forked from tireddy2/split-horizon-dns
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-reddy-dnsop-dns-error-page-07.xml
651 lines (540 loc) · 31 KB
/
draft-reddy-dnsop-dns-error-page-07.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="std" docName="draft-reddy-dnsop-error-page-07"
ipr="trust200902">
<front>
<title abbrev="DNS Access Denied Error Page">DNS Access Denied Error
Page</title>
<author fullname="Tirumaleswar Reddy" initials="T." surname="Reddy">
<organization abbrev="McAfee">McAfee, Inc.</organization>
<address>
<postal>
<street>Embassy Golf Link Business Park</street>
<city>Bangalore</city>
<region>Karnataka</region>
<code>560071</code>
<country>India</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Neil Cook" initials="N." surname="Cook">
<organization>Open-Xchange</organization>
<address>
<postal>
<street></street>
<country>UK</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Dan Wing" initials="D." surname="Wing">
<organization abbrev="Citrix">Citrix Systems, Inc.</organization>
<address>
<postal>
<street></street>
<country>USA</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
<organization>Orange</organization>
<address>
<postal>
<street></street>
<city>Rennes</city>
<code>35000</code>
<country>France</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<date />
<workgroup>DNSOP WG</workgroup>
<abstract>
<t>When a DNS server filters a query, the response to such query conveys
no detailed explanation that elaborates why that query was blocked,
leading thus to end-user confusion. A solution to this problem is needed
in order to enhance the user experience.</t>
<t>This document defines a method to return an URI that explains the
reason why a DNS query was filtered by a DNS server.</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>DNS filters are deployed for a variety of reasons, including endpoint
security, parental filtering, and filtering required by law enforcement.
Some of these reasons are discussed in more detail below:</t>
<t><list style="symbols">
<t>Various network security services are provided by Enterprise
networks to protect endpoints (e.g., Hosts including IoT devices).
Network-based security solutions such as firewalls and Intrusion
Prevention Systems (IPS) rely upon network traffic inspection to
implement perimeter-based security policies. The network security
services may, for example, prevent malware download, block known
malicious domains, block phishing sites, etc. <vspace
blankLines="1" />These network security services act on DNS queries
originating from endpoints. For example, DNS firewalls, a method of
expressing DNS response policy information inside specially
constructed DNS zones, known as Response Policy Zones (RPZs) allows
DNS servers to modify their DNS responses in real time in order to
stop access to malware and phishing domains. Note that some of the
commonly known types of malware are viruses, worms, trojans, bots,
ransomware, backdoors, spyware, and adware.</t>
<t>Network devices in a home network offer network security to
protect the devices within the home network by performing DNS-based
content filtering. The network security service may, for example,
block access to specific domains to enforce parental control, block
access to malware sites, etc.</t>
<t>Internet Service Providers (ISPs) typically block access to some
DNS domains due to a requirement imposed by an external entity
(e.g., Law Enforcement Agency). Such blocking is performed using
DNS-based content filtering.</t>
</list></t>
<t>DNS responses can be filtered by sending a bogus (also called,
"forged") A or AAAA response, NXDOMAIN error or empty answer, or an
extended DNS error (EDE) code defined in <xref target="RFC8914"></xref>.
Each of these methods have advantages and disadvantages that are
discussed below:</t>
<t><list style="numbers">
<t>The DNS response is forged to provide a list of IP addresses that
points to an HTTP(S) server alerting the end user about the reason
for blocking access to the requested domain (e.g., malware). When an
HTTP(S) enabled domain name is blocked, the network security device
(e.g., CPE, firewall) presents a block page instead of the HTTP
response from the content provider hosting that domain. If an HTTP
enabled domain name is blocked, the network security device
intercepts the HTTP request and returns a block page over HTTP. If
an HTTPS enabled domain is blocked, the block page is also served
over HTTPS. In order to return a block page over HTTPS, man in the
middle (MITM) is enabled on endpoints by generating a local root
certificate and an accompanying (local) public/private key pair. The
local root certificate is installed on the endpoint while the
network security device(s) stores a copy of the private key. During
the TLS handshake, the network security device modifies the
certificate provided by the server and (re)signs it using the
private key from the local root certificate. <list style="symbols">
<t>However, configuring the local root certificate on endpoints
is not a viable option in several deployments like home
networks, schools, Small Office/Home Office (SOHO), and Small/
Medium Enterprise (SME). In these cases, the typical behavior is
that the forged DNS response directs the user towards a server
hosted to display the block page which breaks the TLS
connection. For web-browsing this then results in an HTTPS
certificate error message indicating that a secure connection
could not be established, which gives no information to the
end-user about the reason for the error.<vspace
blankLines="1" />The typical errors are "The security
certificate presented by this website was not issued by a
trusted certificate authority" (Internet Explorer/Edge"), "The
site's security certificate is not trusted" (Chrome), "This
Connection is Untrusted" (Firefox), “Safari can't verify
the identity of the website…” (Safari on
MacOS)".</t>
<t>Enterprise networks do not assume that all the connected
devices are managed by the IT team or Mobile Device Management
(MDM) devices, especially in the quite common Bring Your Own
Device (BYOD) scenario. In addition, the local root certificate
cannot be installed on IoT devices without a device management
tool.</t>
<t>An end user does not know why the connection was reset and,
consequently, may repeatedly try to reach the domain but with no
success. Frustrated, the end user may switch to an alternate
network that offers no DNS-level protection against malware and
phishing, potentially compromising both security and privacy.
Furthermore, certificate errors train users to click through
certificate errors, which is a bad security practice. To
eliminate the need for an end user to click through certificate
errors, an end user may manually install a local root
certificate on a host device (e.g. <xref
target="Chrome-Install-Cert"></xref>). Doing so, however, is
also a bad security practice as it creates a security
vulnerability that may be exploited by a MITM attack. When a
manually installed local root certificate expires, the user has
to (again) manually install the new local root certificate.</t>
</list></t>
<t>The DNS response is forged to provide a NXDOMAIN response to
cause the DNS lookup to terminate in failure. In this case, an end
user does not know why the domain cannot be reached and may
repeatedly try to reach the domain but with no success. Frustrated,
the end user may use insecure connections to reach the domain,
potentially compromising both security and privacy.</t>
<t>The extended error codes Blocked, Censored, and Filtered defined
in Section 4 of <xref target="RFC8914"></xref> can be returned by a
DNS server to provide additional information about the cause of an
DNS error. If the extended error code "Forged Answer" defined in
Section 4.5 of <xref target="RFC8914"></xref> is returned by the DNS
server, the client can identify the DNS response is forged together
with the reason for HTTPS certificate error. <vspace
blankLines="1" />These extended error codes do not suffer from the
limitations discussed in bullets (1) and (2), but the user still
does not know the exact reason nor he/she is aware of the exact
entity blocking the access to the domain. For example, a DNS server
may block access to a domain based on the content category such as
"Adult Content" to enforce parental control, "Violence &
Terrorism" due to an external requirement imposed by an external
entity (e.g., Law Enforcement Agency), etc. These content categories
cannot be standardized because the classification of domains into
content categories is vendor specific, typically ranges from 40 to
100 types of categories depending on the vendor and the categories
keep evolving. Furthermore, the threat data used to categorize
domains may sometimes misclassify domains (e.g., domains wrongly
classified as Domain Generation Algorithm (DGA) by deep learning
techniques, domain wrongly classified as phishing due to crowd
sourcing, new domains not categorized by the threat data). A user
needs to know the contact details of the IT/InfoSec team to raise a
complaint.</t>
<t>The EXTRA-TEXT field of the EDE option defined in Section 2 of
<xref target="RFC8914"></xref> can include additional textual
information about the cause of the error, but the information could
be provided in a language that is not understood by the user. When a
resolver or forwarder forwards the received EDE option, the
EXTRA-TEXT field only conveys the source of the error (Section 3 of
<xref target="RFC8914"></xref>) and does not provide additional
textual information about the cause of the error. Most importantly,
EDE option does not offer authenticated information; it can thus be
spoofed by an attacker. In addition, the additional textual
information may not be able to convey all of the required
information about the cause of the DNS error because lengthy
EXTRA-TEXT content would be truncated to prevent fragmentation
(Section 3 of <xref target="RFC8914"></xref>).</t>
</list></t>
<t>No matter which type of response is generated (forged IP address(es),
NXDOMAIN or empty answer, or an extended error code), the user who
triggered the DNS query has little chance to understand which entity
filtered the query, how to report a mistake in the filter, or why the
entity filtered it at all. This document describes a mechanism to
provide an URI which, when accessed, provides such information to the
user.</t>
<t>One of the other benefits of this approach is to eliminate the need
to "spoof" block pages for HTTPS resources. This is achieved as the
block page no longer needs to create a signed certificate when blocking
a destination. This approach avoids the need to install a local root
certificate authority on those IT-managed devices.</t>
</section>
<section anchor="notation" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
<xref target="RFC2119"></xref><xref target="RFC8174"></xref> when, and
only when, they appear in all capitals, as shown here.</t>
<t>This document makes use of the terms defined in <xref
target="RFC8499"></xref>.</t>
<t>'Encrypted DNS' refers to any encrypted scheme to convey DNS
messages, for example, DNS-over-HTTPS <xref target="RFC8484"></xref>,
DNS-over-TLS <xref target="RFC7858"></xref>, or DNS-over-QUIC <xref
target="I-D.ietf-dprive-dnsoquic"></xref>.</t>
</section>
<section anchor="format-sec" title="Error Page URI EDNS0 Option Format">
<t>This document uses an EDNS0 <xref target="RFC6891"></xref> option to
include the URI that provides additional information in a DNS response
about the cause of blocking access to a requested domain. This option is
structured as depicted in <xref target="format"></xref>.</t>
<figure align="center" anchor="format"
title="Error Page URI EDNS0 Option Format">
<artwork align="center"><![CDATA[ 1 1 1 1 1 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| OPTION-CODE |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| OPTION-LENGTH |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| ERROR-PAGE-URI-LENGTH (fixed size) |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
/ ERROR-PAGE-URI (variable size) /
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
]]></artwork>
</figure>
<t></t>
<t>The description of the fields is as follows:</t>
<t><list style="symbols">
<t>OPTION-CODE: TBD, indicates the code assigned for Error Page URI
(Section 6.1.2 of <xref target="RFC6891"></xref>). [RFC Editor:
change TBD to the proper code once assigned by IANA.]</t>
<t>OPTION-LENGTH: See Section 6.1.2 of <xref
target="RFC6891"></xref>. This field contains the length of the
payload (everything after OPTION-LENGTH) in octets. The variability
of the option length stems from the variable-length ERROR-PAGE-URI
field.</t>
<t>ERROR-PAGE-URI-LENGTH: This 16-bit field indicates the length of
ERROR-PAGE-URI. It MUST NOT be set to 0.</t>
<t>ERROR-PAGE-URI: A variable length UTF-8 encoded <xref
target="RFC5198"></xref> text field containing the URI Template
<xref target="RFC6570"></xref> that gives additional information
about the cause of blocking access to a domain. The ERROR-PAGE-URI
field MUST NOT be zero octets in length.</t>
</list></t>
<t>The Error Page URI option can be included in any response (SERVFAIL,
NXDOMAIN, REFUSED, and even NOERROR, etc.) to a query that includes OPT
Pseudo-RR <xref target="RFC6891"></xref>.</t>
<t>The URI Template defined in ERROR-PAGE-URI describes how to construct
the URL to fetch the error page. The agent acting as the HTTPS client on
the endpoint encodes an FQDN to which access is denied into an HTTP GET
request to retrieve the error page. The HTTPS server returning the error
page defines the URI used by the HTTP GET request through the use of a
URI Template. The URI Template is processed with a defined variable
"target-domain" whose value is set to the FQDN to which access is
denied.</t>
<t>The FQDN is encoded using base64url <xref target="RFC4648"></xref>
and then provided as the variable value for "target-domain" to expand
the URI Template into an URI reference in the HTTP GET request. Padding
characters for base64url MUST NOT be included.</t>
<t>An example is illustrated below:<list style="empty">
<t>If the URI Template is
"https://resolver.example.net/block-page{?target-domain}" for the
HTTPS server returning the error page and access to the target
domain "example.com" is blocked by the encrypted DNS server, the
variable "target-domain" has the value "example.com" base64url
encoded into an HTTP GET request. In the above example, the
expansion of the above URI Template is
"https://resolver.example.net/block-page?target-domain=ZXhhbXBsZS5jb20".</t>
</list></t>
<t>HTTP/2 <xref target="RFC7540"></xref> is the minimum RECOMMENDED HTTP
version to use to retrieve the error page. The HTTPS client retrieving
the error page MUST verify the entire certification path as per <xref
target="RFC5280"></xref>. The HTTPS client additionally uses validation
techniques described in <xref target="RFC6125"></xref> to compare the
domain name in the error page URI to the server certificate provided in
TLS handshake. See <xref target="RFC7525"></xref> for additional TLS
recommendations.</t>
</section>
<section title="Error Page URI Processing">
<t>The DNS client MUST follow the rules below to process the Error Page
URI EDNS0 option:<list style="symbols">
<t>If the DNS response contains more than one Error Page URI EDNS0
option, the DNS client MUST discard all Error Page URI EDNS0 options
in the DNS response.</t>
<t>The Error Page URI EDNS0 option MUST be processed by the DNS
client for a "Censored", “Blocked", “Filtered” or
“Forged" extended error codes and MUST be ignored for any
other type of extended DNS error code. When "Censored",
“Blocked”, "Filtered” or “Forged”
extended error code is returned in conjunction with an Error Page
URI EDNS0 option, any other resource records in the answer MUST be
ignored by clients supporting this specification.</t>
<t>The DNS client MUST reject the error page URI if the scheme is
not "https".</t>
</list></t>
<section title="Mitigating EDNS0 Forgery">
<t>The Error Page URI EDNS0 option is susceptible to forgery. An
attacker (e.g., a man in the middle (MITM)) could insert an extended
Error Page URI EDNS0 option into the DNS response causing a client to
attempt to visit that URI. For instance, the attacker can be located
between the stub resolver and DNS recursive server or between the DNS
proxy and the upstream resolver. To mitigate that attack, the
following measures are enforced:</t>
<t><list style="symbols">
<t>The DNS client MUST NOT process the DNS response with Error
Page URI EDNS0 option unless DNS messages exchanged are
cryptographically protected using encrypted DNS.</t>
<t>If a DNS client has enabled opportunistic privacy profile
(Section 5 of <xref target="RFC8310"></xref>) for DoT, the DNS
client will either fallback to an encrypted connection without
authenticating the DNS server provided by the local network or
fallback to clear text DNS, and cannot exchange encrypted DNS
messages. Both of these fallback mechanisms adversely impacts
security and privacy. If the DNS client has enabled opportunistic
privacy profile for DoT, the DNS client MUST ignore Error Page URI
EDNS0 option in responses, but SHOULD process other parts of the
response.</t>
<t>If a DNS client has enabled strict privacy profile (Section 5
of <xref target="RFC8310"></xref>) for DoT, the DNS client
requires an encrypted connection and successful authentication of
the DNS server; this mitigates both passive eavesdropping and
client redirection (at the expense of providing no DNS service if
an encrypted, authenticated connection is not available). If the
DNS client has enabled strict privacy profile for DoT, the client
can process the DNS response with Error Page URI EDNS0 option.
Note that the strict and opportunistic privacy profiles as defined
in <xref target="RFC8310"></xref> only applies to DoT protocol,
there has been no such distinction made for DoH protocol.</t>
<t>If the DNS client determines that the encrypted DNS server does
not offer DNS filtering service, it MUST reject the Error Page URI
EDNS0 option. For example, the DNS client can learn whether the
encrypted DNS resolver performs DNS-based content filtering or not
by retrieving resolver information using the method defined in
<xref target="I-D.reddy-add-resolver-info"></xref>.</t>
<t>DNS forwarders (or DNS proxies) are supposed to propagate
unknown EDNS0 options (Sections 4.1 and 4.4.1 of <xref
target="RFC5625"></xref>), the Error Page URI EDNS0 option may get
propagated by a DNS server that has not implemented this
specification. To detect this scenario, the DNS client MUST verify
the domain name in the Error Page URI matches the domain name of
the encrypted DNS resolver. If this match fails, the DNS client
MUST ignore Error Page URI EDNS0 option in the response, but
SHOULD process other parts of the response.</t>
</list></t>
</section>
</section>
<section title="Error Page">
<t>The following outlines the RECOMMENDED contents of an error page to
assist the operator developing the error page:</t>
<t><list style="symbols">
<t>The exact reason for blocking access to the domain. If the domain
is blocked based on some threat data, the threat type associated
with the blocked domain can be provided/displayed to the end user.
For example, the reason can indicate the type of malware blocked
like spyware and the damage it can do the security and privacy of
the user.</t>
<t>The domain name blocked.</t>
<t>If query was blocked by regulation, a pointer to a regulatory
text that mandates this query block.</t>
<t>The entity (or organization) blocking the access to the domain
and contact details of the IT/InfoSec team to raise a complaint.</t>
<t>The blocked error page to not include Ads and dynamic
content.</t>
</list>The content of the error page discussed above is non-normative,
the above text only provides the guidelines and template for the error
page and:<list style="symbols">
<t>does not attempt to offer an exhaustive list for the contents of
an error page.</t>
<t>it is not intended to form the basis of any legal/compliance for
developing the error page.</t>
</list></t>
</section>
<section title="Usability Considerations">
<t>The error page SHOULD be returned in the user's preferred language as
expressed by the Accept-Language HTTP header.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>Security considerations in Section 6 of <xref
target="RFC8914"></xref> and <xref target="RFC8624"></xref> need to be
taken into consideration.</t>
<t>The Error Page URI EDNS0 option causes an HTTPS retrieval by the
client. To prevent forgery of the Error Page URI EDNS0 option, this
specification requires it only be sent only over an encrypted DNS
channel with an authorized DNS server.</t>
<t>The client knows it is connecting to a HTTPS server returning the
error page. To reduce threat surface the client can retrieve the Error
Page URL using, for example, an isolated environment and take other
precautions such as clearly labeling the page as untrusted or prevent
user interaction with the page. Such isolation should prevent
transmitting cookies, block JavaScript, block auto-fill of credentials
or personal information, and be isolated from the user's normal
environment.</t>
<t>Browsers perform some of the above restrictions when accessing
captive portals (Section 5 of <xref target="RFC8910"></xref> or <xref
target="Safari-Cookie"></xref>), during private browsing, or using
containerization <xref target="Facebook-Container"></xref>.</t>
<t>Note that the means to use a sandbox environment and a user interface
presenting the error page are not covered in this document. By its
nature, these aspects are implementation specific and best left to the
application and user interface designers.</t>
<t>The encrypted DNS session provides transport security for the
interaction between the DNS client and server, but DNSSEC signing and
validation is not possible for the Error Page URI EDNS0 option returning
the Error Page URI Template. However, this specification mandates the
DNS client to not process DNS response with Error Page URI EDNS0 option
if domain name in the Error Page URI does not match the domain name of
the encrypted DNS server. The validation ensures both the servers are
operated by the same entity and have the same origin (similar to the
Same Origin Policy (SOP)).</t>
<t>By design, the object referenced by the error page URL potentially
exposes additional information about the DNS resolution process that may
leak information. An example of this is the reason for blocking the
access to the domain name and the entity blocking access to the
domain.</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<section title="A New Error Page URI EDNS Option">
<t>This document defines a new EDNS(0) option, entitled "Error Page
URI", assigned a value of TBD from the "DNS EDNS0 Option Codes (OPT)"
registry [to be removed upon publication:
[http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11]</t>
<t><figure>
<artwork><![CDATA[Value Name Status Reference
----- ---------------- ------ ------------------
TBD Error Page URI Standard [ This document ]]]></artwork>
</figure></t>
</section>
</section>
<section title="Acknowledgements">
<t>Thanks to Vittorio Bertola, Wes Hardaker, Ben Schwartz, Erid Orth,
Viktor Dukhovni, Warren Kumari and Bob Harold for the comments.</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<references title="Normative References">
<?rfc include='reference.RFC.2119'?>
<?rfc include='reference.RFC.8174'?>
<?rfc include='reference.RFC.4648'?>
<?rfc include='reference.RFC.7540'?>
<?rfc include='reference.RFC.6891'?>
<?rfc include='reference.RFC.8310'?>
<?rfc include='reference.RFC.8624'?>
<?rfc include='reference.RFC.5198'?>
<?rfc include='reference.RFC.5280'?>
<?rfc include='reference.RFC.6125'?>
<?rfc include='reference.RFC.7525'?>
<?rfc include='reference.RFC.5625'?>
<?rfc include='reference.RFC.6570'?>
<?rfc include='reference.RFC.8914' ?>
</references>
<references title="Informative References">
<?rfc include='reference.RFC.8499'?>
<?rfc include='reference.RFC.8484'?>
<?rfc include='reference.RFC.7858'?>
<?rfc include='reference.RFC.8910'?>
<?rfc include='reference.I-D.ietf-dprive-dnsoquic'?>
<?rfc include='reference.I-D.reddy-add-resolver-info'?>
<reference anchor="Chrome-Install-Cert"
target="support.securly.com/hc/en-us/articles/206081828-How-to-manually-install-the-Securly-SSL-certificate-in-Chrome">
<front>
<title>How to manually install the Securly SSL certificate in
Chrome</title>
<author></author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="Facebook-Container"
target="https://www.mozilla.org/en-US/firefox/facebookcontainer/">
<front>
<title>Facebook container for Firefox</title>
<author></author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="Safari-Cookie"
target="https://support.apple.com/en-us/HT205732">
<front>
<title>Isolated cookie store (CVE-2016-1730)</title>
<author></author>
<date day="" month="" year="" />
</front>
</reference>
</references>
</back>
</rfc>