Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

Ben Schwartz <bemasc@meta.com> Thu, 09 November 2023 15:02 UTC

From: Ben Schwartz <bemasc@meta.com>
To: "Gianpaolo Angelo Scalone, Vodafone" <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Date: Thu, 09 Nov 2023 15:01:06 +0000
Message-ID: <BN8PR15MB32817912282A69869281090DB3AFA@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <DB9PR05MB8473EE94D86348FF1E8207EAA3AFA@DB9PR05MB8473.eurprd05.prod.outlook.com>
In-Reply-To: <DB9PR05MB8473EE94D86348FF1E8207EAA3AFA@DB9PR05MB8473.eurprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lTDzeEBdeJtd-uyfHhUtECqt2Qg>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

Note that "mailto" URIs can pre-populate subject and body contents, so information about the specific blocked item and other metadata could be populated automatically.  This seems sufficient for enterprise use cases like allowing employees to tell corporate IT that they are blocking something incorrectly.

HTTP error pages are primarily relevant to end users on personal devices whose access is being blocked by their ISP. That is not an environment in which it is safe or appropriate for the network to inject block pages.

--Ben Schwartz
________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Gianpaolo Angelo Scalone, Vodafone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>
Sent: Thursday, November 9, 2023 4:08 AM
To: dnsop@ietf.org <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

Hi,

I still think that a mechanism to reach an HTTPS resource is needed.

Considering the security implications of rendering an HTTPS URI directly, it could be an additional field, to be used by the client:

  *   For an out-of-band connection to retrieve the needed page info from resolvers with high reputation that have agreements with the browser
  *   To connect to a high-reputation service (to be created) having the only purpose to host blocking pages on behalf of the various DNS filtering services
     *   This high-reputation service would be defined in a separate RFC
     *   Access criteria and content to be defined
     *   Management criteria to be defined

Having such a service would allow access to high-reputation information about the blocking reason and provide the end user with modern methods to understand the blocking or request an amendment in case of false positives.

The mechanism proposed in draft-ietf-dnsop-structured-dns-error-07.txt is a big improvement with respect to the existing situation, but it still requires some knowledge that common users may not have, and so limits the capability to request amendments to users well educated on the topic.

With a SIP contact or an email contact, the end user should know very well what to ask; with an HTTPS URI, a request to amend the blocking could be populated with the relevant information, also empowering less experienced users (here we are sort of providing a pre-internet solution to an internet problem).

Many countries request filtering of DNS traffic for CSAM or adult content filtering reasons, so a good way to avoid false positives would give the population better access to the internet.

Gianpaolo
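Added illustration, not part of either message above and not code from the draft: how a stub resolver or browser could act on the point Ben raises, taking the contact list out of the structured DNS error's EXTRA-TEXT JSON, keeping only contact schemes it is willing to hand to the user (no http/https, since a URI injected by the network is not safe to open in a browser), and turning a mailto: contact into an RFC 6068 URI whose subject and body are pre-populated with the blocked name and the filter's own stated reason. The key names "c", "j", "o" and "s" are assumed here to be the draft's contact, justification, organization and suberror fields; the sample values and all function names are constructed for this example.

```python
import json
from typing import Optional
from urllib.parse import quote, urlsplit

# Constructed sample of the EXTRA-TEXT JSON object carried in the Extended DNS
# Error option. Key names "c", "j", "o", "s" are assumed from the draft; the
# values are invented for this example.
SAMPLE_EXTRA_TEXT = json.dumps({
    "c": ["https://filter.example.net/why", "mailto:it-helpdesk@example.net"],
    "j": "Malware",
    "o": "Example Corp IT",
    "s": 1,
})

# Contact schemes the client is willing to surface. http/https are deliberately
# absent: a URI from a network-supplied DNS error must not be opened in a browser.
ALLOWED_CONTACT_SCHEMES = {"mailto", "sips", "tel"}


def parse_extra_text(extra_text: str) -> dict:
    """Parse the EXTRA-TEXT JSON and drop contact URIs whose scheme is not allowed."""
    data = json.loads(extra_text)
    contacts = data.get("c", [])
    if isinstance(contacts, str):
        contacts = [contacts]
    safe = [u for u in contacts
            if isinstance(u, str) and urlsplit(u).scheme.lower() in ALLOWED_CONTACT_SCHEMES]
    return {
        "contacts": safe,
        "justification": str(data.get("j", "")),
        "org": str(data.get("o", "")),
        "suberror": data.get("s"),
    }


def build_report_mailto(contact: str, qname: str, qtype: str, info: dict) -> str:
    """Turn a mailto: contact into a mailto: URI carrying a pre-filled report.

    RFC 6068 carries subject and body as hfields whose values are percent-encoded
    (not form-encoded: a space is %20, never '+') with line breaks as %0D%0A.
    """
    scheme, _, rest = contact.partition(":")
    if scheme.lower() != "mailto":
        raise ValueError("not a mailto URI")
    # Keep only the address. Any hfields the filtering service supplied are
    # discarded so the filter cannot pre-write the message on the user's behalf.
    addr = rest.partition("?")[0]
    subject = f"DNS filtering report: {qname}"
    body = "\r\n".join([
        f"Blocked name: {qname}",
        f"Query type: {qtype}",
        f"Suberror code: {info['suberror']}",
        f"Justification: {info['justification']}",
        f"Filtering organization: {info['org']}",
        "",
        "I believe this block is a false positive; please review it.",
    ])
    return f"mailto:{addr}?subject={quote(subject, safe='')}&body={quote(body, safe='')}"


def report_uri_for(extra_text: str, qname: str, qtype: str = "A") -> Optional[str]:
    """Return the first usable mailto: report URI for this error, or None if none."""
    info = parse_extra_text(extra_text)
    for c in info["contacts"]:
        if c.lower().startswith("mailto:"):
            return build_report_mailto(c, qname, qtype, info)
    return None


if __name__ == "__main__":
    print(report_uri_for(SAMPLE_EXTRA_TEXT, "www.example.com"))
```

The https entry in the sample contact list is silently dropped and only the mailto entry survives; the resulting URI can be handed to the platform's mail handler, which is the "pre-populated subject and body" path without the client ever fetching a network-chosen web page.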