Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-08.txt
Wes Hardaker <wjhns1@hardakers.net> Tue, 10 September 2019 03:44 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C5881200F5 for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 20:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epl3ybNmKfRN for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 20:44:47 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBCC71200BA for <dnsop@ietf.org>; Mon, 9 Sep 2019 20:44:46 -0700 (PDT)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id 7E6C2234ED; Mon, 9 Sep 2019 20:44:46 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Cc: Wes Hardaker <wjhns1@hardakers.net>, dnsop@ietf.org
References: <156541541443.1807.17639675157921847600@ietfa.amsl.com> <yblblwwhmq3.fsf@w7.hardakers.net> <319120265.868.1567600269990@appsuite-gw1.open-xchange.com>
Date: Mon, 09 Sep 2019 20:44:46 -0700
In-Reply-To: <319120265.868.1567600269990@appsuite-gw1.open-xchange.com> (Vittorio Bertola's message of "Wed, 4 Sep 2019 14:31:09 +0200 (CEST)")
Message-ID: <ybla7bcak7l.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PhjtAwMkrBgTM4wtW4Uxk53k3es>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-08.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2019 03:44:49 -0000
Vittorio Bertola <vittorio.bertola@open-xchange.com> writes: > > Il 10 agosto 2019 20:57 Wes Hardaker <wjhns1@hardakers.net> ha scritto: > > > > 4) Now that this has had multiple implementations (though they'll need > > to change after the packet format and code changes [that they > > requested]), this is likely ready for last call after passing through > > the document for nits and addressing any last comments raised. > > Given some recent discussions on the ADD list, I think that it could > make sense to add a third error code for DNS filtering. Currently, the > draft has these two: Hi Vittorio, I've included responses and actions to your suggestions below. 10 Sep 4 Vittorio Bertola ========================= 10.1 DONE Add another blocked error ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Given some recent discussions on the ADD list, I think that it could make sense to add a third error code for DNS filtering. Currently, the draft has these two: 4.16. Extended DNS Error Code 15 - Blocked The resolver attempted to perfom a DNS query but the domain is blacklisted due to a security policy implemented on the server being directly talked to. 4.17. Extended DNS Error Code 16 - Censored The resolver attempted to perfom a DNS query but the domain was blacklisted by a security policy imposed upon the server being talked to. Note that how the imposed policy is applied is irrelevant (in- band DNS somehow, court order, etc). There is however a third case, which is "blocked by user request". The three cases differ on who made the decision to filter, i.e.: - code 15 is for when the recursor blocks stuff that its own operator dislikes; - code 16 is for when the recursor blocks stuff that public authorities dislike; - the third code would be for when the recursor blocks stuff that the user (the entity that acquired the service) dislikes, e.g. for parental control, destinations not suitable for work, etc. + Response: I think the idea of a "you requested we block this" makes sense, so I'll add that one 10.2 WONTDO you requested blocking ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There was also some discussion on whether these error codes could be accompanied by a URL that the client device can use to display a human-readable explanation to the user, which would be a cleaner solution than the current practice of giving to the client a positive response, but with the IP address of a local web server instead of the original one (a practice that doesn't work well with HTTPS anyway). This has many security caveats, and could only work with an authenticated, trusted resolver (which is anyway true of the above error codes in themselves, since an adversarial recursor could just lie on the reason for blocking or even on the fact that it is actually blocking something). It is really too early to say whether this could work or whether it would actually be implemented, and also, on transports other than DoH, I'm not sure if applications could ever access this information. Still, perhaps a note on whether EXTRA-TEXT could bear structured information for certain error codes, and how this mechanism could be later defined, could be useful. + Response: I don't think we want to get into how log messages should be delivered. If an implementation wants to put a URL in the additional information, that certainly would make sense. But the Web does not equal the internet, and figuring out how to do it for everything is not easily possible. -- Wes Hardaker USC/ISI
- [DNSOP] I-D Action: draft-ietf-dnsop-extended-err… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Shane Kerr
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Vittorio Bertola
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Vladimír Čunát
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Wes Hardaker
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Petr Špaček
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended… Vladimír Čunát