IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC review of draft-ietf-dmarc-dmarcbis-30

"John R. Levine" <johnl@iecc.com> Sun, 31 March 2024 00:22 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DA7AC14F5F8 for <dmarc@ietfa.amsl.com>; Sat, 30 Mar 2024 17:22:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sr0dmG2b_Ny5 for <dmarc@ietfa.amsl.com>; Sat, 30 Mar 2024 17:22:05 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1478FC14F605 for <dmarc@ietf.org>; Sat, 30 Mar 2024 17:22:03 -0700 (PDT)
Received: (qmail 22078 invoked from network); 31 Mar 2024 00:22:01 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding; s=563c6608aca9.k2403; bh=Sa37rLZcuJy6L4/8dpIyB/jygLEZl6jVDkIEw1xRnN8=; b=mfjiHDQPfR/zW+toXKs1yOTXT7Hqnko7GqgHoy/Ojl9SSQ8u3KQTQdgIRlwy8D3zeghpDvEoXpBpNDL1GRqrAka9KrnhXdai5P7Li/kNQKlZsc3TwfdbP5HMadstU90rTtijfq3qJZV/5DVX2HbmjED66yIr1D5EuSVFF5XBh13kAW+f7yBnJpuNwIBiHWjiFDzMh2l6gKnQko9aCZYPi3FO4ZO9UT2VUA5DZnrGVQaIlWBPhgXBIRIYksqJQxUa1JnkYuUuoVIPAJgPGzYIzr1bnNA+TAxUs7gQ6kAZoA90UTZxzbMbWHkjOxW0mm6BcYD36v668UHqQtIaQwuhpQ==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 31 Mar 2024 00:22:01 -0000
Received: by ary.qy (Postfix, from userid 501) id 074DD867E424; Sat, 30 Mar 2024 20:22:00 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id 680AE867E406; Sat, 30 Mar 2024 20:22:00 -0400 (EDT)
Date: Sat, 30 Mar 2024 20:22:00 -0400
Message-ID: <4d462513-6c1a-c1da-d62c-68d41bba6465@iecc.com>
From: "John R. Levine" <johnl@iecc.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Cc: dmarc@ietf.org
X-X-Sender: johnl@ary.qy
In-Reply-To: <B4365E6E-00DF-425E-9974-6EE1DE057319@bluepopcorn.net>
References: <F5158C76-BD86-4540-965D-F0D8664B6CD9@bluepopcorn.net> <85761761-ad6a-2a19-da82-344ed52c2391@iecc.com> <B4365E6E-00DF-425E-9974-6EE1DE057319@bluepopcorn.net>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/4Ybdou65mOnAI-m9S7RIGW9YdWc>
Subject: Re: [dmarc-ietf] WGLC review of draft-ietf-dmarc-dmarcbis-30
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 00:22:10 -0000

>>> Entities other than domains: Public suffixes aren’t (necessarily) domains,
>>
>> Of course they're domains.  What else could they be?  The things that are out of scope are IP addresses, ASNs, magic tokens in the messages, stuff like that.
>
> I’m probably being pedantic here: is “gov” a domain?

Let's check:

$ dig gov soa

  ; <<>> DiG 9.10.6 <<>> gov soa
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63612
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1232
  ;; QUESTION SECTION:
  ;gov.				IN	SOA

  ;; ANSWER SECTION:
  gov.			300	IN	SOA	a.ns.gov. dns.cloudflare.com. 1711843800 3600 900 604800 300

Yup, it's a domain.


>>> Second bullet: “most MUAs display some or all of the contents of that field”. I find this becoming less and less true. Many MUAs that I use, including Apple Mail (iOS) and Outlook, display only the Display Name, which is not authenticated at all as pointed out much later (11.4).
>>
>> Perhaps it should say "can display".  I agree you're more likely to see the comment in the From header than the domain these days.
>
> I’m not sure how helpful “can display” is if you have to figure out how to display message source or something. Of course, there is also the argument that users’ behavior won’t be any different even if it is displayed.

I wouldn't object to taking it out since I agree that it's neither very 
accurate nor very helpful.

>> I happen to run the registry for seneca.ny.us, watkins-glen.ny.us and other local places and it seems fine to me.  Can you give some examples?
>
> Mine wasn’t a good example. There are a few public suffixes that have more than 5 labels. Presumably that means there are registered domains that are 6 levels down, and my reading of the tree walk is that a policy published there would never be seen. But who knows if they’re actually sending email.

There aren't any in the PSL.  That's where the limit of 5 came from. 
We've had people say there are deeper ones; if there are it wouldn't be 
hard to bump up the limit from 5 to whatever.

>>> Side note: I got well into this document before I realized that DMARC is publishing an assertion of being a public suffix. Some mention of that belongs back in the introduction.
>>
>> A what?  It's only using PSDs as a way to figure out the org domain.  We certainly don't expect other users of the PSL to switch.
>
> Maybe there should be an admonition to say that other applications MUST NOT use a psd=y record for anything.

I really don't want to get into speculation about what people might do 
wrong and tell them not to do that.  Our job is to tell people how to 
interoperate -- if you do what the spec says, it'll work.

>>> 4.7 DMARC policy discovery
>>> --------------------------
>>>
>>> Paragraph 3: “domain does not exist”: How is that determined, NXDOMAIN, NODATA? What happens with SERVFAIL (e.g., DNSSEC problem) or no response? And if a domain really doesn’t exist, isn’t that a reason to reject “with prejudice”?
>>
>> As it says later, error handling is up to you.
>
> IMO the specification is incomplete if it doesn’t say how nonexistence is determined.

I'm pretty sure we went through that, and it's a quality of implementation 
issue.  If you get SERVFAIL, maybe you want to wait and see if it fixes 
itself, maybe you figure that if people want to get their mail delivered 
they should have working DNS.  I don't see how anything we said would make 
any real difference to interoperation, and in practice, the DMARC records 
tend to be pretty close to the MX records so it's unlikely that one would 
be broken and the other wouldn't.

>>> Paragraph 4 bullet 1: “syntactically valid”: It seems like there are a lot of URIs with valid syntax that would not make sense here. What if someone publishes [sip://example.org](sip://example.org) or [gopher://example.org](gopher://example.org)?
>>
>> Another self-inflicted wound, so we don't care.  I believe the report documents now say that only mailto: actually works.  I proposed an https method similar to what MTA-STS has but nobody was interested.  Considering how few people use https MTA-STS reports, it's hard to disagree.
>
> Maybe it should be limited to mailto: URIs unless someone publishes an extension to another URI scheme.

Look at the report drafts and see what you think.

>>> 11.4 Display Name Attacks
>>> -------------------------
>>>
>>> This goes to one of the overarching concerns I have about DMARC. I am getting lots of spam and phishing with plausible display names but obvious throwaway addresses controlled by attackers. “Further exploration…needs to be undertaken” is not a sufficient response IMO.
>>
>> I think we should take this section out.  There have been a lot of discussions at M3 about what to do about display name attacks and nobody has any idea beyond normal spam filtering.
>
> Strongly disagree. The Security Considerations section is specifically for describing relevant threats. The fact that nobody has any idea what to do about display name attacks is a specific reason why it should be included.

DMARC does one thing, deal with fraud in the domain on the From line.  The 
list of things it doesn't do is infinitely long, so I don't want to try to 
enumerate them.

R's,
John

v2.23.0 | Report a Bug | By Email