The significant changes in -03 are:

a. EDE length=2 with INFO-CODE=0 (to improve interoperation as highlighted by 
Tommy Pauly).

b. Significant reduction of discussion of the threat of a non-EDE-aware DNS 
server forwarding along bogus EDE information which it didn't generate itself.  
It now only has this mention in Security Considerations:

   An attacker might inject (or modify) the EDE EXTRA-TEXT field with a
   DNS proxy or DNS forwarder that is unaware of EDE.  Such a DNS proxy
   or DNS forwarder will forward that attacker-controlled EDE option.
   To prevent such an attack, clients can be configured to process EDE
   from explicitly configured DNS servers or utilize RESINFO
   [I-D.ietf-add-resolver-info].

As Joe suggested, we can certainly dump that paragraph from Security 
Considerations, as well.  The threat is of similar nature to the threat of 
other bogus data that might be cached and returned by a DNS responder through 
cache poisoning attacks, such as bogus resource records themselves.

-d

> On May 26, 2023, at 7:50 PM, internet-dra...@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This Internet-Draft is a work item of the Domain Name System
> Operations (DNSOP) WG of the IETF.
> 
>   Title           : Structured Error Data for Filtered DNS
>   Authors         : Dan Wing
>                     Tirumaleswar Reddy
>                     Neil Cook
>                     Mohamed Boucadair
>   Filename        : draft-ietf-dnsop-structured-dns-error-03.txt
>   Pages           : 21
>   Date            : 2023-05-26
> 
> Abstract:
>   DNS filtering is widely deployed for various reasons, including
>   network security.  However, filtered DNS responses lack information
>   for end users to understand the reason for the filtering.  Existing
>   mechanisms to provide explanatory details to end users cause harm
>   especially if the blocked DNS response is to an HTTPS server.
> 
>   This document updates RFC 8914 by signaling client support for
>   structuring the EXTRA-TEXT field of the Extended DNS Error to provide
>   details on the DNS filtering.  Such details can be parsed by the
>   client and displayed, logged, or used for other purposes.
> 
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
> 
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-03.html
> 
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-03
> 
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
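Added example, not code from the draft or its authors: the two points from the message above (a client signalling support with an EDE option of length 2 and INFO-CODE 0, and a client that only acts on EDE returned by an explicitly configured server rather than by an EDE-unaware forwarder) worked through on the RFC 8914 wire format, where the EDE option carries a 2-byte INFO-CODE followed by UTF-8 EXTRA-TEXT. The sample OPT RDATA, the server addresses, the JSON keys inside EXTRA-TEXT and the helper names are constructed for illustration and are not the draft's schema.

```python
"""RFC 8914 Extended DNS Error (EDE) EDNS0 options: build, parse, trust-check.

Added example; not code from draft-ietf-dnsop-structured-dns-error or RFC 8914.
Wire layout (RFC 8914): OPTION-CODE 15, OPTION-LENGTH, 2-byte INFO-CODE,
then UTF-8 EXTRA-TEXT.  INFO-CODE 17 is "Filtered" in the RFC 8914 registry.
The EXTRA-TEXT JSON keys in the sample are made up for illustration.
"""
import json
import struct

EDE_OPTION_CODE = 15  # RFC 8914


def build_ede_option(info_code: int, extra_text: str = "") -> bytes:
    """Serialise one EDNS0 EDE option: code, length, INFO-CODE, EXTRA-TEXT."""
    body = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body


def client_support_signal() -> bytes:
    """The -03 client signal: an EDE option of length 2 with INFO-CODE 0."""
    return build_ede_option(0)


def parse_edns_options(rdata: bytes) -> list:
    """Split OPT RR RDATA into (code, payload) pairs; reject truncated options."""
    options, pos = [], 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if len(rdata) - pos < length:
            raise ValueError("EDNS option length exceeds RDATA")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def parse_ede(payload: bytes) -> tuple:
    """Decode an EDE payload into (info_code, extra_text).

    Anything shorter than the 2-byte INFO-CODE is malformed; EXTRA-TEXT is
    decoded strictly so invalid UTF-8 raises instead of being displayed.
    """
    if len(payload) < 2:
        raise ValueError("EDE option shorter than INFO-CODE")
    info_code = struct.unpack_from("!H", payload)[0]
    return info_code, payload[2:].decode("utf-8")


def decode_extra_text(extra_text: str) -> dict:
    """Treat EXTRA-TEXT as a JSON object when it parses as one, else as plain
    text.  The keys are whatever the server sent; no schema is assumed."""
    try:
        obj = json.loads(extra_text)
    except ValueError:
        return {"text": extra_text}
    return obj if isinstance(obj, dict) else {"text": extra_text}


def extract_trusted_ede(opt_rdata: bytes, responder: str, configured_servers: set) -> list:
    """Return (info_code, extra_text) pairs from OPT RDATA, but only when the
    response came from a server this client was explicitly configured to use.
    Any other source (for example an EDE-unaware forwarder relaying whatever
    EDE it received upstream) gets its EDE options dropped unread."""
    if responder not in configured_servers:
        return []
    return [parse_ede(payload)
            for code, payload in parse_edns_options(opt_rdata)
            if code == EDE_OPTION_CODE]


# Constructed sample OPT RDATA: one unrelated option (code 65001 is in the
# local/experimental range) followed by an EDE "Filtered" (17) with JSON text.
SAMPLE_EXTRA = json.dumps({"reason": "malware", "contact": "soc@example.net"})
SAMPLE_OPT_RDATA = (struct.pack("!HH", 65001, 3) + b"abc"
                    + build_ede_option(17, SAMPLE_EXTRA))
CONFIGURED = {"192.0.2.53"}  # the resolver this client was told to use


if __name__ == "__main__":
    print(client_support_signal().hex())  # 000f00020000
    print(extract_trusted_ede(SAMPLE_OPT_RDATA, "192.0.2.53", CONFIGURED))
    print(extract_trusted_ede(SAMPLE_OPT_RDATA, "198.51.100.9", CONFIGURED))
```

The trust check is deliberately coarse: it keys on where the response came from, not on anything inside the EDE option, because a forwarder that does not understand EDE cannot validate the option and a client cannot tell a relayed option from one the responder generated itself.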