Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd

"Chudow, Eric B CIV NSA DSAW (USA)" <eric.b.chudow.civ@mail.mil> Tue, 16 July 2019 16:15 UTC

Return-Path: <eric.b.chudow.civ@mail.mil>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11F411208C4 for <dmarc@ietfa.amsl.com>; Tue, 16 Jul 2019 09:15:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mail.mil
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4USYkplxG50x for <dmarc@ietfa.amsl.com>; Tue, 16 Jul 2019 09:15:45 -0700 (PDT)
Received: from USAT19PA24.eemsg.mail.mil (USAT19PA24.eemsg.mail.mil [214.24.22.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B78691208C0 for <dmarc@ietf.org>; Tue, 16 Jul 2019 09:15:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.mil; i=@mail.mil; q=dns/txt; s=EEMSG2018v1a; t=1563293745; x=1594829745; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=C0D2eiy4HEqaQaNNZFx31eFtYcROabUEr8h9SMWWQWU=; b=gtwnMPG0VlAabW+/NpU2xHCR1FdRo11u3x1QHhNDHhCp07KHx4n5XXee JBxTKJbKmACcPDLIEbT0wAEcTbAgrMXh/vfmeSYcr29AHRBk2PbHeJdms j7P2xFpjVttc+/iITieHaQpKpOWY0XT9JLixS9SkY8ZotRC/doJWqi9yc AkDDOOMRnQGUFZw3DS1Q0kr6xftdP3Hg4ATHD7P0ktrguWmstZNk2ECZg lA4N07wt3wNZrNtJqAZ6Cd7kv2qtqOOSTrnzKzwd1RFAZHbP1yH2eavFd P/Iq45pdaeENPAPA1zcwqMbsQieADl1TYt7D8doFkVZg2uQ1lMxrIsxnn Q==;
X-EEMSG-check-017: 8544732|USAT19PA24_ESA_OUT05.csd.disa.mil
X-IronPort-AV: E=Sophos;i="5.63,498,1557187200"; d="scan'208,217";a="8544732"
Received: from edge-mech02.mail.mil ([214.21.130.230]) by USAT19PA24.eemsg.mail.mil with ESMTP; 16 Jul 2019 16:15:43 +0000
Received: from UMECHPAOR.easf.csd.disa.mil (214.21.130.161) by edge-mech02.mail.mil (214.21.130.230) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 16 Jul 2019 16:14:55 +0000
Received: from UMECHPA7D.easf.csd.disa.mil ([169.254.5.81]) by umechpaor.easf.csd.disa.mil ([214.21.130.161]) with mapi id 14.03.0439.000; Tue, 16 Jul 2019 16:14:54 +0000
From: "Chudow, Eric B CIV NSA DSAW (USA)" <eric.b.chudow.civ@mail.mil>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd
Thread-Index: AQHVObIrPnhyNfLOXkqHxVonBg/kBabNZIpTgAALRhg=
Date: Tue, 16 Jul 2019 16:14:54 +0000
Message-ID: <553D43C8D961C14BB27C614AC48FC0311CAA91FE@UMECHPA7D.easf.csd.disa.mil>
References: <CAL0qLwbbz_UhBLsURg=eXhRBC2g9OghiN==T9Uq9pFuLtd=b7w@mail.gmail.com> <CABuGu1rCF1C1rK9PpbEiDmP+85FvgB_aSuvieGL=hRcrFGXNBg@mail.gmail.com> <1958020.28HeBAo97T@l5580>,<4789054.Ip9ilXyiH0@l5580>
In-Reply-To: <4789054.Ip9ilXyiH0@l5580>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [214.21.97.89]
Content-Type: multipart/alternative; boundary="_000_553D43C8D961C14BB27C614AC48FC0311CAA91FEUMECHPA7Deasfcs_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/4zExZ7ROnOilsVOpGY0wBfqCWxg>
Subject: Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 16:15:48 -0000

I recently joined this working group from the United States Department of Defense (DoD), which runs the .mil TLD. We appreciate all the work that has been done so far on DMARC and are currently investing significant efforts to implement DMARC broadly across DoD domains.  We value and support this PSD DMARC draft and experiment and see how it will complement the existing DMARC effort for us and many others by being able to broadly apply DMARC at TLDs and PSDs when subdomains are missing their own DMARC records and for non-existent subdomains, which are significant gaps today.



I agree with the suggestion below that the default policy for non-existent sub-domains should be the domain's policy if the "np" tag is absent, rather than defaulting to the "sp" tag's policy.



A few minor suggestions:



In section 4, "requiremetns" should be "requirements".

In section 4.1, there is an extra "be", so "This leakage could be potentially be utilized ..." should be "This leakage could potentially be utilized ...".

In appendix B, "faciliate" should be "facilitate".



Sincerely,

-Eric

________________________________

Eric Chudow

DoD Cybersecurity Mitigations



________________________________
From: Alessandro Vesely <vesely@tana.it>;
Sent: Tue, 16 July 2019 14:53 UTC
To: dmarc@ietf.org
Subject: Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd


> Sorry for not contributing more to this thread - please don't take it as any indication of lack of interest. For UK NCSC specifically, I think we'd prefer NXDOMAIN rather than NODATA, given it's more constrained and this is an experiment. My view would be that if we've published a name under gov.uk, even with no valid (in the eyes of the receiver) associated records, then *someone* is responsible for it and we can go find and educate them. They may even believe they have a valid reason for doing so that may outweigh any email authentication concerns. But there's a conversation to be had. If there's no published name, then there's no-one responsible, so it should default to the top-level policy.

I agree that np should default to p.  The original wording for sp is also simpler than''If absent, the policy specified by the "sp" (if present) and then the "p" tag, if not, MUST be applied for non-existent subdomains.''  (BTW, mind that "sp" instead of "np" in the new tag's definition.)