Re: [dmarc-ietf] New authentication method, DNSWL

[Scott Kitterman <sklist@kitterman.com>]

On Thursday, June 27, 2019 5:10:39 AM EDT Alessandro Vesely wrote:
> On Wed 26/Jun/2019 22:27:46 +0200 Murray S. Kucherawy wrote:
> > On Tue, Jun 4, 2019 at 4:01 AM Alessandro Vesely <vesely@tana.it> wrote:
> >> Appendix D1 of rfc7208 mentions DNSWL as a way to mitigate SPF's
> >> reject-on-fail.  The score attributed to the sender by a trusted DNSWL is
> >> also useful after DATA, thence the need to store that value for
> >> downstream filters.>>
> >> However, as an authentication method, a DNSWL TXT response can provide a
> >> domain name, which is possibly aligned with From:.  In that sense, this
> >> method might be of interest for this WG.  Probably not, but I felt
> >> compelled to make sure before trying independent submission.  (Already
> >> tried ART.)  The I-D is here:>>
> >> https://tools.ietf.org/html/draft-vesely-authmethod-dnswl> 
> > With my Designated Expert hat on and co-chair hat off, a procedural point
> > here:
> > 
> > The IANA registry for these is Expert Review, which means you don't have
> > to
> > publish an RFC to get it registered.  You can, but it's not necessary if
> > your registration request can sufficiently describe what you're doing. 
> > See
> > RFC8601 Section 6.2, fourth paragraph.
> 
> I just submitted the form attached.  This path seems to be quicker.  Thanks.
> 
> 
> Let me paste the parameters, for list readers, and point out that dnswl can
> yield a domain name like, e.g., policy.txt=example.com.  Whether the domain
> name alignment can be meaningful or not is the reason why this topic appears
> on this list.
...
> 
>    | ptype | Definition | Description                                  |
> 
>    +-------+------------+----------------------------------------------+
> 
>    | dns   | [this doc] | The property being reported belongs to the   |
>    | 
>    |       |            | Domain Name System                           |

Can we discuss this choice?  I know this has been implemented already, so I'm 
at least slightly reluctant to do the semi-standard lets rename existing stuff 
dance that the IETF often does, but I really don't like this.  There isn't an 
email authentication system out there that doesn't rely on DNS.  I think DNS 
as a ptype is way too broad.

Also, if I rsync a copy of the list and process it locally, is it still OK to 
use the dns ptype when there is no DNS involved?

What about something like extpolicy: The property reported relates to an 
external policy input?

Would you be willing to do something like that?  If so, I think we could also 
register dns, but with status of decprecated since it's in use and documenting 
in use stuff is good.  Then Courier can change at some point when it's 
convenient, but still be using a registered paramet.

Scott K