IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy

Benjamin Schwartz <ietf@bemasc.net> Wed, 19 April 2023 15:19 UTC

Return-Path: <benjamin.m.schwartz@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8636C15153F; Wed, 19 Apr 2023 08:19:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.552
X-Spam-Level:
X-Spam-Status: No, score=-1.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z9TnC55k3Aj7; Wed, 19 Apr 2023 08:19:32 -0700 (PDT)
Received: from mail-vs1-f43.google.com (mail-vs1-f43.google.com [209.85.217.43]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7AA3C14CF15; Wed, 19 Apr 2023 08:19:32 -0700 (PDT)
Received: by mail-vs1-f43.google.com with SMTP id l16so8876196vst.2; Wed, 19 Apr 2023 08:19:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681917571; x=1684509571; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lMMTvYtKA/HMjZM4zQBKjPKZVr4QciGTRp67dp6p4Zg=; b=gaVj16mSpuuR/H8keeKO+1FEnjq/hvlfcD7g4Sh3NglY4+Iu/Sdi9xh/sWb964t5TQ bVUkJ5hpb7ojKc/metT5aGM3zDUr4VAGYiHxrXYAH1YVLQNP6kqssl3IOLecnaXTpT8Q 907lwId95G8b0+zeDdKlEvpHkDVYskscChleYK2LSwKkIG59MEwJW27oi91fjsp77WlG ZzLiB3enmceKyxFZJQdSkq3CKbwY6FC/PvQz1gZmDoB77CWxd6oW7xkDZmOIDEGOwWn5 4oagpUV72csQgVrcm99qiNsGtjjuJgQVbBzm63oxCGSYVXPyviAcKWsK2e9NZK16vjVv u8XA==
X-Gm-Message-State: AAQBX9eZ0L2xFxy26SxSjPcCbhHPRZ9ycG2iWCsYO/QgIg9oBZ3yn2Ww 4fKxw1kf0r7YRU2x1iqcV6fgDVZP1pA=
X-Google-Smtp-Source: AKy350Y3PGLgTRqeTD9bZvvEj9A8THIYbvfT/G86zE6N0NYTsKOrCb5wg5F1TlAToVEvSPVwIGS3rg==
X-Received: by 2002:a67:eac7:0:b0:430:141d:f1ad with SMTP id s7-20020a67eac7000000b00430141df1admr223846vso.29.1681917571152; Wed, 19 Apr 2023 08:19:31 -0700 (PDT)
Received: from mail-ua1-f42.google.com (mail-ua1-f42.google.com. [209.85.222.42]) by smtp.gmail.com with ESMTPSA id v17-20020ab05b51000000b006ba03f9274fsm952056uae.22.2023.04.19.08.19.30 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 19 Apr 2023 08:19:31 -0700 (PDT)
Received: by mail-ua1-f42.google.com with SMTP id l13so7782785uan.10; Wed, 19 Apr 2023 08:19:30 -0700 (PDT)
X-Received: by 2002:a1f:5d46:0:b0:43f:b96e:355 with SMTP id r67-20020a1f5d46000000b0043fb96e0355mr143350vkb.14.1681917570290; Wed, 19 Apr 2023 08:19:30 -0700 (PDT)
MIME-Version: 1.0
References: <4561_1680881181_6430361D_4561_496_1_cbba461734d74dbf8116d7f476960f88@orange.com> <CAJF-iTRHVS8asiaf-fvtWZqpNdzou4zEsb36roaK-S_HMAEX2g@mail.gmail.com> <CAFpG3ge6b6LjeBahy2hS6CnHW00dhgHJ5gdS9eTxj0WxU7fbYg@mail.gmail.com>
In-Reply-To: <CAFpG3ge6b6LjeBahy2hS6CnHW00dhgHJ5gdS9eTxj0WxU7fbYg@mail.gmail.com>
From: Benjamin Schwartz <ietf@bemasc.net>
Date: Wed, 19 Apr 2023 11:19:19 -0400
X-Gmail-Original-Message-ID: <CAJF-iTQDaOK62Cr0ZUcHqiyZteH0oyM+oCD74zOK6TaumvF_nA@mail.gmail.com>
Message-ID: <CAJF-iTQDaOK62Cr0ZUcHqiyZteH0oyM+oCD74zOK6TaumvF_nA@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: mohamed.boucadair@orange.com, dnsop <dnsop@ietf.org>, "draft-ietf-dnsop-structured-dns-error@ietf.org" <draft-ietf-dnsop-structured-dns-error@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000519c4505f9b1f31a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tBUTRDCLcND3smVllrXupUJOngE>
Subject: Re: [DNSOP] draft-ietf-dnsop-structured-dns-error: suberr registration policy
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2023 15:19:34 -0000

On Wed, Apr 19, 2023 at 10:04 AM tirumal reddy <kondtir@gmail.com> wrote:

> On Tue, 18 Apr 2023 at 16:41, Benjamin Schwartz <ietf@bemasc.net> wrote:
>
>> The draft's opening words are "DNS filtering is widely deployed for
>> network security".  This is true, but by far the "widest" deployment of DNS
>> filtering is for authoritarian national censorship, to prevent citizens
>> from engaging with forbidden ideas.
>>
>> The EDE draft acknowledges and rebukes this rather directly with the
>> "Censored" code, expressing that this filtering was performed _against_ the
>> preference of the resolver operator.  Although the EDE registry is FCFS,
>> the presence of this registry entry at the outset ensures that any attempt
>> to whitewash this sort of behavior would be duplicative.
>>
>> The "structured errors" draft risks undermining this norm and diluting
>> the intent of the "Censored" code.  For example, the "Malware", "Phishing",
>> "Spam", and "Spyware" suberrors are listed as applicable to the "Censored"
>> code, which is rather strange.  What is a "Spam" domain, and when would a
>> resolver be forced to filter it "due to an external requirement imposed by
>> an entity other than the operator"?
>>
>
> Yes, "Spam" is not suitable with "Censored" code. The other suberror codes
> may be applicable with "Censored" code. For instance, in a deployment where
> the network-provided DNS forwarder is configured to use a public resolver
> to filter malware domains.
>

"Censored" requires that the blocking is "due to an external requirement
imposed by an entity other than the operator of the server resolving or
forwarding the query".  This does not correspond to the situation you are
describing, where the filtering is "inherited" but not "required" or
"imposed".

I don't know of any situation today in the world where "Censored" could
logically be used with any of these sub-errors.  We would have to imagine a
situation where the resolver operator is being _forced_ to apply malware
filtering, not choosing to do so.

Personally, I don't think these "sub-errors" make a lot of sense for
"Censored".  We should consider excluding "Censored" from this draft, or
focusing instead on providing objective information about the block.  We
can take inspiration from some of the work related to HTTP 451:
 - RFC 7725 defines the "blocked-by" relation, to identify the party that
implemented the censorship.  This is relevant to DNS when forwarders are in
use.
 - draft-sahib-451-new-protocol-elements-01 (expired) proposed
"blocking-authority" and "geo-scope-block" headers to identify the source
and scope of the block.

Regardless of the draft's details, I think work related to DNS filtering
should generally receive HRPC review prior to WGLC.

--Ben Schwartz

v2.23.0 | Report a Bug | By Email