IETF Logo Mail Archive

Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-failure-reporting-04.txt

Alessandro Vesely <vesely@tana.it> Thu, 18 August 2022 17:44 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14432C1522CC for <dmarc@ietfa.amsl.com>; Thu, 18 Aug 2022 10:44:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b=fm/ki5id; dkim=pass (1152-bit key) header.d=tana.it header.b=AjHwQp5U
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VXoMTZK5Malk for <dmarc@ietfa.amsl.com>; Thu, 18 Aug 2022 10:43:57 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91F61C1522C1 for <dmarc@ietf.org>; Thu, 18 Aug 2022 10:43:55 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1660844633; bh=qq0Olz7jMQPUb2UwxXqlHBY91IDw4S3BXUEeQl7UpiM=; h=Date:Subject:To:References:From:In-Reply-To; b=fm/ki5idPvYqV5StNnQjwU0nmKcTxw/jC/Ikmv7t/oNWdWgvfW/RbntT+utL6O77Z oBWPfm9MhihGUDo9b2wAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1660844633; bh=qq0Olz7jMQPUb2UwxXqlHBY91IDw4S3BXUEeQl7UpiM=; h=Date:To:References:From:In-Reply-To; b=AjHwQp5UzA3j6Z5N6mkDDhwJYt0a8anqEdGTrO8MOQlS01L3CTg/ePOuK9ALkAVXh CmbiinxCfpelJa4Wrzr2t4ednwpiHu/NlvJdF4DVW9SZok2nuc425J1nX37RvXOgQ1 Mw7/A9j+az2XEnkrBnRG5Wbt1DUradx1omN2qoQtuYv4FA39P5+aBVfwuFW0w
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0C3.0000000062FE7A59.00005896; Thu, 18 Aug 2022 19:43:53 +0200
Message-ID: <b944c8d6-76ac-7c3d-8395-c5aaae4a834c@tana.it>
Date: Thu, 18 Aug 2022 19:43:52 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: dmarc@ietf.org
References: <20220817151234.7C48547E2C1D@ary.local> <2865425.PqQoGlAqvt@zini-1880>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <2865425.PqQoGlAqvt@zini-1880>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/CHIuuy9MfbojI_hnwY8u03B6U7c>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-failure-reporting-04.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2022 17:44:04 -0000

On Thu 18/Aug/2022 17:08:07 +0200 Scott Kitterman wrote:
> 
> I have similar concerns.  Thoughts on the changes in this revision:
> 
> I think adding the reference to Section 3.2 about external destination
> verification is good.
> 
> RFC 9091 says, "PSD DMARC feedback MUST be limited to Aggregate Reports."  I
> think that should be carried forward and so the SHOULD NOT consider RUF= tags
> should be MUST NOT and the bit after the comma (unless there are ...) needs to
> be deleted.


Done on Github copy.


> I agree that 'aggregation techniques' should be changed since there's no
> aggregation involved.  I don't love 'pruning', but I think it's better.


Better terms?


> I think the changes in the techniques list is problematic.  I don't see why
> sending a report to only the first recipient was dropped.


There is a paragraph a few lines above saying:

    Where multiple URIs are selected to receive failure reports, the
    report generator MUST make an attempt to deliver to each of them.

Isn't that the opposite of doing only the first recipient?  A generator cannot 
do both, unless it has a method to detect DDoS.


> I don't think it's appropriate to specify only sending debugging messages
> when there's no mechanism for identifying such messages.

Agreed.  I was thinking something like Subject: [DEBUG] ...  I'd drop that line 
if we're not willing to specify a mechanism.


> In any case, that's more of a privacy risk mitigation strategy than a denial
> of service mitigation. > Generally for denial of service mitigation during normal operations, debugging
> would be one of the first things to go.


Yes, but it's still a pruning technique, no?


> In 3.1 (1) I do not agree with the change to only require DKIM/SPF related
> fields on failure instead of when the message was signed by DKIM or has an SPF
> result.  In the case of partial failures, the information is useful.


None of the failures I received quotes my SPF record.  Albeit SPF actually 
failed, they only report dmarc failure (Auth-Failure: dmarc).  The spec 
suggests a generator can independently issue an SPF failure report.  Similar 
argument for DKIM.

I don't think we can convince those generators to include more data.  I'd 
rather accept current practices.


> Additionally, the limitation to aligned failures further excludes useful
> information.  The change in 3.1 (2) is also problematic as it is predicated on
> the changes in 3.1 (1).


That change was for clarity.  What does it mean "to produce an alignment"?  Did 
it fail or succeed?  Reporting both doesn't say much, it would always be spf, 
dkim, without telling which one verified or failed.


> I think redefining SPF-DNS is a horrible idea.  I agree that, in theory, the
> txt/spf distinction is no longer needed, this would complicate receive
> processing substantially (would need to be able to distinguish between the to
> field formats and to process both) for the very negligible benefit of saving a
> few bits on the wire.


Yes, I removed it in the Github copy.


> I think the 3.2 change to more fully describe the conditions for the external
> destination verification method is a good one.
> 
> For IANA considerations, I think updating the reference for Identity-Alignment
> to this document is correct.  I don't understand the need for a new
> Authentication Failure Types registry.  To the extent it may be a good idea, I
> think this is the wrong place to do it.  This kind of issue should be
> addressed by any RFC6591bis effort that may be done at some point in the
> future.


Having a place where all values are listed is somewhat practical, and may help 
making ARF less of a mess than it is.  I don't know if the bang is worth the buck.


> Related to the failure reporting discussion for PSDs above, the Privacy
> Considerations section of this draft needs to document the information leakage
> potential associated with failure reporting based on PSD records (which is why
> it needs to be a MUST NOT).


Should I add RFC6973 as an informative reference?



Best
Ale
--

v2.23.0 | Report a Bug | By Email