Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt

Stephane Bortzmeyer <bortzmeyer@nic.fr> Fri, 15 February 2019 09:02 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B89FF130F28 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:02:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r24r1fP60XSm for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:02:38 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C419130E7E for <dnsop@ietf.org>; Fri, 15 Feb 2019 01:02:38 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id C33CF28047F; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id BD0D228054E; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id B51BE28047F; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id B04096424E49; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id ABAD7401CB; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Date: Fri, 15 Feb 2019 10:02:35 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Warren Kumari <warren@kumari.net>
Cc: dnsop@ietf.org
Message-ID: <20190215090235.afz4x75j5dij2wo7@nic.fr>
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org> <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.022544, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.15.85116
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_YAfzSO_EvNnqcAHVC7H0tCQ8cQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:02:46 -0000

On Thu, Feb 14, 2019 at 03:33:23PM -0500,
 Warren Kumari <warren@kumari.net> wrote 
 a message of 388 lines which said:

> but how about:
> "The majority of these extended error codes are primarily useful for
> resolvers, to return to stub resolvers or to downstream
> resolvers. Authoritative servers may also use this technique to
> annotate errors (for example, REFUSED), but as of publication there
> are not as many of these defined"

OK

> > > 4.4.1.  NXDOMAIN Extended DNS Error Code 1 - Blocked
> > >
> > >   The resolver attempted to perfom a DNS query but the domain is
> > >   blacklisted due to a security policy.
> >
> > I tend to think it would be a good idea to separate the case where
> > the policy was decided by the resolver and the case where the
> > policy came from outside, typically from the local law (see RFC
> > 7725 for a similar case with HTTP).
> >
> > Rationale: in the first case (local policy of the resolver), the
> > user may be interested in talking with the resolver admin if he or
> > she disagrees with the blocking. In the second case, this would be
> > useless.

You did not reply to this one. It is inspired by a message from Petr
Špaček
<https://mailarchive.ietf.org/arch/msg/dnsop/b3wtVj_aWm24PXyHr1M9NMj3LJ0>
explaining how extended DNS errors would be great to tell the user
whose fault it is (signature expired == no need to tell the resolver's
operator). I really think it is important to make the difference between:

* I blocked your request because that's _my_ policy
* I blocked your request because I'm compelled to do so, don't
  complain, it would be useless.

> > NOERROR Extended DNS Error Code 3 - Forged answer

> I'd really like to avoid the word "Forged"

I did not know it was pejorative (in french, "forgée", which has the
same origin, is not). So, what about "substituted answer"? Neutral
enough?