Re: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft

"Brotman, Alexander" <> Wed, 27 February 2019 15:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 43280130FDB; Wed, 27 Feb 2019 07:32:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EiL5m6Bu8eE1; Wed, 27 Feb 2019 07:32:15 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5725A1200B3; Wed, 27 Feb 2019 07:32:15 -0800 (PST)
X-AuditID: 44571fa7-9f3ff70000021550-f4-5c76ad7e8e4f
Received: from ( []) (using TLS with cipher AES256-SHA256 (256/256 bits)) (Client did not present a certificate) by (SMTP Gateway) with SMTP id 2F.EB.05456.E7DA67C5; Wed, 27 Feb 2019 10:32:14 -0500 (EST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 27 Feb 2019 10:32:12 -0500
Received: from ([fe80::3aea:a7ff:fe36:8304]) by ([fe80::3aea:a7ff:fe36:8304%19]) with mapi id 15.00.1395.000; Wed, 27 Feb 2019 10:32:12 -0500
From: "Brotman, Alexander" <>
To: Paul Wouters <>
CC: "" <>, "" <>, "Stephen Farrell" <>, "" <>
Thread-Topic: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft
Date: Wed, 27 Feb 2019 15:32:12 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrCKsWRmVeSWpSXmKPExsUiocEzUbdubVmMwfqLwhYr7npY7Lp8jd3i 7pvLLBbvb11ispi+9xq7A6vH2u6rbB5Llvxk8vg+jymAOaqB0aYkoyg1scQlNS01rzjVjksB A9gkpablF6W6JhblVAal5qQmYlcGUpmSmpNZllqkj9UYfazmJHQxZcy4t4Ot4Llgxc/fF9ga GI/zdTFyckgImEgsPXiJpYuRi0NIYAeTRPuSnewQzi5Gib2bG1hBqoQETgI513lAbDYBK4m3 /9uZQWwRAUWJSWcegXUzC8xilGi9tQSsQVjAUWLLlo1QRU4SDRunsULYVhJTzx5iA7FZBFQl /hw9wAJi8wp4Sfyat4sJYnMDo8Sb9U/AGjgFHCTm7tsGNohRQEzi+6k1TCA2s4C4xK0n85kg fhCQWLLnPDOELSrx8vE/VgjbQGLr0n0sELaCRM+E6cwQvToSC3Z/YoOwtSWWLXzNDHGEoMTJ mU+g6sUlDh/ZwTqBUWIWknWzkLTPQtI+C0n7AkaWVYw8ZhZ6FuZ6xoZ6hmbmmxiBacclXH75 DsbtszIOMQpwMCrx8KovKosRYk0sK67MPcQowcGsJMIrsBooxJuSWFmVWpQfX1Sak1p8iFGa g0VJnPfirdIYIYH0xJLU7NTUgtQimCwTB6dUA6P847rrSRu+HHWXvX8lbifzwn0Gzx9NnV7k atbCdPPLk0V7plhcm75l7ZRLcgxpWjw3dV6nlW0Rkru4L5RHrfB/r/NeqQXbfY4zCCY3nmO/ c+GewM+Pm66sz96g8uqZ4NNfTv/UFpVL5Gj94+uc8bjN6MvHKf1i698uPHyp4qOLrAOLwLor k2MklViKMxINtZiLihMB3l4CcDcDAAA=
Archived-At: <>
Subject: Re: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS tree bounds <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Feb 2019 15:32:18 -0000

I'm supportive of doing this in other ways, but also understand that DNSSEC is not widely deployed.  I suppose that's ultimately a crutch, though it is the current situation.  With that being said, we thought this would be one reasonable approach to being able to show that relationship.  We could potentially have a non-DNSSEC and DNSSEC method in the same draft, if that's something that might be agreeable?

Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy

-----Original Message-----
From: dbound <> On Behalf Of Paul Wouters
Sent: Wednesday, February 27, 2019 9:25 AM
To: Brotman, Alexander <>
Cc:;; Stephen Farrell <>ie>;
Subject: Re: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft

On Mon, 25 Feb 2019, Brotman, Alexander wrote:

> Stephen and I have spent a bit of time working on a draft to be able to show a relationship between two domains.  We're aware this subject has been covered a few times previously, especially in the DBOUND drafts, but we're hopeful that a more simple approach might be more acceptable.   The secondary domain will create a DNS record that shows a link to a primary domain, and the text should be able to be validated using the public key in a DNS record the primary domain shares.  This is something akin to DKIM, a mechanism that the email world uses to ensure the contents of a message have not been tampered with.

I've read the draft, and I have my usual complaints.

If we put stuff into the DNS for security decisions, saying "its better if you use this data when it is DNSSEC signed" is just too weak. We are splashing TOFU everywhere and putting CT bandaids on it. It's long overdue that we stop with that. Just require DNSSEC.

And if you require DNSSEC validation, then the solution becomes much simpler and could be encoded in a single bit, see:


dbound mailing list