Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

Tim Wicinski <tjw.ietf@gmail.com> Thu, 14 March 2024 20:50 UTC

From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 14 Mar 2024 16:50:23 -0400
Message-ID: <CADyWQ+HyY1LSv6gJ7PfOj_AHudk033UWv_GaMOFvD5EsGxCuLw@mail.gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7JmHjD7y9wdKeZEIrERTolJqsrQ>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

There are folks who publish NS records at _dmarc.example.com that point to
some super fancy DNS service that returns DMARC TXT records.

tim


On Thu, Mar 14, 2024 at 4:19 PM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> Colleagues,
>
> There was a discussion among M3AAWG members on March 13 that centered on
> the question of whether DMARC records can be published in DNS as CNAMEs,
> e.g.,
>
> _dmarc.example.com IN CNAME _dmarc.example.org
>
> _dmarc.example.org IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org;"
>
> Section 3.6.2 of RFC 1034 seems to indicate that it is permissible to
> publish DMARC records in this fashion, and describes the following scenario
> using a CNAME record and an A record:
>
> For example, suppose a name server was processing a query with for
> USC-ISIC.ARPA, asking for type A information, and had the following
> resource records:
>
> USC-ISIC.ARPA   IN      CNAME   C.ISI.EDU
> C.ISI.EDU       IN      A       10.0.0.52
>
> Both of these RRs would be returned in the response to the type A query,
> while a type CNAME or * query should return just the CNAME.
>
> I recommend adding a paragraph to DMARCbis, section 5.1 DMARC Policy
> Record at the end of that section that reads:
>
> Per RFC 1034 section 3.6.2, a DMARC record MAY be published as a CNAME
> record, so long as the corresponding canonical name ultimately resolves to
> a TXT record so as to ensure that queries of type TXT return a DNS RR in
> the expected format.
>
> Issue 136 has been opened for this.
>
> --
>
> Todd Herr | Technical Director, Standards & Ecosystem
> Email: todd.herr@valimail.com
> Phone: 703-220-4153
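To show what a receiving MTA actually does with the CNAME arrangement Todd describes, and the two ways such a chain fails (a target with no TXT record, and a CNAME loop), here is an added Python example that is not part of this thread or of any DMARC implementation. It uses a constructed in-memory zone in place of live DNS; the depth limit and the helper names are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed in-memory zone standing in for live DNS. Names are RFC 2606
# example domains, not real deployments. Owner name -> list of (rrtype, rdata).
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "_dmarc.example.com": [("CNAME", "_dmarc.example.org")],
    "_dmarc.example.org": [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org;")],
    "_dmarc.example.net": [("CNAME", "_dmarc.example.net")],      # constructed CNAME loop
    "_dmarc.dangling.example": [("CNAME", "nowhere.example")],     # target has no TXT
}

MAX_CNAME_DEPTH = 8  # assumed limit; real resolvers also cap chain length

def lookup_txt(name: str, zone=ZONE) -> Optional[List[str]]:
    """Return the TXT rdata for `name`, following CNAMEs the way RFC 1034
    section 3.6.2 describes. None means the chain ended without a TXT
    record, looped, or exceeded the depth limit."""
    seen = set()
    current = name.lower().rstrip(".")
    for _ in range(MAX_CNAME_DEPTH):
        if current in seen:
            return None                      # CNAME loop
        seen.add(current)
        rrset = zone.get(current, [])
        txt = [rdata for rtype, rdata in rrset if rtype == "TXT"]
        if txt:
            return txt
        cname = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cname:
            return None                      # neither TXT nor CNAME at this name
        current = cname[0].lower().rstrip(".")
    return None                              # chain too long

def fetch_dmarc_policy(domain: str, zone=ZONE) -> Optional[Dict[str, str]]:
    """Resolve _dmarc.<domain>, keep only records starting with v=DMARC1,
    and parse the tag=value pairs. None means no usable policy: a dangling
    CNAME, a loop, or zero/multiple DMARC records all look alike to the receiver."""
    records = lookup_txt(f"_dmarc.{domain}", zone) or []
    dmarc = [r for r in records if r.strip().startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return None
    tags: Dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags
```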