[DNSOP] Re: Comments from IETF Last Call about draft-ietf-dnsop-structured-dns-error

David Adrian <davadria@umich.edu> Fri, 09 May 2025 00:49 UTC

References: <PH0PR11MB49666C9FAA1DC4C04EB7AEDBA98E2@PH0PR11MB4966.namprd11.prod.outlook.com> <6.2.5.6.2.20250508041105.13c2cd10@elandnews.com> <6.2.5.6.2.20250508044326.1859c340@elandnews.com>
In-Reply-To: <6.2.5.6.2.20250508044326.1859c340@elandnews.com>
From: David Adrian <davadria@umich.edu>
Date: Thu, 08 May 2025 20:48:49 -0400
Message-ID: <CACf5n79O4Mv0RNELnvsmgKqTf6Ef1ZveOpdkr4UBh3ZZquti+w@mail.gmail.com>
To: S Moonesamy <sm+ietf@elandsys.com>
CC: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, dnsop@ietf.org
Subject: [DNSOP] Re: Comments from IETF Last Call about draft-ietf-dnsop-structured-dns-error
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OuxqN4A03KbRh4624URBKtBpE3c>

Hi all,

> More generally, I think we should hear from some client vendors (browsers
> or otherwise)
> about what they want here, prior to standardizing anything in this space.

Apologies for the delay in responding from the perspective of a browser
vendor (Chrome).

The use case we would like to see in Chrome is to basically duplicate what
is done on the search results page for DMCA, but for DNS resolution errors
caused by legal blocking. I don't have images on hand, but on an, e.g.,
Google search results page where some results have been removed due to
DMCA, it says at the bottom something along the lines of "Some search
results have been removed due to a DMCA request. See more information at
the request at Lumen Database [link-to-lumen]".

The link to Lumen is roughly of the form
https://lumendatabase.org/notices/$id, e.g.
https://lumendatabase.org/notices/51783697.

We would like to duplicate this on the NXDOMAIN error page in the browser,
for EDEs of BLOCKED or CENSORED. Lumen Database already has information
about legal requests that block the resolution of certain names in certain
regions, and graciously allows us to link to them. The current plan is to
use Mark Nottingham's Public Resolver Errors draft to do so. We see the
preregistration of link URLs to resolver names as a way to mitigate the
risk of allowing arbitrary attacker controlled user-facing messages on
error pages.

We don't have any real stake in any specific approach, other than:
- We want to render a link
- We do not want to be able to render arbitrary links
- We do not want to render arbitrary attacker-controlled strings in
otherwise trusted UI.

-dadrian



On Thu, May 8, 2025 at 7:51 AM S Moonesamy <sm+ietf@elandsys.com> wrote:

> Hi Eric,
>
> I made a mistake when I typed the URL.  The correct one is
> http://r.elandsys.com/r/57132 Sorry about that.
>
> Regards,
> S. Moonesamy
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>
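The three requirements at the end of David Adrian's message (render a link, never an arbitrary link, never an arbitrary attacker-controlled string in trusted UI) can be written down as a small client-side policy. The following is an added example, not code from the draft, from Chrome, or from anyone on this thread. The EDE wire format (EDNS option code 15, a 2-byte INFO-CODE followed by UTF-8 EXTRA-TEXT) and the Blocked (15) and Censored (16) codes come from RFC 8914; the `LINK_REGISTRY` table, the resolver names, and the convention that EXTRA-TEXT carries only a decimal notice id are assumptions constructed for this example, modelled on the preregistration of link URLs to resolver names that the message describes.

```javascript
// Added example, not the draft's, Chrome's, or the author's code.
// Policy: on a resolution failure carrying EDE Blocked/Censored, show a link only if
// the responding resolver is preregistered and the link stays inside that resolver's
// registered URL prefix. Free-form EXTRA-TEXT is never rendered as UI text.

// RFC 8914: EDNS option code 15; payload = 2-byte INFO-CODE + UTF-8 EXTRA-TEXT.
const EDE_OPTION_CODE = 15;
const EDE_BLOCKED = 15;
const EDE_CENSORED = 16;

// Parse the EDE option payload (the bytes after the EDNS option-code/length fields).
function parseEdeOption(payload) {
  if (payload.length < 2) throw new Error('EDE payload too short');
  const infoCode = (payload[0] << 8) | payload[1];
  // Decode strictly: malformed UTF-8 is rejected rather than passed on to the UI layer.
  const extraText = new TextDecoder('utf-8', { fatal: true }).decode(payload.subarray(2));
  return { infoCode, extraText };
}

// Constructed registry (assumption): resolver identity -> URL prefix the browser may link to.
const LINK_REGISTRY = new Map([
  ['resolver.example', 'https://lumendatabase.org/notices/'],
]);

// Only a short decimal notice id is accepted from the untrusted EXTRA-TEXT (assumption).
const NOTICE_ID = /^[0-9]{1,12}$/;

// Returns { href, label } for the error page, or null when no link may be shown.
function errorPageLink(resolverName, ede) {
  if (ede.infoCode !== EDE_BLOCKED && ede.infoCode !== EDE_CENSORED) return null;
  const prefix = LINK_REGISTRY.get(resolverName);
  if (prefix === undefined) return null;            // unknown resolver: no link at all
  if (!NOTICE_ID.test(ede.extraText)) return null;  // anything else in EXTRA-TEXT is dropped
  const href = prefix + ede.extraText;
  // Defence in depth: the assembled URL must still sit on the registered origin.
  if (new URL(href).origin !== new URL(prefix).origin) return null;
  return {
    href,
    // Fixed, browser-owned wording; nothing from the DNS response is shown as text.
    label: ede.infoCode === EDE_BLOCKED
      ? 'This name was blocked by your resolver (see notice)'
      : 'This name was censored in your region (see notice)',
  };
}

// Helper to build a constructed EDE option payload for the samples below.
function buildEdePayload(infoCode, extraText) {
  const text = new TextEncoder().encode(extraText);
  const out = new Uint8Array(2 + text.length);
  out[0] = infoCode >> 8;
  out[1] = infoCode & 0xff;
  out.set(text, 2);
  return out;
}

// Three constructed responses: a valid notice id, an attacker-supplied URL in
// EXTRA-TEXT, and a Blocked answer from a resolver that is not preregistered.
function demo() {
  const ok = errorPageLink('resolver.example',
    parseEdeOption(buildEdePayload(EDE_CENSORED, '51783697')));
  const bad = errorPageLink('resolver.example',
    parseEdeOption(buildEdePayload(EDE_CENSORED, 'https://attacker.example/notice')));
  const unknown = errorPageLink('other.example',
    parseEdeOption(buildEdePayload(EDE_BLOCKED, '1')));
  return { ok, bad, unknown };
}

console.log(demo());
```

The two rejections in `demo()` are the point: the second response would have rendered an arbitrary link if EXTRA-TEXT were trusted, and the third would have let any resolver, preregistered or not, put a link on the error page. Whether the notice id travels in EXTRA-TEXT or in a separate field is a design choice the thread has not settled; the check shape (fixed label, registered prefix, validated id) is the same either way.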