Moin!

On 16 Oct 2023, at 12:37, Peter Thomassen wrote:
> I share this concern (and Eric's, where the error page is an impersonation of
> the target page!), and am not convinced that the potential benefit is larger
> than the harm.

As said before, an interstitial page created by the browser before the actual block page seems like a better solution to me than not having one.

> An alternate route could be to make the error page "well-known", based on the
> encrypted resolver's hostname (e.g.
> https://dns.adguard.com/?malw.scalone.eu.), and have the browser display a
> big warning ("This content does not come from the page you requested.").

DNS or even DoH resolvers are not general-purpose web servers. So having the resolver issue a block page is a non-starter, at least for me. The whole point of using URLs is to point somewhere where the page can be served efficiently. We could go down the road of requiring the resolver IP cert, but that would not work for a DNR-upgraded resolver.

Overall I think the browser displaying the URL and the web page having the certificate over the domain of the URL seems sufficient to me. The browser could check for not allowing certain UTF characters or maybe having a reputation list, but that should be a secondary measurement.

So long
-Ralf
---
Ralf Weber
Principal Architect, Carrier Division
Akamai Technologies GmbH
Parkring 20-22, 85748 Garching
phone: +49.89.9400.6174
mobile: +49.151.22659325

Geschäftsführer: David Matthew McDonald Aitken, Justyna Kalina Jankowska
Sitz der Gesellschaft: Garching
Amtsgericht München HRB 129886

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
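The browser-side checks Ralf sketches (show the URL, require a certificate for the URL's own domain, optionally refuse certain UTF characters and consult a reputation list) can be written down as a small vetting function. The code below is an added illustration for this page, not code from the thread, from Akamai or from any DNSOP draft; the function name `vet_block_page_url`, the constructed deny list `BAD_HOSTS` and the sample URLs are all assumptions. The certificate requirement itself is left to the browser's normal TLS validation when it fetches the page, which this offline check cannot model.

```python
"""Vet a block-page URL before a browser shows it to the user.

Added example (not from the DNSOP thread or any draft): the checks a browser
could apply to a block-page URL received alongside a DNS response, in the
spirit of the mailing-list discussion. Names and sample inputs are assumed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: ASCII letter/digit, optional inner hyphens, 1..63 octets.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed reputation (deny) list; a real browser would use its own feed.
BAD_HOSTS = {"blocked.example"}


def vet_block_page_url(url: str, bad_hosts=BAD_HOSTS) -> tuple[bool, str]:
    """Return (True, "ok") or (False, reason) for a candidate block-page URL."""
    # 1. The URL must be pure ASCII: no UTF characters anywhere, so the
    #    address bar shows exactly what was sent and homoglyphs cannot hide.
    if not url.isascii():
        return False, "non-ASCII characters in URL"
    try:
        parts = urlsplit(url)
    except ValueError as e:
        return False, f"unparseable URL: {e}"
    # 2. https only: the page has to present a certificate for this host.
    if parts.scheme != "https":
        return False, "scheme must be https"
    # 3. No userinfo: 'https://bank.example@evil.example/' is a classic trick.
    if "@" in parts.netloc:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # 4. No IP literals; the certificate must be for a domain name the user
    #    can read in the address bar.
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass
    # 5. Every label must be plain letters/digits/hyphens. IDNA (xn--) labels
    #    are rejected too, because the browser might render them as Unicode
    #    and reintroduce the confusable characters step 1 excluded.
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return False, "host must have at least two labels"
    for label in labels:
        if not _LABEL_RE.match(label):
            return False, f"invalid label {label!r}"
        if label.lower().startswith("xn--"):
            return False, f"IDNA label {label!r} not allowed"
    # 6. Secondary measure: a reputation / deny list lookup.
    if host.lower().rstrip(".") in bad_hosts:
        return False, "host on reputation deny list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the thread.
    for u in ("https://blockpage.isp.example/?malw.example",
              "http://blockpage.isp.example/",
              "https://bank.example@evil.example/",
              "https://xn--80ak6aa92e.example/",
              "https://192.0.2.1/"):
        print(u, "->", vet_block_page_url(u))
```

A browser that passes this gate would still show the vetted URL verbatim on its own interstitial before navigating, and rely on standard TLS certificate validation for the "certificate over the domain of the URL" requirement; the deny list is deliberately the last check, matching the view in the message that reputation should be a secondary measure rather than the primary defence.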