EDNS options for filtering information

Introduction Some DNS nameservers return forged answers with different IP addresses when they filter, block, or censor access to an internet domain name. A service is typically setup to run at the forged address and return information about the filtering that was performed. This practice causes transport security-related errors at clients, such as the case where a HTTPS server serving at the forged answer's address does not have a valid TLS certificate configured for the domain name. A security error about a certificate mismatch is displayed by the web browser. This draft introduces EDNS options for nameservers to provide more information to clients about the filtering as part of the DNS response itself, making the need to return forged answers unnecessary when domain names are filtered. By using these options instead of forged answers, security errors due to forged answers may be avoided at clients, and the information provided in these new EDNS options may be used to diagnose filtering or contact administrators of the DNS nameservers that performed filtering.

Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in when, and only when, they appear in all capitals, as shown here.

EDE-EXTRA-TEXT-LANGUAGE EDNS option This option specifies the language that is used in the EXTRA-TEXT field of EDNS Extended DNS Error options in the same DNS message. It is not limited to DNS filtering, but may be used in any DNS message that contains EDNS Extended DNS Error options. There MAY be zero or one EDE-EXTRA-TEXT-LANGUAGE EDNS option in a message. If a human-readable message is generated in the EXTRA-TEXT field of EDNS Extended DNS Error options, the nameserver MAY also include an EDE-EXTRA-TEXT-LANGUAGE EDNS option in the response. If the EDE-EXTRA-TEXT-LANGUAGE EDNS option is included, the language in its option data MUST match the language used in the EXTRA-TEXT field of the EDNS Extended DNS Error option. The EDNS OPTION-CODE of EDE-EXTRA-TEXT-LANGUAGE is provided in . The OPTION-DATA MUST contain a language tag as described in .

FILTERING-CONTACT EDNS option When DNS queries cause filtering to be performed by nameservers and negative responses to be returned due to it, the nameserver MAY return zero or more FILTERING-CONTACT EDNS options in responses, containing contact information of the party that performed the filtering. DNS nameservers MAY generate these options as described in . DNS clients MAY use the information in these options as described in . The EDNS OPTION-CODE of FILTERING-CONTACT is provided in . The OPTION-DATA is a UTF-8 encoded string (that is not nul-terminated) containing a contact URI using a contact URI scheme listed in TBD: add a link to the contact URI scheme registry.

FILTERING-ORGANIZATION EDNS option When DNS queries cause filtering to be performed by nameservers and negative responses to be returned due to it, the nameserver MAY return zero or one FILTERING-ORGANIZATION EDNS option in responses, containing the name of the organization that performed the filtering. DNS nameservers MAY generate this option as described in . DNS clients MAY use the information in this option as described in . The EDNS OPTION-CODE of FILTERING-ORGANIZATION is provided in . The OPTION-DATA is a UTF-8 encoded string (that is not nul-terminated) containing the name of the organization that performed the filtering. The language used must match that specified in the EDE-EXTRA-TEXT-LANGUAGE EDNS option if the latter option is also included.

FILTERING-DB EDNS option When DNS queries cause filtering to be performed by nameservers and negative responses to be returned due to it, the nameserver MAY return zero or one FILTERING-DB EDNS option in responses, containing the identifier, name, or description of the filtering database against which a matched query caused the filtering to occur. DNS nameservers MAY generate this option as described in . DNS clients MAY use the information in this option as described in . The EDNS OPTION-CODE of FILTERING-DB is provided in . The OPTION-DATA is a UTF-8 encoded string (that is not nul-terminated) containing the identifier, name, or description of the filtering database against which a matched query caused the filtering to occur.

DNS nameserver behavior When DNS nameservers filter/block/censor queries to domain names, it is RECOMMENDED that they do not return forged positive answers (e.g., containing a different IP address) to filtered queries, but instead return negative responses (NODATA or NXDOMAIN) containing an EDNS Extended DNS Error option with corresponding INFO-CODE accurately indicating the kind of filtering that was performed. When such negative reponses are returned as a result of DNS filtering, DNS nameservers MAY include in DNS responses zero or more FILTERING-CONTACT EDNS options, and a FILTERING-ORGANIZATION EDNS option to provide information about the party that performed the filtering. The nameserver MAY return a human-readable message describing the filtering action that was performed in the EXTRA-TEXT field of the EDNS Extended DNS Error option. If a human-readable message is generated in the EXTRA-TEXT field, the nameserver MAY also include an EDE-EXTRA-TEXT-LANGUAGE EDNS option in the response.

DNS client behavior DNS clients do not have to specify anything in their queries to nameservers to receive DNS filtering-related information. Nameservers would automatically return DNS filtering-related information in EDNS responses if they are setup to do so. When clients query DNS nameservers, they may receive DNS filtering-related information as part of the nameserver's responses. This information may be contained in the EDNS options described in this draft, as well as EDNS Extended DNS Error option fields (INFO-CODE and EXTRA-TEXT) . It is strongly RECOMMENDED that clients use DNS transport security protocols to query Privacy-enabling DNS servers as defined in to protect the authenticity and integrity during transport of the DNS answer as well as the DNS filtering-related information that may be contained in it. DNS clients may receive zero or more FILTERING-CONTACT EDNS options in reponses. DNS clients MAY make use of the information in these options as they would like to. An example may be to display the contact information in a dialog message with hyperlinks, so that users may contact filtering parties. DNS clients may receive zero or more FILTERING-ORGANIZATION EDNS options in reponses. DNS clients MAY make use of the information in the first such EDNS option in the OPT RR as they would like to, and ignore any other FILTERING-ORGANIZATION options. An example may be to display the contact information in a dialog message with hyperlinks, so that users may contact filtering parties.

Security considerations It is strongly RECOMMENDED that clients use DNS transport security protocols to query Privacy-enabling DNS servers as defined in to protect the authenticity and integrity during transport of the DNS answer as well as the DNS filtering-related information that may be contained in it. TBD: Any other details that the dnsop WG and authors of draft-ietf-dnsop-structured-dns-error want to include.

IANA considerations IANA is requested to allocate the following code points in the "DNS EDNS0 Option Codes (OPT)" registry in the "Domain Name System (DNS) Parameters" registry group.

Value	Name	Status	Reference
TBD	EDE-EXTRA-TEXT-LANGUAGE	Optional	See .
TBD	FILTERING-CONTACT	Optional	See .
TBD	FILTERING-ORGANIZATION	Optional	See .
TBD	FILTERING-DB	Optional	See .

Acknowledgements The FILTERING-CONTACT, FILTERING-ORGANIZATION, and EDE-EXTRA-TEXT-LANGUAGE EDNS options are based on the "c", "o", and "l" JSON fields respectively as listed in Section I-JSON in EXTRA-TEXT Field of .