Re: [DNSOP] Fwd: New Version Notification for draft-reddy-dnsop-error-page-00.txt

Wes Hardaker <> Fri, 24 July 2020 14:20 UTC

From: Wes Hardaker <>
To: tirumal reddy <>
Cc: dnsop <>
Date: Fri, 24 Jul 2020 07:19:32 -0700
In-Reply-To: <> (tirumal reddy's message of "Wed, 8 Jul 2020 13:07:41 +0530")
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-reddy-dnsop-error-page-00.txt

tirumal reddy <> writes:

> This draft
> discusses a method to return a URL that explains the reason the DNS
> query was filtered.

Interesting idea.  A couple of points:

1) The document doesn't state where the HTTPS record should go.  I
assume in the additional section (it's not an answer).

2) It doesn't talk about what the name should be for the record.  I
assume it must match the name that was requested (i.e., the question
section name).

3) WRT DNSSEC and this statement:

       but DNSSEC signing and validation
       is not possible for the HTTPS record returning the error page URL
       along with the "Forged Answer" extended error.

   You should probably also insert a MUST / MUST NOT about these errors
   and how they must only come from the resolver the client is talking
   to and must not be forwarded from something upstream (double hops
   provide no trust in DoH (or any other secured transport) without
   DNSSEC or some other signing mechanism).

Wes Hardaker
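The following is an added illustration of points 1 and 2 above, written for this page; it is not code from the draft, from Wes, or from any resolver. It parses a DNS response from wire format (pure standard library, no dnspython) and accepts an error-page HTTPS record only if the response carries the "Forged Answer" extended error, the HTTPS record sits in the additional section rather than the answer section, and its owner name equals the question name. The assumptions are exactly Wes's two: additional section placement and owner == qname. RFC 8914 defines the EDE option code (15) and the Forged Answer info-code (4); the HTTPS RR type is 65 (RFC 9460). How the draft encodes the page URL inside the record's SvcParams is not reproduced here, so the record's SvcParams are left opaque and only its TargetName is returned. Point 3 (the record must come from the resolver the client is actually talking to, not from an upstream hop) cannot be verified from the message bytes at all, which is the reason Wes ties it to DNSSEC or another signing mechanism; it is therefore deliberately not a check in this code. The sample response is constructed in `build_sample`, not captured traffic.

```python
import struct

EDNS_OPT = 41          # OPT pseudo-RR type (RFC 6891)
TYPE_HTTPS = 65        # HTTPS RR type (RFC 9460)
EDE_OPTION_CODE = 15   # Extended DNS Error EDNS option (RFC 8914)
EDE_FORGED_ANSWER = 4  # RFC 8914 extended error code "Forged Answer"


def encode_name(name):
    """Wire-encode a dotted name without compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # bounds the walk so a pointer loop cannot hang us
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("malformed name or pointer loop")
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def parse_rrs(msg, off, count):
    rrs = []
    for _ in range(count):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return rrs, off


def parse_message(msg):
    """Split a DNS response into its question and three RR sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    answer, off = parse_rrs(msg, off, an)
    authority, off = parse_rrs(msg, off, ns)
    additional, off = parse_rrs(msg, off, ar)
    return {"flags": flags, "question": questions, "answer": answer,
            "authority": authority, "additional": additional}


def ede_codes(additional):
    """Extended error info-codes carried in the OPT record, if any."""
    codes = []
    for name, rtype, _, _, rdata in additional:
        if rtype != EDNS_OPT or name != ".":
            continue
        off = 0
        while off + 4 <= len(rdata):
            ocode, olen = struct.unpack("!HH", rdata[off:off + 4])
            off += 4
            if ocode == EDE_OPTION_CODE and olen >= 2:
                codes.append(struct.unpack("!H", rdata[off:off + 2])[0])
            off += olen
    return codes


def https_target(rdata):
    """TargetName of an HTTPS RR (SvcPriority skipped, SvcParams left opaque)."""
    return decode_name(rdata, 2)[0]  # TargetName is never compressed


def accept_error_page(msg):
    """Return (accepted, detail); accepted only when every check passes."""
    m = parse_message(msg)
    if not m["question"]:
        return False, "no question section"
    qname = m["question"][0][0]
    if EDE_FORGED_ANSWER not in ede_codes(m["additional"]):
        return False, "no Forged Answer extended error"
    if any(rr[1] == TYPE_HTTPS for rr in m["answer"]):
        return False, "HTTPS record in answer section; expected additional"
    for name, rtype, _, _, rdata in m["additional"]:
        if rtype == TYPE_HTTPS:
            if name != qname:
                return False, f"HTTPS owner {name} != question name {qname}"
            return True, https_target(rdata)
    return False, "no HTTPS record in additional section"


def build_sample(https_in_answer=False, owner="blocked.example.", with_ede=True):
    """Constructed response for blocked.example./A (assumed names, not captured)."""
    https_rdata = struct.pack("!H", 1) + encode_name("errorpage.example.")
    https_rr = (encode_name(owner)
                + struct.pack("!HHIH", TYPE_HTTPS, 1, 300, len(https_rdata))
                + https_rdata)
    text = b"Filtered by policy"
    ede = (struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), EDE_FORGED_ANSWER)
           + text) if with_ede else b""
    opt_rr = b"\x00" + struct.pack("!HHIH", EDNS_OPT, 4096, 0, len(ede)) + ede
    an = 1 if https_in_answer else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, an, 0, 2 - an)
    question = encode_name("blocked.example.") + struct.pack("!HH", 1, 1)
    body = https_rr + opt_rr if https_in_answer else https_rr + opt_rr
    return header + question + body


if __name__ == "__main__":
    for kw in ({}, {"https_in_answer": True}, {"owner": "other.example."},
               {"with_ede": False}):
        print(kw, accept_error_page(build_sample(**kw)))
```

Running the block prints one accepted case and three rejections: the record in the answer section, the record under a name other than the question name, and a response without the Forged Answer extended error. A real stub would run these checks before ever showing the user a URL, and would still have no way to tell a forwarded record from one the resolver itself generated, which is Wes's third point.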