Re: [dmarc-ietf] DNS library queries for DKIM and DMARC records?

Dave Crocker <> Sun, 14 April 2019 03:40 UTC

To: John Levine <>,
References: <20190414032049.113592011EB715@ary.qy>
From: Dave Crocker <>
Message-ID: <>
Date: Sat, 13 Apr 2019 20:40:41 -0700
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>

On 4/13/2019 8:20 PM, John Levine wrote:
> In article <> you write:
>> On 4/10/2019 8:37 PM, Scott Kitterman wrote:
>>>>>> print(response.additional)
>>> []
>> Turns out that's what I was especially hoping to see.
> As I understand it, your design depends on putting NXDOMAIN signals
> in the additional section to show that there aren't any boundaries
> between the names it returns.  How do you plan to do that?

John, I don't understand your note.

I don't know what you mean by "NXDomain signals" and I've no idea what
you mean by "show that there aren't any boundaries between the names it 

The latter sounds strange enough to make me suspect you read some draft
other than mine.

And just to add a bit of constraint, this sub-topic within the draft
concerns a possible means of getting some efficiency in a search.  It's 
offered as a discussion session in the larger spec.

Dave Crocker
Brandenburg InternetWorking