draft-ietf-dmarc-psd-06.txt | draft-ietf-dmarc-psd-07.txt | |||
---|---|---|---|---|
Network Working Group S. Kitterman | Network Working Group S. Kitterman | |||
Internet-Draft fTLD Registry Services | Internet-Draft fTLD Registry Services | |||
Intended status: Experimental August 10, 2019 | Intended status: Experimental September 30, 2019 | |||
Expires: February 11, 2020 | Expires: April 2, 2020 | |||
DMARC (Domain-based Message Authentication, Reporting, and Conformance) | DMARC (Domain-based Message Authentication, Reporting, and Conformance) | |||
Extension For PSDs (Public Suffix Domains) | Extension For PSDs (Public Suffix Domains) | |||
draft-ietf-dmarc-psd-06 | draft-ietf-dmarc-psd-07 | |||
Abstract | Abstract | |||
DMARC (Domain-based Message Authentication, Reporting, and | DMARC (Domain-based Message Authentication, Reporting, and | |||
Conformance) is a scalable mechanism by which a mail-originating | Conformance) is a scalable mechanism by which a mail-originating | |||
organization can express domain-level policies and preferences for | organization can express domain-level policies and preferences for | |||
message validation, disposition, and reporting, that a mail-receiving | message validation, disposition, and reporting, that a mail-receiving | |||
organization can use to improve mail handling. The design of DMARC | organization can use to improve mail handling. The design of DMARC | |||
presumes that domain names represent either nodes in the tree below | presumes that domain names represent either nodes in the tree below | |||
which registrations occur, or nodes where registrations have | which registrations occur, or nodes where registrations have | |||
skipping to change at page 1, line 49 | skipping to change at page 1, line 49 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on February 11, 2020. | This Internet-Draft will expire on April 2, 2020. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 51 | skipping to change at page 2, line 51 | |||
6.1. Subdomain Policy Tag . . . . . . . . . . . . . . . . . . 9 | 6.1. Subdomain Policy Tag . . . . . . . . . . . . . . . . . . 9 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 10 | 7.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
Appendix A. The Experiment . . . . . . . . . . . . . . . . . . . 11 | Appendix A. The Experiment . . . . . . . . . . . . . . . . . . . 11 | |||
A.1. PSD DMARC Privacy Concern Mitigation . . . . . . . . . . 11 | A.1. PSD DMARC Privacy Concern Mitigation . . . . . . . . . . 11 | |||
A.2. Non-Existent Subdomain Policy . . . . . . . . . . . . . . 12 | A.2. Non-Existent Subdomain Policy . . . . . . . . . . . . . . 12 | |||
Appendix B. DMARC PSD Registry Examples . . . . . . . . . . . . 12 | Appendix B. DMARC PSD Registry Examples . . . . . . . . . . . . 12 | |||
B.1. DMARC PSD DNS Query Service . . . . . . . . . . . . . . . 13 | B.1. DMARC PSD DNS Query Service . . . . . . . . . . . . . . . 13 | |||
B.2. DMARC Public Suffix Domain (PSD) Registry . . . . . . . . 13 | B.2. DMARC Public Suffix Domain (PSD) Registry . . . . . . . . 13 | |||
Appendix C. Implementation . . . . . . . . . . . . . . . . . . . 13 | B.3. DMARC PSD PSL Extension . . . . . . . . . . . . . . . . . 13 | |||
C.1. Authheaders Module . . . . . . . . . . . . . . . . . . . 13 | Appendix C. Implementations . . . . . . . . . . . . . . . . . . 14 | |||
C.1. Authheaders Module . . . . . . . . . . . . . . . . . . . 14 | ||||
C.2. Zdkimfilter Module . . . . . . . . . . . . . . . . . . . 14 | ||||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
1. Introduction | 1. Introduction | |||
DMARC [RFC7489] provides a mechanism for publishing organizational | DMARC [RFC7489] provides a mechanism for publishing organizational | |||
policy information to email receivers. DMARC allows policy to be | policy information to email receivers. DMARC allows policy to be | |||
specified for both individual domains and for organizational domains | specified for both individual domains and for organizational domains | |||
and their sub-domains within a single organization. DMARC leverages | and their sub-domains within a single organization. DMARC leverages | |||
public suffix lists to determine which domains are organizational | public suffix lists to determine which domains are organizational | |||
skipping to change at page 5, line 43 | skipping to change at page 5, line 44 | |||
tree at which to register domain names "owned" by independent | tree at which to register domain names "owned" by independent | |||
organizations. Real-world examples are ".com", ".org", ".us", and | organizations. Real-world examples are ".com", ".org", ".us", and | |||
".gov.uk". Names at which such registrations occur are called Public | ".gov.uk". Names at which such registrations occur are called Public | |||
Suffix Domains (PSDs), and a registration consists of a label | Suffix Domains (PSDs), and a registration consists of a label | |||
selected by the registrant to which a desirable PSD is appended. For | selected by the registrant to which a desirable PSD is appended. For | |||
example, "ietf.org" is a registered domain name, and ".org" is its | example, "ietf.org" is a registered domain name, and ".org" is its | |||
PSD. | PSD. | |||
2.3. Longest PSD | 2.3. Longest PSD | |||
The longest PSD is the PSD matching more labels in the domain name | The longest PSD is the Organizational Domain with one label removed. | |||
under evaluation than any other public suffix list entry. | ||||
2.4. Public Suffix Operator (PSO) | 2.4. Public Suffix Operator (PSO) | |||
A Public Suffix Operator manages operations within its PSD. | A Public Suffix Operator manages operations within its PSD. | |||
2.5. PSO Controlled Domain Names | 2.5. PSO Controlled Domain Names | |||
PSO Controlled Domain Names are names in the DNS that are managed by | PSO Controlled Domain Names are names in the DNS that are managed by | |||
a PSO and are not available for use as Organizational Domains (the | a PSO and are not available for use as Organizational Domains (the | |||
term Organizational Domains is defined in DMARC [RFC7489] | term Organizational Domains is defined in DMARC [RFC7489] | |||
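Review bot: the -07 definition of Longest PSD ("the Organizational Domain with one label removed") drops the earlier reference to public suffix list entries, so it now inherits whatever Organizational Domain the receiver derived under RFC 7489 and says nothing about how that derivation and the PSD registry relate; suggest adding that the Organizational Domain is the one determined per RFC 7489 and that the definition assumes the receiver's public suffix list and the PSD registry agree, since with a divergent list the receiver strips one label from a different Organizational Domain and queries a DMARC record at a name the PSO never published for. The definition is also silent on the case where the domain under evaluation is itself a PSO Controlled Domain Name (Section 2.5), e.g. mail purporting to come from "gov.uk" directly, where the Organizational Domain algorithm has no registrant label to keep; a sentence saying what Longest PSD means there (or that no PSD lookup applies) would close that gap.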
skipping to change at page 13, line 40 | skipping to change at page 13, line 40 | |||
+-------------+---------------+ | +-------------+---------------+ | |||
| PSD | Status | | | PSD | Status | | |||
+-------------+---------------+ | +-------------+---------------+ | |||
| .bank | current | | | .bank | current | | |||
+-------------+---------------+ | +-------------+---------------+ | |||
| .insurance | current | | | .insurance | current | | |||
+-------------+---------------+ | +-------------+---------------+ | |||
| .gov.uk | current | | | .gov.uk | current | | |||
+-------------+---------------+ | +-------------+---------------+ | |||
Appendix C. Implementation | B.3. DMARC PSD PSL Extension | |||
There is one known implementation of PSD DMARC available for testing. | [psddmarc.org] provides a PSL like file to enable to facilitate | |||
identification of PSD DMARC participants. Contents are functionally | ||||
identical to the IANA like registry, but presented in a different | ||||
format. | ||||
When using this approach, the input domain of the extension lookup is | ||||
supposed to be the output domain of the regular PSL lookup, i.e. the | ||||
organizational domain. This alternative data approach is potentially | ||||
useful since DMARC implementations already need to be able to parse | ||||
the data format, so it should be easier to implement. | ||||
Appendix C. Implementations | ||||
There are two known implementations of PSD DMARC available for | ||||
testing. | ||||
C.1. Authheaders Module | C.1. Authheaders Module | |||
The authheaders Python module and command line tool is available for | The authheaders Python module and command line tool is available for | |||
download or installation from Pypi (Python Packaging Index). | download or installation from Pypi (Python Packaging Index). | |||
It supports both use of the DNS based query service and download of | It supports both use of the DNS based query service and download of | |||
the CSV registry file from [psddmarc.org]. | the CSV registry file from [psddmarc.org]. | |||
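Review bot: "to enable to facilitate identification" in B.3 has a stray "to enable", and "PSL like" / "IANA like" should be hyphenated. On substance, B.3 says the extension lookup takes the Organizational Domain as input but does not say what the output is; state that the output is the Longest PSD of Section 2.3, so the two text sources line up. B.3 and C.1 both describe receivers fetching a policy-affecting list (the PSL extension file, the CSV registry) from [psddmarc.org]; the experiment should say how that file is expected to be retrieved and refreshed, because a stale or tampered copy changes which PSD policy a receiver applies, which is the same concern as for the DNS based query service in B.1.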
C.2. Zdkimfilter Module | ||||
The zdkimfilter module is a separately available add-on to Courier- | ||||
MTA. | ||||
Mostly used for DKIM signing, it can be configured to also verify, | ||||
apply DMARC policies, and send aggregate reports. For PSD DMARC it | ||||
uses the PSL extension list approach, which is available from from | ||||
[psddmarc.org] | ||||
Acknowledgements | Acknowledgements | |||
Thanks to the following individuals for their contributions (both | Thanks to the following individuals for their contributions (both | |||
public and private) to improving this document. Special shout out to | public and private) to improving this document. Special shout out to | |||
Dave Crocker for naming the beast. | Dave Crocker for naming the beast. | |||
Kurt Andersen, Seth Blank, Dave Crocker, Heather Diaz, Tim Draegen, | Kurt Andersen, Seth Blank, Dave Crocker, Heather Diaz, Tim Draegen, | |||
Zeke Hendrickson, Andrew Kennedy, John Levine, Dr Ian Levy, Craig | Zeke Hendrickson, Andrew Kennedy, John Levine, Dr Ian Levy, Craig | |||
Schwartz, Alessandro Vesely, and Tim Wicinski | Schwartz, Alessandro Vesely, and Tim Wicinski | |||
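Review bot: "available from from" in C.2 doubles the word, and the sentence ending in "[psddmarc.org]" lacks a period; "Courier-MTA" is broken across the line by the hyphen, so confirm the intended product name. C.1 says authheaders uses the DNS query service or the CSV registry while C.2 says zdkimfilter uses the PSL extension list; since B.3 calls the two formats "functionally identical", add a sentence stating that the experiment expects all three data sources to give the same answer for a given Organizational Domain, otherwise two conforming receivers could apply different PSD policies to the same message.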
End of changes. 8 change blocks. | ||||
11 lines changed or deleted | 35 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |