-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathdnsop-structured-dns-error-page.txt
896 lines (587 loc) · 34.8 KB
/
dnsop-structured-dns-error-page.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
DNSOP WG D. Wing
Internet-Draft Citrix
Updates: 8914 (if approved) T. Reddy
Intended status: Standards Track Nokia
Expires: 25 March 2023 N. Cook
Open-Xchange
M. Boucadair
Orange
21 September 2022
Structured Data for Filtered DNS
draft-wing-dnsop-structured-dns-error-page-05
Abstract
DNS filtering is widely deployed for network security, but filtered
DNS responses lack information for the end user to understand the
reason for the filtering. Existing mechanisms to provide detail to
end users cause harm especially if the blocked DNS response is to an
HTTPS website.
This document updates the EXTRA-TEXT field of Extended DNS Error to
provide details on the DNS filtering. This information can be parsed
by the client and displayed, logged, or used for other purposes.
This document updates RFC 8914.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 25 March 2023.
Wing, et al. Expires 25 March 2023 [Page 1]
Internet-Draft Data for Filtered DNS September 2022
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Limitations of Filtering techniques . . . . . . . . . . . . . 4
4. I-JSON in EXTRA-TEXT field . . . . . . . . . . . . . . . . . 6
5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7
5.1. Client Generating Request . . . . . . . . . . . . . . . . 7
5.2. Server Generating Response . . . . . . . . . . . . . . . 7
5.3. Client Processing Response . . . . . . . . . . . . . . . 7
6. Interoperation with RPZ Servers . . . . . . . . . . . . . . . 9
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 9
8. Security Considerations . . . . . . . . . . . . . . . . . . . 10
9. IANA Considerationsd . . . . . . . . . . . . . . . . . . . . 10
9.1. New registry for SubError Codes . . . . . . . . . . . . . 11
10. Initial Sub-errors . . . . . . . . . . . . . . . . . . . . . 12
11. Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
12.1. Normative References . . . . . . . . . . . . . . . . . . 13
12.2. Informative References . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
DNS filters are deployed for a variety of reasons including endpoint
security, parental filtering, and filtering required by law
enforcement. Network-based security solutions such as firewalls and
Intrusion Prevention Systems (IPS) rely upon network traffic
inspection to implement perimeter-based security policies and operate
by filtering DNS responses. In a home, DNS filtering is used for the
same reasons as above and additionally for parental control.
Internet Service Providers typically block access to some DNS domains
due to a requirement imposed by an external entity (e.g., law
enforcement agency) also performed using DNS-based content filtering.
Wing, et al. Expires 25 March 2023 [Page 2]
Internet-Draft Data for Filtered DNS September 2022
Users of DNS services which perform filtering may wish to receive
more information about such filtering to resolve problems with the
filter -- for example to contact the administrator to allowlist a
domain that was erroneously filtered or to understand the reason a
particular domain was filtered. With that information, the user can
choose another network, open a trouble ticket with the DNS
administrator to resolve erroneous filtering, log the information, or
other uses.
For both DNS filtering mechanisms described in Section 4 of
(Section 3), the DNS server can return extended error codes Blocked,
Censored, Filtered, or Forged Answer defined in Section 4 of
[RFC8914]. However, these codes only explain that filtering occurred
but lack detail for the user to diagnose erroneous filtering.
No matter which type of response is generated (forged IP address(es),
NXDOMAIN or empty answer, even with an extended error code), the user
who triggered the DNS query has little chance to understand which
entity filtered the query, how to report a mistake in the filter, or
why the entity filtered it at all. This document describes a
mechanism to provide such detail.
One of the other benefits of this approach is to eliminate the need
to "spoof" block pages for HTTPS resources. This is achieved since
clients implementing this approach would be able to display a
meaningful error message, and would not need to connect to such a
block page. This approach thus avoids the need to install a local
root certificate authority on those IT-managed devices.
This document describes a format for computer-parsable data in the
EXTRA-TEXT field of Extended DNS Errors [RFC8914].
This document does not recommend DNS filtering but provides a
mechanism for better transparency to explain to the users why some
DNS queries are filtered.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses terms defined in DNS Terminology [RFC8499].
Wing, et al. Expires 25 March 2023 [Page 3]
Internet-Draft Data for Filtered DNS September 2022
"Requestor" refers to the side that sends a request. "Responder"
refers to an authoritative, recursive resolver or other DNS component
that responds to questions. Other terminology is used here as
defined in the RFCs cited by this document.
"Encrypted DNS" refers to any encrypted scheme to convey DNS
messages, for example, DNS-over-HTTPS [RFC8484], DNS-over-TLS
[RFC7858], or DNS-over-QUIC [RFC9250].
3. Limitations of Filtering techniques
DNS responses can be filtered by sending a bogus (also called,
"forged") A or AAAA response, NXDOMAIN error or empty answer, or an
extended DNS error (EDE) code defined in [RFC8914]. Each of these
methods have advantages and disadvantages that are discussed below:
1. The DNS response is forged to provide a list of IP addresses that
points to an HTTP(S) server alerting the end user about the
reason for blocking access to the requested domain (e.g.,
malware). When an HTTP(S) enabled domain name is blocked, the
network security device (e.g., CPE, firewall) presents a block
page instead of the HTTP response from the content provider
hosting that domain. If an HTTP enabled domain name is blocked,
the network security device intercepts the HTTP request and
returns a block page over HTTP. If an HTTPS enabled domain is
blocked, the block page is also served over HTTPS. In order to
return a block page over HTTPS, man in the middle (MITM) is
enabled on endpoints by generating a local root certificate and
an accompanying (local) public/private key pair. The local root
certificate is installed on the endpoint while the network
security device(s) stores a copy of the private key. During the
TLS handshake, the network security device modifies the
certificate provided by the server and (re)signs it using the
private key from the local root certificate.
* However, configuring the local root certificate on endpoints
is not a viable option in several deployments like home
networks, schools, Small Office/Home Office (SOHO), and Small/
Medium Enterprise (SME). In these cases, the typical behavior
is that the filtered DNS response points to a server that will
display the block page. If the client is using HTTPS (via web
browser or another application) this results in a certificate
validation error which gives no information to the end-user
about the reason for the DNS filtering. Browsers will display
errors such as "The security certificate presented by this
website was not issued by a trusted certificate authority"
(Internet Explorer/Edge"), "The site's security certificate is
not trusted" (Chrome), "This Connection is Untrusted"
Wing, et al. Expires 25 March 2023 [Page 4]
Internet-Draft Data for Filtered DNS September 2022
(Firefox), "Safari can't verify the identity of the
website..." (Safari on MacOS). Applications might display
even more cryptic error messages.
* Enterprise networks do not assume that all the connected
devices are managed by the IT team or Mobile Device Management
(MDM) devices, especially in the quite common Bring Your Own
Device (BYOD) scenario. In addition, the local root
certificate cannot be installed on IoT devices without a
device management tool.
* An end user does not know why the connection was prevented
and, consequently, may repeatedly try to reach the domain but
with no success. Frustrated, the end user may switch to an
alternate network that offers no DNS filtering against malware
and phishing, potentially compromising both security and
privacy. Furthermore, certificate errors train users to click
through certificate errors, which is a bad security practice.
To eliminate the need for an end user to click through
certificate errors, an end user may manually install a local
root certificate on a host device. Doing so, however, is also
a bad security practice as it creates a security vulnerability
that may be exploited by a MITM attack. When a manually
installed local root certificate expires, the user has to
(again) manually install the new local root certificate.
2. The DNS response is forged to provide a NXDOMAIN response to
cause the DNS lookup to terminate in failure. In this case, an
end user does not know why the domain cannot be reached and may
repeatedly try to reach the domain but with no success.
Frustrated, the end user may use insecure connections to reach
the domain, potentially compromising both security and privacy.
3. The extended error codes Blocked, Censored, and Filtered defined
in Section 4 of [RFC8914] can be returned by a DNS server to
provide additional information about the cause of an DNS error.
If the extended error code "Forged Answer" defined in Section 4.5
of [RFC8914] is returned by the DNS server, the client can
identify the DNS response is forged together with the reason for
HTTPS certificate error.
Wing, et al. Expires 25 March 2023 [Page 5]
Internet-Draft Data for Filtered DNS September 2022
4. These extended error codes do not suffer from the limitations
discussed in bullets (1) and (2), but the user still does not
know the exact reason nor he/she is aware of the exact entity
blocking the access to the domain. For example, a DNS server may
block access to a domain based on the content category such as
"Malware" to protect the endpoint from malicious software,
"Phishing" to prevent the user from revealing sensitive
information to the attacker, etc. A user needs to know the
contact details of the IT/InfoSec team to raise a complaint.
5. When a resolver or forwarder forwards the received EDE option,
the EXTRA-TEXT field only conveys the source of the error
(Section 3 of [RFC8914]) and does not provide additional textual
information about the cause of the error.
4. I-JSON in EXTRA-TEXT field
Servers that are compliant with this specification send I-JSON data
in the EXTRA-TEXT field [RFC8914] using the Internet JSON (I-JSON)
message format [RFC7493].
| Note that [RFC7493] was based on [RFC7159], but [RFC7159] was
| replaced by [RFC8259].
This document defines the following JSON names:
c: (contact) The contact details of the IT/InfoSec team to report
mis-classified DNS filtering. This field is structured as an
array of contact URIs (e.g., tel, sips, https). At least one
contact URI MUST be included. This field is mandatory.
j: (justification) the textual justification for this particular DNS
filtering. The field should be treated only as diagnostic
information for IT staff. This field is mandatory.
s: (suberror) the suberror code for this particular DNS filtering.
This field is optional.
o: (organization) human-friendly name of the organization that
filtered this particular DNS query. This field is optional.
New JSON names MUST be defined in the IANA registry (Section 9),
consist only of lower-case ASCII characters, digits, and hyphens
(that is, Unicode characters U+0061 through 007A, U+0030 through
U+0039, and U+002D). These names MUST be 63 characters or shorter
and it is RECOMMENDED they be as short as possible.
Wing, et al. Expires 25 March 2023 [Page 6]
Internet-Draft Data for Filtered DNS September 2022
To reduce packet overhead the generated JSON SHOULD be as short as
possible: short domain names, concise text in the values for the "j"
and "o" names, and minified JSON (that is, without spaces or line
breaks between JSON elements).
The JSON data can be parsed to display to the user, logged, or
otherwise used to assist the end-user or IT staff with
troubleshooting and diagnosing the cause of the DNS filtering.
5. Protocol Operation
5.1. Client Generating Request
When generating a DNS query, the client includes the Extended DNS
Error option Section 2 of [RFC8914] in the OPT pseudo-RR [RFC6891] to
elicit the Extended DNS Error option in the DNS response.
5.2. Server Generating Response
When the DNS server filters its DNS response to an A or AAAA record
query, the DNS response MAY contain an empty answer, NXDOMAIN, or a
forged A or AAAA response, as desired by the DNS server. In
addition, if the query contained the OPT pseudo-RR the DNS server MAY
return more detail in the EXTRA-TEXT field as described in
Section 5.3.
Servers may decide to return small TTL values in filtered DNS
responses (e.g., 2 seconds) to handle domain category and reputation
updates.
5.3. Client Processing Response
On receipt of a DNS response with an Extended DNS Error option, the
following actions are performed if the EXTRA-TEXT field contains
valid JSON:
* The response MUST be received over an encrypted DNS channel. If
not, the requestor MUST discard data in the EXTRA-TEXT field.
* The response MUST be received from a DNS server which advertised
EDE support via a trusted channel, e.g., RESINFO
[I-D.reddy-add-resolver-info].
* Servers which don't support this specification might use plain
text in the EXTRA-TEXT field so that requestors SHOULD properly
handle both plaintext and JSON text in the EXTRA-TEXT field.
Wing, et al. Expires 25 March 2023 [Page 7]
Internet-Draft Data for Filtered DNS September 2022
* The DNS response MUST also contain an extended error code of
"Censored", "Blocked", "Filtered" or "Forged" [RFC8914], otherwise
the EXTRA-TEXT field is discarded.
* If either of the mandatory JSON names "c" and "j" are missing or
have empty values in the EXTRA-TEXT field, the entire JSON is
discarded.
* The JSON name "s" MUST NOT be present with the extended error code
"Censored".
* If a DNS client has enabled opportunistic privacy profile
(Section 5 of [RFC8310]) for DoT, the DNS client will either
fallback to an encrypted connection without authenticating the DNS
server provided by the local network or fallback to clear text
DNS, and cannot exchange encrypted DNS messages. Both of these
fallback mechanisms adversely impacts security and privacy. If
the DNS client has enabled opportunistic privacy profile for DoT,
the DNS client MUST ignore the EXTRA-TEXT field of the EDE
responses, but SHOULD process other parts of the response.
* If a DNS client has enabled strict privacy profile (Section 5 of
[RFC8310]) for DoT, the DNS client requires an encrypted
connection and successful authentication of the DNS server; this
mitigates both passive eavesdropping and client redirection (at
the expense of providing no DNS service if an encrypted,
authenticated connection is not available). If the DNS client has
enabled strict privacy profile for DoT, the client MAY process the
EXTRA-TEXT field of the DNS response. Note that the strict and
opportunistic privacy profiles as defined in [RFC8310] only apply
to DoT; there has been no such distinction made for DoH.
* If the DNS client determines that the encrypted DNS server does
not offer DNS filtering service, it MUST discard the EXTRA-TEXT
field of the EDE response. For example, the DNS client can learn
whether the encrypted DNS resolver performs DNS-based content
filtering or not by retrieving resolver information using the
method defined in [I-D.reddy-add-resolver-info].
* When a forwarder receives an EDE option, whether or not (and how)
to pass along JSON information in the EXTRA-TEXT on to their
client is implementation dependent [RFC5625]. Implementations MAY
choose to not forward the JSON information, or they MAY choose to
create a new EDE option that conveys the information in the "c",
"s" and "j" fields encoded in the JSON object.
Wing, et al. Expires 25 March 2023 [Page 8]
Internet-Draft Data for Filtered DNS September 2022
6. Interoperation with RPZ Servers
This section discusses operation with an RPZ server [RPZ] that
indicates filtering with a NXDOMAIN response with the Recursion
Available bit cleared (RA=0).
When the DNS client supports this specification but the server does
not, the server will continue replying when a query is RPZ filtered
with NXDOMAIN and RA=0. An DNS client upgraded to support this
specification can continue to accept responses with NXDOMAIN and RA=0
from the RPZ server that does not support this specification.
When the DNS client supports this specification and the server
supports this specification, the client learns of the server's
support via [I-D.reddy-add-resolver-info] and the client includes the
EDE OPT pseudo-RR in the query. This allows the server to
differentiate EDE-aware clients from EDE-unaware clients and respond
appropriately.
7. Examples
An example showing the nameserver at 'ns.example.net' that filtered a
DNS "A" record query for 'example.org' is shown in Figure 1.
{
"c": ["tel:+358-555-1234567", "sips:[email protected]",
"https://ticket.example.com?d=example.org&t=1650560748"],
"j": "malware present for 23 days",
"s": 1,
"o": "example.net Filtering Service"
}
Figure 1: JSON returned in EXTRA-TEXT field of Extended DNS Error
response
In Figure 2 the same content is shown with minified JSON (no
whitespace, no blank lines) with '\' line wrapping per [RFC8792].
============== NOTE: '\' line wrapping per RFC 8792 ===============
{"c":["tel:+358-555-1234567","sips:[email protected]", \
"https://ticket.example.com?d=example.org&t=1650560748"],"s":1, \
"j":"malware present for 23 days","o":"example.net Filtering \
Service"}
Figure 2: Minified response
Wing, et al. Expires 25 March 2023 [Page 9]
Internet-Draft Data for Filtered DNS September 2022
8. Security Considerations
Security considerations in Section 6 of [RFC8914] apply to this
document.
To minimize impact of active on-path attacks on the DNS channel, the
client validates the response as described in Section 5.3.
A client might choose to display the information in the EXTRA-TEXT
field if and only if the encrypted resolver has sufficient
reputation, according to some local policy (e.g. user configuration,
administrative configuration, or a built-in list of respectable
resolvers). This limits the ability of a malicious encrypted
resolver to cause harm. If the client decides not to display the all
of the information in the EXTRA-TEXT field, it can be logged for
diagnostics purpose and the client can only display the resolver
hostname that blocked the domain, error description for the EDE code
and the suberror description for the "s'" field to the end-user.
When displaying the free-form text of "c" and "o", the browser SHOULD
NOT make any of those elements into actionable (clickable) links.
An attacker might inject (or modify) the EDE EXTRA-TEXT field with an
DNS proxy or DNS forwarder that is unaware of EDE. Such a DNS proxy
or DNS forwarder will forward that attacker-controlled EDE option.
To prevent such an attack, clients supporting this document MUST
discard the EDE option if their DNS server does not signal EDE
support via RESINFO [I-D.reddy-add-resolver-info]. As recommended in
[I-D.reddy-add-resolver-info], RESINFO should be retrieved over an
encrypted DNS channel or integrity protected with DNSSEC.
9. IANA Considerationsd
This document requests IANA to register the "application/
json+structured-dns-error" media type in the "Media Types" registry
[IANA-MediaTypes]. This registration follows the procedures
specified in [RFC6838]:
Wing, et al. Expires 25 March 2023 [Page 10]
Internet-Draft Data for Filtered DNS September 2022
Type name: application
Subtype name: json+structured-dns-error
Required parameters: N/A
Optional parameters: N/A
Encoding considerations: as defined in Section NN of [RFCXXXX].
Security considerations: See Section NNN of [RFCXXXX].
Interoperability considerations: N/A
Published specification: [RFCXXXX]
Applications that use this media type: Section NNNN of [RFCXXXX].
Fragment identifier considerations: N/A
Additional information: N/A
Person & email address to contact for further information: IETF,
Intended usage: COMMON
Restrictions on usage: none
Author: See Authors' Addresses section.
Change controller: IESG
Provisional registration? No
9.1. New registry for SubError Codes
IANA is requested to create a new registry, entitled "SubError Codes"
under "Domain Name System (DNS) Parameters, Extended DNS Error Codes"
registry. A registration procedure for suberror codes MUST include
the following fields:
* Number: wire format suberror code (range 0-255)
* Meaning: a short description
* Reference: pointer to the specification text
Wing, et al. Expires 25 March 2023 [Page 11]
Internet-Draft Data for Filtered DNS September 2022
* Change Controller: Person or entity, with contact information if
appropriate.
New entries in this registry are subject to an Expert Review
registration policy [RFC8126]. The designated expert MUST ensure
that the Reference is stable and publicly available, and that it
specifies the suberror code and a short description. The Format
Reference may be any individual's Internet-Draft, or a document from
any other source with similar assurances of stability and
availability.
10. Initial Sub-errors
The registry shall initially be populated with the following suberror
codes. :
+========+=============================+===========+============+
| Number | Meaning | Reference | Change |
| | | | Controller |
+========+=============================+===========+============+
| 0 | Reserved | This | IETF |
| | | document | |
+--------+-----------------------------+-----------+------------+
| 1 | Malware | This | IETF |
| | | document | |
+--------+-----------------------------+-----------+------------+
| 2 | Phishing | This | IETF |
| | | document | |
+--------+-----------------------------+-----------+------------+
| 3 | Spam | This | IETF |
| | | document | |
+--------+-----------------------------+-----------+------------+
| 4 | Spyware | This | IETF |
| | | document | |
+--------+-----------------------------+-----------+------------+
| 5 | Adware | This | IETF |
| | | document | |
+--------+-----------------------------+-----------+------------+
| 6 | Network policy imposed by | This | IETF |
| | the operator of the network | document | |
+--------+-----------------------------+-----------+------------+
Table 1
11. Changes
This section is to be removed before publishing as an RFC.
Wing, et al. Expires 25 March 2023 [Page 12]
Internet-Draft Data for Filtered DNS September 2022
11.1. Changes from 03 to 04
* Clarified text content is for IT staff
* Introduced 'suberror' terminology and associated IANA registration
11.2. Changes from 02 to 03
* Require using RESINFO [I-D.reddy-add-resolver-info] in client
processing and added discussion of attack mitigation of using
RESINFO.
* Removed validation of URI domain suffix, which we can't do for
some URLs (e.g., tel:), is difficult/impossible for others when
3rd party is handling level one support (e.g., sips:). Instead
rely on RESINFO telling us if EDE is supported by the DNS server
and, if so, expect it to properly support EDE rather than blindly
forward an unknown DNS option.
* Removed 'partial URI' text
11.3. Changes from 01 to 02
* repurpose Extended DNS Error's EXTRA-TEXT field to carry JSON,
which also means this document updates RFC8914
* clarified DNS forwarders might forward EXTRA-TEXT without change
or might rewrite "j" and "d"
11.4. Changes from 00 to 01
* removed support for multiple responsible parties
* one-character JSON names to minimize JSON length
* partial URI sent in "c" and "r" names, combined with "d" name sent
in JSON to minimize attack surface and minimize JSON length
* moved EDNS(0) forgery-mitigation text, some Security
Considerations text, and some other text from
[I-D.reddy-dnsop-error-page] to this document
12. References
12.1. Normative References
Wing, et al. Expires 25 March 2023 [Page 13]
Internet-Draft Data for Filtered DNS September 2022
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", BCP 13,
RFC 6838, DOI 10.17487/RFC6838, January 2013,
<https://www.rfc-editor.org/info/rfc6838>.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891,
DOI 10.17487/RFC6891, April 2013,
<https://www.rfc-editor.org/info/rfc6891>.
[RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
2014, <https://www.rfc-editor.org/info/rfc7159>.
[RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493,
DOI 10.17487/RFC7493, March 2015,
<https://www.rfc-editor.org/info/rfc7493>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles
for DNS over TLS and DNS over DTLS", RFC 8310,
DOI 10.17487/RFC8310, March 2018,
<https://www.rfc-editor.org/info/rfc8310>.
12.2. Informative References
[I-D.reddy-add-resolver-info]
Reddy, T. and M. Boucadair, "DNS Resolver Information",
Work in Progress, Internet-Draft, draft-reddy-add-
resolver-info-06, 31 August 2022,
<https://www.ietf.org/archive/id/draft-reddy-add-resolver-
info-06.txt>.
Wing, et al. Expires 25 March 2023 [Page 14]
Internet-Draft Data for Filtered DNS September 2022
[I-D.reddy-dnsop-error-page]
Reddy, T., Cook, N., Wing, D., and M. Boucadair, "DNS
Access Denied Error Page", Work in Progress, Internet-
Draft, draft-reddy-dnsop-error-page-08, 4 June 2021,
<https://www.ietf.org/archive/id/draft-reddy-dnsop-error-
page-08.txt>.
[IANA-MediaTypes]
IANA, "Media Types",
<https://www.iana.org/assignments/media-types>.
[RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines",
BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009,
<https://www.rfc-editor.org/info/rfc5625>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/info/rfc7858>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/info/rfc8484>.
[RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
January 2019, <https://www.rfc-editor.org/info/rfc8499>.
[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
"Handling Long Lines in Content of Internet-Drafts and
RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020,
<https://www.rfc-editor.org/info/rfc8792>.
[RFC8914] Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D.
Lawrence, "Extended DNS Errors", RFC 8914,
DOI 10.17487/RFC8914, October 2020,
<https://www.rfc-editor.org/info/rfc8914>.
[RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over
Dedicated QUIC Connections", RFC 9250,
DOI 10.17487/RFC9250, May 2022,
<https://www.rfc-editor.org/info/rfc9250>.
Wing, et al. Expires 25 March 2023 [Page 15]
Internet-Draft Data for Filtered DNS September 2022
[RPZ] Wikipedia, "Response policy zone",
<https://en.wikipedia.org/w/index.php>.
Authors' Addresses
Dan Wing
Citrix Systems, Inc.
United States of America
Email: [email protected]
Tirumaleswar Reddy
Nokia
Bangalore
Karnataka
India
Email: [email protected]
Neil Cook
Open-Xchange
United Kingdom
Email: [email protected]
Mohamed Boucadair
Orange
35000 Rennes
France
Email: [email protected]
Wing, et al. Expires 25 March 2023 [Page 16]