]> Cloudflare

Prahran Australia mnot@mnot.net https://www.mnot.net/

Internet-Draft introduces structured error data for DNS responses that have been filtered. This draft suggests additions to that mechanism. Discussion Venues Source for this draft and an issue tracker can be found at .

Introduction introduces structured error data for DNS responses that have been filtered. This draft suggests additions to that mechanism. These additions are informed by specific concerns that Web browsers have about providing information about DNS filtering events to end users. In particular, they are intended to address the risks associated with trusting information inserted by DNS resolvers into responses. Presenting information sourced from unauthenticated network elements to end users opens a variety of attacks. Given the variety of network deployments on the Internet, such information needs to be considered as attacker-controlled. This proposal mitigates these risks by minimising the amount and type of information carried into the DNS response to a "DNS Resolver Operator ID" and a "Filtering Incident ID." Neither is presented to end users: instead, they can be used to obtain (using HTTPS) a document that carries details of the specific filtering incident, for presentation to end users. This mechanism is not intended to scale to large numbers of DNS operators. Instead, it is expected that in typical use, the DNS Resolver Operator ID will be used to selectively present information from DNS resolvers operators that clients deem to be serving a public good role (e.g., publicly available open resolvers), to aid those parties in serving the public interest by making their operation more transparent.

Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

DNS Resolver Operator ID A DNS Resolver Operator ID is a short, textual string that uniquely identifies the operator of a DNS resolver. It is carried in the EXTRA-TEXT field of the Extended DNS Error with the JSON field name "ro". For example: The value of the "ro" field MUST be registered in the DNS Resolver Operator registry; see . Unregistered values MUST be ignored, and registered values MAY be ignored.

Filtering Incident ID A Filtering Incident ID is an opaque, string identifier for a particular filtering incident. It might be specific to a particular request, but need not be. It is carried in the EXTRA-TEXT field of the Extended DNS Error with the JSON field name "inc". For example:

Incident Resolution Templates An Incident Resolution Template is a URI Template that, upon expansion, provides a URI that can be dereferenced to obtain a Filtering Incident Description document (see ). It MUST be a Level 1 or Level 2 template (see ). It has the following variables available to it:

• ro: the DNS Resolver Operator ID (see {op-id})
• inc: the Filtering Incident ID (see {incident-id})

For example: ~~ https://resolver.example.com/filtering-incidents/{inc} ~~ When dereferencing this URL, HTTP content negotiation for language SHOULD be used; see .

The Filtering Incident Description Format The Filtering Incident Description Format is a JSON document format for returning information about a particular filtering incident. Its root is an Object, with the following members:

• inc: String; the Filtering Incident ID
• resolver: String; a short textual name for the resolver operator (RECOMMENDED to be no longer than 64 characters)
• authority: String; a short textual name for the authority that required the filtering (RECOMMENDED to be no longer than 64 characters)
• description: String; a short textual description of the incident (RECOMMENDED to be no longer than 256 characters)

All members above are mandatory. New members can be added by updating this specification.

IANA Considerations

EXTRA-TEXT JSON Names IANA will register the following fields in the "EXTRA-TEXT JSON Names" sub-registry established by :

• JSON Name: "ro"
• Short Description: a short, textual string that uniquely identifies the operator of a DNS resolver
• Mandatory: no
• Specification: [this document]
• JSON Name: "inc"
• Short Description: an opaque, string identifier for a particular filtering incident
• Mandatory: no
• Specification: [this document]

The DNS Resolver Identifier Registry IANA will establish a new registry, the "DNS Resolver Identifier Registry." Its registration policy is first-come, first-served (FCFS), although IANA may refuse registrations that are deemed to be deceptive or spurious. It contains the following fields:

• Name: The name of the DNS resolver operator
• Contact: an e-mail address or other appropriate contact mechanism
• DNS Resolver Operator ID: see
• Incident Resolution Template: see

Security Considerations This specification does not provide a way to authenticate that a particular filtering incident as experienced by a client was actually associated with the DNS resolver operator claimed. This means that an attacker (for example, one controlling a DNS resolver) can claim that a filtering incident is associated with an operator when it in fact was not. However, to be successful an attacker would need to reuse an existing incident identifier that is supported by a DNS resolver operator recognised by the client. It is not currently thought to be particularly advantageous to an attacker to do so.

Normative References Citrix Systems, Inc. Nokia Open-Xchange Orange DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK] The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.