Skip to main content

Structured Error Data for Filtered DNS
draft-ietf-dnsop-structured-dns-error-25

Discuss


Yes


No Objection

Christopher Inacio
Jim Guichard
Ketan Talaulikar

Recuse


No Record

Gorry Fairhurst
Gunter Van de Velde
Tommy Jensen

Summary: Has a DISCUSS. Has enough positions to pass once DISCUSS positions are resolved.

Roman Danyliw
Discuss
Discuss (2026-07-06 for -24) Sent
Questions around the use of clear-text DNS and EXTRA-TEXT:

-- Section 5.3
   1.  If the integrity of the DNS response is not guaranteed, the DNS
       client MUST NOT act upon data in the EXTRA-TEXT field, as the
       data is vulnerable to modification by an on-path attacker.

What provides an adequate guarantee of integrity to act upon the data?  What happens if the stub resolver uses DOH, but the recursive resolver does not?

-- Section 10.1, “This specification assumes the use of authenticated, integrity-protected DNS transports (e.g., DoT, DoH, or DoQ).  Such transports MUST be based on TLS 1.3 [RFC8446] or later.”   This seems ambiguous.  Is “assuming the use of” the same thing as requiring the using of “authenticated, integrity-protected DNS transports” when the EXTRA-TEXT field is use?  If so, please be explicit. I ask because a few sections later (Section 10.4 note below) the text is unambiguous on the need for “encrypted DNS transport”.

-- (not DISCUSS feedback, here for reference) Section 10.4, “This specification requires the use of an encrypted DNS transport (e.g., DoT, DoH, or DoQ), which protects both the DNS query and the structured error response from passive observers.” This is unambiguous.  Thanks.
Comment (2026-07-06 for -24) Sent
Thank you to Stewart Bryant for the GENART review.

I support the DISCUSS position of Mike Bishop

** Section 1.  Editorial.
   One of the other benefits of the approach described in this document
   is to eliminate the need to "spoof" block pages for HTTPS resources.
   This is achieved since clients implementing this approach would be
   able to display a meaningful error message, and would not need to
   connect to such a block page.  This approach thus avoids the need to
   install a local root certificate authority on those IT-managed
   devices.

Given that this section discusses multiple deployment environments (e.g., enterprise, home networks) and this paragraph ends with referencing only an “IT-managed” environment, would it be appropriate to make that clearer?

OLD
   One of the other benefits of the approach described in this document
   is to eliminate the need to "spoof" block pages for HTTPS resources.

NEW
One of the other benefits of the approach described in this document is to eliminate the need to "spoof" block pages for HTTPS resources in enterprise environments.

** Section 3.  Editorial.
   Each of these methods have
   advantages and disadvantages that are discussed below:

As far as I can tell, only the disadvantages are listed in the 3 bullets under this text.  I can’t find the advantages.

** Section 3

-- Bullet #1:
         Frustrated, the end user may switch to an
         alternate network that offers no DNS filtering against malware
         and phishing, potentially compromising both security and
         privacy.
-- Bullet #2:
     Frustrated, the end
      user may resort to using insecure methods to reach the domain,
      potentially compromising both security and privacy.

Can this threat be more precisely articulated?  What is being described in bullet #1 and #2 seems like how web browsing looks in the real world.  For example, I am a student on a mobile device using the school’s Wi-Fi network but it blocks the social media site I want to use, so I switch to the cellular network.  I am employee on a restricted enterprise Wi-Fi network with a BYOD situation, but it blocks the shopping site where I want to make a purchase while  having lunch in the cafeteria, so I switch to the cellular network.  I try to access a web-site but it blocks me due to geofencing policies so I use a VPN to exit in a different geography.  This speaks nothing of users in places with censoring regimes implemented by carriers which regularly resort to alternative means of access.

** Section 3
    To eliminate the need for an end user to click
         through certificate errors, an end user may manually install a
         local root certificate on a host device.  Doing so, however, is
         also a bad security practice as it creates a security
         vulnerability that may be exploited by a MITM attack.  

What is the vulnerability being exposed?  Isn’t the device serving back this warning the enterprise’s own infrastructure? Isn’t the local root certificate from the enterprise or associated service provider? 

** Section 4
   j: (justification)  'UTF-8'-encoded [RFC5198] human-readable
      explanation for the DNS filtering decision.
…
      Returning non-UTF-8 data, syntactically invalid content, or
      deliberately meaningless values (including empty strings)
      indicates that a DNS server is misbehaving.

If this is human readable explanation not meant for automated processing, what is a “deliberately meaningless value”?
Éric Vyncke
Yes
Comment (2026-06-23 for -22) Not sent
FYI#1: as Med is a co-author, he asked me to be the responsible AD for this DNSOP draft

FYI#2: a first version of this I-D failed the IETF Last Call, and I returned it the I-D to the DNSOP WG

FYI#3: while the 2nd WGLC/IETF LC got consensus, there were some discussions about the usefulness of the human-readable string as it may not be displayed by browsers.
Andy Newton
No Objection
Comment (2026-07-07 for -24) Sent
# Andy Newton, ART AD, comments for draft-ietf-dnsop-structured-dns-error-24
CC @anewton1998

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-24.txt&submitcheck=True

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Thanks to the Reviewers

Thanks to Paul Kyzivat for the ARTART review.

And many thanks to the authors for addressing Paul's review comments.

## Comments

### New JSON Names

442        New JSON names may be defined in the future.  This section specifies
443        the requirements to take into account for such names.

IMHO, a reference to the IANA considerations section for this registry would be helpful.
Charles Eckel
No Objection
Comment (2026-07-07 for -24) Not sent
Thanks to Paul Kyzivat for multiple ARTART reviews and to the authors for resolving all the concerns.

Thanks to Benno Overeinder for the particularly helpful shepherd writeup.
Christopher Inacio
No Objection
Deb Cooley
(was Discuss) No Objection
Comment (2026-07-15) Sent
Thank you for addressing my discuss (although I would have appreciated an actual response so I didn't have to go searching for the change).  

My comment on Section 10.1 still stands.  While QUIC relies on the TLS handshake, it is not normally specified as 'use TLS 1.3' or later.  

Also, consider changing the RFC8446 reference to RFC9846, as it was published early this week. 

-------------------------------------------
Thanks to Joe Salowey for their secdir review - and follow up messages.

Section 10.1, para 1:  DOQ is mentioned parenthetically, is QUIC (RFC9000) an acceptable transport mechanism?
Jim Guichard
No Objection
Ketan Talaulikar
No Objection
Mahesh Jethanandani
No Objection
Comment (2026-07-06 for -24) Sent
Section 11.1, Structured DNS Error EDNS Option, and Section 11.5's RFC Editor note:

821 >       Notes to the RFC Editor: Please replace RFCXXXX with the RFC
822 >       number assigned to this document and "TBA1" with the value
823 >       assigned by IANA, and replace "TBD1" in Figure 3 with the value
824 >       assigned by IANA.

...

832 >    Value:  TBD

This is more of an NIT.

The placeholder in Section 11.1 is "TBD" but Figure 3 uses "TBD1" for the same
EDNS(0) Option Code, and the RFC Editor note only instructs the editor to replace
"TBD1" in Figure 3. As written, the note gives the RFC Editor no instruction to
replace the "TBD" value in Section 11.1 itself.

---

Section 11.4, New Registry for Extended DNS Sub-Error Codes, sub-error codes 1 and 2:

960 >        |   1    | Malware  | "Blocked", "Blocked | Section 5.5 of |
961 >        |        |          | by Upstream DNS     | [RFC5901]      |
962 >        |        |          | Server", "Filtered" |                |
963 >        +--------+----------+---------------------+----------------+
964 >        |   2    | Phishing | "Blocked", "Blocked | Section 5.5 of |
965 >        |        |          | by Upstream DNS     | [RFC5901]      |
966 >        |        |          | Server", "Filtered" |                |

I checked RFC 5901 Section 5.5, and it defines the FraudType attribute of an
IODEF PhraudReport, whose enumerated values happen to include "malware distribution"
and "phishing" among nine fraud-reporting categories. That section is defining values
for an incident-reporting data model, not originating general definitions of
"malware" or "phishing" as DNS-filtering categories. I am not asking for a DISCUSS
here, since the terms are in ordinary use and the registry entries are intelligible
without RFC 5901, but I would suggest the authors reconsider whether RFC 5901 is
really the right reference for these two rows, since a reader who follows the
citation to understand what "Malware" or "Phishing" means for this registry will find
an unrelated reporting schema instead.

---

Section 11.4, same table, sub-error codes 3 and 4:

968 >        |   3    | Spam     | "Blocked", "Blocked | Page 289 of    |
969 >        |        |          | by Upstream DNS     | [RFC4949]      |
970 >        |        |          | Server", "Filtered" |                |
971 >        +--------+----------+---------------------+----------------+
972 >        |   4    | Spyware  | "Blocked", "Blocked | Page 291 of    |
973 >        |        |          | by Upstream DNS     | [RFC4949]      |
974 >        |        |          | Server", "Filtered" |                |

RFC 4949 is a flat, alphabetically ordered glossary rather than a sectioned
document, which is presumably why these two rows cite page numbers instead. I was
not able to confirm pages 289 and 291 against the current RFC Editor rendering of
RFC 4949 to check that they still land on the "Spam" and "Spyware" entries. Page
numbers are tied to a specific paginated rendering and are a less stable locator
than the rest of this document's references, which all cite sections. I would ask
the authors not to use page numbers as references.

----------------------------------------------------------------------
NIT
----------------------------------------------------------------------

All comments below are about very minor potential issues that you may
choose to address in some way - or ignore - as you see fit. Some were
flagged by automated tools (via
https://github.com/larseggert/ietf-reviewtool), so there will likely
be some false positives. There is no need to let me know what you did
with these suggestions.

Section 4.2, Future JSON Names Requirements:

451 >    size.  Refer to [RFC9715] for a discusson on IP fragmentation
s/discusson/discussion/
Mike Bishop
(was Discuss) No Objection
Comment (2026-07-07 for -24) Sent
Thanks for your edits to address my previous DISCUSS ballot. A few of my comments still stand, but not enough to block the document.

### Section 4, paragraph 5
```
        Contact URIs conveyed in the "c" field MUST use URI schemes
        registered in Section 11.3.
```
I continue to think it's a bit
odd to create a registry of entries that are already in another
registry, and where client behavior is entirely gated on what values they
support in the field or not.

### Section 4, paragraph 26

Are clients required to enforce these requirements on names they don't
recognize? If so, what behavior is a client required to take when processing a
non-compliant error response? If not, why are these normative requirements?

The additional text makes clear that these requirements are intended to apply to
future specifications, but there's no enforcement mechanism or client behavior
specified here.
Mohamed Boucadair
Recuse
Comment (2026-06-23 for -22) Not sent
As I'm an author of this spec.
Gorry Fairhurst
No Record
Gunter Van de Velde
No Record
Tommy Jensen
No Record