Re: [dmarc-ietf] DNS library queries for DKIM and DMARC records?

"Chris Newman" <chris.newman@oracle.com> Thu, 16 May 2019 14:06 UTC

Return-Path: <chris.newman@oracle.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E9781200EC for <dmarc@ietfa.amsl.com>; Thu, 16 May 2019 07:06:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O_tdpO-yW_eJ for <dmarc@ietfa.amsl.com>; Thu, 16 May 2019 07:06:30 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 280EF12008F for <dmarc@ietf.org>; Thu, 16 May 2019 07:06:30 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4GDs0AI090765; Thu, 16 May 2019 14:06:25 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=yM07u5c65TKjkjQAdWKZAfpGbGHfDEIw/b9u+9WgFbM=; b=nDKMFLQ6Xc+4dFCrWgILols9pPKkYeh3RwEx8FubogjU0Zcmvvw5k6m7TkfFqs2bHnZT aRNrcV7BaNXuBg7tCJ2UmE2Cr3x4VYcwWKPX0CcBCYpS1ucTkGBj6MM+buL0J2ZSIrk4 YrUtaBIQ+8m63h1WZqyo3AbYvTpRs0G3ZXOD9w5aYgBIkK2khKKLd9wJP1yCjjEpUKCD seqR24dMx5XgDlL/ksC5SOjHORpLfLRFYvoMhFTWEiL/dgwULFgOm2bLuKrG+o4kjL2E RQEOOMo6JDF5hi1ps0PMxC+A723AUewyNTciHh1U8c8KUKdC9YitUHWKIOogdri0XUAr mg==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by userp2130.oracle.com with ESMTP id 2sdntu3p9j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 16 May 2019 14:06:25 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4GE6Fbt070642; Thu, 16 May 2019 14:06:25 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userp3030.oracle.com with ESMTP id 2sgkx43q60-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 16 May 2019 14:06:24 +0000
Received: from abhmp0022.oracle.com (abhmp0022.oracle.com [141.146.116.28]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x4GE6NS2009903; Thu, 16 May 2019 14:06:23 GMT
Received: from [10.39.240.74] (/10.39.240.74) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 16 May 2019 14:06:23 +0000
From: "Chris Newman" <chris.newman@oracle.com>
To: "Doug Foster" <fosterd@bayviewphysicians.com>
Cc: "Dave Crocker" <dcrocker@gmail.com>, "IETF DMARC WG" <dmarc@ietf.org>
Date: Thu, 16 May 2019 10:06:18 -0400
X-Mailer: MailMate (1.12.4r5594)
Message-ID: <49301D00-1881-4A86-B7E5-AC0B6272B34B@oracle.com>
In-Reply-To: <000401d50b27$dbb5c310$93214930$@bayviewphysicians.com>
References: <571ce243-a8b0-094d-0d59-06f1432bd741@gmail.com> <000401d50b27$dbb5c310$93214930$@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9258 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905160092
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9258 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905160092
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/43HhXEVoOKZsD9ii1a7zKpUFrBA>
Subject: Re: [dmarc-ietf] DNS library queries for DKIM and DMARC records?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 14:06:33 -0000

If you're doing this analysis, I think it may be helpful to the 
community if you share test vector messages. Data variations that 
trigger a bug in one implementation might cause issues with other 
implementations and thus may be helpful as a public test vector to 
improve overall implementation quality.

		- Chris

On 15 May 2019, at 10:09, Doug Foster wrote:

> I have recently begun evaluating my incoming traffic for DKIM status, 
> and I
> suspect the results are relevant to your question.
>
> These results are based on 768 unique domains, on signed messages, 
> received
> over a few adjacent days.  Messages that were blocked for any reason 
> are
> excluded from the analysis.  (I am not blocking based on DKIM status).
>
> 22  2.9% have DKIM signatures but fail verification 100%
> 15   2.0% have some DKIM verification failures
>
>  7    0.9% have 100% rejection due to DNS record syntax errors
>  1   0.1% have some rejections due to DNS record syntax errors
>
> 10  1.3% have 100% DKIM TXT lookup failures
>   1 0.1% have some DKIM TXT lookup failures
> ---  ----
> 57  7.3%  have DKIM problems
>
> This failure rate is much higher than I would have expected.
>
> When DKIM verification failures are detected, several possibilities 
> must be
> considered:
> - an error exists in the signature generation algorithm at the source 
> system
> - modification or addition of a signed header during transit
> - an error exists in the signature verification algorithm at the 
> receiving
> system
>
> We receive very little indirect mail, so I believe that forwarding is 
> not a
> significant contributor to these problems.
>
> For this type of debugging, it would be helpful if the receiving 
> system
> logged the message exactly as it was used for signature verification.  
> This
> would permit independent verification using a tool such as the message
> header checker at MxToolbox.com.   For the devices that I manage, this 
> is
> not the case.   Some of the devices do not log the full message at 
> all.  The
> one that does full logging only logs the message as it is relayed 
> outbound.
>
> My research also exposed a probable data-related bug on one mail 
> server,
> which causes it to generate incorrect signatures on a small percentage 
> of
> our outbound traffic.   I will be working with the vendor on that.
>
> Doug Foster
>
>
>
>
>
>
> -----Original Message-----
> From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Dave Crocker
> Sent: Wednesday, April 10, 2019 3:37 PM
> To: IETF DMARC WG
> Subject: [dmarc-ietf] DNS library queries for DKIM and DMARC records?
>
> Folks,
>
> Howdy.
>
> I'm trying to get a bit of education about reality.  Always dangerous, 
> but
> I've no choice...
>
>
> For the software you know about, how are queries to the DNS performed,
> to obtain the TXT records associated with DKIM and/or DMARC?
>
> I'm trying to understand the breadth and limitations of returned
> information that is filtered or passed by the code that is actually in
> use.  Which libraries and which calls from those libraries.
>
>
> Thanks.
>
> d/
>
> -- 
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dmarc&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=K_BObr5Kfkr3rxt1oBPF9KFiEU3xl9LcD2OOJG3TXfI&m=grA_44LyxvKqiGTJiOi4rnAkWUvPWq5Awl5rt-CqST0&s=PGbGkqcDa8b82pmdZS8i0mfVHJnKbSANGptAyHzeEtc&e=
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dmarc&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=K_BObr5Kfkr3rxt1oBPF9KFiEU3xl9LcD2OOJG3TXfI&m=grA_44LyxvKqiGTJiOi4rnAkWUvPWq5Awl5rt-CqST0&s=PGbGkqcDa8b82pmdZS8i0mfVHJnKbSANGptAyHzeEtc&e=