[DNSOP] RFC7477 typo?

2023-11-09 Thread Bob Harold
https://datatracker.ietf.org/doc/html/rfc7477#section-5 section 5. Security Considerations last paragraph "the SOA serial number MUST NOT be incremented by more than 2^16" 2^16 is a very small fraction of the 2^32 serial number space. It seems that half of the 2^32 would be sufficient, which is

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Manu Bretelle
On Thu, Nov 9, 2023 at 4:28 PM George Michaelson wrote: > I think we're conflating how you learn what endpoint to send NOTIFY > to, with the protocol extensions or changes to make it legal/normal to > do NOTIFY for this purpose. Agreed. > > I don't personally think the whole "but how do I kno

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

2023-11-09 Thread Ben Schwartz
Thus far, I don't think we've heard from any browser vendors who believe that it would be prudent and worthwhile to display server-generated error pages of this kind to ordinary end-users on their personal devices. Absent that support, I think it would not be sensible for us to try to develop s

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

2023-11-09 Thread Gianpaolo Angelo Scalone, Vodafone
Hi Tim, sorry the comment was more for Ben :-) on the consumer users use case. Sent from Outlook for Android From: Tim Wicinski Sent: Thursday, November 9, 2023 5:21:09 PM To: Gianpaolo Angelo Scalone, Vodafone Cc: Ben Schwa

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

2023-11-09 Thread Tim Wicinski
Thanks both of you - I knew I was missing this when I hit send. tim On Thu, Nov 9, 2023 at 11:20 AM Gianpaolo Angelo Scalone, Vodafone < gianpaolo-angelo.scal...@vodafone.com> wrote: > Hi Tim , > I'm not proposing that the browser shows an https page in any use case, > Only as result of out of

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

2023-11-09 Thread Gianpaolo Angelo Scalone, Vodafone
Hi Tim , I'm not proposing that the browser shows an https page in any use case, Only as result of out of band request or if received from well known service, Eventually by creating a service for hosting well known high reputation static only blocking pages. Without this the user remain subject to

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

2023-11-09 Thread Ben Schwartz
Tim, The EDE error codes cover that use case already, by allowing the browser to generate that error page, and without requiring the DNS filter to run an HTTP server at all. --Ben Schwartz From: DNSOP on behalf of Tim Wicinski Sent: Thursday, November 9, 2023

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

2023-11-09 Thread Tim Wicinski
On Thu, Nov 9, 2023 at 10:02 AM Ben Schwartz wrote: > Note that "mailto" URIs can pre-populate subject and body contents, so > information about the specific blocked item and other metadata could be > populated automatically. This seems sufficient for enterprise use cases > like allowing employe

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread George Michaelson
I think we're conflating how you learn what endpoint to send NOTIFY to, with the protocol extensions or changes to make it legal/normal to do NOTIFY for this purpose. I don't personally think the whole "but how do I know where to do it" is as important as some of you seem to think it is. But, havi

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Peter Thomassen
On 11/9/23 11:45, Jaap Akkerhuis wrote: > Therefore you need to know what endpoint of the registry you need to > send the NOTIFY to. This would just be a service listening for NOTIFYs > to re-initiate the scanning, but it's not a name server at all. Setting > this endpoint in the TLD z

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

2023-11-09 Thread Ben Schwartz
Note that "mailto" URIs can pre-populate subject and body contents, so information about the specific blocked item and other metadata could be populated automatically. This seems sufficient for enterprise use cases like allowing employees to tell corporate IT that they are blocking something i

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread John R Levine
Named at least will forward UPDATE to the primary servers. It’s off by default because it hides the source address and UPDATE may be restricted by IP address but it works with both TSIG and SIG(0). This is standards defined behaviour. TSIG was designed to support this. SIG(0) requires a bit

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Johan Stenstam
> On 9 Nov 2023, at 13:17, John R Levine wrote: > > On Thu, 9 Nov 2023, Joe Abley wrote: >>> If we can get the registrars and registries to go for it, registry >>> forwarding is fine with me, but I don't think it would be a good idea to >>> specify it unless we are confident that people are wil

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Mark Andrews
> On 9 Nov 2023, at 22:11, John R Levine wrote: > > On Thu, 9 Nov 2023, Joe Abley wrote: >>> Apropos Joe's message, the child could hypothetically try and send the >>> NOTIFY to the parent SOA, e.g. a.gtld-servers.net for .com or .net. But >>> those are clouds of anycast servers and even if

Re: [DNSOP] Isolated-networks

2023-11-09 Thread Marc Blanchet
> On 9 Nov 2023 at 11:40, Manu Bretelle wrote: > > > > On Thu, Nov 9, 2023 at 10:21 AM Marc Blanchet > wrote: >> Hello, >> I presented draft-many-dnsop-dns-isolated-networks Tuesday at the end of >> dnsop meeting. Thanks for letting me present. Wanted t

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Mark Elkins
I had thought about this several years ago (ICANN-59, Johannesburg, June 2017). I was (still am) part of the DNSSEC & Security Workshop planning committee - and live close by. Thought about an RFP, trip to IETF? etc.. My thought was for the DNS operator to signal the Parent at a well known loc

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread John R Levine
On Thu, 9 Nov 2023, Joe Abley wrote: If we can get the registrars and registries to go for it, registry forwarding is fine with me, but I don't think it would be a good idea to specify it unless we are confident that people are willing to do it. To be honest I have my doubts that any of this

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Peter Thomassen
Hi Libor, On 11/9/23 12:12, libor.peltan wrote: I think this issue shall be considered in two split cases: a) when the *registry* is to be notified. [...] b) when the *registrar* is to be notified. [...] The sender of the NOTIFY does not know whether, for this particular parent, the registr

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Joe Abley
On 9 Nov 2023, at 12:12, John R Levine wrote: > On Thu, 9 Nov 2023, Joe Abley wrote: >> I don't agree that it's impossible to use an anycast target for this, any >> more than it's impossible to distribute any service using anycast. > > I don't think it's impossible either, but it's swatting a

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread libor.peltan
Hi, I think this issue shall be considered in two split cases: a) when the *registry* is to be notified. I think this can be achieved easily, the registry only creates a single target for child notifies. I'm not sure if current specs allow to do it safely (so that that target is separated eno

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread John R Levine
On Thu, 9 Nov 2023, Joe Abley wrote: Apropos Joe's message, the child could hypothetically try and send the NOTIFY to the parent SOA, e.g. a.gtld-servers.net for .com or .net. But those are clouds of anycast servers and even if you can get that to work, they belong to the registry while the

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Jaap Akkerhuis
Michael Bauland writes: > Therefore you need to know what endpoint of the registry you need to > send the NOTIFY to. This would just be a service listening for NOTIFYs > to re-initiate the scanning, but it's not a name server at all. Setting > this endpoint in the TLD zone's SOA record as

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Joe Abley
On 9 Nov 2023, at 11:13, John R Levine wrote: > On Wed, 8 Nov 2023, Brian Dickson wrote: >> The target for a NOTIFY would necessarily be found in the SOA record of the >> registrant's zone, not the parent's zone. I think that's where the >> confusion has arisen. > > There's definitely confusion

Re: [DNSOP] Isolated-networks

2023-11-09 Thread Manu Bretelle
On Thu, Nov 9, 2023 at 10:21 AM Marc Blanchet wrote: > Hello, > I presented draft-many-dnsop-dns-isolated-networks Tuesday at the end of > dnsop meeting. Thanks for letting me present. Wanted to come back to a few > points raised. > > - About use cases, I see the dnsop Zulip chat that some peopl

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread Michael Bauland
Hi all, I agree with John here. On 09.11.2023 at 11:11, John R Levine wrote: On Wed, 8 Nov 2023, Brian Dickson wrote: The target for a NOTIFY would necessarily be found in the SOA record of the registrant's zone, not the parent's zone. I think that's where the confusion has arisen. There's

Re: [DNSOP] NOTIFY: How to locate the target

2023-11-09 Thread John R Levine
On Wed, 8 Nov 2023, Brian Dickson wrote: The target for a NOTIFY would necessarily be found in the SOA record of the registrant's zone, not the parent's zone. I think that's where the confusion has arisen. There's definitely confusion here but I don't think it's mine. The child (registrant) pu

[DNSOP] Isolated-networks

2023-11-09 Thread Marc Blanchet
Hello, I presented draft-many-dnsop-dns-isolated-networks Tuesday at the end of dnsop meeting. Thanks for letting me present. Wanted to come back to a few points raised. - About use cases, I see the dnsop Zulip chat that some people were interested in the topic, noting about additional use ca

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt

2023-11-09 Thread Gianpaolo Angelo Scalone, Vodafone
Hi, I still think that a mechanism to reach an HTTPS resource is needed. Considering the security implications of rendering directly an HTTPS URI, It could be an additional field, to be used by the client * For out of band connection to retrieve the needed page info from resolvers with high r