[DNSOP] Re: AD review of draft-ietf-dnsop-structured-dns-error
tirumal reddy <kondtir@gmail.com> Sun, 13 April 2025 09:25 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C735F1B56F07 for <dnsop@mail2.ietf.org>; Sun, 13 Apr 2025 02:25:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C18tWh1FB7qc for <dnsop@mail2.ietf.org>; Sun, 13 Apr 2025 02:25:40 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A13AD1B56F00 for <dnsop@ietf.org>; Sun, 13 Apr 2025 02:25:40 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id a640c23a62f3a-ac345bd8e13so576801866b.0 for <dnsop@ietf.org>; Sun, 13 Apr 2025 02:25:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1744536339; x=1745141139; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ELMkirwRVS7LxrOoxai0xjamTgfmdi9n2u4gERotyEk=; b=Y4khhQscgdcLJB0Ef0yUKMkweUUMk3k50u/Inrx61HV/VH7h9MNThOZ2U5j4eU+U3E +blXNraedfXO3XbaQgdlMIFYU5kiwCfHRs4d4eKTMmpRY36FBpcxQabUSN41fMu9JB0Y uCFJ+JOknlGage9Da+r6dsGm427ieqM9obLUKL1zYQhpPxNPF9OB9bMW52yQEDRVBbrr X/CQVj91e578LVRwl0zg2OnBXGb+yywgahR5wF8+yLgegsyYR2zf9yAOg4YX/9rM8wqE vSSnBKXxnYd0GbtKNBz+BZqnWO882dfCOsVNEywe9ua/wAvkAXC23W4lsgjyCMRpYw5n h1rw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744536339; x=1745141139; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ELMkirwRVS7LxrOoxai0xjamTgfmdi9n2u4gERotyEk=; b=abhYC/vi1EEZ28NX0psIXN3vG1dN7qbM6utsDyC9N2l9VkvjRYIvmt4L/78gvpbAmk Qb6YLuIBkal3WxbjysAvnJ9NqSDQYf38wQxyBfQarXTf51qL0e5wnRVVA4nPkx1z1d0h Ql8jM9g4HGz5PTg1kJSHJm+j+gjZhKK9Fcb6YdJje9kvR3tvPETrzlNcqJINZ0khWGeU wMF38acmNvBYzy6iS58VYxxgsL5mpWIUtGd4yeET+T8pEJboYMES/Elm2UaD95vPziU0 cTKBd3AdwEmZ6brNylrNNuKJM+bSi/M06CtIfAZ0ukHMFfdK15cbz3VwLzJylb1kjPvN Io6w==
X-Gm-Message-State: AOJu0YzzUsfLz0YiTxmQEq9+UfkHWpRUqG5t4HXQjqfT+pS96whToTdg lQPpxUwEX6OSTwU2+5m4QSvo9HL7jw/26WyK4/Em8Qdz0FvD82VPiYOvajXvNmi/B58SsnX8DTF wznJnpVIBBs+RkJp8CL4LnEsI/wI=
X-Gm-Gg: ASbGncu+9+PyiMCtqGLzddsF2+uqO3a514OJAxKXqWzUNSbX+Yj5NgZTaVnYDFEFy7i WG/bSIO3fqOScpd7fsJ1kXo6CW+grHdiz8ZV28kwquAF0iem2Obf5lsUyiQeoV6I8AWBwLqyOXQ ODv8o5CgjjLmNM+Ttuz8b8YQ==
X-Google-Smtp-Source: AGHT+IFEXgbX1/6VNwpO/hLbXpMSN/2HgdogakeB5Fq4FTs+m/ns4yH8kfBo/dvlDejP/eS7qrvZdV6kkfPgELaSdyY=
X-Received: by 2002:a17:907:1c07:b0:ac7:ed27:974 with SMTP id a640c23a62f3a-acad3495f08mr821444766b.20.1744536339156; Sun, 13 Apr 2025 02:25:39 -0700 (PDT)
MIME-Version: 1.0
References: <PH0PR11MB4966F72BAF1F83E3F80D7C0EA9A92@PH0PR11MB4966.namprd11.prod.outlook.com> <CAFpG3gc2sojMQb+joC82nLxjU-4daJzDoJgdyub8h0NXC6G7jg@mail.gmail.com> <PH0PR11MB49667337AF2C5A63D2080C40A9B12@PH0PR11MB4966.namprd11.prod.outlook.com>
In-Reply-To: <PH0PR11MB49667337AF2C5A63D2080C40A9B12@PH0PR11MB4966.namprd11.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Sun, 13 Apr 2025 14:55:01 +0530
X-Gm-Features: ATxdqUFt9EkXi5yxFxnwwtyxvBJg1GHzyoaDVmMxmCRyF3MUxaGQsKzyrGxfIOk
Message-ID: <CAFpG3gfqWKYs0w+2rVgF_iMNUcyA91rsdmtqjz8_GaT4GNHFrA@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Content-Type: multipart/alternative; boundary="000000000000cb16280632a58425"
Message-ID-Hash: QWJNIRJXTZP6OR7Q4DJZQ4DLYIZOXQ6X
X-Message-ID-Hash: QWJNIRJXTZP6OR7Q4DJZQ4DLYIZOXQ6X
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org" <dnsop@ietf.org>, "danwing@gmail.com" <danwing@gmail.com>, "neil.cook@noware.co.uk" <neil.cook@noware.co.uk>, Mohamed Boucadair <mohamed.boucadair@orange.com>, "benno@NLnetLabs.nl" <benno@nlnetlabs.nl>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: AD review of draft-ietf-dnsop-structured-dns-error
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/U_nNRzzfaOiysQ_g8rcjtta1PNk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
On Sat, 12 Apr 2025 at 11:04, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote: > Tiru and other authors, > > > > Thanks for your reply and for the revised I-D. As noted below, some points > of the AD review were either not addressed at all or I still have > suggestions. > We addressed the pending issues, please see https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-12.html Best Regards, -Tiru > > > Nevertheless, I am proceeding with the IETF Last Call, i.e., you may > consider my AD review comments as a community review during the IETF Last > Call. > > > > Regards > > > > -éric > > > > > > > > *From: *tirumal reddy <kondtir@gmail.com> > *Date: *Monday, 7 April 2025 at 16:25 > *To: *Eric Vyncke (evyncke) <evyncke@cisco.com> > *Cc: *dnsop@ietf.org <dnsop@ietf.org>, danwing@gmail.com < > danwing@gmail.com>, neil.cook@noware.co.uk <neil.cook@noware.co.uk>, > Mohamed Boucadair <mohamed.boucadair@orange.com>, benno@NLnetLabs.nl < > benno@nlnetlabs.nl> > *Subject: *Re: AD review of draft-ietf-dnsop-structured-dns-error > > Hi Eric, > > > > Thanks for the review. Please see inline > > > > On Fri, 4 Apr 2025 at 17:27, Eric Vyncke (evyncke) <evyncke@cisco.com> > wrote: > > Dear authors, dear shepherd, DNSOP WG, > > > > As Mohamed ‘Med’ Boucadair is now the responsible AD for DNSOP, he passed > me the role of responsible AD for this I-D :-) Therefore, here is my own AD > review. Before proceeding with the publication process (IETF Last Call and > the IESG evaluation), I request to have all points below addressed, i.e., > by changing the text, by replying by email wit explanations, ... (Feel free > to reject my comments as long as you explain why). > > > > Benno, the shepherd’s write-up needs to be revised: > > 1. In point 1), there is an unfinished sentence “The status of > Proposed Standard will” > > 2. Change the responsible AD to a guy name “Éric Vyncke” ;-) > > > > ### Section 1 > > > > I am unsure whether firewalls and IPS do use DNS filtering rather than > content inspection. > > > > DNS filtering is also done by firewalls and IPS. For instance, by-pass > content inspection for domains with low security risk score. > > > > > > Is it worth defining “Users of DNS service”, is it the app or the user > using the app ? The text also uses “end user”, is the same human being ? > > > > Fixed text, please see > https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error/pull/59 > > > > > > ` the DNS server`is a little ambiguous here, should it rather be > “recursive DNS resolver“ ? > > > > It could be either a DNS resolver or DNS forwarder. > > > > EVY> suggest to explicitly write so in the I-D > > > > ### Section 3 > > > > ` In order to return a block page over HTTPS, man in the middle (MITM)` > should “without triggering an invalid TLS server authentication” be added ? > Please refrain from using “MITM”, favor “on path attack” or simply > “interception” in this case. > > > > Fixed text, please see > https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error/pull/59 > > > > > > ` The HTTPS server will have access` unsure which HTTPS server is referred > to... is it the expected or the spoofed reply servers ? > > > > The HTTP server hosted on the network security device, fixed text. > > > > > > s/Enterprise networks do not assume/Enterprise networks do not always > assume/ > > > > Should there be text in the DNSSEC bullet that if the filtering DNS server > is also the DNSSEC validator, then all is good ? > > > > Good point, updated text. > > > > > > Should bullet (4) be merged in bullet (3) ? > > > > Yes, merged. > > > > > > ### Section 4 > > > > Does this text add any value ` Note that [RFC7493 > <https://www.rfc-editor.org/rfc/rfc7493>] was based on [RFC7159 > <https://www.rfc-editor.org/rfc/rfc7159>], but [RFC7159 > <https://www.rfc-editor.org/rfc/rfc7159>] was replaced by [RFC8259 > <https://www.rfc-editor.org/rfc/rfc8259>].`? > > > > Yes, it helps when going through RFC7493 to refer to RFC8259 instead of > RFC7159 (RFC7493 refers to RFC7159) . > > > > > > s/ This field is structured as an array of contact URIs, using/ This field > is structured as an array of contact URIs that MUST use/ ? > > > > Fixed. > > > > > > Can the “l” name occur in the absence of “j” or “o” names ? > > > > "j" is a mandatory field, so "l" cannot occur without it. > > > > As I live in a country with 3 (+ English) languages, I sincerely regret > that only one language can be used... IMHO, “j” should be an array of > <language, text> especially when the end user is residential. > > > > The idea is if the language is known, it could be translated by the client > to the end-user's native language. > > (My country has 22 national languages :)) > > > > EVY> Oh man... you beat me flat there ;-) > > EVY> suggest adding some text around it even if I still would prefer an > array of languages. > > > > Did the WG consider using a single URI pointing to a possibly larger JSON > file ? > > > > Did the WG consider using CBOR for encoding ? It may be useful to justify > in the I-D why JSON was preferred to CBOR. > > > > JSON is already used by DNS (see RFC8427) and the spec mandates DoT, DoH > or DoQ, fragmentation is not an issue over these transports. > > > > EVY> OK, the justification is good > > > > ### Section 5.2 > > > > S/ A or AAAA record query/ A or AAAA resource record query/ > > > > Fixed. > > > > EVY> actually not fixed... > > > > > > The 2 seconds for TTL seems very short to me. I would avoid using this > value even as an example. > > > > Okay, replaced with 10 seconds. > > > > > > ### Section 5.3 > > > > As the I-D states `following ordered actions`, please use a numbered list. > > > > Thanks, updated. > > > > > > Also, I wonder about the actual order as the channel considerations should > probably be first, before the JSON syntax. > > > > #1 discusses implementations that both support and do not support this > specification. If the input is not valid JSON, subsequent steps will be > skipped. > > > > > > In ` If the "c" field contains any URI scheme not registered in the Section > 10.3 > <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-structured-dns-error-10#IANA-Contact> registry, > it MUST be discarded` it is unclear what the “it” refers to. > > > > Fixed. > > > > > > s/ In such a case, the content of the "c" attribute can be ignored/ In > such a case, the content of the "c" attribute MAY be ignored/ > > > > Fixed. > > > > > > The last two bullets (DNS forwarder and app) are not really part of this > list but should probably appear as stand alone. > > > > Yes, added a new section (see > https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error/pull/62 > ) > > > > > > ### Section 6 > > > > Is worth explaining why value = 0 is there and why there are no values for > 1 to 4 ? > > > > 1 to 4 are reserved for other error codes, please see Section 10.4 > > > > > > ### Section 7 > > > > It is unclear whether the original reply is forwarded as it is received, > i.e., is the information specified in this document also forwarded ? > > > > Yes, the EXTRA-TEXT field is forwarded to the DNS client. Updated text for > clarity. > > > > > > ### Section 10.1 > > > > I am not an application expert, but is this registration required ? > > > > Good catch, it is not required, removed the section. > > > > > > ### References > > > > draft-ietf-add-ddr-10 is now RFC 9642 > > > > draft-ietf-add-resolver-info-13 is now RFC 9606 (the authors should know > ;-) ) > > > > Yes, fixed all above :) > > > > > > DNS terminology is no more RFC 8499 but RFC 9499 > > > > Fixed. > > > > Cheers, > > -Tiru > > > > > > > > > > > >
- [DNSOP] AD review of draft-ietf-dnsop-structured-… Eric Vyncke (evyncke)
- [DNSOP] Re: AD review of draft-ietf-dnsop-structu… tirumal reddy
- [DNSOP] Re: AD review of draft-ietf-dnsop-structu… Eric Vyncke (evyncke)
- [DNSOP] Re: AD review of draft-ietf-dnsop-structu… tirumal reddy
- [DNSOP] Re: AD review of draft-ietf-dnsop-structu… Eric Vyncke (evyncke)
- [DNSOP] Re: AD review of draft-ietf-dnsop-structu… Benno Overeinder