Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

Warren Kumari <warren@kumari.net> Thu, 19 October 2023 19:44 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/toTh3lLpu4W4OKthTsSgJC6N450>

I still don't understand why (other than marketing/advertising) this is
needed — the EDE "4.18. Extended DNS Error Code 17 - Filtered" ("The server
is unable to respond to the request because the domain is on a blocklist as
requested by the client. Functionally, this amounts to "you requested that
we filter domains like this one.") seems to cover it.

If browsers are willing to do anything with the EDE codes (like "ERROR:
Your DNS filtering provider says you shouldn't go here") what additional
**important** information needs to be communicated? And if browsers are not
willing to do anything with just EDE codes, it sure doesn't seem like they
would want to do that **and** follow an unauthenticated URL…

Anything more simply adds complexity and security risks, and entails
privacy concerns for the user too…

W


On Thu, Oct 19, 2023 at 4:05 AM, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org> wrote:

> Hi,
>
> I think that we have now 2 good potential compromises:
>
>    1. A browser interstitial page explaining that the following page is
>    generated by the service that blocked the actual page, with a button
>    indicating “proceed to the blocking page” and another “dismiss”
>    2. A graphical representation of the blocking page, rendered as image
>    with no clickable links, with a button indicating “proceed to the blocking
>    page” and another “dismiss”
>
> This would be understandable by customers and provide a good user
> experience and security.
>
> In addition we could start thinking about a reputation mechanism.
>
> Kind regards
>
> Gianpaolo
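As an added illustration (my own code, not part of this thread or of either draft), here is what a client actually gets from the existing mechanism Warren points to: the RFC 8914 Extended DNS Error option (EDNS option code 15) pulled out of an OPT record, with INFO-CODE 17 ("Filtered") mapped to the kind of notice described above. The OPT record and its EXTRA-TEXT are constructed for the example, and the text is treated as untrusted, display-only data rather than as a link to follow.

```python
import struct

EDE_OPTION_CODE = 15   # RFC 8914: Extended DNS Error EDNS0 option code
EDE_FILTERED = 17      # RFC 8914 section 4.18: INFO-CODE "Filtered"

def build_opt_rr(options):
    """Build a minimal OPT pseudo-RR (RFC 6891) carrying EDNS options.
    options: list of (option_code, option_data) pairs."""
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    # NAME '.' (one zero byte), TYPE=OPT(41), CLASS=UDP payload size 1232,
    # TTL field (ext-rcode/version/flags) = 0, then RDLENGTH and RDATA
    return b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata

def parse_ede(opt_rr):
    """Return [(info_code, extra_text), ...] for every EDE option present."""
    (rdlen,) = struct.unpack_from("!H", opt_rr, 9)  # RDLENGTH after NAME+TYPE+CLASS+TTL
    rdata = opt_rr[11:11 + rdlen]
    found, pos = [], 0
    while pos + 4 <= len(rdata):
        code, olen = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        data, pos = rdata[pos:pos + olen], pos + olen
        if code == EDE_OPTION_CODE and len(data) >= 2:
            info = struct.unpack_from("!H", data)[0]
            # EXTRA-TEXT is optional UTF-8 chosen by the resolver operator:
            # decode defensively and treat it purely as opaque display text
            found.append((info, data[2:].decode("utf-8", errors="replace")))
    return found

def user_message(ede_entries):
    """Turn a Filtered EDE into a plain-text notice; nothing in it is auto-followed."""
    for info, text in ede_entries:
        if info == EDE_FILTERED:
            notice = "Your DNS filtering provider says you shouldn't go here"
            return f"{notice} (resolver says: {text})" if text else notice
    return None

# Constructed sample: a Filtered EDE with operator-supplied EXTRA-TEXT
SAMPLE_OPT = build_opt_rr([
    (EDE_OPTION_CODE, struct.pack("!H", EDE_FILTERED) + b"blocked: malware category"),
])

if __name__ == "__main__":
    print(user_message(parse_ede(SAMPLE_OPT)))
```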