IETF Logo Mail Archive

[DNSOP] Re: AD review of draft-ietf-dnsop-structured-dns-error-19

tirumal reddy <kondtir@gmail.com> Thu, 07 May 2026 05:33 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8D318EA4EB22 for <dnsop@mail2.ietf.org>; Wed, 6 May 2026 22:33:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1778131980; bh=qKbNSKnQZll0ekoVMa3MzH3Jun2LNqaiUnw92dw6gXs=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=uyjK58Q4MV/xPa1hNWjVa62owIO1gOc1GLK4qFE09v9ALcbsyQEnjpU5zsmUjq25s h3yYNFTUQa7urkvYWsVRl9ASD2XL7E71p65b+uNdYwJqQt1rX/emTA02PSnQ35A8im 38wFGWQ7Wir2oxuhTl0WrQg0VsWF5ikE8PD6uj3I=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, THIS_AD=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SIzXvnckV2Ma for <dnsop@mail2.ietf.org>; Wed, 6 May 2026 22:32:59 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7E899EA4EB12 for <dnsop@ietf.org>; Wed, 6 May 2026 22:32:59 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-67c3cb1433cso619374a12.0 for <dnsop@ietf.org>; Wed, 06 May 2026 22:32:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1778131973; cv=none; d=google.com; s=arc-20240605; b=ZxM7D0BtsEamfnER+QPW4eRzkc+oe15CzdvxTlvKamiDkFlQAf/A816824umsLsTIe 64Y0Ywf9A1KVpCoIX6s4GQp13zgRPYGWJFYtu+lZdo6hu2N8xTxX1BHlhrZoNlpv9dDV UBuOAdhp2zd6AsM5y/cpo3JHkqnmBryVW1fSh2i8wLYWHviev9Sr3OIVQ6h6A3oSqbTH x+xayKZQQirNxdqVIdoLTTmb0gnr2ffTIZfJ8jico8A2xfplrTJ3ZPc1+IAPuwSpcC/R xcsQh2ih5LY8jC7/NokYL02l645twZzC8t1naloGEMsi2d9kYPJSlekK7Q/d3D48g33G rJDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=+uJsavXdLTwGF/5GHJTM+0zNAjM8sXDC/UY4Uwi2jX8=; fh=pWfifuVPrCpfT7NUK3sRZazIk6kpyprFh/DHw9rkDKY=; b=elgtetlsB+4dYxQuMzaHF/uHO3bu/7Dd7EfsGFaO6oWq7FzX61l5yU5MmUqD1p3abx cwHPOjWWGpXJxEvtFAU6e5OTBPXN6Fg+H43HOvysCNgRbt8S6uA0X2JB7fKnhDx4aAlX pootxxKRUdMJogSpZAaaaox4BFvnutJbdYA1WuqCi8EkImgROOjjmxVkbaHk6l+wqWbR JxmD24+SpnKDUfTMuPFP71xSjbW/LEBI/PjBzXpktUifRybN79F8o6pM3dKzoLhXgA0p wxfalPbvx+5AZ7x4inYC7Dj+sogJz+qXHBVHH3p2rC42YL3mP7W0M7nXj6g/gIjYsT+v iJ6w==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778131973; x=1778736773; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+uJsavXdLTwGF/5GHJTM+0zNAjM8sXDC/UY4Uwi2jX8=; b=s2cP+E1MFjWDUcbNJqJx2b+DqLumIbhbv84ci/49gtFEsG8DX2bKKDXJu+uoGrDEmt SubJZCamyZGxf2xIuh09P1YC1IleXHZtrn7NQcsdbFp19D0A2qqUFzBxBRGOlqk+4bA7 iHZcyAzFttDi5Z040Vhto43h6vDK3AiK7adqcmO18rivbPKysLHByFcwU8DGLyfx0cfD 06b08mB00BOCq67o7s1RVrLBWri2Sy0E3zjXIb8bxo2twdgDicyQtt4rFk68H2iMdVmc X27rXzkIPsALk30q3H+qtT8KhtQF2Dz6esK9JGQ/5VjMgxOG70dPKTuRqiRRPhSYNUhE lItg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778131973; x=1778736773; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=+uJsavXdLTwGF/5GHJTM+0zNAjM8sXDC/UY4Uwi2jX8=; b=GXbKhsDulhSLr6EDQ60pRchDOJp2XYMrwG74qsrztilCzxCoUglV+ZIOHURJ1MXUF3 IfnAGdGXRdUqtWTDi5WG3nDv0js+6nVBCIj0ylAvKtJbb5yfXjp3Goc4bFETaY7dOA+8 Heo6fcsswWbc4PK8sqSx+zTJoO4zLt8V/6xSKvbwY+Wme63bncMTkmEeDWFozfLsBFvy +XjOTWtA20wcBjWKlwxs0oNuV5thNpx53jPqFvABpvNZW5kGqKVG5A/6MteJkMmCr2fW u0GNbFn0V/ocCT0QvOuGA16E8LTvIpP68saIhTKsmLsMiTvS9dHAj0xhBr2wNRgplYZC wa7g==
X-Gm-Message-State: AOJu0YzpfMr4vW/y5+1nSJMPQ2qY20o27Z92gO95/jctb+uwnWMCod+1 heXl39V0LMkYEWd2Dpwk7MkWuWnmkuemjpmpG7TM4Gs/BOWwXeDham0Y11/QsnbeJaX/8JldCej e4U3nJRTtzIrKsTDhribZKfqJhHd9mVfvs8qE
X-Gm-Gg: AeBDieu0H4vUbczdluESq35lZC7dFb/ZLrDyrq7rQH1pVxKfuVJkFfFSxVsrzHdDQaP FmgewFhnZEMllVxhmMExNSsUi2kVuO3TdFL4UmLA380HcUtyeFqul0r1A2PPnigKBdNeaE97EoA ZyovhB18rvaxM071fPhFu4boX+t8nRYwk1dNPZ9HC/np9Dwsez2Fpz9dLy47Q/pB0e7nvUOswRE uX5qFA8plpHlL2Qny0KAEzIhY89VvD5DkOMyvtEMNWFx8RmSYyaZ2qScmcusnbyyz5zZ0OnnJ/z NnEVgPfqEiwB0wnLoymiiKaokNA=
X-Received: by 2002:a05:6402:21d3:b0:671:a18b:32b8 with SMTP id 4fb4d7f45d1cf-67d6201ec96mr3191673a12.0.1778131972258; Wed, 06 May 2026 22:32:52 -0700 (PDT)
MIME-Version: 1.0
References: <PH0PR11MB49665D117EA1C0C920A1ED0FA93E2@PH0PR11MB4966.namprd11.prod.outlook.com>
In-Reply-To: <PH0PR11MB49665D117EA1C0C920A1ED0FA93E2@PH0PR11MB4966.namprd11.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 07 May 2026 11:02:15 +0530
X-Gm-Features: AVHnY4L6sZ2fFO3mG9MnUBURDiqYswfq43bD4-5ZdqncNCd38nEBEtGJH4BZYps
Message-ID: <CAFpG3geNkMs=_HeeirUcRX2-GXW5wEHZiYTLUj0Q_5CYVeVmWQ@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Content-Type: multipart/alternative; boundary="00000000000091feb20651339c52"
Message-ID-Hash: SWLJK6UL2OPXOC5JM3FKI56KFCDATP3D
X-Message-ID-Hash: SWLJK6UL2OPXOC5JM3FKI56KFCDATP3D
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org WG" <dnsop@ietf.org>, Dan Wing <danwing@gmail.com>, "neil.cook@noware.co.uk" <neil.cook@noware.co.uk>, Mohamed Boucadair <mohamed.boucadair@orange.com>, Benno Overeinder <benno@nlnetlabs.nl>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: AD review of draft-ietf-dnsop-structured-dns-error-19
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yFN8iI1ywN2MFhxNe4MD-71-YiE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Eric,

Thanks for the detailed review. I raised PR
https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error/pull/88
to address most of your comments. Please see the inline responses for
comments where the draft is not updated.

On Tue, 5 May 2026 at 19:38, Eric Vyncke (evyncke) <evyncke@cisco.com>
wrote:

> [As Med is a co-author, he cannot be the responsible AD for this document,
> hence, I have been selected as the responsible AD]
>
> # Éric Vyncke, INT AD, AD review for
> draft-ietf-dnsop-structured-dns-error-19
> CC @evyncke
>
> Thank you for the work put into this document. It is very easy to read.
>
> Please find below my AD review.
>
> As the responsible AD, I expect all the points below to be addressed,
> either by a revised I-D, or an email reply. Of course, authors and WG can
> reject my points, but this needs to be justified. Once all the points are
> addressed, I will proceed with the publication process, i.e., IETF Last
> Call.
>
> Special thanks to Benno Overeinder for the shepherd's detailed write-up
> including the WG consensus, the history behind the 2nd "publication
> request", and the justification of the intended status.
>
> I hope that this review helps to improve the document,
>
> Regards,
>
> -éric
>
> Note: this AD reviews follows the Markdown syntax of
> https://github.com/mnot/ietf-comments/tree/main, i.e., they can be
> processed by a tool to create github issues.
>
> ## Critical issues
>
> ### Shepherd's write-up
>
> Q18 got it wrong as sections 11.2 et al. request the creation of a new
> registry.
>
> ### Abstract
>
> I am not sure whether `including *network* security` is correct as it does
> not really protect the network per se but more the IT system or the end
> users. Suggest either rephrase it or remove it.
>

"network security" is appropriate: an endpoint infected with malware can
scan the attached network for vulnerabilities and perform lateral movement.
DNS filtering that blocks communication with C2 server serves a network
security purpose.


>
> ### Section 1
>
> Why not adding a reference to RFC 7754 section 6 `promptly informing the
> endpoint that blocking has occurred provide necessary transparency to
> redress any errors, particularly as they relate to any collateral damage
> introduced by errant filter`?
>

> ### Section 3
>
> In bullet 1, `The HTTPS server hosted on the network security device will
> have access to the client's IP address and the hostname being requested. `,
> isn't this the same issue with DNS server in all 3 scenarios ? The
> difference there is for the *path* component and not the *host* part of the
> URL.
>

Yes, the block-page server additionally learns the URL path component,
revealing more about the specific resource the end user attempted to
access. Updated text accordingly.


>
> ### Section 4
>
> `IT/InfoSec team` or "DNS operator" or "DNS administrator" as used later
> in the section?
>

The "c" field contains the contact details of the IT/InfoSec team that the
end-user needs to reach to report misclassified filtering. "DNS
administrator" elsewhere in the section refers to the party operating the
DNS server. These are distinct roles.


>
> As a resident of a country, Belgium, with THREE national languages (not to
> mention the common use of English), I find *VERY* limiting the use of a
> single language... Why not an array of languages ? or a 'accept language'
> in the DNS query SDE option? Relying on `optionally translate it` is
> wishful thinking (especially for small messages).
>

Adding a preferred language field to the SDE option in the query is
appealing, similar to the HTTP Accept-Language header where the client
sends a list of preferred languages and the server picks the best match.
However, it would require a non-trivial wire format change to the SDE
option, which currently has no OPTION-DATA, as well as updates to the
client request and server-side processing.

Furthermore, the "l" field already allows clients to identify the language
and invoke machine translation.

If you insist on this change, I am open to discuss with my co-authors to
update the draft.


>
> Can the JSON object be empty as all JSON names are optional ? Should there
> be text about this special case ?
>

This case is already handled in Step 5 of {{client-processing}}, which
requires the client to discard the JSON object if none of the "c", "j", or
"s" fields are present or all have empty values.


>
> Why JSON and not CBOR ?
>

JSON was chosen over CBOR as the structured message is sent over an
encrypted DNS transport (e..g, DoT, DoH, DoQ) which handles fragmentation.


>
> ### Section 5.2
>
> What can the server do when there are several blocking causes (e.g.,
> malware + court order)?
>


When multiple blocking causes apply, the "j" field can be used to provide
additional context about all applicable causes.


>
> ### Section 5.3
>
> What is the client behavior when receiving more than 1 EDE option ?
>

{{!RFC8914}} already addresses this: "Senders MAY include more than one EDE
option and receivers MUST be able to accept (but not necessarily process or
act on) multiple EDE options in a DNS message."


>
> Should bullet 2 and 3 be swapped ?
>
> ### Section 10
>
> Should there be a 'privacy considerations' sub-section ?
>
> ### Section 11
>
> "IETF review" seems like a pretty high bar to me, why not "specification
> required" ?
>

The "IETF Review" policy was deliberately chosen to prevent registration of
sub-error codes that could conflict with IETF policy. A lower bar like
"Specification Required" would not provide sufficient oversight to prevent
such registrations.


>
> ### Section 11.2
>
> Please add a field in table 1 for "Mandatory (Y/N?)".
>

  All current fields are optional and the draft already requires that
future extensions must not introduce mandatory fields for backward
compatibility.


>
> ## Non-critical / cosmetic issues
>
> Note: these points must also be addressed.
>
> ### Section 3
>
> s/succesfully/successfully/
> s/a end user/an end user/ (more than once)
>
> For readability, I wonder whether `This document defines a structured,
> machine-readable....` part should appear either as a new paragraph in
> bullet 3 or even outside of the bulleted list (of course adding a reference
> to bullet #3).
>
> ### Section 8
>
> Consider using a 'dig' request to show the SDE & EDE encoding. BTW, the
> length of the example is about 100 octets... hence a justification for not
> using CBOR is mostly required.
>
> ### Section 11
>
> The formats and apparences of the sub-sections are all different (use of
> bullet, bold, ...), please fix.
>

Could you please elaborate on the formatting inconsistencies you observed
in Section 11 ?

Cheers,
-Tiru

v2.46.0 | Report a Bug | By Email | System Status