Re: [dmarc-ietf] Issue opened: Use a four-valued token for the four roles of a DMARC policy
Scott Kitterman <sklist@kitterman.com> Mon, 29 August 2022 19:39 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25CB4C152705 for <dmarc@ietfa.amsl.com>; Mon, 29 Aug 2022 12:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=9PqzkdWL; dkim=pass (2048-bit key) header.d=kitterman.com header.b=FxsFGkQk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmLr9t_EGWxN for <dmarc@ietfa.amsl.com>; Mon, 29 Aug 2022 12:39:29 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69495C14CF1D for <dmarc@ietf.org>; Mon, 29 Aug 2022 12:39:29 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 58D07F80315 for <dmarc@ietf.org>; Mon, 29 Aug 2022 15:39:28 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1661801968; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=bLrH3Jy9I7z2OlyoWOVR+PsCRTZDbyHQyLiTRFtVCMo=; b=9PqzkdWLASuxcEB5xSoqR52oar3HYN4QSTSAp3SH6QCmLze9aMiQOVbfWpqc5I+dS4NJJ 34ovKcC6503NkiEAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1661801968; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=bLrH3Jy9I7z2OlyoWOVR+PsCRTZDbyHQyLiTRFtVCMo=; b=FxsFGkQkqhiV4MBRNWJr1+e9Y12dYLEW4PyXZAz6SrEggxcXzAX7DMZYUaO7jwyaB3GGL HcbpkGaa8SsmwbcGiDeMDmZGfff9aSCnARDgOYPwNkGxNy8mknxAYq5xjHlAmWwFIyeLJYf q0zLNt9K8V2FA6uqhyS45Yb0QMhlsP5sVBf1iwIhgiIfNG/O/9XOQ+36GvkI0AMktih6Gs7 gUkRyaapQjYqvBRoOjrH1Y2ShLR2GhKIdPqoIJNwjEMJSMp3LZvc/2PL854aj2QFkYurtlP d62wFGtgMrPb7Fcxcq3IjbGcdGz5EGFYBsV38UgpPKD99CYjOuxo1VA6wzrw==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 39B0CF80153 for <dmarc@ietf.org>; Mon, 29 Aug 2022 15:39:28 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Mon, 29 Aug 2022 15:39:28 -0400
Message-ID: <2862160.rLg0ATMPWF@zini-1880>
In-Reply-To: <CAHej_8k80ek4QEyfUEFJo_7K07HQ_N3vfmGM1oZ7h5HZoODwhA@mail.gmail.com>
References: <CAH48Zfy7hwRNsFbufA1nfFhC8takoipRY298oNO9RpHCaKuZaA@mail.gmail.com> <b541723f-2c34-fe87-111c-2d7641c818f6@tana.it> <CAHej_8k80ek4QEyfUEFJo_7K07HQ_N3vfmGM1oZ7h5HZoODwhA@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/B0jBOB0uFZjVKnpVm3MaFq98LL0>
Subject: Re: [dmarc-ietf] Issue opened: Use a four-valued token for the four roles of a DMARC policy
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2022 19:39:33 -0000
On Monday, August 29, 2022 1:54:31 PM EDT Todd Herr wrote: > On Mon, Aug 29, 2022 at 1:29 PM Alessandro Vesely <vesely@tana.it> wrote: > > Is it so? My understanding is that psd=y is ignored when it is the first > > step in a tree walk. That way you can have From: user@psd.example.com > > authenticated by d=example.com, or helo=mailout.example.com on a bounce. > > I'm curious as to why this is your understanding, because this is how the > psd tag and its value of y are currently described in section 5.2, DMARC > URIs: > > psd: > > A flag indicating whether the domain is a PSD. (plain-text; OPTIONAL; > default is 'u'). Possible values are: > y: > PSOs include this tag with a value of 'y' to indicate that the domain is a > PSD. If a record containing this tag with a value of 'y' is found during > policy discovery, this information will be used to determine the > Organizational Domain and policy domain applicable to the message in > question. > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-5 > .3-4.12.1> Meanwhile, the tree walk is described in section 4.6 in this way: > > The generic steps for a DNS Tree Walk are as follows: > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-4 > .6-5> > > 1. > > Query the DNS for a DMARC TXT record at the DNS domain matching the one > found in the domain(s) described above. A possibly empty set of records > is returned.¶ > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-> 4.6-6.1.1> 2. > > Records that do not start with a "v=" tag that identifies the current > version of DMARC are discarded. If multiple DMARC records are returned, > they are all discarded. If a single record remains and it contains a > "psd=n" tag, stop. > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-> 4.6-6.2.1> 3. > > Determine the target for additional queries (if needed; see the > note in Section > 4.8 > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#organiza > tional-domain-discovery>), using steps 4 through 8 below. > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-> 4.6-6.3.1> 4. > > Break the subject DNS domain name into a set of "n" ordered labels. > Number these labels from right to left; e.g., for "a.mail.example.com", > "com" would be label 1, "example" would be label 2, "mail" would be label > 3, and so forth. > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-> 4.6-6.4.1> 5. > > Count the number of labels found in the subject DNS domain. Let that > number be "x". If x < 5, remove the left-most (highest-numbered) label > from the subject domain. If x >= 5, remove the left-most (highest-numbered) > labels from the subject domain until 4 labels remain. The resulting DNS > domain name is the new target for subsequent lookups. > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-> 4.6-6.5.1> 6. > > Query the DNS for a DMARC TXT record at the DNS domain matching this new > target in place of the RFC5322.From domain in the message. A possibly > empty set of records is returned. > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-> 4.6-6.6.1> 7. > > Records that do not start with a "v=" tag that identifies the current > version of DMARC are discarded. If multiple DMARC records are returned > for a single target, they are all discarded. If a single record remains and > it contains a "psd=n" or "psd=y" tag, stop. > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-> 4.6-6.7.1> 8. > > Determine the target for additional queries by removing a single label > from the target domain as described in step 5 and repeating steps 6 and 7 > until the process stops or there are no more labels remaining. > > Step 2 seems to contain an implicit assumption that the first record > queried for will never contain "psd=y", but perhaps it should have as its > final sentence the same wording as step 7, i.e., "If a single record > remains and it contains a 'psd=n' or 'psd=y' tag, stop"? No. There's no reason for it and we've discussed this before. The reason to stop on psd=n is that it's an explicit statement that it's the org domain and that whatever is above it on the tree shouldn't be considered. That's not true for psd=y. Scott K
- [dmarc-ietf] Issue opened: Use a four-valued toke… Douglas Foster
- Re: [dmarc-ietf] Issue closed: Use a four-valued … John Levine
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Seth Blank
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Barry Leiba
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Scott Kitterman
- Re: [dmarc-ietf] Issue opened: Use a four-valued … John Levine
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Barry Leiba
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Dotzero
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Douglas Foster
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Barry Leiba
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Douglas Foster
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Scott Kitterman
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Douglas Foster
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Scott Kitterman
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Alessandro Vesely
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Todd Herr
- Re: [dmarc-ietf] Issue opened: Use a four-valued … John Levine
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Alessandro Vesely
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Scott Kitterman
- Re: [dmarc-ietf] Issue opened: Use a four-valued … Douglas Foster