IETF Logo Mail Archive

Re: [dmarc-ietf] Thoughts on choosing N

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 16 April 2024 00:08 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0AB0C151061 for <dmarc@ietfa.amsl.com>; Mon, 15 Apr 2024 17:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QHzSPYHXcjhI for <dmarc@ietfa.amsl.com>; Mon, 15 Apr 2024 17:08:08 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C47EC14F6A8 for <dmarc@ietf.org>; Mon, 15 Apr 2024 17:08:08 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id 38308e7fff4ca-2d8b194341eso33992131fa.3 for <dmarc@ietf.org>; Mon, 15 Apr 2024 17:08:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713226087; x=1713830887; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=j3V9fzmWTnYL5BRqDnAbNaQhx8a9HTPeb3WT+OoAZ54=; b=KlrKiHdnDhoIwieP6vv2paQgNbnEkLVBkpOv6xZ2ayelwmw1ABPwspQ6miwmPSBNMg GGMed1//a4XLpH1vwqwDPRfscPTYwarchsarB6ODfhXKfQDM3RBSPGLtivMjrzEtlzZG BQ1f/eesIKegP7HVgA5G3PLrUBjpm/i4cqZLL43WhbReKM0W+Wmsyr6XGnoh9jK6Jhfg iigW+we+x4nDF+uwTTsfW8tN/V7N7gm8T/R409n9VQrDK9AB4rUtLLGnywLVhpDjEgzq j4gonv1WXJF89dQWbJOhc2ZLj5fxTe9GwPMroq9Ko7Jbqk0UlvBUHfe75d6v7JZ49Zzg 2Iqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713226087; x=1713830887; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=j3V9fzmWTnYL5BRqDnAbNaQhx8a9HTPeb3WT+OoAZ54=; b=bBgvbVjoAJVBEbW27NAjtdjNsNKsoVZThNGaaPJuWTTKjo/SjdljwEiRjwZxG2ZQ9w YtFTPec8K+t84Y5nRM73byuezTz8r2FtuISHNWgnkHDEBkpT5cSlIS95Mb6nTUpzvmwv 8q4rqBHIwWzx6NkJV/6XTS2XH2Bzb01zNL9gPirX+pAT4qsuAEVNQsYSEI1cP0sVoLtu iU7JMpB5qgwSifoPvdhPcom7p+qtR4L29sQ1AY3FaKs1N+oSTuphDq68IcTjrDxTUh4L 41T8Gbvxb1ipUOGPO6ZzPq82UC5c60SYkJ4ZrgyG1GJgCQis0aEsElZA/UZe5oOhpEnI VlTg==
X-Gm-Message-State: AOJu0YymGJ+LBSxDC9wMDRjs3mvVyNUAyQVtHbm3RAu3BE+vdXo8tiv0 YOq0dhcJcVdno4h7JVY3t+l2BxpelV5lPUbyxKOoNUfuB1xKS+RRQ/ZUgdoHh/mhkKicLXk8331 f6ODbLwWZb2HKM0WRqQV6fQMFQeXigQ==
X-Google-Smtp-Source: AGHT+IGdJy6+p84c4nibmYBoX84ogAxA0ZjFwa4x8GtSzZDNMlufK+lzK6NEXd0kEADqz0BhAVkJ6B1lqorfGfPpmEc=
X-Received: by 2002:a2e:a696:0:b0:2d8:c151:80ec with SMTP id q22-20020a2ea696000000b002d8c15180ecmr5798640lje.52.1713226086350; Mon, 15 Apr 2024 17:08:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAOZAAfPwJHKGyLjTkdGDqkMeK4RQX4Fj0rw-Upn0cLZ+cE74aA@mail.gmail.com> <2764165.rv8vZNihtd@zini-1880> <53f29df5-031a-8711-aed6-25c310f539a2@iecc.com> <8C54A48A-5665-41A1-B64F-93A39CF0B12C@kitterman.com> <CAL0qLwZ2TuV_EW6D9HZYwErmwL_n7q4ZKTEpHBZbyxnkKJ8m6w@mail.gmail.com> <CAH48ZfzckPscoSPUVEqy1WS71iAnKyj7gQVDOW4Hi=FXo0PzYg@mail.gmail.com> <a2bd52d6-7bb3-4526-a0d8-075f4ab44f33@tana.it> <92E339E5-0A4C-4929-A751-375B892C2C53@kitterman.com> <CAHej_8m8H2RRH2uMjtqgw7yf093a10do22swt0j0C-yCTNPL6A@mail.gmail.com>
In-Reply-To: <CAHej_8m8H2RRH2uMjtqgw7yf093a10do22swt0j0C-yCTNPL6A@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 15 Apr 2024 20:07:54 -0400
Message-ID: <CAH48Zfx-w5LWO5VuK2posywHRF8O1wijTk35H-01e3JaL=V5=A@mail.gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004c08b806162b88aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/4iwVKa5rhqAciYruef1dOxeXpPU>
Subject: Re: [dmarc-ietf] Thoughts on choosing N
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2024 00:08:12 -0000

Todd, can you clarify this?

N is not concerned with maximum labels on a subdomain.   We are interested
in the maximum length of an org domain used for relaxed alignment.

If this client wants to use level 7 as an org domain and apply relaxed
alignment for 8-label domains, then N needs to be 7.   If the client's
lowest-desired org domain is at or above 4-labels, then N=4 is sufficient.
Similarly, if the7-label domain only needs strict authentication, then N=7
is not needed.

Has this or another client genuinely chafed at the insufficient granularity
of the old PSL?


On Mon, Apr 15, 2024, 10:02 AM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> On Mon, Apr 15, 2024 at 7:58 AM Scott Kitterman <sklist@kitterman.com>
> wrote:
>
>>
>>
>> On April 15, 2024 11:43:08 AM UTC, Alessandro Vesely <vesely@tana.it>
>> wrote:
>> >On Mon 15/Apr/2024 13:16:50 +0200 Douglas Foster wrote:
>> >> Our original choice of N was based on the PSL.    The PSL could not
>> detect organizational boundaries could not boundaries below level 5,
>> because it had no entries longer than 5 labels, and we determined that the
>> 5-label entries were not used for mail.    Therefore, any increase in N is
>> new capability.   That new capability is probably desirable, but need not
>> be limitless.  Using an N of 8 introduces a lot of new capability.
>> >
>> >
>> >8 is not needed and not justified.  A mail site using 8 labels would
>> have troubles with the RFC 7489 version, which uses the PSL.  They'd have
>> to ask for PSL upgrades, right?
>> >
>> >Now, we can relax our ambition to be PSL-free and state N=max number of
>> labels of public suffixes used by mail.  Or we could put N in an IANA
>> registry that can be updated by expert review.  Such methods allow to have
>> N low enough, yet upgradable and equal for all (compliant) implementations.
>> >
>> >Otherwise we can drop the requirement that N be equal for all
>> implementations, and just make it configurable.  After all, it is an
>> anti-abuse measure, akin to SPF lookup limit.  We can also keep it fixed at
>> 5 and be sure that implementations will differ anyway.
>> >
>> Whatever we decide, I think it needs to be specified.  If N is whatever,
>> you will end up with difficult to troubleshoot interoperability issues when
>> various sites pick different values.
>>
>> I don't think we need to worry about revising it later.  In general, DNS
>> is getting wider (new TLDs), not deeper.
>>
>>
> An inspection of data collected by my employer reveals the longest
> observed RFC5322.From address to include seven labels in the domain part. I
> am not at liberty to reveal the specific domains due to customer privacy,
> but they're there.
>
> For a domain with seven labels, a.b.c.d.e.f.g, the Tree Walk as currently
> described would miss any DMARC policy records published at b.c.d.e.f.g and
> c.d.e.f.g.
>
> I would propose the following first draft of expository text regarding
> setting N at 8:
>
> The point of the Tree Walk is to allow for the publishing and discovery of
> DMARC policy records at any level in the DNS hierarchy that strikes a
> balance between what the domain registrant deems reasonable and what
> operational needs deem reasonable. The setting of N is done with an eye to
> putting a thumb on the scale on the side of operational needs, to guard
> against the truly silly or abusive cases with domain names with label
> counts in the dozens or even triple digits. Based on an observation at the
> time of publishing that RFC5322.From domains with seven labels were in
> active but uncommon use, eight was chosen as the value of N in order to not
> only accommodate for current usage but also to allow for a bit of future
> expansion of the depth of the name space used for RFC5322.From domains.
>
>
>
> --
>
> Todd Herr | Technical Director, Standards & Ecosystem
> Email: todd.herr@valimail.com
> Phone: 703-220-4153
>
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email