[dconn] Re: do we really need warnPhishing?
Pawel Kowalik <kowalik@denic.de> Sun, 15 March 2026 16:28 UTC
Return-Path: <kowalik@denic.de>
X-Original-To: dconn@mail2.ietf.org
Delivered-To: dconn@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1C478CA867CD for <dconn@mail2.ietf.org>; Sun, 15 Mar 2026 09:28:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=denic.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wDz3-P1D_9cN for <dconn@mail2.ietf.org>; Sun, 15 Mar 2026 09:28:47 -0700 (PDT)
Received: from mout-b-210.mailbox.org (mout-b-210.mailbox.org [195.10.208.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7F476CA867C3 for <dconn@ietf.org>; Sun, 15 Mar 2026 09:28:47 -0700 (PDT)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:b231:465::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-210.mailbox.org (Postfix) with ESMTPS id 4fYkDr2jnwzDwmw; Sun, 15 Mar 2026 17:28:44 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denic.de; s=MBO0001; t=1773592124; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=9tGmYTi/DudTrsK2quz15d+PXKxO/lZ95aL0DDkyVgg=; b=oEfVcoP9jPAoToGQMr4eYgiH7IzTzH0sRYw5QHX7JYAYuYZN/lUdQmmpZVKouMD278Lbt6 lVhLIdy6SkrG24NVJySv/gEVLb9Lc7PxqQ1YQLX4SOXoZGOkQFty8MhVQlihuwi9jG2shf 5FMdWUqF+BSz9DHhr/1Yxa35vawCcgaqd+VCJ2sj/+JisTWaTpRr+NEJdnz7QlYEiPh4TR wSmFB6hiQi8WRk1j/mEMUd/mQxrnXJSmwfqxIXDE50aXe6gMmluKXgaQzDQfvs2khSdC6V zR+lGrJh9urxABWehSVtI1hOtojZoSOuTYv/n8kzCt7cKDfrfMQBlN4mPG1Osw==
Message-ID: <34f973f8-68e8-490e-8f38-b45502e32c95@denic.de>
Date: Sun, 15 Mar 2026 17:28:43 +0100
MIME-Version: 1.0
From: Pawel Kowalik <kowalik@denic.de>
To: Sami Kerola <kerolasa=40cloudflare.com@dmarc.ietf.org>, Domain Connect <dconn@ietf.org>
References: <CAEnV9zo9kQ1HBTpzc0zbSwKD-L0HxiwUbWewbbLkJuF2yXWYiw@mail.gmail.com>
Content-Language: en-GB, de-DE
In-Reply-To: <CAEnV9zo9kQ1HBTpzc0zbSwKD-L0HxiwUbWewbbLkJuF2yXWYiw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms000001090200060408010609"
X-MBO-RS-ID: 07c5cc740fb9c7be1ea
X-MBO-RS-META: 5n1jq4ms3q1ciiatqaoger4cak47cmrm
Message-ID-Hash: 3CJO7ZPG5HPQK4TLWQCGR4A52G55BHTM
X-Message-ID-Hash: 3CJO7ZPG5HPQK4TLWQCGR4A52G55BHTM
X-MailFrom: kowalik@denic.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dconn] Re: do we really need warnPhishing?
List-Id: "Domain Connect is a protocol that makes it easy for a user to configure DNS for a domain running at a DNS provider to work with a Service running at an independent Service Provider." <dconn.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dconn/s1SVekytZ7BZhuSvG-Vc0B1_0qQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dconn>
List-Help: <mailto:dconn-request@ietf.org?subject=help>
List-Owner: <mailto:dconn-owner@ietf.org>
List-Post: <mailto:dconn@ietf.org>
List-Subscribe: <mailto:dconn-join@ietf.org>
List-Unsubscribe: <mailto:dconn-leave@ietf.org>
Hi Sami, response inline with [PK] On 12.03.26 17:21, Sami Kerola wrote: > Hello Pawel, and others, > > Yesterday (2026-03-11) in a change request to Domain Connect Templates > repository README.md warnPhishing was mentioned. > > https://github.com/Domain-Connect/Templates/pull/846#discussion_r2916649558 > > I do not think warnPhishing is useful in templates. If I understood the > rationality with that option correctly it was supposed to be used in > combination with The Asynchronous Flow, and particularly in situations where > some major Service Provider, such as Microsoft, can have partners who apply > template on behalf of the Service Provider. [PK] actually with Synchronous Flow. Asynchronous flow does not appear to be prone to the same kind of issue of link forging because of OAuth client authentication. In the beginning domain connect didn't have signing feature at all. It was added later and some templates were considered "safe" even if not using signing, if there were no variables in the template. For operational reasons of some provider setups indeed signing was not always possible for "insecure" templates, therefore warnPhishing flag was added. From the current perspective indeed almost 90% of the templates use signing these days and saying: either use signing or your template is insecure. This would mean declaring syncPubKeyDomain RECOMMENDED instead of OPTIONAL in Section 6.1. > It feels like the above workflow assumes Service Provider syncPubKeyDomain > cannot have per partner TXT records, for as many partners the Service > Provider wants. This way the Service Provider does not need to give some > sort of master key to anyone, and can break trust relations with a partner > when needed. [PK] I agree it is not impossible, therefore indeed it can be left to these providers to find solutions to these specific problems. > > So what is the impact to the warnPhising? When an apply request is not > using public key to confirm update is coming from trusted source the update > request should either be blocked or always warn it is suspicious. Meanwhile > if the signature checksum can be validated then there is no need to warn > user. In other words, warnPhising does not play a role in the decision > process whether to warn or not, and therefore this option can be deprecated. > > Any thoughts? > Agree. So far it was a 3-state situation. Signed / Unsigned Secure / Unsigned Insecure (warnPhishing). Changing it to 2 state is a good simplification. I am wondering if making it explicit by leaving warnPhishing flag and saying either warnPhishing or syncPubKeyDomain or syncBlock MUST be set. This way providers who rely today on warnPhishing will keep working same way, and also an explicit flag in the template has less probability to be missed out in processing, rather than rely on absence of other flags. Does it make sense to you? [1] https://stats.domainconnect.org/ Kind Regards, Pawel
- [dconn] do we really need warnPhishing? Sami Kerola
- [dconn] Re: do we really need warnPhishing? Pawel Kowalik
- [dconn] Re: do we really need warnPhishing? Pawel Kowalik
- [dconn] Re: do we really need warnPhishing? Peter Thomassen
- [dconn] Re: do we really need warnPhishing? Pawel Kowalik