diff --git a/draft-ietf-dnsop-structured-dns-error-page.txt b/draft-ietf-dnsop-structured-dns-error-page.txt index a1d2201..ed5bfa8 100644 --- a/draft-ietf-dnsop-structured-dns-error-page.txt +++ b/draft-ietf-dnsop-structured-dns-error-page.txt 
@@ -75,25 +75,24 @@ Copyright Notice Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 - 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Limitations of Filtering techniques . . . . . . . . . . . . . 4 4. I-JSON in EXTRA-TEXT field . . . . . . . . . . . . . . . . . 6 5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7 5.1. Client Generating Request . . . . . . . . . . . . . . . . 7 5.2. Server Generating Response . . . . . . . . . . . . . . . 7 - 5.3. Client Processing Response . . . . . . . . . . . . . . . 8 + 5.3. Client Processing Response . . . . . . . . . . . . . . . 7 6. Interoperation with RPZ Servers . . . . . . . . . . . . . . . 9 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 - 9. IANA Considerationsd . . . . . . . . . . . . . . . . . . . . 11 - 9.1. New registry for SubError Codes . . . . . . . . . . . . . 12 - 10. Initial Sub-errors . . . . . . . . . . . . . . . . . . . . . 13 - 11. Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 - 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 - 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 - 13.1. Normative References . . . . . . . . . . . . . . . . . . 15 - 13.2. Informative References . . . . . . . . . . . . . . . . . 15 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 + 9.1. New registry for SubError Codes . . . . . . . . . . . . . 11 + 10. Initial Sub-errors . . . . . . . . . . . . . . . . . . . . . 12 + 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 + 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 + 12.1. Normative References . . . . . . . . . . . . . . . . . . 13 + 12.2. Informative References . . . . 
. . . . . . . . . . . . . 14 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 1. Introduction @@ -106,6 +105,7 @@ Table of Contents same reasons as above and additionally for parental control. Internet Service Providers typically block access to some DNS domains due to a requirement imposed by an external entity (e.g., law + enforcement agency) also performed using DNS-based content filtering. @@ -114,8 +114,6 @@ Wing, et al. Expires 7 August 2023 [Page 2] Internet-Draft Data for Filtered DNS February 2023 - enforcement agency) also performed using DNS-based content filtering. - Users of DNS services which perform filtering may wish to receive more information about such filtering to resolve problems with the filter -- for example to contact the administrator to allowlist a @@ -125,8 +123,6 @@ Internet-Draft Data for Filtered DNS February 2023 administrator to resolve erroneous filtering, log the information, or other uses. - - For both DNS filtering mechanisms described in Section 4 of (Section 3), the DNS server can return extended error codes Blocked, Censored, Filtered, or Forged Answer defined in Section 4 of @@ -157,19 +153,6 @@ Internet-Draft Data for Filtered DNS February 2023 mechanism for better transparency to explain to the users why some DNS queries are filtered. - - - - - - - - -Wing, et al. Expires 7 August 2023 [Page 3] - -Internet-Draft Data for Filtered DNS February 2023 - - 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", @@ -180,6 +163,13 @@ Internet-Draft Data for Filtered DNS February 2023 This document uses terms defined in DNS Terminology [RFC8499]. + + +Wing, et al. Expires 7 August 2023 [Page 3] + +Internet-Draft Data for Filtered DNS February 2023 + + "Requestor" refers to the side that sends a request. "Responder" refers to an authoritative, recursive resolver or other DNS component that responds to questions. Other terminology is used here as 
@@ -218,14 +208,6 @@ Internet-Draft Data for Filtered DNS February 2023 * However, configuring the local root certificate on endpoints is not a viable option in several deployments like home networks, schools, Small Office/Home Office (SOHO), and Small/ - - - -Wing, et al. Expires 7 August 2023 [Page 4] - -Internet-Draft Data for Filtered DNS February 2023 - - Medium Enterprise (SME). In these cases, the typical behavior is that the filtered DNS response points to a server that will display the block page. If the client is using HTTPS (via web @@ -236,6 +218,14 @@ Internet-Draft Data for Filtered DNS February 2023 website was not issued by a trusted certificate authority" (Internet Explorer/Edge"), "The site's security certificate is not trusted" (Chrome), "This Connection is Untrusted" + + + +Wing, et al. Expires 7 August 2023 [Page 4] + +Internet-Draft Data for Filtered DNS February 2023 + + (Firefox), "Safari can't verify the identity of the website..." (Safari on MacOS). Applications might display even more cryptic error messages. @@ -269,6 +259,16 @@ Internet-Draft Data for Filtered DNS February 2023 Frustrated, the end user may use insecure connections to reach the domain, potentially compromising both security and privacy. + 3. The extended error codes Blocked, Censored, and Filtered defined + in Section 4 of [RFC8914] can be returned by a DNS server to + provide additional information about the cause of an DNS error. + If the extended error code "Forged Answer" defined in Section 4.5 + of [RFC8914] is returned by the DNS server, the client can + identify the DNS response is forged together with the reason for + HTTPS certificate error. + + + 
@@ -282,14 +282,6 @@ Wing, et al. Expires 7 August 2023 [Page 5] Internet-Draft Data for Filtered DNS February 2023 - 3. The extended error codes Blocked, Censored, and Filtered defined - in Section 4 of [RFC8914] can be returned by a DNS server to - provide additional information about the cause of an DNS error. - If the extended error code "Forged Answer" defined in Section 4.5 - of [RFC8914] is returned by the DNS server, the client can - identify the DNS response is forged together with the reason for - HTTPS certificate error. - 4. These extended error codes do not suffer from the limitations discussed in bullets (1) and (2), but the user still does not know the exact reason nor he/she is aware of the exact entity @@ -330,14 +322,6 @@ Internet-Draft Data for Filtered DNS February 2023 This field is optional. o: (organization) UTF-8-encoded human-friendly name of the - - - -Wing, et al. Expires 7 August 2023 [Page 6] - -Internet-Draft Data for Filtered DNS February 2023 - - organization that filtered this particular DNS query. This field is optional. @@ -347,12 +331,19 @@ Internet-Draft Data for Filtered DNS February 2023 U+0039, and U+002D). These names MUST be 63 characters or shorter and it is RECOMMENDED they be as short as possible. + + +Wing, et al. Expires 7 August 2023 [Page 6] + +Internet-Draft Data for Filtered DNS February 2023 + + The text in the "j" and "o" names can include international characters. If the text is displayed in a language not known to the end user, browser extensions to translate to user's native language - can be used. For example, "Google Translate" extension [Chrome- - Translate] provided by Google on Chrome can be used to translate the - text. + can be used. For example, "Google Translate" extension + [Chrome-Translate] provided by Google on Chrome can be used to + translate the text. To reduce packet overhead the generated JSON SHOULD be as short as possible: short domain names, concise text in the values for the "j" 
@@ -384,24 +375,24 @@ Internet-Draft Data for Filtered DNS February 2023 responses (e.g., 2 seconds) to handle domain category and reputation updates. +5.3. Client Processing Response + On receipt of a DNS response with an Extended DNS Error option, the + following actions are performed if the EXTRA-TEXT field contains + valid JSON: + * The response MUST be received over an encrypted DNS channel. If + not, the requestor MUST discard data in the EXTRA-TEXT field. -Wing, et al. Expires 7 August 2023 [Page 7] - -Internet-Draft Data for Filtered DNS February 2023 -5.3. Client Processing Response - On receipt of a DNS response with an Extended DNS Error option, the - following actions are performed if the EXTRA-TEXT field contains - valid JSON: +Wing, et al. Expires 7 August 2023 [Page 7] + +Internet-Draft Data for Filtered DNS February 2023 - * The response MUST be received over an encrypted DNS channel. If - not, the requestor MUST discard data in the EXTRA-TEXT field. * The response MUST be received from a DNS server which advertised EDE support via a trusted channel, e.g., RESINFO @@ -443,13 +434,6 @@ Internet-Draft Data for Filtered DNS February 2023 opportunistic privacy profiles as defined in [RFC8310] only apply to DoT; there has been no such distinction made for DoH. - - -Wing, et al. Expires 7 August 2023 [Page 8] - -Internet-Draft Data for Filtered DNS February 2023 - - * If the DNS client determines that the encrypted DNS server does not offer DNS filtering service, it MUST discard the EXTRA-TEXT field of the EDE response. For example, the DNS client can learn 
@@ -457,6 +441,15 @@ Internet-Draft Data for Filtered DNS February 2023 filtering or not by retrieving resolver information using the method defined in [I-D.reddy-add-resolver-info]. + + + + +Wing, et al. Expires 7 August 2023 [Page 8] + +Internet-Draft Data for Filtered DNS February 2023 + + * When a forwarder receives an EDE option, whether or not (and how) to pass along JSON information in the EXTRA-TEXT on to their client is implementation dependent [RFC5625]. Implementations MAY @@ -489,23 +482,6 @@ Internet-Draft Data for Filtered DNS February 2023 DNS "A" record query for 'example.org' is shown in Figure 1. - - - - - - - - - - - - -Wing, et al. Expires 7 August 2023 [Page 9] - -Internet-Draft Data for Filtered DNS February 2023 - - { "c": [ "tel:+358-555-1234567", @@ -523,6 +499,13 @@ Internet-Draft Data for Filtered DNS February 2023 In Figure 2 the same content is shown with minified JSON (no whitespace, no blank lines) with '\' line wrapping per [RFC8792]. + + +Wing, et al. Expires 7 August 2023 [Page 9] + +Internet-Draft Data for Filtered DNS February 2023 + + ============== NOTE: '\' line wrapping per RFC 8792 =============== {"c":["tel:+358-555-1234567","sips:bob@bobphone.example.com", \ @@ -554,14 +537,6 @@ Internet-Draft Data for Filtered DNS February 2023 When displaying the free-form text of "c" and "o", the browser SHOULD NOT make any of those elements into actionable (clickable) links. - - - -Wing, et al. Expires 7 August 2023 [Page 10] - -Internet-Draft Data for Filtered DNS February 2023 - - An attacker might inject (or modify) the EDE EXTRA-TEXT field with an DNS proxy or DNS forwarder that is unaware of EDE. Such a DNS proxy or DNS forwarder will forward that attacker-controlled EDE option. 
@@ -571,7 +546,7 @@ Internet-Draft Data for Filtered DNS February 2023 [I-D.reddy-add-resolver-info], RESINFO should be retrieved over an encrypted DNS channel or integrity protected with DNSSEC. -9. IANA Considerationsd +9. IANA Considerations This document requests IANA to register the "application/ json+structured-dns-error" media type in the "Media Types" registry @@ -582,38 +557,7 @@ Internet-Draft Data for Filtered DNS February 2023 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Wing, et al. Expires 7 August 2023 [Page 11] +Wing, et al. Expires 7 August 2023 [Page 10] Internet-Draft Data for Filtered DNS February 2023 @@ -669,7 +613,7 @@ Internet-Draft Data for Filtered DNS February 2023 -Wing, et al. Expires 7 August 2023 [Page 12] +Wing, et al. Expires 7 August 2023 [Page 11] Internet-Draft Data for Filtered DNS February 2023 
@@ -718,77 +662,27 @@ Internet-Draft Data for Filtered DNS February 2023 Table 1 -11. Changes - - This section is to be removed before publishing as an RFC. -Wing, et al. Expires 7 August 2023 [Page 13] - -Internet-Draft Data for Filtered DNS February 2023 -11.1. Changes from 03 to 04 - * Clarified text content is for IT staff - - * Introduced 'suberror' terminology and associated IANA registration - -11.2. Changes from 02 to 03 - - * Require using RESINFO [I-D.reddy-add-resolver-info] in client - processing and added discussion of attack mitigation of using - RESINFO. - - * Removed validation of URI domain suffix, which we can't do for - some URLs (e.g., tel:), is difficult/impossible for others when - 3rd party is handling level one support (e.g., sips:). Instead - rely on RESINFO telling us if EDE is supported by the DNS server - and, if so, expect it to properly support EDE rather than blindly - forward an unknown DNS option. - - * Removed 'partial URI' text - -11.3. Changes from 01 to 02 - - * repurpose Extended DNS Error's EXTRA-TEXT field to carry JSON, - which also means this document updates RFC8914 - - * clarified DNS forwarders might forward EXTRA-TEXT without change - or might rewrite "j" and "d" - -11.4. Changes from 00 to 01 - - * removed support for multiple responsible parties - - * one-character JSON names to minimize JSON length - - * partial URI sent in "c" and "r" names, combined with "d" name sent - in JSON to minimize attack surface and minimize JSON length +Wing, et al. Expires 7 August 2023 [Page 12] + +Internet-Draft Data for Filtered DNS February 2023 - * moved EDNS(0) forgery-mitigation text, some Security - Considerations text, and some other text from - [I-D.reddy-dnsop-error-page] to this document -12. Acknowledgements +11. Acknowledgements Thanks to Vittorio Bertola, Wes Hardaker, Ben Schwartz, Erid Orth, Viktor Dukhovni, Warren Kumari, Paul Wouters, John Levine and Bob Harold for the comments. +12. References - - -Wing, et al. 
Expires 7 August 2023 [Page 14] - -Internet-Draft Data for Filtered DNS February 2023 - - -13. References - -13.1. Normative References +12.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, @@ -826,22 +720,23 @@ Internet-Draft Data for Filtered DNS February 2023 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . - [RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles - for DNS over TLS and DNS over DTLS", RFC 8310, - DOI 10.17487/RFC8310, March 2018, - . -13.2. Informative References - -Wing, et al. Expires 7 August 2023 [Page 15] +Wing, et al. Expires 7 August 2023 [Page 13] Internet-Draft Data for Filtered DNS February 2023 + [RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles + for DNS over TLS and DNS over DTLS", RFC 8310, + DOI 10.17487/RFC8310, March 2018, + . + +12.2. Informative References + [Chrome-Translate] "Google Translate", . - [I-D.reddy-dnsop-error-page] - Reddy.K, T., Cook, N., Wing, D., and M. Boucadair, "DNS - Access Denied Error Page", Work in Progress, Internet- - Draft, draft-reddy-dnsop-error-page-08, 4 June 2021, - . - [IANA-MediaTypes] IANA, "Media Types", . @@ -893,7 +781,7 @@ Internet-Draft Data for Filtered DNS February 2023 -Wing, et al. Expires 7 August 2023 [Page 16] +Wing, et al. Expires 7 August 2023 [Page 14] Internet-Draft Data for Filtered DNS February 2023 @@ -913,8 +801,7 @@ Internet-Draft Data for Filtered DNS February 2023 DOI 10.17487/RFC9250, May 2022, . - [RPZ] Wikipedia, "Response policy zone", - . + [RPZ] "Response Policy Zone", . Authors' Addresses @@ -949,4 +836,5 @@ Authors' Addresses -Wing, et al. Expires 7 August 2023 [Page 17] + +Wing, et al. Expires 7 August 2023 [Page 15]
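Review bot: In hunk @@ -718,77 +662,27 @@, deleting Section 11 "Changes" while the document is still an Internet-Draft (every header in this patch still reads "Expires 7 August 2023") throws away the per-revision change log that WG reviewers rely on to diff -04 against -05; the section's own first line says it is "to be removed before publishing as an RFC", so keep it until the RFC Editor stage or say in the commit why it goes now. Two facts recorded only in the removed text should be verified to survive elsewhere in the body: the 11.3 entry "which also means this document updates RFC8914", and the 11.4 entry saying forgery-mitigation and Security Considerations text was moved here from [I-D.reddy-dnsop-error-page].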
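Review bot: In hunk @@ -826,22 +720,23 @@, [RFC8310] is moved from Normative to Informative References with no visible justification. The only citation in this diff is the context in hunk @@ -443 ("the opportunistic privacy profiles as defined in [RFC8310] only apply to DoT"), which is a note rather than a requirement, so the downgrade is defensible, but changing the normative dependency set deserves a one-line note in the change log rather than a silent move (and the same patch deletes the change log). The same hunk drops [I-D.reddy-dnsop-error-page]; the only reference to it visible here was in the removed 11.4 entry, so confirm with a grep of the source that no body text still cites it, otherwise the build will flag a dangling reference.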
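Review bot: In hunk @@ -913,8 +801,7 @@, the [RPZ] entry loses its "Wikipedia" attribution and becomes a bare title; the URL target is not visible in this extracted diff. If the link still points at the Wikipedia article, removing the source name makes an encyclopedia entry read like a specification reference. If it was retargeted to an actual RPZ specification, cite that document in the same form as the other entries (authors, title, stable URL) rather than a title alone.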
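Review bot: In hunks @@ -269,6 +259,16 @@ and @@ -282,14 +282,6 @@, bullet 3 is re-emitted verbatim to move it across the page break; since those lines are being touched anyway, fix the grammar in them: "the cause of an DNS error" should read "the cause of a DNS error", and "the client can identify the DNS response is forged together with the reason for HTTPS certificate error" should read "the client can identify that the DNS response is forged, and thus the reason for the HTTPS certificate error".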
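Review bot: In hunk @@ -384,24 +375,24 @@ (and the other footer-shuffling hunks at -106, -218, -330, -443, -489, -554, -582), the interleaved +/- lines are pure repagination of the rendered .txt and make it hard to spot the substantive changes in this patch (the TOC renumbering, the Changes-section deletion, the reference moves). Please review and commit the XML source instead, or generate this diff with blank-line and whitespace changes ignored, so the page-footer noise does not mask real edits.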