Re: [dmarc-ietf] New authentication method, DNSWL

"Murray S. Kucherawy" <superuser@gmail.com> Fri, 02 August 2019 06:18 UTC

To: Alessandro Vesely <vesely@tana.it>
Cc: IETF DMARC WG <dmarc@ietf.org>
Message-ID: <CAL0qLwZJ=1r8Za0G3AsxX-L00o4qukJFVATKQCwX9V7yE0v7xQ@mail.gmail.com>
In-Reply-To: <7a21b80b-e6bb-d8b9-cf63-601a8d1e47e7@tana.it>
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/CJzQN5C5ySK3zHIjfZuHU6eL9AE>

On Thu, Aug 1, 2019 at 9:32 AM Alessandro Vesely <vesely@tana.it> wrote:

> Let me narrate a use case.  Courier-MTA can be configured to reject on SPF
> -all early in the SMTP dialogue, except if whitelisted.  It writes SPF as
> well as dnswl results in the header, but does not interpret the policy.ip.
> Downstream filters can interpret the field based on the dns.zone.  I use
> that feature to pass messages tagged "Heuristic" by the antivirus filter
> if policy.ip has a positive trustworthiness.
>

I think this is a bit unusual, but RFC 8601 doesn't preclude it.  Seems to
me you're effectively throwing away the result, "pass" or "fail", if
downstream agents actually know more about the applied algorithm than the
border MTA adding it.


> Yes, the last paragraph is guidance about querying ANY.  It could go to an
> appendix or be struck, if we want to go through another revision.
>
> The first paragraph is about how DNSWLs may work.  RFC 5782 just says
> "DNSWLs MAY have a TXT record that describes the reason for the entry."  I
> agree it is slightly out of scope for registering the parameters.  OTOH,
> I'd like to know more DNSWLs in order to inform better on TXT record usage.
>

As long as the text is focused on the registration and not providing
opinion about RFC 5782, it's fine.  I'm not so sure where the current text
lands.

-MSK
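As an added illustration of the use case Alessandro describes and the point Murray raises (this is example code written for this page, not Courier-MTA code, not text from the draft, and not from either poster): a small downstream filter that parses an Authentication-Results field, accepts it only under its own authserv-id, and decides on the decoded policy.ip by dns.zone rather than on the dnswl result itself. The sample header value, the trusted authserv-id "mail.example.net", the antivirus tag names, and the 127.0.<category>.<trust> decoding attributed to list.dnswl.org are assumptions made for the example.

```python
"""Downstream interpretation of a "dnswl" Authentication-Results field.

Added example for the thread above: not Courier-MTA code and not text from
the draft. The sample header, the trusted authserv-id, the antivirus tag
names and the list.dnswl.org return-code decoding are assumptions."""

import re
from dataclasses import dataclass, field

# Constructed sample, as a border MTA might write it (assumption: the zone
# queried was list.dnswl.org and the A record returned was 127.0.10.2).
SAMPLE_AR = (
    'mail.example.net; dnswl=pass dns.zone=list.dnswl.org '
    'policy.ip=127.0.10.2 policy.txt="example.com https://dnswl.org/s/?s=123"'
)

# RFC 8601 tells consumers to act only on fields bearing their own
# authserv-id and to strip any others at the border. Assumed value.
TRUSTED_AUTHSERV_ID = "mail.example.net"


@dataclass
class MethodResult:
    method: str
    result: str
    props: dict = field(default_factory=dict)


# ptype.property=value, the value being a quoted-string or a bare token.
_PROP_RE = re.compile(r'(\w+)\.(\w+)=("(?:[^"\\]|\\.)*"|[^\s;]+)')


def parse_ar(value):
    """Return (authserv-id, [MethodResult, ...]) for a header value.
    Simplified RFC 8601 grammar: no comments, no authserv-id version,
    no ';' inside quoted strings."""
    parts = [p.strip() for p in value.split(';')]
    authserv_id = parts[0].split()[0]
    results = []
    for stanza in parts[1:]:
        if not stanza or stanza == 'none':
            continue
        head, *rest = stanza.split(None, 1)
        method, _, result = head.partition('=')
        props = {}
        for ptype, prop, val in _PROP_RE.findall(rest[0] if rest else ''):
            if val.startswith('"'):
                val = val[1:-1].replace('\\"', '"')
            props[f'{ptype}.{prop}'] = val
        results.append(MethodResult(method, result, props))
    return authserv_id, results


def dnswl_org_trust(ip):
    """Assumed decoding for list.dnswl.org: 127.0.<category>.<trust>,
    trust being 0 (none), 1 (low), 2 (medium) or 3 (high).
    Returns -1 for an address not in that shape."""
    octets = ip.split('.')
    if len(octets) != 4 or octets[:2] != ['127', '0'] or not octets[3].isdigit():
        return -1
    trust = int(octets[3])
    return trust if 0 <= trust <= 3 else -1


# Zones this filter knows how to decode; any other zone's policy.ip is
# opaque and must not be guessed at.
ZONE_DECODERS = {'list.dnswl.org': dnswl_org_trust}


def trustworthiness(header_value, trusted_id=TRUSTED_AUTHSERV_ID):
    """Decode policy.ip by dns.zone. Returns the trust level, 0 when there
    is no listing, or None when the field is foreign, has no dnswl result,
    or names a zone we cannot decode. As in the thread, the bare "pass" is
    not what the decision rests on."""
    authserv_id, results = parse_ar(header_value)
    if authserv_id != trusted_id:
        return None                     # forged or foreign field: ignore
    for r in results:
        if r.method != 'dnswl':
            continue
        if r.result != 'pass':
            return 0                    # not listed (or lookup error)
        decoder = ZONE_DECODERS.get(r.props.get('dns.zone'))
        if decoder is None:
            return None                 # unknown zone: code is opaque
        return decoder(r.props.get('policy.ip', ''))
    return None


def downstream_decision(header_value, av_tag):
    """The use case from the thread: an antivirus "Heuristic" tag (assumed
    tag names: None for clean, "Heuristic", anything else for a definite
    detection) is overridden only by positive trust in the listing."""
    if av_tag is None:
        return 'accept'
    if av_tag != 'Heuristic':
        return 'reject'                 # definite detections are never whitelisted
    trust = trustworthiness(header_value)
    return 'accept' if trust is not None and trust > 0 else 'quarantine'


if __name__ == '__main__':
    print(parse_ar(SAMPLE_AR))
    print(downstream_decision(SAMPLE_AR, 'Heuristic'))
```

The authserv-id check is the part a practitioner should not skip: without it, any sender can add an Authentication-Results field claiming dnswl=pass with a high-trust policy.ip and have the downstream filter wave a heuristic detection through. The per-zone decoder table is what makes the "throwing away the result" observation concrete: for a zone the filter does not know, the raw "pass" carries no usable meaning and the function returns None rather than guessing.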