Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

Ben Schwartz <bemasc@meta.com> Fri, 20 October 2023 14:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dBU8vzksOjRcELFNXAD46n0ZGmQ>

This draft originally proposed returning a webpage.  After reviews from the working group raising concern about allowing the DNS server to inject a webpage, it was changed to provide a contact URI instead ... but it then lists "https:" as an example of a suitable contact URI scheme.  This apparent contradiction ("https:" is not a form of contact info) strikes me as an awkward compromise, and a fine example of "design by committee".

Ultimately, it seems that this draft is aimed at browsers, and should provide information that browser makers believe can safely be displayed to users.  I think the most sensible solution is (1) replace the "https:" example in the draft with "mailto:" and (2) note that clients are free to ignore contact URIs with unsupported schemes.

Even a "mailto:" scheme is not without risk here, and I wouldn't be surprised if some browser vendors feel it is unsafe to display.  However, it sounds like there is some interest from potential clients, perhaps enough to support continuing with this draft.

--Ben
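A client-side check that implements the two points proposed above (ignore contact URIs whose scheme the client does not support, and support only "mailto:"), applied to the "c" field discussed in the quoted thread below. This is an added example, not code from the message, the draft or any browser; it assumes the draft carries its fields as JSON in the EXTRA-TEXT of an RFC 8914 Extended DNS Error option, that "c" holds either one contact URI or a list of them, and it only acts on the RFC 8914 INFO-CODEs that signal filtering (15 Blocked, 16 Censored, 17 Filtered). The sample option and the second JSON key are constructed for the example.

```python
import json
import struct
from urllib.parse import urlsplit

EDNS_OPT_EDE = 15                  # RFC 8914 EDNS option code for Extended DNS Error
EDE_BLOCKED, EDE_CENSORED, EDE_FILTERED = 15, 16, 17   # RFC 8914 INFO-CODEs
FILTERING_CODES = {EDE_BLOCKED, EDE_CENSORED, EDE_FILTERED}

# Policy choice from the message above: a contact URI must be "mailto:",
# anything else is ignored. Clients may widen this set, but never to a
# scheme that fetches and renders remote content.
ALLOWED_CONTACT_SCHEMES = {"mailto"}


def build_ede_option(info_code: int, extra_text: str) -> bytes:
    """Encode one EDE option as it appears inside OPT RDATA (RFC 8914 wire format)."""
    body = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDNS_OPT_EDE, len(body)) + body


def parse_edns_options(rdata: bytes):
    """Walk OPT RDATA and yield (OPTION-CODE, OPTION-DATA); stop at a truncated option."""
    off = 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            break                      # malformed: do not trust the remainder
        yield code, rdata[off:off + length]
        off += length


def is_safe_contact(uri: str) -> bool:
    """Accept only a bare mailto:addr-spec; refuse other schemes and mailto hfields."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_CONTACT_SCHEMES:
        return False
    # "?subject=...&body=..." would let the resolver pre-fill the user's
    # message, so only the address part is accepted (design choice, not from the draft).
    if parts.query or parts.fragment or parts.netloc:
        return False
    addr = parts.path
    return "@" in addr and " " not in addr and 0 < len(addr) < 254


def extract_contacts(rdata: bytes) -> list:
    """Return the contact URIs from a filtering EDE that the client is willing to surface."""
    contacts = []
    for code, data in parse_edns_options(rdata):
        if code != EDNS_OPT_EDE or len(data) < 2:
            continue
        info_code = struct.unpack("!H", data[:2])[0]
        if info_code not in FILTERING_CODES:
            continue
        try:
            obj = json.loads(data[2:].decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue                   # EXTRA-TEXT is free-form; not every server sends JSON
        if not isinstance(obj, dict):
            continue
        raw = obj.get("c")
        if isinstance(raw, str):
            raw = [raw]
        if not isinstance(raw, list):
            continue
        for uri in raw:
            if isinstance(uri, str) and is_safe_contact(uri):
                contacts.append(uri)   # still untrusted text: show as a link target, never render
    return contacts


if __name__ == "__main__":
    # Constructed sample: a Filtered response whose "c" mixes a usable mailto:,
    # an https: page and a mailto: with a pre-filled body. "o" is a constructed extra key.
    sample = build_ede_option(
        EDE_FILTERED,
        '{"o":"Example Filtering Co","c":["mailto:abuse@example.net",'
        '"https://blocked.example/page","mailto:x@example.net?body=hello"]}',
    )
    print(extract_contacts(sample))
```

The check runs on the stub or application side after the response has been received; it does not fetch anything. A browser that wants to go further than the scheme allowlist (for example the isolated, cookie-less, script-less display mentioned later in the thread) would do so only for the URIs this function returns.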
________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of tirumal reddy <kondtir@gmail.com>
Sent: Friday, October 20, 2023 6:09 AM
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>; DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

I would like to clarify that the purpose of the "c" (contact) field is not to display an error page but to provide contact details of the IT/InfoSec team for reporting misclassified DNS filtering. Its function is to report legitimate domain names that have been incorrectly blocked due to misclassification.

There is no mention in the draft that the "c" (contact) field is intended for displaying an error page. It is assumed that the client application would handle the display of an error page, and the content of the "c" field would be optionally used in specific scenarios, such as TRR.

To improve clarity, we could update the draft and specify that the error page must be displayed by the client application, and the "c" field link may be optionally provided to raise complaints. Furthermore, to minimize security risks, the client can retrieve the URL from the contact field in an isolated environment. It must also take additional precautions, such as clearly labeling the page as untrusted. This isolation should prevent the transmission of cookies, block JavaScript execution, and prevent the auto-fill of credentials or personal information. The isolated environment should be separate from the user's normal browsing environment.

Cheers,
-Tiru

On Fri, 20 Oct 2023 at 01:42, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:

On Oct 19, 2023, at 12:44 PM, Warren Kumari <warren@kumari.net> wrote:

I still don't understand why (other than marketing/advertising) this is needed — the EDE "4.18. Extended DNS Error Code 17 - Filtered" ("The server is unable to respond to the request because the domain is on a blocklist as requested by the client. Functionally, this amounts to "you requested that we filter domains like this one.") seems to cover it.

If browsers are willing to do anything with the EDE codes (like "ERROR: Your DNS filtering provider says you shouldn't go here") what additional **important** information needs to be communicated? And if browsers are not willing to do anything with just EDE codes, it sure doesn't seem like they would want to do that **and** follow an unauthenticated URL…

Safari is now displaying the EDE-code based information! So we are willing to show that.

The case that might still be interesting is providing the user some (hopefully safe) way to contact the blocker to dispute why this is being blocked — so a way to send an email to an administrator, but not something else. Showing advertising or marketing or any arbitrary page is not something I think would fly.

Tommy

Anything more simply adds complexity and security risks, and entails privacy concerns for the user too…

W


On Thu, Oct 19, 2023 at 4:05 AM, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org<mailto:Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>> wrote:

Hi,

I think that we have now 2 good potential compromises:

  1.  A browser interstitial page explaining that the following page is generated by the service that blocked the actual page, with a button indicating “proceed to the blocking page” and another “dismiss”
  2.  A graphical representation of the blocking page, rendered as image with no clickable links, with a button indicating “proceed to the blocking page” and another “dismiss”

This would be understandable by customers and provide a good user experience and security.

In addition we could start thinking about a reputation mechanism.

Kind regards

Gianpaolo


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
