IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

tirumal reddy <kondtir@gmail.com> Fri, 20 October 2023 10:10 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00A49C151086 for <dnsop@ietfa.amsl.com>; Fri, 20 Oct 2023 03:10:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIimz3Jer56z for <dnsop@ietfa.amsl.com>; Fri, 20 Oct 2023 03:10:02 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC31FC14CE24 for <dnsop@ietf.org>; Fri, 20 Oct 2023 03:09:53 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2c52407516bso1538871fa.1 for <dnsop@ietf.org>; Fri, 20 Oct 2023 03:09:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697796592; x=1698401392; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TQA1bYIXa1cbRTAAW6Z1N8J89Fx1Z8fL5eTfLsF7hdU=; b=IyeODmTS4S+iltZKfNKzwYaH3YJIPwVzdZTEAWDlUCWapddIz9RvGLmkO+xNIlRDsa EE6U3YxstLcvEujUCMXSh3UiuuUFWLAXGlVajTA4ijWyX0m1qYn+OcTbBiy3CFbxByqa Rvp/3fIFS0QhRh8AoUv6y6kA7fJDJHoj1849F4yLFa0ycHPmK2DbR8IeOp6OJnX7vvgI iX8fmcJ61/o4QGj5xzWrXqoq5W0btBTuN6u79rk4CU/JGBjhBgiG3mAO8l5h31+kDt42 vnVNvtn1E6GizKnCzQsL8Bra7eQ/m/y+QIqDQr3IcYYjNhhJiZoMLIajFMil+YzI9LIO 714w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697796592; x=1698401392; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TQA1bYIXa1cbRTAAW6Z1N8J89Fx1Z8fL5eTfLsF7hdU=; b=A6fx2BEYA+7yV7z59b8VT/SWd7lNCgRoQ256yx5uOcYlo/zB7VyBp5FCIfWGHzZpfF X9pYCB/nS9sRlbBrRAGrOn9ha5ZWVFBrI5YsgCju67qc9UDHP6sUXu0wiQppadkdVxbT 8UBZkMiPyI6oHIEQe+h8UUNGTbjrbDjxeyw/D/cJwDvpULSimYH0zdOltx0hjAn9AgKY BtvfI6AVsmMfqpRHhaI+t2Qs9rztC5W+ARypDLvGxFqdER50QBTUNOKsV2L5bw9O/sRX U1Ki+JaStsPq6luLIezFI2n1k+wtLurjZWXjxkiGz8gMwh+Url8ylPis8EQLOd50cRFq jLsw==
X-Gm-Message-State: AOJu0Yz6n9zbipkwcFl4Ar8RbWodSMrXttlN0jMZ3njz+gRhf9YLSDcw Kqd66KrHQFUAnTGDnSsAhCdfIIIB/KxzV9xMUt9T86fMGjU=
X-Google-Smtp-Source: AGHT+IGt/6Du2thBoSBDTyk9PSM8FhPW+t/zQO9ur5PoXHVvGZUX9qYJvqINSghvsD9pX2mTzTaiIa8q7CxmcWbBTnE=
X-Received: by 2002:a05:651c:610:b0:2c5:509:c080 with SMTP id k16-20020a05651c061000b002c50509c080mr903582lje.3.1697796591781; Fri, 20 Oct 2023 03:09:51 -0700 (PDT)
MIME-Version: 1.0
References: <DB9PR05MB847313955E9EE5F63F53FDB3A3D4A@DB9PR05MB8473.eurprd05.prod.outlook.com> <CAHw9_iKDDt9W207osTsHpfaacjQioDM1VVbLk9JTRB2hjpEa1g@mail.gmail.com> <DB850E35-E036-46B3-9BB0-B29277B75FA3@apple.com>
In-Reply-To: <DB850E35-E036-46B3-9BB0-B29277B75FA3@apple.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 20 Oct 2023 15:39:40 +0530
Message-ID: <CAFpG3gcQhVpuWi9iBOFhxum5XNsA4-vXnQaUh2LgfFkQ3nMz9w@mail.gmail.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: Warren Kumari <warren@kumari.net>, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c10d540608231271"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/icoxZ6m5kSpjW4QKHu6tywlZ2xQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2023 10:10:07 -0000

I would like to clarify that the purpose of the "c" (contact) field is not
to display an error page but to provide contact details of the IT/InfoSec
team for reporting misclassified DNS filtering. Its function is to report
legitimate domain names that have been incorrectly blocked due to
misclassification.

There is no mention in the draft that the "c" (contact) field is intended
for displaying an error page. It is assumed that the client application
would handle the display of an error page, and the content of the "c" field
would be optionally used in specific scenarios, such as TRR.

To improve clarity, we could update the draft and specify that the error
page must be displayed by the client application, and the "c" field link
may be optionally provided to raise complaints. Furthermore, to minimize
security risks, the client can retrieve the URL from the contact field in
an isolated environment. It must also take additional precautions, such as
clearly labeling the page as untrusted. This isolation should prevent the
transmission of cookies, block JavaScript execution, and prevent the
auto-fill of credentials or personal information. The isolated environment
should be separate from the user's normal browsing environment.

Cheers,
-Tiru





On Fri, 20 Oct 2023 at 01:42, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
wrote:

>
>
> On Oct 19, 2023, at 12:44 PM, Warren Kumari <warren@kumari.net> wrote:
>
> I still don't understand why (other than marketing/advertising) this is
> needed — the EDE "4.18. Extended DNS Error Code 17 - Filtered" ("The server
> is unable to respond to the request because the domain is on a blocklist as
> requested by the client. Functionally, this amounts to "you requested that
> we filter domains like this one.") seems to cover it.
>
> If browsers are willing to do anything with the EDE codes (like "ERROR:
> Your DNS filtering provider says you shouldn't go here") what additional
> **important** information needs to be communicated? And if browsers are not
> willing to do anything with just EDE codes, it sure doesn't seem like they
> would want to do that **and** follow an unauthenticated URL…
>
>
> Safari is now displaying the EDE-code based information! So we are willing
> to show that.
>
> The case that might still be interesting is providing the user some
> (hopefully safe) way to contact the blocker to dispute why this is being
> blocked — so a way to send an email to an administrator, but not something
> else. Showing advertising or marketing or any arbitrary page is not
> something I think would fly.
>
> Tommy
>
>
> Anything more simply adds complexity and security risks, and entails
> privacy concerns for the user too…
>
> W
>
>
> On Thu, Oct 19, 2023 at 4:05 AM, Vodafone Gianpaolo Angelo Scalone <
> Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org> wrote:
>
>> Hi,
>>
>> I think that we have now 2 good potential compromises:
>>
>>    1. A browser interstitial page explaining that the following page is
>>    generated by the service that blocked the actual page, with a button
>>    indicating “proceed to the blocking page” and another “dismiss”
>>    2. A graphical representation of the blocking page, rendered as image
>>    with no clickable links, with a button indicating “proceed to the blocking
>>    page” and another “dismiss”
>>
>>
>>
>> This would be understandable by customers and provide a good user
>> experience and security.
>>
>> In addition we could start thinking about a reputation mechanism.
>>
>>
>> Kind regards
>>
>>
>> Gianpaolo
>>
>> C2 General
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email