Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-00.txt

Dan Wing <danwing@gmail.com> Tue, 14 February 2023 22:55 UTC

From: Dan Wing <danwing@gmail.com>
Date: Tue, 14 Feb 2023 14:55:21 -0800
References: <167635627678.44256.10778343991088475054@ietfa.amsl.com>
To: DNSOP WG <dnsop@ietf.org>
In-Reply-To: <167635627678.44256.10778343991088475054@ietfa.amsl.com>
Message-Id: <FA22F8D9-CD65-483D-B181-B626A939BF41@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MS702m0-9QtublxzmAWEnyjGqKk>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-00.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

We incorporated a few suggestions during WG adoption into the WG's -00 version, notably:

- we listed citations for the sub-error codes Malware [RFC5901], Phishing [RFC5901], Spam [RFC4949], and Spyware [RFC4949]
- split the sub-error code for local policy into two separate sub-error codes to allow better differentiation. So it now has DNS operator policy (e.g., the DNS operator imposed certain filtering on their own accord) and network operator policy (e.g., the operator of the network requested the filtering)
- document now requires newly-defined Sub-Errors to cite an IETF-approved document
- as a result of the above change, we removed the sub-error "Abuse" as it didn't have an IETF-approved citation
- added text to better explain changes to RFC8914
- now require that DNS servers never return the "Forged Answer" Extended DNS Error (or a forged DNS answer) if the query indicated the client supports Extended DNS Error (EDE), because doing so prevents returning the RFC8914 Extended DNS Error that better explains the filtering.
- allow "j" and "o" fields to contain UTF-8.
- provide an explanation for handling the language of the error. Negotiating the user's preferred language is another approach suggested by BCP18/RFC2277, but it harms client privacy. The WG probably wants to consider the approach in the document more deeply. This complication is shared with RFC8914's EXTRA-TEXT, but RFC8914 was silent on EXTRA-TEXT's language.

The document is maintained at https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error

side-by-side diff: https://author-tools.ietf.org/iddiff?url1=https://www.ietf.org/archive/id/draft-wing-dnsop-structured-dns-error-page-05.txt&url2=https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-00.txt

-d


> On Feb 13, 2023, at 10:31 PM, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
> 
>        Title           : Structured Error Data for Filtered DNS
>        Authors         : Dan Wing
>                          Tirumaleswar Reddy
>                          Neil Cook
>                          Mohamed Boucadair
>        Filename        : draft-ietf-dnsop-structured-dns-error-00.txt
>        Pages           : 19
>        Date            : 2023-02-13
> 
> Abstract:
>   DNS filtering is widely deployed for network security, but filtered
>   DNS responses lack information for the end user to understand the
>   reason for the filtering.  Existing mechanisms to provide detail to
>   end users cause harm especially if the blocked DNS response is to an
>   HTTPS website.
> 
>   This document updates RFC 8914 by structuring the EXTRA-TEXT field of
>   the Extended DNS Error to provide details on the DNS filtering.  Such
>   details can be parsed by the client and displayed, logged, or used
>   for other purposes.  Other than that, this document does not change
>   anything written in RFC 8914.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
> 
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-00.html
> 
> 
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
> 
> 
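As an added example, not code from the draft or from anyone in this thread, the following Python sketch shows both halves of the rule described in the message above: the server side that refuses to forge an answer (or send EDE "Forged Answer") once the query has signalled EDE support and instead returns a filtering EDE whose EXTRA-TEXT is a JSON object, and the client side that extracts the "j" and "o" members from that object. The wire constants are RFC 8914's (EDNS option code 15; INFO-CODE 4 = Forged Answer, 17 = Filtered). Two things are assumptions of this example rather than something the message states: that a client signals EDE support by placing an empty EDE option in its query, and that the structured EXTRA-TEXT is a single JSON object whose "j" and "o" members are UTF-8 strings. All inputs, including the non-ASCII strings, are constructed test data.

```python
"""Added example: EDE option encoding/decoding with structured EXTRA-TEXT.
Not the draft's code; see the lead-in for the assumptions it makes."""
import json
import struct

# RFC 8914 values.
EDNS_OPT_EDE = 15       # EDNS option code for Extended DNS Error
EDE_FORGED_ANSWER = 4   # INFO-CODE the thread says must not be sent to EDE-aware clients
EDE_FILTERED = 17       # INFO-CODE used here for the filtering explanation

# Assumption of this example: an EDE option with zero-length OPTION-DATA in the
# query is how the client tells the server it understands EDE.
EDE_SUPPORT_SIGNAL = struct.pack("!HH", EDNS_OPT_EDE, 0)


def encode_ede(info_code: int, extra_text: str = "") -> bytes:
    """Serialize one EDE option: OPTION-CODE, OPTION-LENGTH, INFO-CODE, EXTRA-TEXT (UTF-8)."""
    body = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    if len(body) > 0xFFFF:
        raise ValueError("EXTRA-TEXT does not fit a 16-bit OPTION-LENGTH")
    return struct.pack("!HH", EDNS_OPT_EDE, len(body)) + body


def parse_edns_options(rdata: bytes) -> list:
    """Split OPT RDATA into (OPTION-CODE, OPTION-DATA) pairs; reject truncated input."""
    options, i = [], 0
    while i < len(rdata):
        if i + 4 > len(rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack("!HH", rdata[i:i + 4])
        i += 4
        if i + length > len(rdata):
            raise ValueError("EDNS option length exceeds RDATA")
        options.append((code, rdata[i:i + length]))
        i += length
    return options


def decode_ede(option_data: bytes) -> tuple:
    """Return (INFO-CODE, EXTRA-TEXT). Strict UTF-8: malformed bytes raise UnicodeDecodeError."""
    if len(option_data) < 2:
        raise ValueError("EDE option shorter than its 2-byte INFO-CODE")
    (info_code,) = struct.unpack("!H", option_data[:2])
    return info_code, option_data[2:].decode("utf-8")


def parse_structured_extra_text(extra_text: str):
    """Parse EXTRA-TEXT as a JSON object and keep only the "j" and "o" string members.
    Non-object JSON, non-JSON text and members of the wrong type are dropped rather
    than trusted: the resolver is not a trusted party from the client's point of view."""
    try:
        obj = json.loads(extra_text)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    return {k: obj[k] for k in ("j", "o") if isinstance(obj.get(k), str)}


def client_signals_ede(query_opt_rdata: bytes) -> bool:
    """True if the query's OPT RDATA carries the (assumed) EDE-support signal."""
    return any(code == EDNS_OPT_EDE for code, _ in parse_edns_options(query_opt_rdata))


def filtering_decision(query_opt_rdata: bytes, justification: str, organization: str) -> dict:
    """Server side of the rule in the thread. EDE-aware client: no forged answer, no
    EDE 4, a filtering EDE with structured UTF-8 EXTRA-TEXT instead. Legacy client:
    the pre-existing behaviour, a forged answer tagged with EDE 4."""
    if client_signals_ede(query_opt_rdata):
        extra = json.dumps({"j": justification, "o": organization}, ensure_ascii=False)
        return {"forged_answer": False, "ede": encode_ede(EDE_FILTERED, extra)}
    return {"forged_answer": True, "ede": encode_ede(EDE_FORGED_ANSWER)}


def client_explain(response_opt_rdata: bytes):
    """Client side: find the EDE option in the response OPT RDATA and return
    (INFO-CODE, structured fields), or None when the response carries no EDE."""
    for code, data in parse_edns_options(response_opt_rdata):
        if code == EDNS_OPT_EDE:
            info_code, extra = decode_ede(data)
            return info_code, parse_structured_extra_text(extra)
    return None


if __name__ == "__main__":
    # Constructed inputs: one EDE-aware query, one legacy query with no EDE option.
    aware = filtering_decision(EDE_SUPPORT_SIGNAL, "Blocked: 詐欺サイト (phishing)", "Exämple Org")
    legacy = filtering_decision(b"", "Blocked: 詐欺サイト (phishing)", "Exämple Org")
    print("EDE-aware client ->", client_explain(aware["ede"]))
    print("legacy client    ->", legacy["forged_answer"], client_explain(legacy["ede"]))
```

The parser deliberately keeps only string-typed "j" and "o" members and decodes EXTRA-TEXT with strict UTF-8, so a resolver that sends malformed bytes or a non-object JSON payload yields a decode error or an empty field set instead of something the client would render.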