartz <bemasc@meta.com> Thu, 09 November 2023 16:46 UTC

From: Ben Schwartz <bemasc@meta.com>
To: "Gianpaolo Angelo Scalone, Vodafone" <Gianpaolo-Angelo.Scalone@vodafone.com>, Tim Wicinski <tjw.ietf@gmail.com>
CC: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Date: Thu, 09 Nov 2023 16:46:48 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JskoqbSflziMmJgQUoRyq91GnPQ>

Thus far, I don't think we've heard from any browser vendors who believe that it would be prudent and worthwhile to display server-generated error pages of this kind to ordinary end-users on their personal devices.  Absent that support, I think it would not be sensible for us to try to develop such a mechanism.

(If such a browser vendor did appear, I would argue against them on both security and human rights grounds.)

--Ben
________________________________
From: Gianpaolo Angelo Scalone, Vodafone <Gianpaolo-Angelo.Scalone@vodafone.com>
Sent: Thursday, November 9, 2023 11:23 AM
To: Tim Wicinski <tjw.ietf@gmail.com>
Cc: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>; Ben Schwartz <bemasc@meta.com>; dnsop@ietf.org <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

Hi Tim, sorry the comment was more for Ben :-) on the consumer users use case.


________________________________
From: Tim Wicinski <tjw.ietf@gmail.com>
Sent: Thursday, November 9, 2023 5:21:09 PM
To: Gianpaolo Angelo Scalone, Vodafone <Gianpaolo-Angelo.Scalone@vodafone.com>
Cc: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>; Ben Schwartz <bemasc@meta.com>; dnsop@ietf.org <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt



Thanks both of you - I knew I was missing this when I hit send.

tim


On Thu, Nov 9, 2023 at 11:20 AM Gianpaolo Angelo Scalone, Vodafone <Gianpaolo-Angelo.Scalone@vodafone.com> wrote:
Hi Tim,
I'm not proposing that the browser shows an https page in any use case, only as a result of an out-of-band request or if received from a well-known service, eventually by creating a service for hosting well-known, high-reputation, static-only blocking pages.
Without this the user remains subject to false positives without being able to request a reclassification, resulting in potentially unwanted censorship...

Gianpaolo


________________________________
From: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
Sent: Thursday, November 9, 2023 5:14:26 PM
To: Tim Wicinski <tjw.ietf@gmail.com>; Ben Schwartz <bemasc@meta.com>
Cc: Gianpaolo Angelo Scalone, Vodafone <Gianpaolo-Angelo.Scalone@vodafone.com>; dnsop@ietf.org <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt



Tim,

The EDE error codes cover that use case already, by allowing the browser to generate that error page, and without requiring the DNS filter to run an HTTP server at all.

--Ben Schwartz
________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Tim Wicinski <tjw.ietf@gmail.com>
Sent: Thursday, November 9, 2023 10:48 AM
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
Cc: Gianpaolo Angelo Scalone, Vodafone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>; dnsop@ietf.org <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt



On Thu, Nov 9, 2023 at 10:02 AM Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:
Note that "mailto" URIs can pre-populate subject and body contents, so information about the specific blocked item and other metadata could be populated automatically.  This seems sufficient for enterprise use cases like allowing employees to tell corporate IT that they are blocking something incorrectly.

HTTP error pages are primarily relevant to end users on personal devices whose access is being blocked by their ISP.   That is not an environment in which it is safe or appropriate for the network to inject block pages.

Ben

In the Enterprise case, the end user does need to see some simple web-based feedback.  My employer's Firewalls throw up a very basic "You can not go to example.com".

tim



--Ben Schwartz
________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Gianpaolo Angelo Scalone, Vodafone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>
Sent: Thursday, November 9, 2023 4:08 AM
To: dnsop@ietf.org <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

Hi,

I still think that a mechanism to reach an HTTPS resource is needed.

Considering the security implications of directly rendering an HTTPS URI, it could be an additional field, to be used by the client:

  *   For out-of-band connection to retrieve the needed page info from resolvers with high reputation that have agreements with the browser
  *   To connect to a high-reputation service (to be created) having the only purpose to host blocking pages on behalf of the various DNS filtering services
     *   This high-reputation service would be defined in a separate RFC
     *   Access criteria and content to be defined
     *   Management criteria to be defined

Having such a service would allow access to high-reputation information about the eventual blocking reason and provide the end user modern methods to understand the blocking or request an amendment in case of false positives.

The mechanism proposed in draft-ietf-dnsop-structured-dns-error-07.txt is a big improvement with respect to the existing situation, but still requires some knowledge that common users may not have and so limits the capability to require amendments only to users well educated on the topic.

With a SIP contact or an EMAIL contact the end user should know what to ask very well; with an HTTPS URI a request to amend the blocking could be populated with the relevant information, empowering also less experienced users (here we are sort of providing a pre-internet solution to an internet problem).

Many countries request filtering of DNS traffic for CSAM or for Adult Content Filtering reasons, so a good way to avoid false positives would provide the population better access to the internet.


Gianpaolo
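
The point made earlier in the thread, that a "mailto" URI can pre-populate the subject and body with the blocked item, shown as an added example that is not part of the original messages or of the draft. The contact address, the function names and the client-side allow-list of header fields are assumptions made for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Assumption: a client policy that accepts only these mailto header fields.
ALLOWED_HFIELDS = {"subject", "body"}

def build_report_uri(contact, blocked_name, reason):
    """Filter side: mailto URI (RFC 6068) pre-populated with the blocked item."""
    subject = f"Blocked in error: {blocked_name}"
    body = f"Blocked name: {blocked_name}\r\nStated reason: {reason}\r\n"
    # safe="" percent-encodes '&', '=', '?', CR and LF, so a value can never
    # introduce an extra header field such as cc or bcc.
    return (f"mailto:{quote(contact, safe='@')}"
            f"?subject={quote(subject, safe='')}&body={quote(body, safe='')}")

def parse_report_uri(uri):
    """Client side: accept only a single-recipient mailto with subject/body."""
    parts = urlsplit(uri)
    if parts.scheme != "mailto":
        raise ValueError("not a mailto URI")
    recipient = unquote(parts.path)
    if recipient.count("@") != 1 or any(c in recipient for c in ",\r\n"):
        raise ValueError("unexpected recipient list")
    fields = {}
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        name = unquote(name).lower()
        if name not in ALLOWED_HFIELDS or name in fields:
            raise ValueError(f"unexpected header field: {name}")
        value = unquote(value)
        if name == "subject" and any(c in value for c in "\r\n"):
            raise ValueError("line break in subject")
        fields[name] = value
    return recipient, fields

if __name__ == "__main__":
    # Constructed sample values.
    uri = build_report_uri("it-helpdesk@corp.example", "shop.example",
                           "Policy & category=malware")
    print(uri)
    print(parse_report_uri(uri))
```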