Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt

Scott Kitterman <sklist@kitterman.com> Wed, 20 April 2022 03:12 UTC

From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 19 Apr 2022 23:12:12 -0400
Message-ID: <4212228.nKx5ozAMXs@zini-1880>
In-Reply-To: <CAH48Zfx6K85_zUEZd15jMb7d=atXqkfZiUYRbnVr=VjpG0isjQ@mail.gmail.com>
References: <164925666278.4445.13789431014958416691@ietfa.amsl.com> <1763264.1lysBax9Yy@zini-1880> <CAH48Zfx6K85_zUEZd15jMb7d=atXqkfZiUYRbnVr=VjpG0isjQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/CurEYgmXMdfJCBm_ADWtpgzNKwc>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt

Thanks.  

I think this is pretty much the same list John published before.  I think 
there is a little bit of outreach to do while we're working on DMARCbis, but 
it's not a major issue.  Some of these are false positives.  As an example:

gov.scot
service.gov.scot

Are both on the PSL.  It's true that under the new tree walk approach other 
parts of the government of Scotland could impersonate service.gov.scot, but I 
don't think it's a major risk.

This is part of the reason I'd like to see the WG get an early assignment from 
IANA for the psd tag.  Once that's done, we (and I will work on this) can 
start contacting both the PSL and above PSL entities with DMARC records about 
updating them to use it.  In the meantime, any lower-level entity for these PSDs 
that has a problem would be able to publish psd=n and stop it.

Scott K
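As an added illustration of Doug's Concern 1 and Concern 2 and of the psd=n escape hatch mentioned above (example code added here, not the draft's algorithm and not code from authheaders), the model below walks a constructed DNS table. The tree walk is a simplified reading of the -07 discussion, and registry.example, its clients alice and bob, and every record are constructed; the psd=y "one label below" rule and the "topmost record wins" heuristic are assumptions.

```python
# Constructed DNS table: "_dmarc.<name>" -> TXT record. registry.example stands
# for a private registry on the PSL; its clients alice and bob publish nothing.
BASE_DNS = {"_dmarc.registry.example": "v=DMARC1; p=reject; adkim=r; aspf=r"}
MAX_LABELS = 5  # the "jump to 5" rule the thread discusses

def parse_record(txt):
    tags = {}  # split "k=v; k=v" into a dict of lower-cased tags
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags

def org_domain(domain, dns):
    """Simplified tree walk (assumption, not the draft's normative text): walk up,
    stop at psd=n, step back one label at psd=y, else keep the topmost record."""
    labels = domain.lower().split(".")
    if len(labels) > MAX_LABELS:
        labels = labels[-MAX_LABELS:]          # jump to 5: longer names are never queried
    names = [".".join(labels[i:]) for i in range(len(labels) - 1)]  # TLD itself skipped
    best = prev = None
    for name in names:
        txt = dns.get("_dmarc." + name)
        if txt is not None:
            psd = parse_record(txt).get("psd", "u")
            if psd == "n":
                return name                    # explicitly the organizational domain
            if psd == "y":
                return prev or domain.lower()  # org domain is one label below the PSD
            best = name                        # heuristic: the topmost record wins
        prev = name
    return best                                # None: no record reachable by the walk

def aligned(from_domain, auth_domain, dns, mode="r"):
    """Identifier alignment: strict is an exact match, relaxed is a shared org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    a, b = org_domain(from_domain, dns), org_domain(auth_domain, dns)
    return a is not None and a == b

def concern_1(dns=BASE_DNS):
    # Registry record without psd=y: a DKIM d=bob.registry.example aligns (relaxed)
    # with From: alice.registry.example because both resolve to registry.example.
    return aligned("alice.registry.example", "bob.registry.example", dns)

REGISTRY_FIX = {"_dmarc.registry.example": "v=DMARC1; p=reject; psd=y"}  # registry opts out
CLIENT_FIX = {**BASE_DNS, "_dmarc.alice.registry.example": "v=DMARC1; p=reject; psd=n"}

def concern_2():
    # A 6-label org domain publishing psd=n sits above the jump-to-5 cut and is missed.
    dns = {"_dmarc.c.d.e.f.g.example": "v=DMARC1; p=reject; psd=n"}
    return org_domain("a.b.c.d.e.f.g.example", dns)
```

Calling concern_1() with BASE_DNS, REGISTRY_FIX and CLIENT_FIX shows, in turn, the sibling pass Doug describes, the registry-side fix (psd=y) and the client-side fix (psd=n).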

On Tuesday, April 19, 2022 8:18:53 PM EDT Douglas Foster wrote:
> Scott asked for my list, so it is attached.   I walked up the tree from the
> private registries, then did a DNS lookup for a DMARC entry.
>  Consequently, the list shows the domains with DMARC policies, at whatever
> level, rather than the PSL entry itself.
> 
> Doug
> 
> 
> On Tue, Apr 19, 2022 at 12:00 AM Scott Kitterman <sklist@kitterman.com> wrote:
> > On Monday, April 18, 2022 10:14:37 PM EDT Douglas Foster wrote:
> > > Concern 1
> > > Of the several thousand private registry domains listed in the PSL, 45 have
> > > DMARC policies at or above the registry point.   40 of these 45 specify
> > > relaxed alignment for both DKIM and SPF.  Upon activation of the tree walk,
> > > these policies will be treated as organizational domains to any private
> > > registry clients that have not published their own psd=y policy.  Because
> > > of relaxed alignment, these private registry clients will be able to
> > > impersonate their siblings and parents and produce a DMARC result of PASS.
> > 
> > Please provide your list of ones you think might be problematic.
> > 
> > > Concern 2
> > > Since the longest current PSL entry has 5 segments, the longest
> > > organizational domain is 6 segments.   The "jump to 5" logic needs to be
> > > changed to "jump to 6".
> > 
> > What PSL entries that are 5 long are you worried about?  When we looked at
> > this before, 5 seemed sufficient.  Changing the number, now, isn't a big
> > deal.
> > 
> > > Concern 3
> > > The "psd=u" language is inconsistent.  Which is true?
> > > "This token indicates that this policy is not an organizational domain,
> > > the organizational domain is above this point"
> > > or
> > > "This token indicates no usable information, proceed with the heuristic to
> > > determine if this policy is the organizational domain"
> > 
> > It should be the latter.  If we're inconsistent, please propose corrected
> > text.
> > 
> > Scott K
> > 
> > > Doug Foster
> > > 
> > > On Sun, Apr 17, 2022 at 4:54 PM Scott Kitterman <sklist@kitterman.com> wrote:
> > > > I've finished going through this and also updated authheaders [1] to
> > > > match.  It now has a script called dmarc-policy-find which you can use to
> > > > determine the DMARC policy to be applied for a domain.  You can use RFC 7489,
> > > > RFC 7489 + RFC 9091, and DMARCbis-07.
> > > > 
> > > > It does currently cheat and assume psd=y is in the records for domains on
> > > > the PSD DMARC registry list, since no one has actually published that yet.
> > > > 
> > > > Scott K
> > > > 
> > > > [1] https://github.com/ValiMail/authentication-headers (also on pypi)
> > > > 
> > > > On Wednesday, April 6, 2022 12:27:04 PM EDT Scott Kitterman wrote:
> > > > > I believe it does.
> > > > > 
> > > > > Thanks,
> > > > > 
> > > > > Scott K
> > > > > 
> > > > > On April 6, 2022 2:53:59 PM UTC, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
> > > > > >I believe this rev has the proposed text that was submitted in various
> > > > > >messages in the thread titled "*5.5.4. Publish a DMARC Policy for the
> > > > > >Author Domain - dmarcbis-06"*
> > > > > >
> > > > > >On Wed, Apr 6, 2022 at 10:51 AM <internet-drafts@ietf.org> wrote:
> > > > > >> A New Internet-Draft is available from the on-line Internet-Drafts
> > > > > >> directories.
> > > > > >> This draft is a work item of the Domain-based Message Authentication,
> > > > > >> Reporting & Conformance WG of the IETF.
> > > > > >> 
> > > > > >>         Title           : Domain-based Message Authentication, Reporting,
> > > > > >>                           and Conformance (DMARC)
> > > > > >>         Authors         : Todd M. Herr
> > > > > >>                           John Levine
> > > > > >>         Filename        : draft-ietf-dmarc-dmarcbis-07.txt
> > > > > >>         Pages           : 62
> > > > > >>         Date            : 2022-04-06
> > > > > >> 
> > > > > >> Abstract:
> > > > > >>    This document describes the Domain-based Message Authentication,
> > > > > >>    Reporting, and Conformance (DMARC) protocol.
> > > > > >>    
> > > > > >>    DMARC permits the owner of an email author's domain name to enable
> > > > > >>    verification of the domain's use, to indicate the Domain Owner's or
> > > > > >>    Public Suffix Operator's message handling preference regarding failed
> > > > > >>    verification, and to request reports about use of the domain name.
> > > > > >>    Mail receiving organizations can use this information when evaluating
> > > > > >>    handling choices for incoming mail.
> > > > > >>    
> > > > > >>    This document obsoletes RFC 7489.
> > > > > >> 
> > > > > >> The IETF datatracker status page for this draft is:
> > > > > >> https://datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis/
> > > > > >> 
> > > > > >> There is also an HTML version available at:
> > > > > >> https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-07.html
> > > > > >> 
> > > > > >> A diff from the previous version is available at:
> > > > > >> https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-dmarcbis-07
> > > > > >> 
> > > > > >> Internet-Drafts are also available by rsync at rsync.ietf.org:
> > > > > >> :internet-drafts
> > > > > >> 
> > > > > >> _______________________________________________
> > > > > >> dmarc mailing list
> > > > > >> dmarc@ietf.org
> > > > > >> https://www.ietf.org/mailman/listinfo/dmarc