idnits 2.17.1 draft-reddy-dnsop-error-page-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 24, 2020) is 1341 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) ** Downref: Normative reference to an Informational RFC: RFC 6979 ** Obsolete normative reference: RFC 7525 (Obsoleted by RFC 9325) ** Obsolete normative reference: RFC 7540 (Obsoleted by RFC 9113) -- Possible downref: Non-RFC (?) normative reference: ref. 'TLS-SIG-SCHEME' == Outdated reference: A later version (-12) exists of draft-ietf-dprive-dnsoquic-00 == Outdated reference: A later version (-09) exists of draft-reddy-add-server-policy-selection-04 -- Obsolete informational reference (is this intentional?): RFC 8499 (Obsoleted by RFC 9499) Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSOP WG T. Reddy 3 Internet-Draft McAfee 4 Intended status: Standards Track N. Cook 5 Expires: February 25, 2021 Open-Xchange 6 D. Wing 7 Citrix 8 M. Boucadair 9 Orange 10 August 24, 2020 12 DNS Access Denied Error page 13 draft-reddy-dnsop-error-page-03 15 Abstract 17 When a DNS server filters a query the response conveys no detailed 18 explanation of why the query was blocked, leading to end-user 19 confusion. This document defines a method to return an URI that 20 explains the reason the DNS query was filtered. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on February 25, 2021. 39 Copyright Notice 41 Copyright (c) 2020 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 3. Error page URI EDNS0 option format . . . . . . . . . . . . . 5 59 4. Error page URL Processing . . . . . . . . . . . . . . . . . . 7 60 5. Sign and Verify . . . . . . . . . . . . . . . . . . . . . . . 9 61 6. ERROR Page . . . . . . . . . . . . . . . . . . . . . . . . . 10 62 7. Usability Considerations . . . . . . . . . . . . . . . . . . 10 63 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11 64 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 65 9.1. A New Error Page URL EDNS Option . . . . . . . . . . . . 12 66 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 67 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 68 11.1. Normative References . . . . . . . . . . . . . . . . . . 12 69 11.2. Informative References . . . . . . . . . . . . . . . . . 14 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 72 1. Introduction 74 DNS filters are deployed for a variety of reasons including endpoint 75 security, parental filtering, and filtering required by law 76 enforcement. These are discussed in more detail below: 78 o Various network security services are provided by Enterprise 79 networks to protect endpoints (e.g., Hosts including IoT devices). 80 Network-based security solutions such as firewalls and Intrusion 81 Prevention Systems (IPS) rely on network traffic inspection to 82 implement perimeter-based security policies. The network security 83 services may, for example, prevent malware download, block known 84 malicious domains, block phishing sites, etc. These network 85 security services act on DNS queries originating from endpoints. 86 For example, DNS firewalls, a method of expressing DNS response 87 policy information inside specially constructed DNS zones, known 88 as Response Policy Zones (RPZs) allows DNS servers to modify DNS 89 responses in real time to stop access to malware and phishing 90 domains. Note that some of the commonly known types of malware 91 are viruses, worms, trojans, bots, ransomware, backdoors, spyware, 92 and adware. 94 o Network devices in a home network offer network security to 95 protect the devices connected to the home network by performing 96 DNS-based content filtering. The network security service may, 97 for example, block access to specific domains to enforce parental 98 control, block access to malware sites, etc. 100 o ISPs typically block access to some domains due to a requirement 101 imposed by an external entity (e.g., Law Enforcement Agency) by 102 performing DNS-based content filtering. 104 DNS responses can be filtered by sending a bogus ("forged") A or AAAA 105 response, NXDOMAIN error or empty answer, or an extended error code 106 defined in [I-D.ietf-dnsop-extended-error]. Each of these have 107 advantages and disadvantages, discussed below: 109 1. The DNS response is forged providing IP addresses that points to 110 a HTTP(S) server alerting the end user of the reason for blocking 111 access to the domain (e.g., malware). When a HTTP(S) enabled 112 domain name is blocked, the network security device presents a 113 block page instead of the HTTP response from the content 114 provider. If an HTTP enabled domain name is blocked, the network 115 security device intercepts the HTTP request and returns a block 116 page over HTTP. If an HTTPS enabled domain is blocked, the block 117 page is also served over HTTPS. In order to return a block page 118 over HTTPS, man in the middle (MITM) is enabled on endpoints by 119 generating a local root certificate and an accompanying (local) 120 public/private key pair. The local root certificate is installed 121 on the endpoint, and the network security device(s) store a copy 122 of the private key. During the TLS handshake, the network 123 security device modifies the certificate provided by the server 124 and (re)signs it with the private key from the local root 125 certificate. 127 * However, configuring the local root certificate on endpoints 128 is not viable option in several deployments like Home 129 networks, Schools, Small Office/Home Office (SOHO), and Small/ 130 Medium Enterprise (SME). In these cases, the typical behavior 131 is that the forged DNS response directs the user towards a 132 server hosted to display the block page which breaks the TLS 133 connection. For web-browsing this then results in an HTTPS 134 certificate error message indicating that a secure connection 135 could not be established, which gives no information to the 136 end-user about the reason for the error. The typical errors 137 are "The security certificate presented by this website was 138 not issued by a trusted certificate authority" (Internet 139 Explorer/Edge"), "The site's security certificate is not 140 trusted" (Chrome), "This Connection is Untrusted" (Firefox), 141 "Safari can't verify the identity of the website..." (Safari 142 on MacOS)". 144 * Enterprise networks do not assume that all the devices 145 connected to their network are managed by the IT team or 146 Mobile Device Management (MDM) devices, especially in the 147 quite common BYOD ("Bring Your Own Device") scenario. In 148 addition, the local root certificate cannot be installed on 149 IoT devices without a device management tool. 151 * An end user does not know why the connection was reset and, 152 consequently, may repeatedly try to unsuccessfully reach the 153 domain. Frustrated, the end user may use insecure interfaces 154 to reach the domain, potentially compromising both security 155 and privacy. Furthermore, certificate errors train users to 156 click through certificate errors, which is poor security 157 practice. To eliminate the need for an end user to click 158 through certificate errors, an end user may manually install a 159 local root certificate [Chrome-Install-Cert] on a host device. 160 Doing so, however, is also poor security practice as it 161 creates a security vulnerability that may be exploited by a 162 MITM attack. When the manually installed local root 163 certificate expires, the user has to (again) manually install 164 the new local root certificate. 166 2. The DNS response is forged to provide a NXDOMAIN response to 167 cause the DNS lookup to terminate in failure. In this case, an 168 end user does not know why the domain cannot be reached, and may 169 repeatedly try to unsuccessfully reach the domain. Frustrated, 170 the end user may use insecure interfaces to reach the domain, 171 potentially compromising both security and privacy. 173 3. The extended error codes Blocked, Censored, and Filtered defined 174 in [I-D.ietf-dnsop-extended-error] can be returned by the DNS 175 server to provide additional information about the cause of an 176 DNS error. If the extended error code "Forged answer" defined in 177 [I-D.ietf-dnsop-extended-error] is returned by the DNS server, 178 the client can identify the DNS response is forged and the reason 179 for HTTPS certificate error. These extended error codes do not 180 suffer from the limitations discussed in (1) and (2) but the user 181 still does not know the exact reason nor the user is aware of the 182 exact entity blocking the access to the domain. For example, a 183 DNS server may block access domain based on the content category 184 like "Adult Content" to enforce parental control, "Violence & 185 Terrorism" due to an external requirement imposed by an external 186 entity (e.g., Law Enforcement Agency), etc. The content 187 categories for domains cannot be standardized because the 188 classification of domains into content categories is vendor 189 specific, typically ranges from 40 to 100 types of categories 190 depending on the vendor and the categories keep evolving. 191 Further, the threat data used to categorize domains may sometimes 192 mis-classify domains (e.g., Domains wrongly classified as DGA 193 (Domain Generation Algorithm) by deep learning techniques, domain 194 wrongly classified as phishing due to crowd sourcing, new domains 195 not categorized by the threat data, etc.). The end user needs to 196 know the contact details of the IT/InfoSec team to raise a 197 complaint. 199 No matter which type of response is generated (forged IP address, 200 NXDOMAIN or empty answer, or an extended error code), the user who 201 generated the query has little chance to understand which entity 202 filtered the query, how to report a mistake in the filter, or why the 203 entity filtered it at all. This document describes a mechanism to 204 provide a URI which, when accessed, provides such information to the 205 user. 207 One of the other benefits of this document is eliminating the need to 208 "spoof" block pages for HTTPS resources, as the block page no longer 209 needs to create a signed certificate when blocking a destination. 210 This avoids the need to install an local root certificate authority 211 on those IT-managed devices. 213 2. Terminology 215 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 216 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 217 "OPTIONAL" in this document are to be interpreted as described in BCP 218 14 [RFC2119][RFC8174] when, and only when, they appear in all 219 capitals, as shown here. 221 This document makes use of the terms defined in [RFC8499] and 222 [I-D.ietf-dnsop-terminology-ter]. 224 'Encrypted DNS' refers to DNS-over-HTTPS [RFC8484], DNS-over-TLS 225 [RFC7858], or DNS-over-QUIC [I-D.ietf-dprive-dnsoquic]. 227 3. Error page URI EDNS0 option format 229 This draft uses an EDNS0 ([RFC6891]) option to include the URI that 230 gives additional information about the cause of blocking access to a 231 domain in a DNS response. The option is structured as follows: 233 1 1 1 1 1 1 234 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 235 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 236 | OPTION-CODE | 237 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 238 | OPTION-LENGTH | 239 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 240 | ERROR-PAGE-URI-LENGTH (fixed size) | 241 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 242 / ERROR-PAGE-URI (variable size) | 243 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 244 | ERROR-PAGE-SIG-ALG (fixed size) | 245 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 246 / ERROR-PAGE-SIG (variable size) | 247 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ 249 Field definition details: 251 o OPTION-CODE, 2-octets/16-bits (defined in [RFC6891]) for Error 252 page URI, value is TBD. [RFC Editor: change TBD to the proper 253 code once assigned by IANA.] 255 o OPTION-LENGTH, 2-octets/16-bits (defined in [RFC6891]) contains 256 the length of the payload (everything after OPTION-LENGTH) in 257 octets. The variability of the option length stems from the 258 variable-length ERROR-PAGE-URI and ERROR-PAGE-SIG fields. 260 o ERROR-PAGE-URI-LENGTH, 2-octets/16-bits representing the length of 261 ERROR-PAGE-URI. It MUST NOT be set to 0. 263 o ERROR-PAGE-URI, a variable length UTF-8 encoded [RFC5198] text 264 field containing the URI Template that gives additional 265 information about the cause of blocking access to a domain. The 266 ERROR-PAGE-URI field MUST NOT be zero octets in length. 268 o ERROR-PAGE-SIG-ALG, 16-bits, which is the signature algorithm used 269 to generate the signature for the Error page URI Template. The 270 values are defined in the TLS SignatureScheme [TLS-SIG-SCHEME] 271 with limitations described in Section 5. 273 o ERROR-PAGE-SIG, a variable length field containing the signature 274 of the Error page URI Template. The signature generation process 275 is discussed in Section 5. 277 The Error page URI option MUST only be included in error responses 278 SERVFAIL, NXDOMAIN or REFUSED to a query that included the OPT 279 Pseudo-RR [RFC6891]. 281 The URI Template defined in ERROR-PAGE-URI describes how to construct 282 the URL to fetch the error page. The agent acting as HTTPS client on 283 the endpoint encodes a FQDN to which access is denied into an HTTP 284 GET request to retrieve the error page. The HTTPS server returning 285 the error page defines the URI used by the HTTP GET request through 286 the use of a URI template. The URI Template is processed with a 287 defined variable "target-domain" whose value is set to the FQDN to 288 which access is denied. The FQDN is encoded with base64url [RFC4648] 289 and then provided as the variable value for "target-domain" to expand 290 the URI Template into a URI reference in the HTTP GET request. 291 Padding characters for base64url MUST NOT be included. 293 An example is illustrated below: 295 If the URI template is "https://block.example.net/block-page{?target- 296 domain}" for the HTTPS server returning the error page and access to 297 the target domain "example.com" is blocked by the encrypted DNS 298 server, the variable "target-domain" has the value "example.com" 299 base64url encoded into an HTTP GET request. In the above example, 300 the expansion of the above URI Template is 301 "https://block.example.net/block-page?target-domain=ZXhhbXBsZS5jb20". 303 HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP to use to 304 retrieve the error page. The HTTPS client retrieving the error page 305 MUST verify the entire certification path per [RFC5280]. The HTTPS 306 client additionally uses validation techniques as described in 307 [RFC6125] to compare the domain name in the error page URI to the 308 server certificate provided in TLS handshake. See [RFC7525] for 309 additional TLS recommendations. 311 4. Error page URL Processing 313 The DNS client MUST follow the following rules to process the Error 314 page URI EDNS0 option: 316 o The Error page URI EDNS0 option is susceptible to forgery. In 317 order to defend against this attack the DNS client MUST NOT 318 process the DNS response with Error page URI EDNS0 option unless 319 DNS messages exchanged are cryptographically protected using 320 encrypted DNS. 322 o If an DNS client has enabled opportunistic privacy profile 323 (Section 5 of [RFC8310]) for DoT, the DNS client will either 324 fallback to an encrypted connection without authenticating the DNS 325 server provided by the local network or fallback to clear text 326 DNS, and cannot exchange encrypted DNS messages. The fallback 327 adversely impacts security and privacy. If the DNS client has 328 enabled opportunistic privacy profile for DoT, the client MUST NOT 329 process the DNS response with Error page URI EDNS0 option. 331 o If an DNS client has enabled strict privacy profile (Section 5 of 332 [RFC8310]) for DoT, the DNS client requires an encrypted 333 connection and successful authentication of the DNS server; this 334 mitigates both passive eavesdropping and client redirection (at 335 the expense of providing no DNS service if an encrypted, 336 authenticated connection is not available). If the DNS client has 337 enabled strict privacy profile for DoT, the client can process the 338 DNS response with Error page URI EDNS0 option. Note that the 339 strict and opportunistic privacy profiles as defined in [RFC8310] 340 only applies to DoT protocol, there has been no such distinction 341 made for DoH protocol. 343 o If the DNS response contains more than one Error page URI EDNS0 344 option, the DNS client MUST discard multiple Error page URI EDNS0 345 options in the DNS response. 347 o The Error page URI EDNS0 option MUST be processed by the DNS 348 client for a "Censored", "Blocked" or "Filtered" extended error 349 codes and MUST be ignored for any other type of extended DNS error 350 code. When "Censored", "Blocked" or "Filtered" extended error 351 code is returned in conjunction with an Error page URI EDNS0 352 option, any other resource records in the answer MUST be ignored 353 by clients supporting this specification. 355 o If the encrypted DNS server does not offer DNS filtering service 356 (e.g., prevent access to malware sites or objectionable content 357 (e.g., legal obligation)), the DNS client MUST reject the Error 358 page URI EDNS0 option. The mechanism discussed in 359 [I-D.reddy-add-server-policy-selection] can be used by the DNS 360 client to assess whether the encrypted DNS server performs DNS- 361 based content filtering. 363 o If the Error page URI EDNS0 option is included in a NOERROR RCODE 364 message, the DNS client MUST reject the Error page URI EDNS0 365 option. 367 o The DNS client MUST reject the error page URI if the scheme is not 368 "https". 370 o The DNS client verifies the signature in the ERROR-PAGE-SIG field 371 following the mechanism discussed in Section 5. If the signature 372 is valid, the client can positively identify that the Error page 373 URI EDNS0 option has been generated by the encrypted DNS server 374 and the encrypted DNS server did not forward the Error Page URI 375 EDNS0 option from an upstream resolver. If signature validation 376 fails, the DNS client MUST reject the Error page URI EDNS0 option. 378 Because EDNS is a hop-by-hop extension to DNS and EDNS responses are 379 not cached (Section 6.2.1 of [RFC6891]), a DNS resolver MUST NOT 380 propagate a received Error Page URI EDNS0 option, because an attacker 381 could insert a bogus URI; instead, if access to a domain is denied, 382 the DNS resolver MUST generate its own Error Page URI. Because DNS 383 forwarders (or DNS proxies) are supposed to propagate unknown EDNS0 384 options (Section 4.1 and Section 4.4.1 of [RFC5625]), the Error Page 385 URI EDNS0 option may get propagated. To detect both of these 386 scenarios, the Error Page URI Template is protected with an object 387 signature as described in Section 5. 389 5. Sign and Verify 391 The signature algorithms for generating signature for DNS resource 392 record sets (RRsets) are defined in [DNSKEY-IANA]. The "mandatory- 393 to-implement" algorithms are defined in [RFC8624] are RSA, ECDSA and 394 EdDSA. Along similar lines, the encrypted DNS server's end-entity 395 certificate's public key and the signature algorithm with which the 396 key can be used are RSA, ECDSA and EdDSA [RFC8446]. If ECDSA is 397 used, it is RECOMMENDED to use the deterministic digital signature 398 generation procedure of the Elliptic Curve Digital Signature 399 Algorithm (ECDSA), specified in [RFC6979]. 401 The signature is generated by the encrypted DNS server using the 402 Error page URI Template, private key of the encrypted DNS server's 403 end-entity certificate as inputs to the signature algorithm. The 404 signature algorithm in the ERROR-PAGE-SIG-ALG field MUST be 405 compatible with the key in the DNS server's end-entity certificate. 406 The implementation MUST support the same set of algorithms in the TLS 407 client for validating the signature in the CertificateVerify message 408 from the server in the TLS handshake and in the DNS client to 409 validate the signature for the Error page URI Template. As a 410 reminder, the server's end-entity certificate's public key will be 411 compatible with the selected authentication algorithm from the 412 client's "signature_algorithms" TLS extension (Section 4.4.2.2 of 413 [RFC8624]). 415 If the signature algorithm in the ERROR-PAGE-SIG-ALG field is not 416 compatible with the key in the DNS server's end-entity certificate, 417 the DNS client MUST reject the Error page URI EDNS0 option. The DNS 418 client verifies the signature using the signature in the ERROR-PAGE- 419 SIG field, error page URI Template and DNS server's end-entity 420 certificate's public key as inputs to the signature algorithm. For 421 example, if Ed25519 is used, Ed25519 signature algorithm and 422 verification of the Ed25519 signature are described in Sections 5.1.6 423 and 5.1.7 of [RFC8032], respectively. 425 6. ERROR Page 427 The following text outlines the RECOMMENDED contents of an error page 428 to assist the operator developing the error page. 430 o The exact reason for blocking access to the domain. If the domain 431 is blocked based on some threat data, the threat type associated 432 with the blocked domain can be provided/displayed to the end user. 433 For example, the reason can indicate the type of malware blocked 434 like spyware and the damage it can do the security and privacy of 435 the user. 437 o The domain name blocked. 439 o If query was blocked by regulation, a pointer to a regulatory text 440 that mandates this query block. 442 o The entity (or organization) blocking the access to the domain and 443 contact details of the IT/InfoSec team to raise a complaint. 445 o The blocked error page to not include Ads and dynamic content. 447 The content of the error page discussed above is non-normative, the 448 above text only provides the guidelines and template for the error 449 page and. 451 o Does not attempt to offer an exhaustive list for the contents of 452 an error page. 454 o It is not intended to form the basis of any legal/compliance for 455 developing the error page. 457 7. Usability Considerations 459 The error page SHOULD be returned in the user's preferred language as 460 expressed by the Accept-Language header. If the error page is 461 displayed in a language not known to the end user and assuming 462 Internationalization features failed, browser extensions to translate 463 to user's native language can be used. For example, "Google 464 Translate" extension [Chrome-Translate] provided by Google on Chrome 465 can be used by the user to translate the error page. The "Google 466 Translate" extension automatically detects whether the language of a 467 page is different from the language the user has selected. If it is 468 in a different language, a banner appears at the top of the page. 470 The user can click on the Translate button in the banner to have all 471 the text on the page appear in the language selected by the user. 473 8. Security Considerations 475 Security considerations in [I-D.ietf-dnsop-extended-error] and 476 [RFC8624] need to be taken into consideration. 478 The Error page URI EDNS0 option causes an HTTPS retrieval by the 479 client. To prevent forgery of the Error page URI EDNS0 option, this 480 specification requires it only be sent only over an encrypted DNS 481 channel with an authorized DNS server. 483 The DNS client can learn the filtering capability of an encrypted DNS 484 server using [I-D.reddy-add-server-policy-selection]. 485 [I-D.reddy-add-server-policy-selection] also discusses how a DNS 486 client can authenticate it is connecting to an encrypted DNS server 487 hosted by a specific organization (e.g., ISP). This information is 488 cryptographically signed to attest its authenticity. It is 489 particularly useful when the encrypted DNS server is insecurely 490 discovered and prevents the client from connecting to an attacker's 491 encrypted DNS server. 493 To reduce threat surface when retrieving the Error page URL over 494 HTTPS, the client SHOULD perform the retrieval using an isolated 495 environment. Such isolation should prevent transmitting cookies, 496 block JavaScript, block auto-fill of credentials or personal 497 information, and be isolated from the user's normal environment. 498 Browsers perform some of these limitations today when accessing 499 captive portals [Safari-Cookie], during private browsing, or using 500 containerization [Facebook-Container]). 502 The encrypted DNS session provides transport security for the 503 interaction between the DNS client and server, but DNSSEC signing and 504 validation is not possible for the Error Page URI EDNS0 option 505 returning the error page URI template. For example, if access to a 506 doman is blocked, the encrypted DNS resolver can rewrite the response 507 to send NXDOMAIN error and Error page URI EDNS0 option in the DNS 508 response, it will omit DNSSEC RRsets, because the modified responses 509 cannot be verified by DNSSEC signatures. However, the signature in 510 the Error Page URI EDNS0 option provides data origin authentication 511 of the Error Page URI EDNS0 option. Nevertheless, the Error Page URI 512 EDNS0 option returning the error page URI Template should be treated 513 only as diagnostic information and MUST NOT alter DNS protocol 514 processing. 516 By design, the object referenced by the error page URL potentially 517 exposes additional information about the DNS resolution process that 518 may leak information. An example of this is the reason for blocking 519 the access to the domain name and the entity blocking access to the 520 domain. 522 9. IANA Considerations 524 9.1. A New Error Page URL EDNS Option 526 This document defines a new EDNS(0) option, entitled "Error Page 527 URI", assigned a value of TBD from the "DNS EDNS0 Option Codes (OPT)" 528 registry [to be removed upon publication: 529 [http://www.iana.org/assignments/dns-parameters/dns- 530 parameters.xhtml#dns-parameters-11] 532 Value Name Status Reference 533 ----- ---------------- ------ ------------------ 534 TBD Error Page URI Standard [ This document ] 536 10. Acknowledgements 538 Thanks to Vittorio Bertola, Wes Hardaker, Ben Schwartz, Erid Orth, 539 Viktor Dukhovni and Bob Harold for the comments. 541 11. References 543 11.1. Normative References 545 [I-D.ietf-dnsop-extended-error] 546 Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D. 547 Lawrence, "Extended DNS Errors", draft-ietf-dnsop- 548 extended-error-16 (work in progress), May 2020. 550 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 551 Requirement Levels", BCP 14, RFC 2119, 552 DOI 10.17487/RFC2119, March 1997, 553 . 555 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 556 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 557 . 559 [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network 560 Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008, 561 . 563 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 564 Housley, R., and W. Polk, "Internet X.509 Public Key 565 Infrastructure Certificate and Certificate Revocation List 566 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 567 . 569 [RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines", 570 BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009, 571 . 573 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 574 Verification of Domain-Based Application Service Identity 575 within Internet Public Key Infrastructure Using X.509 576 (PKIX) Certificates in the Context of Transport Layer 577 Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March 578 2011, . 580 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 581 for DNS (EDNS(0))", STD 75, RFC 6891, 582 DOI 10.17487/RFC6891, April 2013, 583 . 585 [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature 586 Algorithm (DSA) and Elliptic Curve Digital Signature 587 Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August 588 2013, . 590 [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, 591 "Recommendations for Secure Use of Transport Layer 592 Security (TLS) and Datagram Transport Layer Security 593 (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 594 2015, . 596 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 597 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 598 DOI 10.17487/RFC7540, May 2015, 599 . 601 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 602 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 603 May 2017, . 605 [RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles 606 for DNS over TLS and DNS over DTLS", RFC 8310, 607 DOI 10.17487/RFC8310, March 2018, 608 . 610 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 611 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 612 . 614 [RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation 615 Requirements and Usage Guidance for DNSSEC", RFC 8624, 616 DOI 10.17487/RFC8624, June 2019, 617 . 619 [TLS-SIG-SCHEME] 620 "IANA, TLS SignatureScheme", 621 . 624 11.2. Informative References 626 [Chrome-Install-Cert] 627 "How to manually install the Securly SSL certificate in 628 Chrome", . 632 [Chrome-Translate] 633 "Google Translate", 634 . 638 [DNSKEY-IANA] 639 "IANA, Domain Name System Security (DNSSEC) Algorithm 640 Numbers", 641 . 643 [Facebook-Container] 644 "Facebook container for Firefox", 645 . 648 [I-D.ietf-dnsop-terminology-ter] 649 Hoffman, P., "Terminology for DNS Transports and 650 Location", draft-ietf-dnsop-terminology-ter-02 (work in 651 progress), August 2020. 653 [I-D.ietf-dprive-dnsoquic] 654 Huitema, C., Mankin, A., and S. Dickinson, "Specification 655 of DNS over Dedicated QUIC Connections", draft-ietf- 656 dprive-dnsoquic-00 (work in progress), April 2020. 658 [I-D.reddy-add-server-policy-selection] 659 Reddy.K, T., Wing, D., Richardson, M., and M. Boucadair, 660 "DNS Server Selection: DNS Server Information with 661 Assertion Token", draft-reddy-add-server-policy- 662 selection-04 (work in progress), July 2020. 664 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 665 and P. Hoffman, "Specification for DNS over Transport 666 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 667 2016, . 669 [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital 670 Signature Algorithm (EdDSA)", RFC 8032, 671 DOI 10.17487/RFC8032, January 2017, 672 . 674 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 675 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 676 . 678 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 679 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 680 January 2019, . 682 [Safari-Cookie] 683 "Isolated cookie store (CVE-2016-1730)", 684 . 686 Authors' Addresses 688 Tirumaleswar Reddy 689 McAfee, Inc. 690 Embassy Golf Link Business Park 691 Bangalore, Karnataka 560071 692 India 694 Email: kondtir@gmail.com 696 Neil Cook 697 Open-Xchange 698 UK 700 Email: neil.cook@noware.co.uk 701 Dan Wing 702 Citrix Systems, Inc. 703 USA 705 Email: dwing-ietf@fuggles.com 707 Mohamed Boucadair 708 Orange 709 Rennes 35000 710 France 712 Email: mohamed.boucadair@orange.com