IETF Logo Mail Archive

Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 20 April 2022 10:56 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6C4B3A1079 for <dmarc@ietfa.amsl.com>; Wed, 20 Apr 2022 03:56:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1QtzHv-d9KX for <dmarc@ietfa.amsl.com>; Wed, 20 Apr 2022 03:56:12 -0700 (PDT)
Received: from mail-oa1-x2e.google.com (mail-oa1-x2e.google.com [IPv6:2001:4860:4864:20::2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 968513A1053 for <dmarc@ietf.org>; Wed, 20 Apr 2022 03:56:12 -0700 (PDT)
Received: by mail-oa1-x2e.google.com with SMTP id 586e51a60fabf-e5c42b6e31so1507259fac.12 for <dmarc@ietf.org>; Wed, 20 Apr 2022 03:56:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TQNILjgIluZROcJ3JSUKGPaV6JZkgVKAu4auvHsND7o=; b=jsOfDZYNS2TLX4Cr4UF+brKCW/vQQvoU9UbuymfOo55PJOhZm/fn87MrpIXh1Apx7K BOiXIAf0sycNGS5VYA166lH5szNHMtKC9o6ayl6cOZbsFk/fh84rIQ6zf/ysZa1gCvv/ Sq2xcc2uEhpUOTmvaMEWfb3vCTbfGttlNl10NhVxF1ebKeKX51oap7BBJ8W2jnmP/NJC pQRDbo0yhYHZ8kn/2zeWd22abRhUcYuh7hHIBFMeHoSK+alUaWeZibUF8C3WAhTOjZLP N5/CIjt8jwWhJm3XTUk5qQpdHfGwQkINiGFRnMpOyc8bEiCSJs8nrZ+GRzBOz7+Ejwxh qJRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TQNILjgIluZROcJ3JSUKGPaV6JZkgVKAu4auvHsND7o=; b=Mdz53xaFu7l9AOajvBWRw07TK5SEOqDp0rXbdCzz7KZYcYGYni3P+ywHHQn8wq5WuV 5zVK8Laf0r4SHrcj0vLWXRHItRtuDZLhL7gK3R8aPEDQZ7t6tJYBnXBlKD5CqHpvsy5u /VQ5k2E+3XiDc+1MJkTzGgwUjtiNrPXq8uoMN3cYr3cPzwqdG+W10/YVIktWEJ0SMZRu cm8xt/U+XgPSk41z63rzzMSb4L4p0dEbTH++Hr1Xa2TK4fB53MVQGAZDpHytTDFUBzRK uNsp2hU1SStqDQDXqUoDpB1x3VDRlcjWlg+9nNRK8IqnCqX3YBhmxX8YHMvvSaUPSFIU GXrg==
X-Gm-Message-State: AOAM531mUV6iNKRSDnlhmiUEX+YXMk2bVpzd2307NfYFeAPqpC7b0v3w UXoh5d9xrsoe2kTDC4dfH4jvKL3xxGwdlOawoZrXGkhd
X-Google-Smtp-Source: ABdhPJyy/yZ+G3HdFMKxGRnBiK3wZW0Gt4xbLsiFlXJK57p7gKuHT+NSzI5GkhnjetJ9yYN47YMx7ukiUrqu5BvfXUI=
X-Received: by 2002:a05:6870:2041:b0:de:f8b7:d98e with SMTP id l1-20020a056870204100b000def8b7d98emr1255728oad.51.1650452171431; Wed, 20 Apr 2022 03:56:11 -0700 (PDT)
MIME-Version: 1.0
References: <164925666278.4445.13789431014958416691@ietfa.amsl.com> <1763264.1lysBax9Yy@zini-1880> <CAH48Zfx6K85_zUEZd15jMb7d=atXqkfZiUYRbnVr=VjpG0isjQ@mail.gmail.com> <4212228.nKx5ozAMXs@zini-1880>
In-Reply-To: <4212228.nKx5ozAMXs@zini-1880>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 20 Apr 2022 06:56:01 -0400
Message-ID: <CAH48Zfy3D5EBZRT5Y+pHZo2xgKq1XMG-Sw7Rps-mAiDY-CrCtQ@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000065a38705dd13d713"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/46xgiU-t8cHWwvSlHL01O77Eup4>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2022 10:56:19 -0000

This is a fundamental flaw in the design, not a problem to be fixed on a
case-by-case basis.

Under the tree walk, any private registry client can impersonate the parent
or a sibling, simply by publishing a non-org DMARC policy and then letting
the tree walk proceed into the parent organization.  Yes, the parent
organization can prevent this using its own DMARC policy, but it is foolish
to assume that all of them will.  Wherever the opportunity exists,
malicious domain owners can be expected to use it. and the Michael Hammer
testimony is that they have already done so when the PSL had an omissioin.

Private registries are a significant complication to understanding the
effectiveness of DMARC evaluation, and yet the document still does not
discuss their existence or their potential security considerations.

The case against the PSL has been heavy on generalities but weak on
specifics.   The appropriate solution is to use DNS entries to provide a
check on PSL mistakes and omissions.   When a DNS entry specifies a lower
alignment point (more restrictive relaxed alignment), the evaluator should
use the DNS value.   If the PSL specifies a lower alignment point, the DNS
entry may be malicious.   So the evaluatror would be wise to use the more
restrictive st the PSL entry for an initial message, and then make an
investigate to determine if he wants to establish a local policy to trust
the higher alignment point in DNS.  When the DNS is being used to validate
the PSL rather than replacing it, we have alternate algorithm options which
are more efficient than a full tree walk.

In summary, there is no good reason to discard the PSL completely, and no
compelling reason to believe that DNS by itself can ever provide a
sufficient solution.

.Doug






On Tue, Apr 19, 2022 at 11:12 PM Scott Kitterman <sklist@kitterman.com>
wrote:

> Thanks.
>
> I think this is pretty much the same list John published before.  I think
> there is a little bit of outreach to do while we're working on DMARCbis,
> but
> it's not a major issue.  Some of these are false positives.  As an example:
>
> gov.scot
> service.gov.scot
>
> Are both on the PSL.  It's true that under the new tree walk approach
> other
> parts of the government of Scotland could impersonate service.gov.scot,
> but I
> don't think it's a major risk.
>
> This is part of the reason I'd like to see the WG get an early assignment
> from
> IANA for the psd tag.  Once that's done, we (and I will work on this) can
> start contacting both the PSL and above PSL entities with DMARC records
> about
> updating them to use it.  The meantime, any lower level entity for these
> PSDs
> that has a problem would be able to publish psd=n and stop it.
>
> Scott K
>
> On Tuesday, April 19, 2022 8:18:53 PM EDT Douglas Foster wrote:
> > Scott asked for my list, so it is attached.   I walked up the tree from
> the
> > private registries, then did a DNS lookup for a DMARC entry.
> >  Consequently, the list shows the domains with DMARC policies, at
> whatever
> > level, rather than the PSL entry itself.
> >
> > Doug
> >
> >
> > On Tue, Apr 19, 2022 at 12:00 AM Scott Kitterman <sklist@kitterman.com>
> >
> > wrote:
> > > On Monday, April 18, 2022 10:14:37 PM EDT Douglas Foster wrote:
> > > > Concern 1
> > > > Of the several thousand private registry domains listed in the PSL,
> 45
> > > have
> > > > DMARC policies at or above the registry point.   40 of these 45
> specify
> > > > relaxed alignment for both DKIM and SPF.  Upon activation of the tree
> > > walk,
> > > > these policies will be treated as organizational domains to any
> private
> > > > registry clients that have not published their own psd=y policy.
> > >
> > >  Because
> > > > of relaxed alignment, these private registry clients will be able to
> > > > impersonate their siblings and parents and produce a DMARC result of
> > > PASS.
> > >
> > > Please provide your list of ones you think might be problematic.
> > >
> > > > Concern 2
> > > > Since the longest current PSL entry has 5 segments, the longest
> > > > organizational domain is 6 segments.   The "jump to 5" logic needs
> to be
> > > > changed to "jump to 6".
> > >
> > > What PSL entries that are 5 long are you worried about?  When we
> looked at
> > > this before, 5 seemed sufficient.  Changing the number, now, isn't a
> big
> > > deal.
> > >
> > > > Concern 3
> > > > The "psd=u" language is inconsistent.  Which is true?
> > > > "This token indicates that this policy is not an organizational
> domain,,
> > > > the organizational domain is above this point"
> > > > or
> > > > "This token indicates no usable information, proceed with the
> heuristic
> > >
> > > to
> > >
> > > > determine if this policy is the organizational domain"
> > >
> > > It should be the latter.  If we're inconsistent, please propose
> corrected
> > > text.
> > >
> > > Scott K
> > >
> > > > Doug Foster
> > > >
> > > > On Sun, Apr 17, 2022 at 4:54 PM Scott Kitterman <
> sklist@kitterman.com>
> > > >
> > > > wrote:
> > > > > I've finished going through this and also updated authheaders [1]
> to
> > > > > match.  It
> > > > > now has a script called dmarc-policy-find which you can used to
> > >
> > > determine
> > >
> > > > > the
> > > > > DMARC policy to be applied for a domain.  You can use RFC 7489, RFC
> > >
> > > 7489 +
> > >
> > > > > RFC
> > > > > 9091, and DMARCbis-07.
> > > > >
> > > > > It does currently cheat and assume psd=y is in the records for
> domains
> > >
> > > on
> > >
> > > > > the
> > > > > PSD DMARC registry list, since no one has actually published that
> yet.
> > > > >
> > > > > Scott K
> > > > >
> > > > > [1] https://github.com/ValiMail/authentication-headers (also on
> pypi)
> > > > >
> > > > > On Wednesday, April 6, 2022 12:27:04 PM EDT Scott Kitterman wrote:
> > > > > > I believe it does.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Scott K
> > > > > >
> > > > > > On April 6, 2022 2:53:59 PM UTC, Todd Herr
> > > > >
> > > > > <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
> > > > > > >I believe this rev has the proposed text that was submitted in
> > >
> > > various
> > >
> > > > > > >messages in the thread titled "*5.5.4. Publish a DMARC Policy
> for
> > >
> > > the
> > >
> > > > > > >Author Domain - dmarcbis-06"*
> > > > > > >
> > > > > > >On Wed, Apr 6, 2022 at 10:51 AM <internet-drafts@ietf.org>
> wrote:
> > > > > > >> A New Internet-Draft is available from the on-line
> > > > > > >> Internet-Drafts
> > > > > > >> directories.
> > > > > > >> This draft is a work item of the Domain-based Message
> > >
> > > Authentication,
> > >
> > > > > > >> Reporting & Conformance WG of the IETF.
> > > > > > >>
> > > > > > >>         Title           : Domain-based Message Authentication,
> > > > >
> > > > > Reporting,
> > > > >
> > > > > > >> and Conformance (DMARC)
> > > > > > >>
> > > > > > >>         Authors         : Todd M. Herr
> > > > > > >>
> > > > > > >>                           John Levine
> > > > > > >>
> > > > > > >>         Filename        : draft-ietf-dmarc-dmarcbis-07.txt
> > > > > > >>         Pages           : 62
> > > > > > >>         Date            : 2022-04-06
> > > > > > >>
> > > > > > >> Abstract:
> > > > > > >>    This document describes the Domain-based Message
> > >
> > > Authentication,
> > >
> > > > > > >>    Reporting, and Conformance (DMARC) protocol.
> > > > > > >>
> > > > > > >>    DMARC permits the owner of an email author's domain name to
> > >
> > > enable
> > >
> > > > > > >>    verification of the domain's use, to indicate the Domain
> > >
> > > Owner's
> > >
> > > > > > >>    or
> > > > > > >>    Public Suffix Operator's message handling preference
> regarding
> > > > >
> > > > > failed
> > > > >
> > > > > > >>    verification, and to request reports about use of the
> domain
> > >
> > > name.
> > >
> > > > > > >>    Mail receiving organizations can use this information when
> > > > >
> > > > > evaluating
> > > > >
> > > > > > >>    handling choices for incoming mail.
> > > > > > >>
> > > > > > >>    This document obsoletes RFC 7489.
> > > > > > >>
> > > > > > >> The IETF datatracker status page for this draft is:
> > > > > > >> https://datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis/
> > > > > > >>
> > > > > > >> There is also an HTML version available at:
> > > > > > >>
> https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-07.html
> > > > > > >>
> > > > > > >> A diff from the previous version is available at:
> > > > > > >>
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-dmarcbis-07
> > > > > > >>
> > > > > > >> Internet-Drafts are also available by rsync at rsync.ietf.org
> :
> > > > > > >> :internet-drafts
> > > > > > >>
> > > > > > >> _______________________________________________
> > > > > > >> dmarc mailing list
> > > > > > >> dmarc@ietf.org
> > > > > > >> https://www.ietf.org/mailman/listinfo/dmarc
> > > > > >
> > > > > > _______________________________________________
> > > > > > dmarc mailing list
> > > > > > dmarc@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/dmarc
> > > > >
> > > > > _______________________________________________
> > > > > dmarc mailing list
> > > > > dmarc@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/dmarc
> > >
> > > _______________________________________________
> > > dmarc mailing list
> > > dmarc@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dmarc
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email