]> Citrix Systems, Inc.

United States of America danwing@gmail.com

Nokia

Bangalore Karnataka India kondtir@gmail.com

Open-Xchange

United Kingdom neil.cook@noware.co.uk

Orange

Rennes 35000 France mohamed.boucadair@orange.com

Internet DNS Operations Working Group Customer experience Informed decision transparency enriched feedback DNS filtering is widely deployed for various reasons, including network security and policy enforcement. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the dnsop Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction DNS filters are deployed for a variety of reasons, e.g., endpoint security, parental filtering, and filtering required by law enforcement. Network-based security solutions such as firewalls and Intrusion Prevention Systems (IPS) rely upon network traffic inspection to implement perimeter-based security policies and operate by filtering DNS responses. In a home network, DNS filtering is used for the same reasons as above and additionally for parental control. Internet Service Providers (ISPs) typically block access to some DNS domains due to a requirement imposed by an external entity (e.g., law enforcement agency) also performed using DNS-based content filtering. End users or network administrators leveraging DNS services that perform filtering may wish to receive more explanatory information about such a filtering to resolve problems with the filter -- for example, to contact the DNS service administrator to allowlist a DNS domain that was erroneously filtered or to understand the reason a particular domain was filtered. With that information, they can choose to use another network, open a trouble ticket with the DNS service administrator to resolve erroneous filtering, log the information, etc. For the DNS filtering mechanisms described in , the DNS server can return extended error codes Blocked, Filtered, Censored, or Forged Answer defined in . However, these codes only explain that filtering occurred but lack detail for the user to diagnose erroneous filtering. No matter which type of response is generated (forged IP address(es), NXDOMAIN or empty answer, even with an extended error code), the end user who triggered the DNS query has little chance to understand which entity filtered the query, how to report a mistake in the filter, or why the entity filtered it at all. This document describes a mechanism to provide such detail. As noted in , promptly informing the endpoint that blocking has occurred provides necessary transparency to redress any errors, particularly as they relate to collateral damage introduced by errant filters. One of the other benefits of the approach described in this document is to eliminate the need to "spoof" block pages for HTTPS resources. This is achieved since clients implementing this approach would be able to display a meaningful error message, and would not need to connect to such a block page. This approach thus avoids the need to install a local root certificate authority on those IT-managed devices. This document describes a format for machine-readable data in the EXTRA-TEXT field of . The document updates which says the information in EXTRA-TEXT field is intended for human consumption (not automated parsing). This document does not recommend DNS filtering but provides a mechanism for better transparency to explain to the end users why some DNS queries are filtered.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document uses terms defined in DNS Terminology . "Encrypted DNS" refers to any encrypted scheme to convey DNS messages, for example, DNS over HTTPS (DoH) , DNS over TLS (DoT) , or DNS over QUIC (DoQ) . The document refers to an Extended DNS Error (EDE) using its purpose, not its INFO-CODE as per Table 3 of . "Forged Answer", "Blocked", "Censored", and "Filtered" are thus used to refer to "Forged Answer (4)", "Blocked (15)", "Censored (16)", and "Filtered (17)". In this document, "client security policy evaluation" refers to implementation-defined decision-making performed by the DNS client or consuming application (e.g., web browser) to determine how, or whether, structured error information is used, displayed, or acted upon. Structured DNS Error (SDE) is an EDNS(0) option indicating support for structured encoding of the EXTRA-TEXT field. See also . "DNS administrator" refers to the party responsible for operating and configuring the DNS server, including the definition of filtering policies. "IT/InfoSec team" refers to the organizational team responsible for receiving and handling end-user reports of misclassified DNS filtering, including decisions on allowlisting domains or revising filtering policies.

DNS Filtering Techniques and Their Limitations DNS responses can be filtered by sending, e.g., a bogus (also called "forged") response, NXDOMAIN error, or empty answer. Also, clients can be informed that filtering occurred by sending an Extended DNS Error code defined in . Each of these methods have advantages and disadvantages that are discussed below:

• The DNS response is forged to provide a list of IP addresses that points to an HTTP(S) server alerting the end user about the reason for blocking access to the requested domain (e.g., malware). If the host component of an HTTP URL is blocked, the network security device (e.g., Customer Premises Equipment (CPE) or firewall) presents a block page instead of the HTTP response from the content provider hosting that domain. This works successfully with HTTP.
  
  If this is an HTTPS URL, the network security device attempts to serve the block page over HTTPS. In order to return a block page over HTTPS, the network security device uses a locally generated root certificate and corresponding key pair. The local root certificate is installed on the endpoint while the network security device stores a copy of the private key. During the TLS handshake, the on-path network security device modifies the certificate provided by the server and (re)signs it using the private key from the local root certificate.
  • In deployments where DNSSEC is used, this approach becomes ineffective because DNSSEC ensures the integrity and authenticity of DNS responses, preventing forged DNS responses from being accepted.
  • The HTTPS server hosted on the network security device will have access to the client's IP address, the hostname, and the URL path component of the request. This information will be sensitive, as it will expose the end user's identity and the specific resource that an end user attempted to access.
  • Configuring a local root certificate on endpoints is not a viable option in several deployments like home networks, schools, Small Office/Home Office (SOHO), or Small/Medium Enterprise (SME). In these cases, the typical behavior is that the filtered DNS response points to a server that will display the block page. If the client is using HTTPS (via a web browser or another application) this results in a certificate validation error which gives no information to the end user about the reason for the DNS filtering.
  • Enterprise networks do not always assume that all the connected devices are managed by the IT team or Mobile Device Management (MDM) devices, especially in the quite common Bring Your Own Device (BYOD) scenario. In addition, the local root certificate cannot be installed on IoT devices without a device management tool.
  • An end user does not know why the connection was prevented and, consequently, may repeatedly try to reach the domain but with no success. Frustrated, the end user may switch to an alternate network that offers no DNS filtering against malware and phishing, potentially compromising both security and privacy. Furthermore, certificate errors train end users to click through certificate errors, which is a bad security practice. To eliminate the need for an end user to click through certificate errors, an end user may manually install a local root certificate on a host device. Doing so, however, is also a bad security practice as it creates a security vulnerability that may be exploited by a MITM attack. When a manually installed local root certificate expires, the end user has to (again) manually install the new local root certificate.
• The DNS response is forged to provide an NXDOMAIN answer, causing the DNS lookup to fail. This approach is incompatible with DNSSEC when the client performs validation, as the forged response will fail DNSSEC checks. However, in deployments where the client relies on the DNS server to perform DNSSEC validation, a filtering DNS server can forge an NXDOMAIN response for a valid domain, and the client will trust it. This undermines the integrity guarantees of DNSSEC, as the client has no way to distinguish between a genuine and a forged response. Further, the end user may not understand why a domain cannot be reached and may repeatedly attempt access without success. Frustrated, the end user may resort to using insecure methods to reach the domain, potentially compromising both security and privacy.
• The extended error codes Blocked and Filtered defined in can be returned by a DNS server to provide additional information about the cause of a DNS error. These extended error codes do not suffer from the limitations discussed in bullets (1) and (2), but the user still does not know the exact reason nor is aware of the exact entity blocking the access to the domain. For example, a DNS server may block access to a domain based on the content category such as "Malware" to protect the endpoint from malicious software, "Phishing" to prevent the end user from revealing sensitive information to the attacker, etc. An end user may need to know the contact details of the IT/InfoSec team to raise a complaint. Further, the information conveyed by is intended for diagnostic purposes and is not structured for automated processing, localization, or extensibility.

This document defines a structured, machine-readable format for conveying such details in the EXTRA-TEXT field, enabling clients to process the information programmatically and present it to end users (e.g., with localization support), while allowing for extensibility and more granular, client security policy-driven handling of the information. This specification requires that clients only act upon such information when it is received over an integrity-protected DNS response.

I-JSON in EXTRA-TEXT Field DNS servers that are compliant with this specification and have received an indication that the client also supports this specification as per send data in the EXTRA-TEXT field as a JSON object encoded using the Internet JSON (I-JSON) message format . This document defines the following JSON names:

c: (contact)

The contact details of the IT/InfoSec team to report misclassified DNS filtering. This information is important for transparency and also to ease unblocking a legitimate domain name that got blocked due to wrong classification.

The field is a JSON array of contact URIs. When multiple contact details are provided, each contact URI is represented as a separate array element in the JSON array.

Contact URIs conveyed in the "c" field MUST use URI schemes registered in .

This field is optional.

j: (justification)

'UTF-8'-encoded human-readable explanation for the DNS filtering decision.

This field is particularly useful when no applicable sub-error code is defined or provided for the returned Extended DNS Error.

The information conveyed in this field MUST NOT be used as input to automated processing that affects security policy enforcement or DNS protocol behavior.

The DNS client determines, according to its client security policy, whether the contents of this field are displayed to the end user, logged, or ignored.

Returning non-UTF-8 data, syntactically invalid content, or deliberately meaningless values (including empty strings) indicates that a DNS server is misbehaving.

This field is optional.

s: (sub-error)

An integer representing the sub-error code for this particular DNS filtering case.

The integer values are defined in the IANA-managed registry for DNS Sub-Error Codes in .

This field is optional.

When multiple blocking causes apply simultaneously (e.g., a domain is blocked for both malware and phishing reasons), a single SDE response is returned. The "s" field MUST convey the primary blocking cause. The "j" field MUST be used to provide additional context describing all applicable causes.

o: (organization)

'UTF-8'-encoded human-friendly name of the organization that filtered this particular DNS query.

This field is optional.

l: (language)

The "l" field indicates the language used for the JSON-encoded "j" and "o" fields. The value of this field MUST conform to the language tag syntax specified in .

This field is optional but MUST be included when either the "j" or "o" fields are present.

The text in the "j" and "o" names can include international characters. The text will be in natural language, chosen by the DNS administrator to match its expected audience. The "o" field MAY be displayed to end users, subject to the conditions described in . To avoid exceeding the maximum EDNS0 size the generated JSON values SHOULD be as short as possible: short domain names, concise text in the values for the "j" and "o" names, and minified JSON (that is, without spaces or line breaks between JSON elements). The JSON data can be parsed to display to the user, logged, or otherwise used to assist troubleshooting and diagnosis of DNS filtering. The sub-error codes provide a structured way to communicate more detailed and precise description of the cause of an error (e.g., distinguishing between malware-related blocking and phishing-related blocking under the general blocked error).

• An alternate design for conveying the sub-error would be to define new EDE codes for these errors. However, such design is suboptimal because it requires replicating an error code for each EDE code to which the sub-error applies (e.g., "Malware" sub-error in would consume three EDE codes).

New JSON names MUST consist only of lower-case ASCII characters, digits, and hyphen-minus (that is, Unicode characters U+0061 through 007A, U+0030 through U+0039, and U+002D). Also, these names MUST be 63 characters or shorter and it is RECOMMENDED they be as short as possible to reduce contribution to exceeding maximum EDNS0 response size. Refer to for a discusson on IP fragmentation avoidance in DNS.

Protocol Operation

Client Generating Request When generating a DNS query, a client that supports this specification SHOULD include the Structured DNS Error (SDE) option defined in , unless instructed by local policy otherwise. The presence of the SDE option indicates that the client desires the DNS server to include an EDE option in the DNS response when DNS filtering is performed, and that any data conveyed in the EXTRA-TEXT field of the EDE option is encoded and processed in accordance with this specification. A client that wishes to express a preferred response language MUST populate the OPTION-DATA of the SDE option with an ordered list of RFC 5646 language tags, listed from most to least preferred, using the format defined in . The list SHOULD contain no more than 4 entries and MUST NOT contain more than 8 entries. To accommodate two languages with two language tags per language (e.g., American English often uses the two tags "en-US" and "en"), the list SHOULD contain no more than 4 entries. The hard limit of 8 entries bounds the contribution of the SDE option to the DNS query size (see ) and ensures predictable server processing as described in . A client that has no language preference MUST set OPTION-LENGTH to 0. This is the default behavior. For privacy reasons, clients MAY send fewer language entries than the user has configured or omit the language list entirely by setting OPTION-LENGTH to 0. The "l" field in the JSON body of the EXTRA-TEXT response () remains the authoritative indicator of the language used in the "j" and "o" fields and MUST continue to be used by clients for localisation and machine translation decisions.

Server Generating Response When the DNS server filters its DNS response to a query (e.g., A or AAAA resource record query), the DNS response MAY contain an empty answer, NXDOMAIN, or (less ideally) forged response, as desired by the DNS server. If the query contained the SDE EDNS option (), and the DNS server returns an EDE code of "Blocked", "Filtered", "Censored", or "Blocked by Upstream DNS Server", the DNS server SHOULD include additional detail in the EXTRA-TEXT field encoded as structured and machine-readable data in accordance with the present specification, unless configured otherwise. If including the additional detail would cause the response to exceed the EDNS0 size (and thus setting TC=1), the server SHOULD first attempt to reduce the response size by omitting the "j" and "o" fields before omitting the EXTRA-TEXT entirely. In deployments using DoT, DoH, or DoQ, transport size limitations are unlikely to necessitate omission of structured data in the EXTRA-TEXT field. If the SDE option OPTION-DATA is non-empty and the server intends to populate the "j" or "o" fields, the server MUST perform lookup matching against the language entries in the order they appear, selecting the first entry for which localised text is available. If a match is found, the server SHOULD populate the "j" and "o" fields in the matched language; either field MAY be omitted if the server has no value to convey for it. If either field is present, the server MUST set the "l" field to the matched language tag. If no match is found, the server MUST fall back to its default language. A failure to match a preferred language MUST NOT prevent the server from returning a response. Language negotiation adversely affects caching, as different clients may request different languages for the same filtered domain. A server receiving an SDE option with unrecognised or malformed OPTION-DATA MUST silently ignore the OPTION-DATA and process the option as if OPTION-LENGTH were 0. If the SDE option was not present in the DNS request, the DNS server MUST process the request in accordance with and MUST NOT assume that the client supports this specification. This preserves compatibility with clients and servers that implement but do not support this specification. Servers MAY decide to return small TTL values in filtered DNS responses (e.g., 10 seconds) to handle domain category and reputation updates. Short TTLs allow for quick adaptation to dynamic changes in domain filtering decisions, but can result in increased query traffic. In cases where updates are less frequent, TTL values of 30 to 60 seconds MAY provide a better balance, reducing server load while still ensuring reasonable flexibility for updates. If the query includes the SDE option as per , the server MUST NOT return the "Forged Answer" extended error code because the client can take advantage of EDE's more sophisticated error reporting (e.g., "Filtered" or "Blocked"). Continuing to send "Forged Answer" even to an EDE-supporting client will cause the persistence of the drawbacks described in . When the "Censored" extended error code is included in the DNS response, the "c", "j", "o", and "l" fields may be conveyed in the EXTRA-TEXT field. The sub-error codes defined in this specification are not applicable to the "Censored" extended error code and MUST NOT be used in conjunction with it. Future specifications may update this behavior by defining sub-error codes applicable to "Censored".

Client Processing Response On receipt of a DNS response with an EDE option from a DNS server, the following ordered actions are performed on the EXTRA-TEXT field:

1. If the integrity of the DNS response is not guaranteed, the DNS client MUST NOT act upon data in the EXTRA-TEXT field, as the data is vulnerable to modification by an on-path attacker. An attacker can inject or modify a structured DNS error response in transit without detection, enabling fabrication of filtering information (e.g., misleading contact information or false resolver identity information) that appears to originate from the resolver. The data MAY be retained for diagnostic or client security policy evaluation purposes.
2. The DNS response MUST also contain an EDE code of "Blocked by Upstream DNS Server", "Blocked", "Censored", or "Filtered" , otherwise the EXTRA-TEXT field is discarded.
3. Servers that do not support this specification might use plain text in the EXTRA-TEXT field. DNS clients SHOULD handle both plaintext and structured content. The client attempts to parse the EXTRA-TEXT field as I-JSON. If parsing fails or the content is not valid I-JSON, the client MUST treat the data as invalid, MUST NOT process it according to this specification. The client MAY instead process the EXTRA-TEXT field as unstructured text as specified in .
4. If the JSON object contains an "s" field and the sub-error code is not defined as applicable to the accompanying Extended DNS Error (EDE) code, the client MUST ignore the value of the "s" field and continue processing the remaining fields in accordance with this specification.
5. If the EXTRA-TEXT field does not contain at least one of the JSON names "c", "j", or "s", or if all of the fields that are present have empty values, the entire JSON object MUST be discarded.
6. If the JSON object contains a "c" field any of its Contact URIs with schemes not registered in the registry are ignored. Remaining Contact URIs using registered schemes can be processed.
7. If the identity of the DNS server cannot be verified (e.g., when using opportunistic privacy such as or opportunistic discovery ), the DNS client MUST ignore the "c", "j", and "o" fields, as these fields may influence end user behavior and are vulnerable to active attacks in the absence of resolver authentication. If the DNS response was received over an encrypted connection without server authentication, the client MAY process the "s" field and other parts of the response, as the "s" field is a registry-defined, enumerated value and does not contain free-form text.
8. If the DNS client uses an authenticated connection to the DNS server (e.g., when using a strict privacy profile for DoT () or an authenticated DoH or DoQ connection), this mitigates both passive eavesdropping and client redirection (at the expense of providing no DNS service if such a connection is not available). In such cases, the DNS client MAY process the EXTRA-TEXT field of the DNS response.
9. The DNS client MUST ignore any other JSON names that it does not support.

• Note that the strict and opportunistic privacy profiles as defined in only apply to DoT; there has been no such distinction made for DoH.

Structured DNS Error (SDE) EDNS(0) Option Format The Structured DNS Error (SDE) EDNS(0) option is used by a client to indicate support for I-JSON encoding in the EXTRA-TEXT field of an Extended DNS Error (EDE) option. The SDE option MAY carry an OPTION-DATA field containing an ordered list of preferred languages. The OPTION-LENGTH field indicates the total length of the OPTION-DATA in octets. An OPTION-LENGTH of 0 indicates no language preference and is semantically equivalent to the absence of OPTION-DATA. The OPTION-DATA, when present, contains a comma-separated list of language tags, ordered from most to least preferred, bounded by OPTION-LENGTH. The language tags never contain commas, making the comma an unambiguous delimiter. Parsing MUST be bounded by OPTION-LENGTH to prevent buffer overread. For example, a client preferring US English then French encodes: The presence of the SDE option in a query indicates that the client supports processing the EXTRA-TEXT field in accordance with this specification.

New Sub-Error Codes Definition The document defines the following new IANA-registered Sub-Error codes. See .

Reserved This sub-error code value MUST NOT be sent. If received, it has no meaning.

Network Operator Policy The code indicates that the request was filtered according to a policy imposed by the operator of the local network (where local network is a relative term, e.g., it may refer to a Local Area Network or to the network of the ISP selected by the end user).

DNS Operator Policy The code indicates that the request was filtered according to policy determined by the operator of the DNS server. This is different from the "Network Operator Policy" code when a third-party DNS resolver is used.

New Extended DNS Errors This document defines an addition to the EDE codes defined in .

Extended DNS Error Code TBA1 - Blocked by Upstream DNS Server The DNS server is unable to respond to the request because the domain is on a blocklist due to an internal security policy imposed by an upstream DNS server. This error code is useful in deployments where a network-provided DNS forwarder is configured to use an external resolver that filters malicious domains. When the DNS forwarder receives a Blocked (15) error code from the upstream DNS server, it can replace it with "Blocked by Upstream DNS Server" (TBA1) before forwarding the reply to the DNS client. Additionally, the EXTRA-TEXT field may be forwarded to the DNS client. Implementations should ensure that the communication channel with the upstream DNS server provides adequate integrity protection to mitigate the threats described in step 1 of .

Examples An example showing the nameserver at 'ns.example.net' that filtered a DNS "A" record query for 'example.org' is provided in .

JSON Returned in EXTRA-TEXT Field of Extended DNS Error Response

In the same content is shown with minified JSON (no whitespace, no blank lines) with '\' line wrapping per .

Minified Response

shows how the SDE and EDE options appear in a dig response for the same query.

dig Response Showing SDE and EDE Options >HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; OPT=TBD1 (Structured DNS Error): [en-US, fr] ; EDE: 15 (Blocked): ({"c":["tel:+358-555-1234567",\ "sips:bob@bobphone.example.com"],"j":"malware present for 23 days",\ "s":1,"o":"example.net Filtering Service","l":"en"}) ]]>

Operational Considerations When a forwarder receives an EDE option, whether or not (and how) to pass along JSON information in the EXTRA-TEXT field to its client is implementation-dependent and depends on operator policy. Implementations MAY choose not to forward the JSON information, or they MAY choose to create a new EDE option that conveys the information in the "c", "s", and "j" fields encoded in the JSON object. The application that triggered the DNS request may have a client security policy to override the contact information (e.g., redirect all complaint calls to a single contact point). In such cases, the content of the "c" attribute MAY be ignored.

Backward Compatibility Future extensions MUST NOT introduce mandatory JSON attributes, as existing implementations are required to ignore unknown JSON names (see ).

Security Considerations

Authentication and Confidentiality Security considerations in apply to this document. cautions against relying on EDE information because it may be unauthenticated and transmitted in cleartext. This specification assumes the use of authenticated, integrity-protected DNS transports (e.g., DoT, DoH, or DoQ). Such transports MUST be based on TLS 1.3 or later. Under these conditions, EDE information is integrity-protected, reducing the risks associated with relying on structured EDE content. To minimize impact of active on-path attacks on the DNS channel, the client validates the response as described in .

Restrictions on Display of "c", "o", and "j" Fields A client might choose to display the information in the "c" field to the end user if and only if the encrypted resolver has sufficient reputation, according to some client security policy (e.g., administrative configuration, or a built-in list of respectable resolvers). This limits the ability of a malicious encrypted resolver to cause harm. For example, an end user can use the details in the "c" field to contact an attacker to solve the problem of being unable to reach a domain. The attacker can mislead the end user to install malware or spyware to compromise the device security posture or mislead the end user to reveal personal data. If the client decides not to display all of the information in the EXTRA-TEXT field, it can be logged for diagnostics purpose and the client can only display the resolver hostname that blocked the domain, error description for the EDE code and the sub-error description for the "s" field to the end user. The same client security policy considerations apply to the display of the "j" field, as it contains free-form, human-readable text that may influence end user behavior. When displaying the free-form text of "o", the client MUST NOT make any of those elements into actionable (clickable) links and these fields need to be rendered as text, not as HTML. The contact details of "c" can be made into clickable links to provide a convenient way for end users to initiate, e.g., voice calls. The client might choose to display the contact details only when the identity of the DNS server is verified. Clients MUST NOT automatically initiate connections to URIs derived from the EXTRA-TEXT field. Doing so could allow a resolver to silently report client activity to third parties, enable denial-of-service reflection attacks, or be used to entrap a client. The restriction of Contact URI schemes to "sips", "tel", and "mailto" is intentional, as these schemes do not result in automatic HTTP connections. Further, clients MUST NOT display the value of the "o" field to the end user unless one of the following conditions is met:

• The value matches a registered organization name listed in the OR
• The value consists solely of an organization name and does not contain any additional free-form content such as instructions, URLs, or messaging intended to influence end user behavior, as determined by client security policy or heuristics.

If the organization name cannot be verified through registry checks or heuristics, the client MUST NOT display the "o" field to the end user. DNS clients MAY keep all fields conveyed in the EXTRA-TEXT field for evaluation according to the client security policy. Such data MUST NOT be automatically trusted, displayed to end users, or used to influence security decisions without appropriate validation.

Security Risks from Legacy DNS Forwarders An attacker might inject (or modify) the EDE EXTRA-TEXT field with a DNS proxy or DNS forwarder that is unaware of EDE. Such a DNS proxy or DNS forwarder will forward that attacker-controlled EDE option. To prevent such an attack, clients can be configured to process EDE from explicitly configured DNS servers or utilize RESINFO .

Privacy Considerations The EXTRA-TEXT field may reveal details about the filtering organization and its policies. Clients MUST NOT log or transmit the contents of the EXTRA-TEXT field to third parties without the end user's knowledge. This specification requires the use of an encrypted DNS transport (e.g., DoT, DoH, or DoQ), which protects both the DNS query and the structured error response from passive observers.

IANA Considerations This document requests five IANA actions as described in the following subsections.

• Notes to the RFC Editor: Please replace RFCXXXX with the RFC number assigned to this document and "TBA1" with the value assigned by IANA, and replace "TBD1" in with the value assigned by IANA.

Structured DNS Error EDNS Option IANA is requested to register the following new EDNS(0) Option Code in the "DNS EDNS0 Option Codes (OPT)" registry under the "Domain Name System (DNS) Parameters" registry group :

Value:

TBD

Name:

Structured DNS Error

Status:

Standard

Reference:

RFC XXXX

Note: The OPTION-DATA for this option carries an optional ordered list of preferred languages as defined in . An OPTION-LENGTH of 0 indicates no language preference.

New Registry for JSON Names This document requests IANA to create a new registry, entitled "EXTRA-TEXT JSON Names" under "Extended DNS Error Codes" registry, which is under the "Domain Name System (DNS) Parameters" registry group . The registration request for a new JSON name must include the following fields:

JSON Name:

Specifies the name of an attribute that is present in the JSON data enclosed in EXTRA-TEXT field. The name must follow the guidelines in .

Field Meaning:

Provides a brief, human-readable label summarizing the purpose of the JSON attribute.

Short description:

Includes a short description of the requested JSON name.

Specification:

Provides a pointer to the reference document that specifies the attribute.

The registry is initially populated with the following values: Initial JSON Names Registry

JSON Name	Field Meaning	Description	Specification
c	contact	The contact details of the IT/InfoSec team to report misclassified DNS filtering	of RFCXXXX
j	justification	UTF-8-encoded textual justification for a particular DNS filtering	of RFCXXXX
s	sub-error	Integer representing the sub-error code for this DNS filtering case	of RFCXXXX
o	organization	UTF-8-encoded human-friendly name of the organization that filtered this particular DNS query	of RFCXXXX
l	language	Indicates the language of the "j" and "o" fields as defined in	of RFCXXXX

New JSON names are registered via IETF Review () and their formatting constraints are described in .

New Registry for Contact URI Scheme This document requests IANA to create a new registry, entitled "Contact URI Schemes" under "Extended DNS Error Codes" registry, which is under the "Domain Name System (DNS) Parameters" registry group . The registration request for a new Contact URI scheme has to include the following fields:

• Name: URI scheme name.
• Meaning: Provides a short description of the scheme.
• Reference: Provides a pointer to an IETF-approved specification that defines the URI scheme.

The Contact URI scheme registry is initially populated with the following schemes:

Name	Meaning	Reference
sips	SIP Call
tel	Telephone Number
mailto	Internet mail

The registration procedure for adding new Contact URI schemes to the "Contact URI Schemes" registry is "IETF Review" as defined in .

New Registry for DNS Sub-Error Codes This document requests IANA to create a new registry, entitled "Sub-Error Codes" under "Extended DNS Error Codes" registry, which is under the "Domain Name System (DNS) Parameters" registry group . The registration request for a new sub-error code must include the following fields:

• Number: Is the wire format sub-error code (range 0-255).
• Meaning: Provides a short description of the sub-error.
• EDE Codes Applicability: Indicates which Extended DNS Error (EDE) Codes apply to this sub-error code.
• Reference: Provides a pointer to an IETF-approved specification that registered the code and/or an authoritative specification that describes the meaning of this code.

The Sub-Error Code registry is initially populated with the following values: Initial Sub-Error Code Registry

Number	Meaning	EDE Codes Applicability	Reference
0	Reserved	Not used	of this document
1	Malware	"Blocked", "Blocked by Upstream DNS Server", "Filtered"	Section 5.5 of
2	Phishing	"Blocked", "Blocked by Upstream DNS Server", "Filtered"	Section 5.5 of
3	Spam	"Blocked", "Blocked by Upstream DNS Server", "Filtered"	Page 289 of
4	Spyware	"Blocked", "Blocked by Upstream DNS Server", "Filtered"	Page 291 of
5	Network operator policy	"Blocked"	of this document
6	DNS operator policy	"Blocked"	of this document

The registration procedure to add New Sub-Error Codes is IETF Review as defined in .

New Extended DNS Error Code IANA is requested to assign the following Extended DNS Error code from the "Extended DNS Error Codes" registry under the "Domain Name System (DNS) Parameters" registry group : New DNS Error Code

INFO-CODE	Purpose	Reference
TBA1	Blocked by Upstream DNS Server	RFCXXXX

References Normative References This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B. I-JSON (short for "Internet JSON") is a restricted profile of JSON designed to maximize interoperability and increase confidence that software can process it successfully with predictable results. The Internet today is in need of a standardized form for the transmission of internationalized "text" information, paralleling the specifications for the use of ASCII that date from the early days of the ARPANET. This document specifies that format, using UTF-8 with normalization and specific line-ending sequences. [STANDARDS-TRACK] This document describes the structure, content, construction, and semantics of language tags for use in cases where it is desirable to indicate the language used in an information object. It also describes how to register values for use in language tags and the creation of user-defined extensions for private interchange. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document describes a syntax, called a "language-range", for specifying items in a user's list of language preferences. It also describes different mechanisms for comparing and matching these to language tags. Two kinds of matching mechanisms, filtering and lookup, are defined. Filtering produces a (potentially empty) set of language tags, whereas lookup produces a single language tag. Possible applications include language negotiation or content selection. This document, in combination with RFC 4646, replaces RFC 3066, which replaced RFC 1766. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document discusses usage profiles, based on one or more authentication mechanisms, which can be used for DNS over Transport Layer Security (TLS) or Datagram TLS (DTLS). These profiles can increase the privacy of DNS transactions compared to using only cleartext DNS. This document also specifies new authentication mechanisms -- it describes several ways that a DNS client can use an authentication domain name to authenticate a (D)TLS connection to a DNS server. Additionally, it defines (D)TLS protocol profiles for DNS clients and servers implementing DNS over (D)TLS. This document updates RFC 7858. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. This document provides clarifications and guidelines concerning the use of the SIPS URI scheme in the Session Initiation Protocol (SIP). It also makes normative changes to SIP. [STANDARDS-TRACK] This document specifies the URI (Uniform Resource Identifier) scheme "tel". The "tel" URI describes resources identified by telephone numbers. This document obsoletes RFC 2806. [STANDARDS-TRACK] This document defines the format of Uniform Resource Identifiers (URIs) to identify resources that are reached using Internet mail. It adds better internationalization and compatibility with Internationalized Resource Identifiers (IRIs; RFC 3987) to the previous syntax of 'mailto' URIs (RFC 2368). [STANDARDS-TRACK] This document extends the Incident Object Description Exchange Format (IODEF) defined in RFC 5070 to support the reporting of phishing events, which is a particular type of fraud. These extensions are flexible enough to support information gleaned from activities throughout the entire electronic fraud cycle -- from receipt of the phishing lure to the disablement of the collection site. Both simple reporting and complete forensic reporting are possible, as is consolidating multiple incidents. [STANDARDS-TRACK] This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community. Informative References IANA The Internet is structured to be an open communications medium. This openness is one of the key underpinnings of Internet innovation, but it can also allow communications that may be viewed as undesirable by certain parties. Thus, as the Internet has grown, so have mechanisms to limit the extent and impact of abusive or objectionable communications. Recently, there has been an increasing emphasis on "blocking" and "filtering", the active prevention of such communications. This document examines several technical approaches to Internet blocking and filtering in terms of their alignment with the overall Internet architecture. When it is possible to do so, the approach to blocking and filtering that is most coherent with the Internet architecture is to inform endpoints about potentially undesirable services, so that the communicants can avoid engaging in abusive or objectionable communications. We observe that certain filtering and blocking approaches can cause unintended consequences to third parties, and we discuss the limits of efficacy of various approaches. This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange. This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios. A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK] The widely deployed Extension Mechanisms for DNS (EDNS(0)) feature in the DNS enables a DNS receiver to indicate its received UDP message size capacity, which supports the sending of large UDP responses by a DNS server. Large DNS/UDP messages are more likely to be fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting the response size where possible and signaling the need to upgrade from UDP to TCP transport where necessary. This document describes techniques to avoid IP fragmentation in DNS. This document defines Discovery of Designated Resolvers (DDR), a set of mechanisms for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. An Encrypted DNS Resolver discovered in this manner is referred to as a "Designated Resolver". These mechanisms can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. These mechanisms are designed to be limited to cases where Unencrypted DNS Resolvers and their Designated Resolvers are operated by the same entity or cooperating entities. It can also be used to discover support for encrypted DNS protocols when the name of an Encrypted DNS Resolver is known. This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content. This document provides guidelines for the implementation of DNS proxies, as found in broadband gateways and other similar network devices. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document specifies a method for DNS resolvers to publish information about themselves. DNS clients can use the resolver information to identify the capabilities of DNS resolvers. How DNS clients use such information is beyond the scope of this document.

Interoperation with RPZ Servers This appendix provides a non-normative guidance for operation with a Response Policy Zones (RPZ) server that indicates filtering with a NXDOMAIN response with the Recursion Available bit cleared (RA=0). This guidance is provided to ease interoperation with RPZ. When a DNS client supports this specification, it includes the SDE option in its DNS query. If the server does not support this specification and is performing RPZ filtering, the server ignores the SDE option in the DNS query and replies with NXDOMAIN and RA=0. The DNS client can continue to accept such responses. If the server does support this specification and is performing RPZ filtering, the server can use the SDE option in the query to identify an SDE-aware client and respond appropriately (that is, by generating a response described in ) as NXDOMAIN and RA=0 are not necessary when generating a response to such a client.

Implementation Status

• Note to the RFC Editor: please remove this appendix prior publication.

At IETF#116, Gianpaolo Scalone (Vodafone) and Ralf Weber (Akamai) presented an implementation of this specification. More details can be found at .

Acknowledgements Thanks to Vittorio Bertola, Wes Hardaker, Ben Schwartz, Erid Orth, Viktor Dukhovni, Warren Kumari, Paul Wouters, John Levine, Bob Harold, Mukund Sivaraman, Gianpaolo Angelo Scalone, Mark Nottingham, Stephane Bortzmeyer, Daniel Migault, and Stephen Farrell for the comments. Thanks to Ralf Weber and Gianpaolo Scalone for sharing details about their implementation. Thanks Petr Špaček, Di Ma and Matt Brown for the DNSDIR reviews, Joseph Salowey for the SECDIR review, and Paul Kyzivat for the ARTART review. Thanks to Éric Vyncke for the AD review.