IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy

Benjamin Schwartz <ietf@bemasc.net> Tue, 18 April 2023 11:11 UTC

Return-Path: <benjamin.m.schwartz@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94AEFC16B5D4; Tue, 18 Apr 2023 04:11:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.549
X-Spam-Level:
X-Spam-Status: No, score=-1.549 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Br7hp6Jc9U9w; Tue, 18 Apr 2023 04:11:45 -0700 (PDT)
Received: from mail-vs1-f47.google.com (mail-vs1-f47.google.com [209.85.217.47]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 637CAC16B5BF; Tue, 18 Apr 2023 04:11:45 -0700 (PDT)
Received: by mail-vs1-f47.google.com with SMTP id x20so4028871vss.0; Tue, 18 Apr 2023 04:11:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681816304; x=1684408304; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=itlZEMuk8lkCuPTjbQY7HN5YWYwAvxM6b5PSueWh4yE=; b=cskyRaBivSVqcwRR1Dz+6SpU03IWY+v6PWJjOIqpRCc68/JqCifIqt7cKk30WOIRbl Irgb1+RVgM1tjqaADPxSHezI0Je7NCZrlr1nrNGql/C4VOvdJrf4PckbL2zwJTpAU9jn 6j4yBVvgQd0YnfHSikNtwv/Fs7fr9RhlMuvCn+83mZbjah4MRAIbS27BbDcYSRxYPwBD HY7bC8w5XRfas84WDVvRbhVT7QSogO7ln/I3SfGC8KyzZx9zY6gQyS2PJ4bACHhxuj3T 34E4PAOMrpyjblRG8Qdf40Q0OBqzdFWQ4U+MgG5RtTySxILSc6ZcGzWO+jI2D/TQ/Skc gDtw==
X-Gm-Message-State: AAQBX9f1+/pFqc4jYmXvoNpqmmbYc68XZ+Aj5PlHW7SQGj2CBAFRvfOW NCSNGmG+zuxDv4V1b17uaPxh9KJc/Wjl5g==
X-Google-Smtp-Source: AKy350a6oG7z/bOgPwV0Bif0V7SUrK9hzfjhR4AFwPyzajW6ijL47C1iDAs+3c5/EWEhnBoVISXrQg==
X-Received: by 2002:a67:be02:0:b0:42f:e91d:1ae8 with SMTP id x2-20020a67be02000000b0042fe91d1ae8mr2358957vsq.24.1681816303897; Tue, 18 Apr 2023 04:11:43 -0700 (PDT)
Received: from mail-ua1-f44.google.com (mail-ua1-f44.google.com. [209.85.222.44]) by smtp.gmail.com with ESMTPSA id x18-20020ab05ad2000000b0068727e88479sm1949294uae.19.2023.04.18.04.11.43 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 18 Apr 2023 04:11:43 -0700 (PDT)
Received: by mail-ua1-f44.google.com with SMTP id q10so5459787uas.2; Tue, 18 Apr 2023 04:11:43 -0700 (PDT)
X-Received: by 2002:a1f:bd58:0:b0:440:d7:da79 with SMTP id n85-20020a1fbd58000000b0044000d7da79mr5539217vkf.2.1681816303013; Tue, 18 Apr 2023 04:11:43 -0700 (PDT)
MIME-Version: 1.0
References: <4561_1680881181_6430361D_4561_496_1_cbba461734d74dbf8116d7f476960f88@orange.com>
In-Reply-To: <4561_1680881181_6430361D_4561_496_1_cbba461734d74dbf8116d7f476960f88@orange.com>
From: Benjamin Schwartz <ietf@bemasc.net>
Date: Tue, 18 Apr 2023 07:11:31 -0400
X-Gmail-Original-Message-ID: <CAJF-iTRHVS8asiaf-fvtWZqpNdzou4zEsb36roaK-S_HMAEX2g@mail.gmail.com>
Message-ID: <CAJF-iTRHVS8asiaf-fvtWZqpNdzou4zEsb36roaK-S_HMAEX2g@mail.gmail.com>
To: mohamed.boucadair@orange.com
Cc: dnsop <dnsop@ietf.org>, "draft-ietf-dnsop-structured-dns-error@ietf.org" <draft-ietf-dnsop-structured-dns-error@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000051983405f99a5f12"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YwVXi7zCEAxCooq_FD2TaZyehW8>
Subject: Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2023 11:11:49 -0000

The draft's opening words are "DNS filtering is widely deployed for network
security".  This is true, but by far the "widest" deployment of DNS
filtering is for authoritarian national censorship, to prevent citizens
from engaging with forbidden ideas.

The EDE draft acknowledges and rebukes this rather directly with the
"Censored" code, expressing that this filtering was performed _against_ the
preference of the resolver operator.  Although the EDE registry is FCFS,
the presence of this registry entry at the outset ensures that any attempt
to whitewash this sort of behavior would be duplicative.

The "structured errors" draft risks undermining this norm and diluting the
intent of the "Censored" code.  For example, the "Malware", "Phishing",
"Spam", and "Spyware" suberrors are listed as applicable to the "Censored"
code, which is rather strange.  What is a "Spam" domain, and when would a
resolver be forced to filter it "due to an external requirement imposed by
an entity other than the operator"?

I think the idea of "suberrors" for the "Censored" EDE code probably just
doesn't make sense.  By definition, this code indicates that the resolver
_doesn't_ know why the result was filtered.  (The resolver operator may
know a _claimed_ reason, but it has no way to know whether this rationale
is the real motivation.)  Thus, one way forward might be to exclude this
code from the suberror registry.

Even for the other codes, I think this registry opens a terrible can of
worms that the IETF can and should avoid.  Shall we add codes for "adult
content"? "advertising"? "social media"? "political extremism"? "terrorist
content"? "CSAM"? "fake news"?

The EDE draft manages this to some extent by presenting an initial list of
codes that are plainly technical or structural in nature.  This draft does
the opposite, by starting to enumerate all the perceived evils of the
Internet.

Let's not go down that road.

On Fri, Apr 7, 2023 at 11:26 AM <mohamed.boucadair@orange.com> wrote:

> Hi all,
>
>
>
> We are implementing the changes to address the feedback we received in
> IETF#116. The candidate changes can be seen at Diff:
> draft-ietf-dnsop-structured-dns-error-01.txt -
> draft-ietf-dnsop-structured-dns-error.txt
> <https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-dnsop-structured-dns-error&url_2=https://ietf-wg-dnsop.github.io/draft-ietf-dnsop-structured-dns-error/draft-ietf-dnsop-structured-dns-error.txt>
>
>
>
> The current version of the draft indicates that the policy for registering
> a new suberr is via DE. We added a guard to prevent that DEs modify entries
> set via IETF review.
>
>
>
> I know that Ben indicated a preference for requiring IETF review for the
> registry. This seems to me too restrictive, especially that the policy for
> the EDE itself is FCFS. The argument that DEs will be pressured is not
> specific to this registry and would a priori apply for every registry with
> a DE policy.
>
>
>
> I think that we need a good balance to allow for useful suberr codes to be
> registered without requiring much heaviness in the process that is induced
> by an IETF review.
>
>
>
> Ben, if your concern is to have some control, what about requiring that
> new registrations should be sent to the DEs and also to dnsop (or another
> list), and that DEs should listen to whatever feedback received from the
> list?
>
>
>
> Thank you.
>
>
>
> Cheers,
>
> Med
>
> _________________________________________________________________________________________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.35.0 | Report a Bug | By Email | System Status