IETF Logo Mail Archive

Re: [dmarc-ietf] Draft 10 notes: NXDOMAIN

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 28 June 2022 19:02 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20188C15AD31 for <dmarc@ietfa.amsl.com>; Tue, 28 Jun 2022 12:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JmnLs0_nKdd8 for <dmarc@ietfa.amsl.com>; Tue, 28 Jun 2022 12:02:02 -0700 (PDT)
Received: from mail-ot1-x334.google.com (mail-ot1-x334.google.com [IPv6:2607:f8b0:4864:20::334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF3CCC15D885 for <dmarc@ietf.org>; Tue, 28 Jun 2022 12:01:30 -0700 (PDT)
Received: by mail-ot1-x334.google.com with SMTP id q18-20020a9d7c92000000b00616b27cda7cso8803028otn.9 for <dmarc@ietf.org>; Tue, 28 Jun 2022 12:01:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=q/HYkKZe3PK4SwMOVo3xDbhAW3JXY1chItmV4ytFB14=; b=kG+TOAnxnrrLdPxXj68i8OE2YCkZFGKnRPWFDfxr0GIobD7hlzB1s9d4RelW+oJ6OW hIC2WdUgRJIH3TOq+S9IjNe7wHIPHnphDj3ySTWjFTxzffGPFygAhTTyDkddE4SBD44h mmZDOFRfxpAXtxfEPyR+KHlNHzKL63hUKXqD9hadgarYS+XcYDO8g0mbJhLZqFaQJ+D+ Rmu3tlILVhq9phXiD79+euyGgxJKIh2ScwMLYFJV5NYzo/v0Kj8TH6A7JjYkdcOM233j 90RPJSmASWbQMcT9f9MEGfk9E5iuQTs943HIsjgPC3PmOMelmoeSPxsVITY+Mgn43aC8 9uKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=q/HYkKZe3PK4SwMOVo3xDbhAW3JXY1chItmV4ytFB14=; b=yiTxoX/34OI/SqMgXdC13RM6QmkIIIiKGvSp9c6kQEYZiuTFoeL04pEWyWPL5IiZ6l Av8psGn1pTdBJAGPCBcRKaCY30wLq86OpvgHhsv3YID2ovBgZ2hx6VA9wf5NzDu17Jj7 aTLgXTSrc72/Ykt2Fl+YOgNaDahvSGiQkNXWT1ifMx/2Br3Qd5PUvzBybWPr1eJgZ/49 EHR3kaA0ocxdkZ4HK2Lr3WsEqzkE2r/r+FtVFPZM3CQ0cMiezc1CPcUBaU6CLYn9EnaF TGkMj2LHiojgOLmiCmmhtJsmeXvJWkZ9zTA8c8LFRKIw5ArFzDx8TW21j4aP2DxmbfQ+ a75g==
X-Gm-Message-State: AJIora9NhSYYrzpAat3cgERKaMdJD60YICS+y9mwcporOUDw1a+yWvO3 lBFNiXC7emkTyStjej4hV4OeduQPxGZokX3LjHwMNSOx
X-Google-Smtp-Source: AGRyM1v6tbFwjaEDmITt7vTDOL8vsDiU8SVCGrrtdRIeDLIlrF+3D115NCvSMGb9c9oGJu3Dt8WKE85L75ltzBGACV8=
X-Received: by 2002:a9d:7b51:0:b0:616:de05:1279 with SMTP id f17-20020a9d7b51000000b00616de051279mr3519598oto.82.1656442889478; Tue, 28 Jun 2022 12:01:29 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48Zfy4mKG=K+YamFiQVSt0D-oDPOBDaJLsW3iX7HucCQRV+g@mail.gmail.com> <CAHej_8nve0nevJ5=F7MPCQc4s=KPjQqNe++KOhiYbJPh_Q0yUg@mail.gmail.com> <CAH48Zfzk33iAd_8iyQ43kovXCf8pbNiNYP8MfY=gt7-=M6KZ7g@mail.gmail.com> <CAHej_8nyF5F9Du+5YAEZStHtY_M5LWFm7w9NS2Vy8pO9f-xPuw@mail.gmail.com>
In-Reply-To: <CAHej_8nyF5F9Du+5YAEZStHtY_M5LWFm7w9NS2Vy8pO9f-xPuw@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 28 Jun 2022 15:01:18 -0400
Message-ID: <CAH48Zfx=_YWPsE0Ow1zvX+qzCXjpq9Fkmj6wsFiUfhW2WjBWLA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000004a89405e286aa34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/1no3ELXTdDH2uMCtgwC71qPHP2o>
Subject: Re: [dmarc-ietf] Draft 10 notes: NXDOMAIN
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2022 19:02:08 -0000

I agree that NXDOMAIN is the correct test to use for the NP policy, and as
close as we can get to perfection.

As for the reference to RFC 8020, whether NXDOMAIN does or does not exclude
subdomains, the effect on our specification is small.   But it does seem
important to not repeat information that appears to be occasionally
incorrect.

A relevant issue is whether NXDOMAIN is a valid test for non-existence of a
TLD or PSD.   I expected the answer to be NO, on the theory that some TLDs
or PSDs will not support DNS SEC and therefore not have RRSIG records, and
in many cases would not have reason to contain any other resource record
either.  However, in this week's testing, every TLD or PSD tested is
returning NODATA.   So I don't understand my results.

Doug


On Tue, Jun 28, 2022 at 2:03 PM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> On Mon, Jun 27, 2022 at 8:36 PM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> My testing was done more than a year ago.   My recollection is that I
>> discovered it based on something in the wild, and then confirmed it with a
>> locally-configured experiment.   This time I am having trouble finding
>> examples.
>>
>> The only one I can verify is from a previous email exchange on this forum:
>>
>> mail.foodnetwork.com
>> returns NXDOMAIN
>>
>> but
>> _dmarc.mail.foodnetwork.com
>> returns DATA for type=TXT
>>
>
> Thank you for the further information.
>
> In regards to RFC 8020, rev -10 of DMARCbis currently reads as follows:
>
> 7.8.  <#m_-63867453221050999_section-7.8>Domain Existence Test
> <#m_-63867453221050999_name-domain-existence-test>
>
> RFC 7489 used the test specified in [RFC5321
> <#m_-63867453221050999_RFC5321>] to determine a domain's existence. This
> test requires up to three DNS lookups for the MX, A, and AAAA RRs for the
> name in question.ΒΆ <#m_-63867453221050999_section-7.8-1>
>
> This version of the protocol relies solely on the test for existence as
> defined in [RFC8020 <#m_-63867453221050999_RFC8020>]. If a query for a
> name returns NXDOMAIN, then the name does not exist.
>
> <#m_-63867453221050999_section-7.8-2>
> But I'm not sure that this is correct, especially not the first sentence,
> because here's what RFC 7489 has to say on the topic:
>
>
>  <https://datatracker.ietf.org/doc/html/rfc7489#appendix-A.4>
>
> A.4 <https://datatracker.ietf.org/doc/html/rfc7489#appendix-A.4>.  Domain Existence Test
>
>    A common practice among MTA operators, and indeed one documented in
>
>    [ADSP <https://datatracker.ietf.org/doc/html/rfc7489#ref-ADSP>], is a test to determine domain existence prior to any more
>
>    expensive processing.  This is typically done by querying the DNS for
>
>    MX, A, or AAAA resource records for the name being evaluated and
>
>    assuming that the domain is nonexistent if it could be determined
>
>    that no such records were published for that domain name.
>
> *   The original pre-standardization version of this protocol included a*
>
> *   mandatory check of this nature.  It was ultimately removed, as the*
>
> *   method's error rate was too high without substantial manual tuning*
>
> *   and heuristic work.*  There are indeed use cases this work needs to
>
>    address where such a method would return a negative result about a
>
>    domain for which reporting is desired, such as a registered domain
>
>    name that never sends legitimate mail and thus has none of these
>
>    records present in the DNS.
>
>
> The first two sentences in the second paragraph from RFC 7489 seem to contradict the statement in DMARCbis that "RFC 7489
>
> used the test specified in RFC 5321 to determine a domain's existence."  This would argue for the text of "Domain Existence
>
> Test" in DMARCbis to be reworded.
>
>
> The "np" tag didn't exist in RFC 7489, and it's not clear to me that RFC 7489 cared all that much about whether a domain existed.
>
> In DMARCbis, however, the "np" tag does exist, and so it seems we must settle on a way to determine whether or not a domain exists,
>
> and RFC 8020 seems to be the more efficient method than RFC 5321, as it requires just one query, not three.
>
>
> As to the particulars of your example, I'm not sure there's any difference regardless of the method chosen, as queries for an A, AAAA,
>
> and MX records for the name "mail.foodnetwork.com" all return NXDOMAIN just as does a query for ANY. Those results are, for me,
>
> enough reason to reject a message prior to attempting any DMARC processing, because if the domain in the From: or Return-Path:
>
> header doesn't exist, then the message cannot be replied to and is therefore not worthy of being accepted. This is consistent with the
>
> above statement from RFC 7489 - "A common practice among MTA operators ... is a test to determine domain existence prior to any
>
> more expensive processing." The fact that AWS's DNS servers don't adhere to RFC 8020 and return an answer for _dmarc.mail.foodnetwork.com
>
> would be meaningless to me here, because I'd never ask the question.
>
>
> For those MTA operators who don't think like I do, DMARCbis is clear on which policy to use for a non-existent RFC5322.From domain:
>
>
> If the DMARC policy to be applied is that of the RFC5322.From domain, then the DMARC policy is taken from the p= tag of the
>
> record. If the DMARC policy is taken from either the Organizational Domain or the Public Suffix Domain and that domain is different
>
> than the RFC5322.From domain, then the DMARC policy is taken from the sp= tag (if any) if the RFC5322.From domain exists and
>
> the np= tag (if any) if the RFC5322.From domain does not exist. In the absence of applicable sp= or np= tags, the p= tag policy
>
> is used for subdomains.
>
>
> This would mean in this case that for those sites that adhere to the DMARCbis specification and elect to accept mail from non-existent
>
> domains, the policy published at "_dmarc.foodnetwork.com" would apply to this message (p=none), rather than the policy published
>
> at "_dmarc.mail.foodnetwork.com" (p=reject), and if the domain owner of mail.foodnetwork.com wanted different behavior, they would
>
> ensure that mail.foodnetwork.com passes an existence test in DNS.
>
>
> --
>
> *Todd Herr * | Technical Director, Standards and Ecosystem
> *e:* todd.herr@valimail.com
> *m:* 703.220.4153
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email