Re: [dmarc-ietf] Nitpicky questions about DMARC record syntax

Grant Taylor <gtaylor@tnetconsulting.net> Thu, 17 January 2019 16:10 UTC

Return-Path: <gtaylor@tnetconsulting.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A772C130E83 for <dmarc@ietfa.amsl.com>; Thu, 17 Jan 2019 08:10:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tnetconsulting.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qba-8L7T53kk for <dmarc@ietfa.amsl.com>; Thu, 17 Jan 2019 08:10:39 -0800 (PST)
Received: from tncsrv06.tnetconsulting.net (tncsrv06.tnetconsulting.net [IPv6:2600:3c00:e000:1e9::8849]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47977130E11 for <dmarc@ietf.org>; Thu, 17 Jan 2019 08:10:39 -0800 (PST)
Received: from Contact-TNet-Consulting-Abuse-for-assistance by tncsrv06.tnetconsulting.net (8.15.2/8.15.2/Debian-3) with ESMTPSA id x0HGAaii026446 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <dmarc@ietf.org>; Thu, 17 Jan 2019 10:10:38 -0600
ARC-Filter: OpenARC Filter v0.1.0 tncsrv06.tnetconsulting.net x0HGAaii026446
Authentication-Results: tncsrv06.tnetconsulting.net; arc=none header.d=tnetconsulting.net
ARC-Seal: i=1; a=rsa-sha256; d=tnetconsulting.net; s=2015; t=1547741438; cv=none; b=UF7Imq3yxkBpdr+SHjIBsfx3Z5O8sDfkKMsDjLMWTaSNrAZLfM52eQzvLj0/eLbAGmQpthdu+pDSLT19r+CW2Sy9QtXTeQdIyPHSZXljWTqm9wdL5OUJJK5SRmIww5lLFjENZ6eUxs+lQUK7vcUQBHYQhcYw/EFQk2oswRiJblE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=tnetconsulting.net; s=2015; t=1547741438; c=relaxed/simple; bh=M5KhTEQP8DTTxXsg3VoWicLV3Mnh8Y6kxIUBJJxgk5g=; h=DKIM-Signature:Subject:To:From:Message-ID:Date:User-Agent: MIME-Version:Content-Type; b=Mqa5UzT5Its7qjf02dG44opgOU8E3ib2zciCnY5wiZMBgXEaOKvDiSFVQTn+2e7p5jP1mS/6s5cJtbXiuUhZ1d4LKC1yvYPqWTKV/warUuzL0PHLrdhv2X/wbmSLVUYSoT2mh+C9odIZMQKGEShCwEL/P0Zb7uvFC6m0pBjNvZQ=
ARC-Authentication-Results: i=1; tncsrv06.tnetconsulting.net; none
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=tnetconsulting.net; s=2015; t=1547741438; bh=M5KhTEQP8DTTxXsg3VoWicLV3Mnh8Y6kxIUBJJxgk5g=; h=Subject:To:References:From:Message-ID:Date:User-Agent: MIME-Version:In-Reply-To:Content-Type:Cc:Content-Disposition: Content-Language:Content-Transfer-Encoding:Content-Type:Date:From: In-Reply-To:Message-ID:MIME-Version:References:Reply-To: Resent-Date:Resent-From:Resent-To:Resent-Cc:Sender:Subject:To: User-Agent; b=B/fpIYt6ABY0/aUt872+R//GgkPVWMFJO4OIGFfMBGPZ98Mf7MYJ/4lzAHQdcGlne bpqoWUmGCCbSf03Mm20M9dcRJlbDQxMDP5W9ZyBcClsg20ZB2YyvSmZM54D8xKAgv7 oyRXswK2R0mZuO0qE2HEfXppnhwj5gGSi+tDAVRw=
To: dmarc@ietf.org
References: <20190116005804.A0A80200CACDA9@ary.qy> <b6d9024b-8a88-66fb-cfe7-800ee463c01c@gmail.com> <alpine.OSX.2.21.1901161029520.36401@ary.qy> <babe5ec6-9ceb-c7e1-1758-8dc20d116b55@gmail.com> <alpine.OSX.2.21.1901161050550.36401@ary.qy> <CABuGu1oqy8NxfpCZOu0v-z2D2MmZUfD43B3diGZ0xQtNwPD8EQ@mail.gmail.com> <alpine.OSX.2.21.1901161222030.38502@ary.qy> <11a5d635-a16b-17b9-0ba6-7713b8f169e2@spamtrap.tnetconsulting.net>
From: Grant Taylor <gtaylor@tnetconsulting.net>
Organization: TNet Consulting
Message-ID: <43ae9a84-75e3-1292-d3f4-68f3a74458a3@spamtrap.tnetconsulting.net>
Date: Thu, 17 Jan 2019 09:10:36 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <11a5d635-a16b-17b9-0ba6-7713b8f169e2@spamtrap.tnetconsulting.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms090504050704080902080409"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/69fHw5Vs_wMzrhHFxGfjEKLr-EM>
Subject: Re: [dmarc-ietf] Nitpicky questions about DMARC record syntax
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 16:10:42 -0000

On 01/16/2019 11:34 AM, Grant Taylor wrote:
> However I feel like rejecting things because of additional white space 
> (in front of v=...) or the wrong case is being a little bit pedantic.
> 
> Rather, I think that if removing a spurious / leading space or folding 
> case causes the DMARC record to be valid, it behooves us to tolerate 
> such minor errors.
> 
> I don't want to be so pedantic that people push back on adopting what I 
> (and I assume others) think is a good technology.
> 
> Is doing so against the letter of the specification, absolutely.  Is it 
> within the spirit of the specification, I think so.

I've seen a number of intriguing, if not compelling, replies in this 
thread, some of which have changed my thinking somewhat.

I now concede accommodating a leading space is questionable.

However I still feel like /requiring/ exact case is contrary to the idea 
of "Be liberal in what you accept and conservative in what you send."

I don't see any security implications in accepting the following:

dmarc-version = ("v" / "V") *WSP "=" *WSP
                ("D" / "d") ("M" / "m") ("A" / "a")
                ("R" / "r") ("C" / "c") "1"

I agree that this is contrary to the letter of the specification. 
However I think it is completely within the spirit.  Especially when 
dealing with DNS data which is inherently / invariably human-entered.

I don't (yet) see any security implications of accepting improper case 
record data for the dmarc-version *IF* that is the /only/ TXT record at 
a given QName that is DMARC related.  -  If there are multiple DMARC 
records, especially if they are conflicting, strictly adhere to the 
standard.

I'm curious if anyone sees any security implications with the above 
dmarc-version.

This is me trying to learn and understand.  I'm not trying to argue one 
way or the other.



-- 
Grant. . . .
unix || die
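An added example, not code from the post above or from any DMARC implementation, that makes the two readings concrete. `parse_record` checks the version tag either strictly (RFC 7489 section 6.4 spells the value as %x44 %x4d %x41 %x52 %x43 %x31, so "DMARC1" is case-sensitive, while the tag name "v" is an ABNF quoted string and therefore already case-insensitive) or with the case-folded ABNF proposed in the message; `discover_policy` applies the message's rule that case-folding is allowed only when the TXT RRset holds exactly one DMARC-looking record and otherwise falls back to the standard. The function names, the reading of "DMARC related" as "first tag is a version tag in any case", and the sample RRsets are assumptions and constructed data, not real DNS answers.

```python
"""Strict vs lenient handling of the DMARC version tag (added example)."""
import re

# RFC 7489 section 6.4: value "DMARC1" is given in hex, so it is case-sensitive;
# the tag name "v" is an ABNF quoted string and matches "V" as well.
# *WSP is permitted on either side of "=".
STRICT_VERSION = re.compile(r'^[vV][ \t]*=[ \t]*DMARC1$')

# The relaxed form proposed in the message: fold case on the value too.
LENIENT_VERSION = re.compile(r'^v[ \t]*=[ \t]*DMARC1$', re.IGNORECASE)

# Used only to count how many TXT records at the QName look DMARC-related.
# Assumption: "DMARC related" means the first tag is a version tag in any case.
DMARC_LIKE = re.compile(r'^v[ \t]*=[ \t]*DMARC', re.IGNORECASE)


def parse_record(record, lenient=False):
    """Return {tag: value} for an acceptable record, or None.

    The version tag must be the first tag.  Leading whitespace before "v" is
    rejected in both modes (the leading-space case the message concedes).
    """
    first, *rest = record.split(';')
    version_re = LENIENT_VERSION if lenient else STRICT_VERSION
    # dmarc-sep allows WSP before ";", so trailing blanks on a tag are fine,
    # but nothing may precede the "v".
    if not version_re.match(first.rstrip(' \t')):
        return None
    if rest and rest[-1].strip(' \t') == '':
        rest.pop()                      # a single trailing separator is allowed
    tags = {'v': 'DMARC1'}              # canonical spelling once accepted
    for raw in rest:
        name, eq, value = raw.strip(' \t').partition('=')
        name = name.strip(' \t')
        if not eq or not name:
            return None                 # empty or malformed tag: ignore the record
        tags[name] = value.strip(' \t')
    return tags


def discover_policy(txt_records, lenient=False):
    """Select the DMARC record from a TXT RRset (RFC 7489 section 6.6.3 style).

    Records whose first tag is not a recognised version tag are discarded; if
    none or more than one remain, discovery fails and None is returned.  With
    lenient=True, case-folding applies only when exactly one DMARC-looking
    record is present; with two or more, the strict rule is used unchanged.
    """
    looks_dmarc = [r for r in txt_records
                   if DMARC_LIKE.match(r.split(';', 1)[0].rstrip(' \t'))]
    fold_case = lenient and len(looks_dmarc) == 1
    candidates = [p for p in (parse_record(r, fold_case) for r in txt_records)
                  if p is not None]
    return candidates[0] if len(candidates) == 1 else None


# Constructed sample RRsets for _dmarc.example.com (not real DNS data).
SAMPLE_RRSETS = {
    "exact":      ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "unrelated-txt-record-at-the-same-name"],
    "lower":      ["v=dmarc1; p=reject; rua=mailto:dmarc@example.com"],
    "spaced":     ["v = DMARC1 ; p=quarantine;"],
    "leading-ws": [" v=DMARC1; p=reject"],
    "two-cased":  ["v=dmarc1; p=none", "V=DMARC1; p=reject"],
    "two-valid":  ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
}


def label(result):
    """Human-readable summary of a discover_policy() result."""
    return result["p"] if result else "no policy"


if __name__ == "__main__":
    for name, rrset in SAMPLE_RRSETS.items():
        strict = discover_policy(rrset)
        loose = discover_policy(rrset, lenient=True)
        print(f"{name:11} strict={label(strict):10} lenient={label(loose)}")
```

Note what the "two-cased" RRset shows: because the message's rule reverts to the standard as soon as a second DMARC-looking record appears, the lowercase record is dropped and the correctly cased one is selected, so a stray mis-cased record cannot override a correct one; only when it is the sole record does leniency change the outcome.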