Re: [dmarc-ietf] NXDOMAIN

"Murray S. Kucherawy" <superuser@gmail.com> Tue, 06 April 2021 17:58 UTC

From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Tue, 06 Apr 2021 10:58:26 -0700
Message-ID: <CAL0qLwYmu20PB-HRjLNtnuykoJDerQ2NryEc5SdBD759Muoc7Q@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/19i3_6DDN3HUC0ncfH6foAdR3DY>

On Tue, Apr 6, 2021 at 4:54 AM Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:

> If the SPF Policy lookup returns NXDOMAIN, then we are at a full stop with
> all the information needed to make a decision.   (The sender is violating
> ICANN name registration policies).   Ignoring NXDOMAIN and continuing to
> look for MX/A/AAAA is a waste of information and a waste of resources.
>

I agree.

> But clearly, the norm in this group is to check MX/A/AAAA because it seems
> likely to be a more powerful filter.   I wonder if that is actually true.
>

In the context of the code doing the SPF evaluation, I don't think it is.
If TXT returns NXDOMAIN for a name, so will any other type.  That's the
definition of NXDOMAIN; there are no data of any type for this name.  See
also RFC 8020.  Fortunately, a properly functioning local nameserver will
cache the answer and just repeat it when subsequent MX, A, or AAAA queries
get issued, so the waste is relatively cheap.

I imagine some DNS APIs are ambiguous (i.e., lazy) about reporting "That
name does not exist (rcode=NXDOMAIN)" differently from "That name exists,
but there's no record of the type you requested (rcode=NOERROR,
ancount=0)", which can result in some wasted time, but I expect the end
result would be the same.

> 1)  A/AAAA is a pretty weak test, since many domains have A/AAAA records on
> the domain name for web purposes.
>

Independently of SPF, it's not a weak test since the standards allow
exactly this kind of setup for a domain that wants to receive mail.  Again,
Section 5.1 of RFC 5321.

> I do respond to SPF NONE by applying a best-guess SPF policy which includes
> MX and A, and sometimes produces SPF PASS.   But I no longer do that for
> non-existent domains.
>

"Best guess SPF" is discouraged.  See
http://www.open-spf.org/FAQ/Best_guess_record/.

-MSK
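The two points in this message that code makes concrete are the difference between NXDOMAIN and "NOERROR with ancount=0" that some resolver APIs blur, and the query order that treats an NXDOMAIN on the SPF TXT lookup as a full stop before any MX/A/AAAA lookups. The following is an added illustration, not code from the thread or from any SPF implementation: it classifies a DNS response from its wire-format header and runs the check against a constructed in-memory zone; `make_resolver`, `check_sender_domain` and the zone contents are assumptions made for the example.

```python
import struct
from typing import Callable, Dict, List, Tuple

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3   # RFC 1035 s4.1.1; rcode = low 4 bits of flags

def classify_response(wire: bytes) -> str:
    """Classify a DNS response from its 12-byte header: NXDOMAIN (rcode=3, no
    records of ANY type at the name, RFC 8020) vs NODATA (rcode=0, ancount=0:
    the name exists, just not with this type) vs DATA vs some other ERROR."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", wire[:12])
    if not flags & 0x8000:
        raise ValueError("not a response: QR bit is clear")
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode != RCODE_NOERROR:
        return "ERROR"
    return "DATA" if ancount > 0 else "NODATA"

def build_response(rcode: int, ancount: int) -> bytes:
    """Constructed sample: header-only response (QR=1, RA=1), one question."""
    return struct.pack("!6H", 0x1234, 0x8080 | (rcode & 0xF), 1, ancount, 0, 0)

Lookup = Callable[[str, str], bytes]

def make_resolver(zone: Dict[str, Dict[str, int]]) -> Lookup:
    """Constructed resolver stand-in (assumption): unknown name -> NXDOMAIN; known
    name without the requested type -> NODATA; else ancount = record count."""
    def lookup(name: str, rrtype: str) -> bytes:
        rrsets = zone.get(name.lower().rstrip("."))
        if rrsets is None:
            return build_response(RCODE_NXDOMAIN, 0)
        return build_response(RCODE_NOERROR, rrsets.get(rrtype, 0))
    return lookup

def check_sender_domain(domain: str, lookup: Lookup) -> Tuple[str, List[Tuple[str, str]]]:
    """SPF TXT lookup first; NXDOMAIN there is a full stop. MX/A/AAAA (RFC 5321
    s5.1) are consulted only for a name that exists. Returns (verdict, queries made)."""
    trace: List[Tuple[str, str]] = []
    for rrtype in ("TXT", "MX", "A", "AAAA"):
        result = classify_response(lookup(domain, rrtype))
        trace.append((rrtype, result))
        if result == "NXDOMAIN":
            return "nonexistent", trace          # no data of any type: stop here
        if result == "DATA" and rrtype != "TXT":
            return "mail-capable", trace         # MX, A or AAAA present
    return "exists-but-no-mail-records", trace
```

The returned trace shows how many queries were actually spent: a nonexistent name costs one lookup, while a name that exists only for web purposes (A record, no MX) is still accepted as mail-capable, which is the point made above about RFC 5321 section 5.1.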