IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

Tim Wicinski <tjw.ietf@gmail.com> Thu, 09 November 2023 15:48 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56BC6C18FCB8 for <dnsop@ietfa.amsl.com>; Thu, 9 Nov 2023 07:48:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6O85we8FYdtr for <dnsop@ietfa.amsl.com>; Thu, 9 Nov 2023 07:48:30 -0800 (PST)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A953C18FCB6 for <dnsop@ietf.org>; Thu, 9 Nov 2023 07:48:30 -0800 (PST)
Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-9d2e6c8b542so170960066b.0 for <dnsop@ietf.org>; Thu, 09 Nov 2023 07:48:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699544908; x=1700149708; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Vrk/cx6DwdNAcA5plMExOxpwWIvRBBIyEv7jvEWHOI0=; b=PU1T2csMmbNZx04OmNEi2Lz4KAsZ3aBsUxN2a8bTHCn9OaWfxbX/48j7h0Lf6vAkTg 2oDoZNkSlHlMGy6pEuepQoJd2XNp62zjmOOGAjYdgeHQ9qjIJa9bCck8kvukX6WR54ES 87xUQSJS5Z+/+2CvGoPVV1aoyYkIJwEeAx8EZ2xmAwQ5+ts6c+/tzrC08qfaNFeT5WI8 FCIj2tdjA+2TlAB10h2wZj+7OBIiykcOg7kGCpEQOZMAWhBLdQwicyuVG2CtOHz20I7z YKHKdHWNOmYvcvQWFl1R/Z8ZEBSPTGmbQu9zkNebQiACz/ioiBKL4TAeWq/U8mZp0EuA m0pQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699544908; x=1700149708; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Vrk/cx6DwdNAcA5plMExOxpwWIvRBBIyEv7jvEWHOI0=; b=esgdrvTPif+8EgIPwF/L/UZ03Cgk3QKDiC/TaOwbjSJ/99EJpP4YHiWogJH7radhb7 y4Dy5xToa62ggMsmD1VgRNB/oIunFBwXKvUUZRQF1txs2uJuYoq16XC3mC5nyfdLbELM 6aXSU/fhOHzC3wR/g+2srQXaNuoyMbKSl6xI8gFJxogoiVWggRpefNBKohE3GwHlmxmG r6hBiTfeDGPbjUt4xSkwoTNwTZxrweNXmwKQIFyPQId1andxbv40oEO4hqxSZrL9mFX6 QwiPWVxOeqKbQ/e4ALVgFMnmQu+UY0w8Kyg0JAO270ZLM3bAap9D2RxK3LMgiT3VX00H UMGw==
X-Gm-Message-State: AOJu0YyhHvwLopfB23i8voJ39n8kTwF8JLjkHKtzo+UnCi7T1y79szEj n29OauqbCahFvyAwfgMo0MKsXCRKifJo1GdYq54=
X-Google-Smtp-Source: AGHT+IGMS0d83qZQEHmUgtpn+STqy+cyhwOqC6edKE8inrhGTyU7UArtSL1xMAn6yGauQvKEdJsW/3c4VIt1p7EhvyQ=
X-Received: by 2002:a17:907:6088:b0:9dd:79ce:fc72 with SMTP id ht8-20020a170907608800b009dd79cefc72mr4742037ejc.71.1699544908333; Thu, 09 Nov 2023 07:48:28 -0800 (PST)
MIME-Version: 1.0
References: <DB9PR05MB8473EE94D86348FF1E8207EAA3AFA@DB9PR05MB8473.eurprd05.prod.outlook.com> <BN8PR15MB32817912282A69869281090DB3AFA@BN8PR15MB3281.namprd15.prod.outlook.com>
In-Reply-To: <BN8PR15MB32817912282A69869281090DB3AFA@BN8PR15MB3281.namprd15.prod.outlook.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 09 Nov 2023 10:48:16 -0500
Message-ID: <CADyWQ+FtytyMmwzBjvW=upDzC1HCbfUXOyD6sEyDK5dr5gQfMw@mail.gmail.com>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
Cc: "Gianpaolo Angelo Scalone, Vodafone" <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008a88860609ba2225"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QkuNAdfG0KqZUmZhIhfVOSw4KM4>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2023 15:48:32 -0000

On Thu, Nov 9, 2023 at 10:02 AM Ben Schwartz <bemasc=
40meta.com@dmarc.ietf.org> wrote:

> Note that "mailto" URIs can pre-populate subject and body contents, so
> information about the specific blocked item and other metadata could be
> populated automatically.  This seems sufficient for enterprise use cases
> like allowing employees to tell corporate IT that they are blocking
> something incorrectly.
>
> HTTP error pages are primarily relevant to end users on personal devices
> whose access is being blocked by their ISP.   That is not an environment in
> which it is safe or appropriate for the network to inject block pages.
>

Ben

In the Enterprise case , the end user does need to see some simple web
based feedback.  My employer's Firewalls throw up a very basic "You can not
go to example.com".

tim



> --Ben Schwartz
> ------------------------------
> *From:* DNSOP <dnsop-bounces@ietf.org> on behalf of Gianpaolo Angelo
> Scalone, Vodafone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>
> *Sent:* Thursday, November 9, 2023 4:08 AM
> *To:* dnsop@ietf.org <dnsop@ietf.org>
> *Subject:* Re: [DNSOP] I-D Action:
> draft-ietf-dnsop-structured-dns-error-07.txt
>
> Hi, I still think that a mechanism to reach an HTTPS resource is needed.
> Considering the security implications of rendering directly an HTTPS URI,
> It could be an additional field, to be used by the client For out of band
> connection to retrieve
>
> Hi,
>
> I still think that a mechanism to reach an HTTPS resource is needed.
>
> Considering the security implications of rendering directly an HTTPS URI,
>
> It could be an additional field, to be used by the client
>
>    - For out of band connection to retrieve the needed page info from
>    resolvers with high reputation that have agreements with the browser
>    - To connect to an high reputation service (to be created) having the
>    only purpose to host blocking pages on behalf of the various DNS filtering
>    services
>       - This high reputation service would be defined in a separated RFC
>       - Access criteria and content to be defined
>       - Management criteria to be defined
>
>
>
> Having such a service would allow to access high reputation information
> about the eventual blocking reason and provide the end user modern methods
> to understand the blocking or request an amendment in case of false
> positives.
>
>
>
> The mechanism proposed in draft-ietf-dnsop-structured-dns-error-07.txt is
> a big improvement respect the existing situation, but still requires some
> knowledge that common users may not have and so limit the capability to
> require amendments only to users well educated on the topic.
>
> With a SIP contact or an EMAIL contact the end user should know what to
> ask very well, with an HTTPS URI a request to amend the blocking could be
> populated with the relevant information, empowering also less experienced
> users (here we are sort of providing a pre internet solution to an internet
> problem).
>
>
>
> Many countries request filtering of DNS traffic for CSAM or for Adult
> Content Filtering reasons, so a good way to avoid false positives would
> provide the population a better access to internet.
>
>
>
> Gianpaolo
>
>
>
> C2 General
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email