IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy

Ralf Weber <dns@fl1ger.de> Tue, 18 April 2023 11:49 UTC

Return-Path: <dns@fl1ger.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83864C1782C3; Tue, 18 Apr 2023 04:49:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yHvh95LtHTyQ; Tue, 18 Apr 2023 04:49:36 -0700 (PDT)
Received: from smtp.guxx.net (smtp.guxx.net [IPv6:2a01:4f8:a0:322c::25:42]) by ietfa.amsl.com (Postfix) with ESMTP id 496BDC1782C0; Tue, 18 Apr 2023 04:49:35 -0700 (PDT)
Received: from [100.64.0.1] (p4fc210d6.dip0.t-ipconnect.de [79.194.16.214]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id 2B1625F405CA; Tue, 18 Apr 2023 11:49:33 +0000 (UTC)
From: Ralf Weber <dns@fl1ger.de>
To: Benjamin Schwartz <ietf@bemasc.net>
Cc: mohamed.boucadair@orange.com, dnsop <dnsop@ietf.org>, draft-ietf-dnsop-structured-dns-error@ietf.org
Date: Tue, 18 Apr 2023 13:49:21 +0200
X-Mailer: MailMate (1.14r5964)
Message-ID: <9DFB9E73-1AB8-4B24-BC59-F6ADB4252B3A@fl1ger.de>
In-Reply-To: <CAJF-iTRHVS8asiaf-fvtWZqpNdzou4zEsb36roaK-S_HMAEX2g@mail.gmail.com>
References: <4561_1680881181_6430361D_4561_496_1_cbba461734d74dbf8116d7f476960f88@orange.com> <CAJF-iTRHVS8asiaf-fvtWZqpNdzou4zEsb36roaK-S_HMAEX2g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/t3EKxzr9mV4l32BfQC4NRhaeCrI>
Subject: Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2023 11:49:38 -0000

Moin!

On 18 Apr 2023, at 13:11, Benjamin Schwartz wrote:

> The draft's opening words are "DNS filtering is widely deployed for network
> security".  This is true, but by far the "widest" deployment of DNS
> filtering is for authoritarian national censorship, to prevent citizens
> from engaging with forbidden ideas.

Do you have any data to back this claim up? I see far more solutions out
there protecting against attackers (malware, phishing, etc) then there
are for “censoring” or parental controls. Also there are democratic
countries that with agreements of their citizens block access to some
content using DNS. But none of that should matter here as the idea of
this draft is to help the user to be informed why something has happened
using extended DNS errors and I think that is a win for the end user.


> The EDE draft acknowledges and rebukes this rather directly with the
> "Censored" code, expressing that this filtering was performed _against_ the
> preference of the resolver operator.  Although the EDE registry is FCFS,
> the presence of this registry entry at the outset ensures that any attempt
> to whitewash this sort of behavior would be duplicative.
>
> The "structured errors" draft risks undermining this norm and diluting the
> intent of the "Censored" code.  For example, the "Malware", "Phishing",
> "Spam", and "Spyware" suberrors are listed as applicable to the "Censored"
> code, which is rather strange.  What is a "Spam" domain, and when would a
> resolver be forced to filter it "due to an external requirement imposed by
> an entity other than the operator"?
>
> I think the idea of "suberrors" for the "Censored" EDE code probably just
> doesn't make sense.  By definition, this code indicates that the resolver
> _doesn't_ know why the result was filtered.  (The resolver operator may
> know a _claimed_ reason, but it has no way to know whether this rationale
> is the real motivation.)  Thus, one way forward might be to exclude this
> code from the suberror registry.
>
> Even for the other codes, I think this registry opens a terrible can of
> worms that the IETF can and should avoid.  Shall we add codes for "adult
> content"? "advertising"? "social media"? "political extremism"? "terrorist
> content"? "CSAM"? "fake news"?
>
> The EDE draft manages this to some extent by presenting an initial list of
> codes that are plainly technical or structural in nature.  This draft does
> the opposite, by starting to enumerate all the perceived evils of the
> Internet.
>
> Let's not go down that road.

Ok, so for me sub errors are useful as they can give some further information
on why something was blocked, and that information can be conveyed to the
end user. The EDE categories are rather broad and hence don’t give enough
information on why exactly a site is blocked. Now we could also use free
text, which is a problem for people operating in multi language environments
or let each resolver operator pick there own, but maybe some categories that
we all can agree on would be good to put in here. I’m ok with not adding
stuff to the censored EDE code, but we should allow sub errors to Filtered
and Blocked.

So long
-Ralf
——-
Ralf Weber

v2.23.0 | Report a Bug | By Email