IETF Logo Mail Archive

[DNSOP] Re: Last Call: <draft-ietf-dnsop-structured-dns-error-12.txt> (Structured Error Data for Filtered DNS) to Proposed Standard

tirumal reddy <kondtir@gmail.com> Mon, 05 May 2025 13:10 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E66D924D1AF9; Mon, 5 May 2025 06:10:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7HSgDU7ulnD8; Mon, 5 May 2025 06:10:04 -0700 (PDT)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1A79824D1AEE; Mon, 5 May 2025 06:10:04 -0700 (PDT)
Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-ace3b03c043so661701366b.2; Mon, 05 May 2025 06:10:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1746450603; x=1747055403; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vOD3aHr6xVTI0XMeLVZHBeY+YdlbkriNcvFlom/TDhg=; b=EpiWSNhu23scHuW1pBsRVRaIJzIdel4YhxQ9JjUiNikIAUfl8LUcdZeeLjqTbTMIpW exiTFKu5AU8Qg7wUMfO7nn7z+EAFicVPh0vFduWWermAvyEd/NOZwONY9+i6Zv5arDnV YO1YvhjwKmfxhsuapP/+qoMe/oCDqRuMU9ERyorQtSr0HXsvF+l/2SrcEfK/jp5G52fr 99lfLIZwUilsKiAtTApphdHNyB7swWJuX6Cs9Dv/LyKLonZ0e+U9YqdMN5aK+QZHgaEt JOVti437c7b4V2vYLEspVNxwpa9RM84Q3fGrqlIMfSP+VGf4luLe5yi0Iy/U5AuAwdOS a1lA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746450603; x=1747055403; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vOD3aHr6xVTI0XMeLVZHBeY+YdlbkriNcvFlom/TDhg=; b=ZLgoV9T/LR8/MxjzanQqq6Zps2njG7Dm0hcrNmZsX/iELbYyeQbZTnv5tcUEXJ4CzY VWX/L5OLki45ZWzjOeHrQ7I9TAtp93OHvlipiIlLgyxy8mVUkjgAdpNZRswmYe+U7qqB 1BjKxfkAUEgRhXV+M9igNwTiUONTmWamUEFTmXxIx4X9N/2+VKWc5x+gVgcb2clxlHkM CDIs4vG4IK3WA5t9u01vhO+2bRuO2HZadNLkf/S3X69mnt4DM0781tDdh2lUH2STkI6n ts/j6S+iCV74wzaJ2xNwLmueje6NSP8YfIKtcP7l13BiI/BrTnrM5qXvRpiA/qzfntFt Nn6w==
X-Forwarded-Encrypted: i=1; AJvYcCVPS6NbwTlPVaIdJY0QJk+eCwf+MqTidfgODDpfP7I4IzcLm2IzYnfJgo4ic8D7rJs05VgunWQ=@ietf.org, AJvYcCVTTB9MMrDBYIZe7OVyhDwJkFmUvTGD6kccIhIZqkyvhoaPIgnPet4s2iJsgz/oAvdCFpczV2ivUEk/dvkIAxmnLgA7ttjgShPoIHIxz/vujSrcI4sYRw==@ietf.org, AJvYcCVb7DL59rFSg+YP2x1nYBhE4WwPTkdOlBQ7cTZ8WhXrhPktFpgftmBMujY32iyGGuYPEREHqu9cxz1W+AA=@ietf.org
X-Gm-Message-State: AOJu0YwUCSHkWsOLG9VCkoyb86R4+kS2gO6/HcLem/4akc0dX3gvFH9E a2LPlbRlvjYo5AjPdV04J4gdFN/7uqJndMNb/jjhuv5dk2SuMFhmxMYKTz/XwQ60L5wI6aEo5K1 KjV4tvsTnkVAxkrF5waZJj84m6Ck=
X-Gm-Gg: ASbGncuyHxgQWLdqQBHpld+FITQ/oO7qWrtr8JyGCIghYimj0hf5UFhwMSMQyDScabh F3b5zEWPbaw287zkIMPoOhaQLvKEkrunQJXzPOtMHBz2IlpHehXh+ppcs+AvlrvGGHn4hIEMxv+ j8KjTfeMi5Hb5J8ufYS7K5572ng27TUnmjbWA=
X-Google-Smtp-Source: AGHT+IH9xrenLjj6pOP9p+dvr6+VlSnF/sF3IfE5oDEzcBdo8k7opoL/FkhqbJxi4ndTrOLDyryiNJhVYFw0lvdTQhw=
X-Received: by 2002:a17:907:1c1a:b0:acf:30:7e9f with SMTP id a640c23a62f3a-ad19083710dmr836024466b.40.1746450602683; Mon, 05 May 2025 06:10:02 -0700 (PDT)
MIME-Version: 1.0
References: <174464390945.1162397.14602311698065057813@dt-datatracker-64c5c9b5f9-hz6qg> <bbaded85-6c2b-43fc-b2d6-813d534655b3@cs.tcd.ie>
In-Reply-To: <bbaded85-6c2b-43fc-b2d6-813d534655b3@cs.tcd.ie>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 05 May 2025 18:39:25 +0530
X-Gm-Features: ATxdqUGzvYWUOojyHNVo51lowzjqVhNbQxB_MSH80p4pOp0-lMGfPz5M8g1v9JQ
Message-ID: <CAFpG3gdVkUrZvHjQuRfKbZU81sgV+cE7+ETkst450g7c4QU2kA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="000000000000ca724106346337cf"
Message-ID-Hash: WDEH7PPNEZG3JAIKHH2FSAVKYHWJAOFB
X-Message-ID-Hash: WDEH7PPNEZG3JAIKHH2FSAVKYHWJAOFB
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: last-call@ietf.org, benno@nlnetlabs.nl, dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-structured-dns-error@ietf.org, evyncke@cisco.com
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Last Call: <draft-ietf-dnsop-structured-dns-error-12.txt> (Structured Error Data for Filtered DNS) to Proposed Standard
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bXb2NDYBsnw7cuzoJQOckpq8Dzg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Sat, 3 May 2025 at 04:04, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 14/04/2025 16:18, The IESG wrote:
> >
> > The IESG has received a request from the Domain Name System Operations WG
> > (dnsop) to consider the following document: - 'Structured Error Data for
> > Filtered DNS'
> >    <draft-ietf-dnsop-structured-dns-error-12.txt> as Proposed Standard
> >
> > The IESG plans to make a decision in the next few weeks, and solicits
> final
> > comments on this action. Please send substantive comments to the
> > last-call@ietf.org mailing lists by 2025-04-28. Exceptionally, comments
> may
> > be sent to iesg@ietf.org instead. In either case, please retain the
> beginning
> > of the Subject line to allow automated sorting.
>
> Apologies for being a few days late.
>
> My top level input is that this should be sent back to the WG with
> a recommendation to chat more with some apps folks (not just for the
> web, but mail, calendaring etc too) before trying again, if trying
> again still seems like a plan.
>
> Details:
>
> - abstract: "filtered DNS responses lack structured information for end
>    users to understand" - end users do not know the DNS exists; expecting
>    them to understand DNS errors, outside of the context of whatever
>    application has made the DNS query, will IMO be unproductive
>

The structured error information defined in this document is not intended
to be consumed directly by end users. Instead, it is designed for clients
to interpret and render meaningful, user-friendly messages. This approach
has already seen adoption, such as in AdGuard’s DNS SDE extension
<https://github.com/AdguardTeam/dns-sde-extension>, which demonstrates how
structured DNS error reporting can enhance transparency and improve
end-user communication.


>
> - I'm generally unkeen on helping censors, and while I recognise that
>    doing so is not the intent, it will be (at least) a side-effect, in
>    this case without even the cutesey/ironic 451 reference. On balance
>    I think (but not strongly) we've done enough to make filtering and
>    censorship explicit so don't need this.
>

The primary intent of this draft is not to aid censorship, but to provide
diagnostic clarity in diverse deployment environments.


>
> - Adding expectations of support for a variant of JSON seems optimistic.
>    That said I don't know how well supported that I-JSON variant may be
>    but I'd not expect anyone to go out of their way if they have some
>    JSON support but not quite that.
>

It builds on RFC 8427, "Representing DNS Messages in JSON", which already
defines a JSON-based schema for DNS message representation.


>
> - If a censor (in some authoritarian locale) includes a contact and a
>    person gets in touch with that, or their user agent decides to do
>    that, there could be negative consequences for the person. (That
>    field seems somewhat like "if you're unhappy with our censoring you
>    when you tried to get at something you ought not have wanted, please
>    feel free to call into secret-police-HQ and we'll happily deal with
>    your query" - not an attractive invitation.) And the 'contact' field
>    is mandatory. Seems a bad plan to me.


> - I agree with other comments to the effect that de-ref'ing the contact
>    is asking for e.g. malware trouble.
>

The "c" field is mandatory to be conveyed in the structured error payload,
but it is not intended to be displayed to the end user by default. As
discussed in the Security Considerations section, clients are expected to
apply restrictions on whether this information is revealed or not.


>
> - 11.3/11.4 seem wrong - "blocked by" is not an error when the blocking
>    is deliberate - I think that indicates something is fundamentally
>    wrong with this specification.
>

The rationale for introducing the new "Blocked by Upstream DNS Server" EDE
is to differentiate between filtering performed by local devices (e.g.,
home routers or enterprise gateways) and filtering enforced by upstream
recursive resolvers. It still represents a failure to resolve from the
client's perspective and requires a distinct diagnostic signal.

Cheers,
-Tiru


>
> Cheers,
> S.
>
>
>
>
>
>
>
>

v2.40.3 | Report a Bug | By Email | System Status