Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd

Ian Levy <ian.levy@ncsc.gov.uk> Tue, 12 November 2019 06:59 UTC

Return-Path: <ian.levy@ncsc.gov.uk>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 092A4120133 for <dmarc@ietfa.amsl.com>; Mon, 11 Nov 2019 22:59:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LiVTz62urx6j for <dmarc@ietfa.amsl.com>; Mon, 11 Nov 2019 22:59:12 -0800 (PST)
Received: from GBR01-LO2-obe.outbound.protection.outlook.com (mail-eopbgr100139.outbound.protection.outlook.com [40.107.10.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E46FE1200A4 for <dmarc@ietf.org>; Mon, 11 Nov 2019 22:59:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YOmw4CL0qVRL1KuQ5j47V9VT8Qf0R2L3czSyw0vOSO9RcFdv/xOc1bFP3cgnDYEkL10XT39U0s9v3GQuoft6FEmazvdqCzpFg7rHwCNOeAKbnHkvoZn/KHaejcnJSL1ogcegSl7OhMoDOO8si1EUuS2cIi9Ngf8uxJkzUDPPUusjQqYECzfouRXQpZeP2bWW3vNxxQ3z/YGh8fBna6Fi0L4QX3noswYkG/eQe0BYdnbNgQQ77g5T1/BC3oMKWe9dgTas4vMLzku74JLdRJATdj4cOL3oFGsW36ItvP6SeqVa8Kpje4iTd1DP+Zz8HYkIC+zZcATHEfSsvr4fFTOIiA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=osYXV0cgrpWOQJRVCaD/juO6w7Tnz0c1KIdJw13EQus=; b=DvBe82hPq59TXP9YKCquuIrQgA1Kw92ipqFPg9VGMoB7lWwYrH2ueRC/FpsdNTfHxMy52CBN4cXJZFZUFLMiqKKju8yPbhy4Qb8B4vVZ+o7zpXaDUpXpHOzUCSrejNL8hX802lu4LGgheB/N08VdhX2kGnYdu42vtiZsyDauuQ6uXVacXeaL7lnAyGR1fgdwTSVPhaWkNziXku8BGwdtG6B2ItBqXi0aoBJNfjYOgcMiZL+j/5UJ1/McIvEU3mlIa3Mu8aUAfkj87+QmDBKAeVmx72BTJdpG8vqE7J0obfHK3NTEONGWfUI2Y1eokMSsdXQ+DV68QJwCvoeN4dujDA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ncsc.gov.uk; dmarc=pass action=none header.from=ncsc.gov.uk; dkim=pass header.d=ncsc.gov.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=osYXV0cgrpWOQJRVCaD/juO6w7Tnz0c1KIdJw13EQus=; b=EzKrGQOqCc6ITVlh0wBG+P2gHswv3SxCPMnNRDlPfMW/P9ZVjDHWwlcFwVH+GpmE/lYw2G9APE/IO5I6NTpIfiP39VdmO+MUmRb2L3qxpdi1OY54mOc8bnKr/l9vBzOOqLlFw70D8cb21NcWPA93NzEa0uk4a6ppDGd9uyF9a5s=
Received: from LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM (20.176.157.151) by LO2P123MB1902.GBRP123.PROD.OUTLOOK.COM (20.176.155.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.25; Tue, 12 Nov 2019 06:59:09 +0000
Received: from LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM ([fe80::55de:86ea:53e9:92ef]) by LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM ([fe80::55de:86ea:53e9:92ef%6]) with mapi id 15.20.2430.027; Tue, 12 Nov 2019 06:59:09 +0000
From: Ian Levy <ian.levy@ncsc.gov.uk>
To: Alessandro Vesely <vesely@tana.it>, "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Comment on draft-ietf-dmarc-psd
Thread-Index: AQHVUkRUHW06UOOZ+kq6kqLLLMMrLqcaPC6AgANurWOAaHWPgIAADzIAgAAY2wCAAGFPgIAAIrUAgADa9BI=
Date: Tue, 12 Nov 2019 06:59:09 +0000
Message-ID: <LO2P123MB2285B674B32C689CE2C1455DC9770@LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM>
References: <728d7df1-d563-82f4-bfb3-a65a75fdd662@gmail.com> <CAL0qLwacbAT04tckpPcRcnOt=1QByOBeJ7uDf6rNK6NRwtxZYg@mail.gmail.com> <ffa2bf72-3024-237b-86ae-9cc04babeec6@gmail.com> <74a0ea49-7a46-4eb6-c297-cd703f63bd1b@gmail.com> <CAL0qLwbp2hNrgF_xxhKRRODQ6HP=U5_K-r3Wtm1wJZOZcKup3g@mail.gmail.com> <9DE9E7DC-FE60-4952-8595-B2D087A6B780@kitterman.com> <CADyWQ+GSP0K=Ci22ouE6AvdqCDGgUAg3jZHBOg3EwCmw=QG84A@mail.gmail.com> <CABuGu1obn55Y2=CuEYRYCEO3TYYNhYTsdkesQ67O61jRyfO=wA@mail.gmail.com>, <59947cf1-1851-af56-536e-f78530e79dd2@tana.it>
In-Reply-To: <59947cf1-1851-af56-536e-f78530e79dd2@tana.it>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ian.levy@ncsc.gov.uk;
x-originating-ip: [51.140.78.31]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 61d7e2ff-96f9-4bdc-7fe1-08d7673dd159
x-ms-traffictypediagnostic: LO2P123MB1902:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <LO2P123MB190294756081E19EE1B9EA8AC9770@LO2P123MB1902.GBRP123.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:7219;
x-forefront-prvs: 021975AE46
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(136003)(396003)(39850400004)(366004)(376002)(346002)(189003)(199004)(229853002)(8676002)(81156014)(446003)(76176011)(71200400001)(7696005)(71190400001)(11346002)(486006)(476003)(5660300002)(44832011)(102836004)(99286004)(76116006)(110136005)(316002)(66946007)(33656002)(52536014)(606006)(81166006)(2906002)(66446008)(64756008)(66556008)(66476007)(14444005)(256004)(186003)(74316002)(966005)(6246003)(8936002)(6116002)(26005)(9686003)(3846002)(7736002)(25786009)(6436002)(86362001)(6506007)(55236004)(6306002)(54896002)(55016002)(2501003)(53546011)(45080400002)(478600001)(236005)(14454004)(66066001); DIR:OUT; SFP:1102; SCL:1; SRVR:LO2P123MB1902; H:LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ncsc.gov.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 6r6+Zh0y8pPEK00Nzd8HdFCxcroQuV6q+Fg2dn0SrA3vTMX49Zk3SjyIeeGksjFImrzLaMYX6PpU0RQwPorPbQ+RIQoTudZFTCPeRTaSzgzNruAJdQY6VDtD0wzRLixWdfL+HklTRPxf7vVgR7jIKjNc9vVXsagP0WZrbwjjVSC430RbtR4L2g4q3lGutK03kAvsnw9TD8MfJPJAdKl6S3ExNnJ7v3hrHPKYAdEEhTcUaO1Lk72z5zQLUfXdpqx9idieACPj905Jr2AMH7shA7SgXnqUzQGCv5yDgL7DxEOGr57xtCggOXvveZndKVXfkVzwa0VdVKzIFPwg1PXnDYVYHOHCSlZN3P606D+vLSqFJXm9kcx5zHjYcmNLx4O2plrSPjPtPRdKrQ8OitzWZGET1YQE9OoWiD1WrKBFFON0TpC7ahbAasNU5QBNcKeSrbuTKoHb8gV4sgAdJxgHGeI7bZVPRC5oijgQrGNR7JE=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_LO2P123MB2285B674B32C689CE2C1455DC9770LO2P123MB2285GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 61d7e2ff-96f9-4bdc-7fe1-08d7673dd159
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Nov 2019 06:59:09.8874 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 494LYrYWmN87cTpQG3FjMHgzBIlbSCXtb+deanhws5DoxO7wfaKel6hJ8MI3KwUYJWYnk65gOxz+L68IJt0p2Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO2P123MB1902
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/1gi1TNCtkn5c_n6utvJZJuVXqDk>
Subject: Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2019 06:59:16 -0000

> while _dmarc.gov.uk returns a valid record. The
> latter is a Nominet, already solved problem, AFAICS.

I can speak authoritatively about this. What we’ve got is an evil, hacky kludge that has some weird side effects (since we respond to *any* non-existent subdomain, not just DMARC and SPF related ones). It’s just about passable as an interim, but we believe we need a better, targeted solution along the lines of Scott’s draft.

Ta.

I.

—
Dr Ian Levy
Technical Director
National Cyber Security Centre
ian@ncsc.gov.uk
________________________________
From: dmarc <dmarc-bounces@ietf.org> on behalf of Alessandro Vesely <vesely@tana.it>
Sent: Monday, November 11, 2019 5:50:30 PM
To: dmarc@ietf.org <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd

On Mon 11/Nov/2019 16:46:17 +0100 Kurt Andersen (b) wrote:
>
> I don't think that it is fair to say that anyone who refers to the org domain
> concept as cited in the DMARC spec is necessarily invoking the PSL.


Agreed.  The PSL just happens to be the only valid tool to do that.

For various reasons, large organizations administer many apparently unrelated
domains.  For example, _dmarc.youtube.com has a rua mailto ending in
@google.com.  We cannot infer an OD from that, but I think the concept is clear.


> I do have a problem with the conflation of the org domain with a
> super-organizational "realm" (?) that may impose conditions upon organizations
> that fall within their jurisdictional purview. My main concerns are with the
> potential usurpation of the org domain's policy declaration rights. "Moving"
> the org domain up one level disenfranchises the organizations and that is the
> wrong thing to do IMO.


The I-D definitions are clear enough.  Section 2.5, in particular, prevents the
conflation neatly.


> As to the proposed "let's run this as an experiment pending DMARCbis", I don't
> see how that satisfies Dave's concern about creating new work for receivers in
> order to help a small set of domain (realm) owners. I'm not opposed to it, but
> I just don't see how this solves the issue.


Isn't that an ICANN problem?  For the time being, dig _dmarc.bank txt returns
an empty NOERROR response, while _dmarc.gov.uk returns a valid record.  The
latter is a Nominet, already solved problem, AFAICS.


Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©
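The thread contrasts two ways of giving every domain under a public suffix a DMARC policy: a wildcard kludge at the PSD (Ian's description: any non-existent subdomain gets an answer) versus the explicit PSD lookup step of draft-ietf-dmarc-psd. The following Python is an added example, not code from the thread, from NCSC or Nominet, and not a description of gov.uk's actual DNS. It implements RFC 7489 policy discovery (From domain, then Organizational Domain) plus a PSD fallback step, over a constructed in-memory zone with RFC 4592 wildcard synthesis. All names (`gov.example`, `co.example`, `council.gov.example`, `acme.co.example`), the public-suffix fragment `PUBLIC_SUFFIXES`, the participant set `PSD_PARTICIPANTS` and the record contents are constructed; the draft's `np=` tag and its real participation mechanism are not modelled.

```python
"""Added example: DMARC policy discovery with a PSD fallback, run against
constructed DNS data. Names, records and the PSL fragment are invented."""
from typing import Dict, Optional, Set, Tuple

# Constructed fragment standing in for the Public Suffix List.
PUBLIC_SUFFIXES: Set[str] = {"example", "co.example", "gov.example"}

# Constructed stand-in for "PSDs that have opted in to PSD DMARC".
PSD_PARTICIPANTS: Set[str] = {"gov.example"}

# Constructed zone A: the wildcard kludge. "*.gov.example" makes every
# non-existent name under gov.example answer with a DMARC-looking TXT.
ZONE_WILDCARD: Dict[str, str] = {
    "_dmarc.gov.example": "v=DMARC1; p=reject; rua=mailto:rua@gov.example",
    "*.gov.example": "v=DMARC1; p=reject; rua=mailto:rua@gov.example",
    "_dmarc.council.gov.example": "v=DMARC1; p=none; rua=mailto:rua@council.gov.example",
    "_dmarc.acme.co.example": "v=DMARC1; p=quarantine; rua=mailto:rua@acme.co.example",
}

# Constructed zone B: same data without the wildcard; relies on the PSD step.
ZONE_PSD: Dict[str, str] = {k: v for k, v in ZONE_WILDCARD.items() if not k.startswith("*.")}


def _exists(name: str, zone: Dict[str, str]) -> bool:
    """A name exists if it owns records or is an ancestor of a name that does."""
    return any(k == name or k.endswith("." + name) for k in zone)


def resolve_txt(name: str, zone: Dict[str, str]) -> Optional[str]:
    """TXT lookup with RFC 4592 wildcard synthesis: exact match wins; an existing
    name with no TXT gives an empty answer (None); otherwise the wildcard at the
    closest existing ancestor ("closest encloser") is used, if one is configured."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    if _exists(name, zone):
        return None  # NOERROR, no data (cf. "_dmarc.bank" in the thread)
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(ancestor, zone):
            return zone.get("*." + ancestor)  # wildcard, or NXDOMAIN as None
    return None


def public_suffix(domain: str) -> str:
    """Longest listed suffix matching the domain; falls back to the last label."""
    domain = domain.lower().rstrip(".")
    matches = [s for s in PUBLIC_SUFFIXES if domain == s or domain.endswith("." + s)]
    return max(matches, key=len) if matches else domain.rsplit(".", 1)[-1]


def organizational_domain(domain: str) -> str:
    """RFC 7489 section 3.2: the public suffix plus one more label."""
    domain = domain.lower().rstrip(".")
    suffix = public_suffix(domain)
    if domain == suffix:
        return domain
    remainder = domain[: -(len(suffix) + 1)]
    return remainder.rsplit(".", 1)[-1] + "." + suffix


def _is_dmarc(record: Optional[str]) -> bool:
    return record is not None and record.strip().lower().startswith("v=dmarc1")


def discover_dmarc(from_domain: str, zone: Dict[str, str],
                   psd_participants: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (record, stage) where stage is "from", "org" or "psd", or None.
    Steps 1-2 follow RFC 7489 section 6.6.3; step 3 is the PSD fallback,
    consulted only when the PSD has opted in (modelled here as a plain set)."""
    from_domain = from_domain.lower().rstrip(".")
    record = resolve_txt("_dmarc." + from_domain, zone)
    if _is_dmarc(record):
        return record, "from"
    od = organizational_domain(from_domain)
    if od != from_domain:
        record = resolve_txt("_dmarc." + od, zone)
        if _is_dmarc(record):
            return record, "org"
    psd = public_suffix(from_domain)
    if psd in psd_participants and psd not in (from_domain, od):
        record = resolve_txt("_dmarc." + psd, zone)
        if _is_dmarc(record):
            return record, "psd"
    return None


if __name__ == "__main__":
    for dom in ("nonexistent.gov.example", "hr.council.gov.example", "newco.co.example"):
        print(dom, "wildcard zone:", discover_dmarc(dom, ZONE_WILDCARD, PSD_PARTICIPANTS))
        print(dom, "PSD zone:     ", discover_dmarc(dom, ZONE_PSD, PSD_PARTICIPANTS))
    # The side effect Ian describes: an unrelated name also gets a DMARC-looking TXT.
    print("www.anything.gov.example TXT:", resolve_txt("www.anything.gov.example", ZONE_WILDCARD))
```

Both zones give `nonexistent.gov.example` the PSD's policy, but the wildcard zone reports it at the "from" stage, so a receiver cannot tell a domain that published its own record from one that simply does not exist, and `resolve_txt("www.anything.gov.example", ZONE_WILDCARD)` shows the same synthesised TXT leaking to names that have nothing to do with mail. A domain that does publish its own record (`council.gov.example`) blocks wildcard synthesis below it in both zones, which is why the kludge does not override existing organisational policies. Against a PSD that has not opted in (`co.example`), the PSD step is never taken and `newco.co.example` correctly ends with no policy.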