Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues

Seth Blank <seth@valimail.com> Tue, 02 March 2021 14:15 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE193A18BE for <dmarc@ietfa.amsl.com>; Tue, 2 Mar 2021 06:15:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpvuMyFsiqIZ for <dmarc@ietfa.amsl.com>; Tue, 2 Mar 2021 06:15:18 -0800 (PST)
Received: from mail-vs1-xe2b.google.com (mail-vs1-xe2b.google.com [IPv6:2607:f8b0:4864:20::e2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E73043A18B9 for <dmarc@ietf.org>; Tue, 2 Mar 2021 06:15:17 -0800 (PST)
Received: by mail-vs1-xe2b.google.com with SMTP id l192so10649831vsd.5 for <dmarc@ietf.org>; Tue, 02 Mar 2021 06:15:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HwQxYQOqC9s0IddDEQ/yI4kRUbsfvevigyhuV065t+Q=; b=fmZTkUURAaGfk1BDzsAKf1++v6HEn+3/HAG+ME7uxK/khZfU8yULNXXKWJVshSmIwP yidRNs7RhW97UlR0Oiceje/Pax5hS7POTZJiYpny24LKVSj3CrPeMIPb/ggf4UeFCir0 EGFE26Ni0gDlfZ/IjT6yhajLAGpI7xRig+iLl7yORXNJwm4zPiNT0nyNeYy+cZ9Tt7YZ SZINeyDUlLMc0MrPFCK0E9SGPNLxOJaFzj6ZLQomGBEoHot4ZPo4xG6CgY8ASscrN4Xo U9+ft40vs/nu7k+lrb3nDXte6BKoDrrxp6wr41/Jx85304W6BzG1eug5/jkgG7v2X0Ym IvRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HwQxYQOqC9s0IddDEQ/yI4kRUbsfvevigyhuV065t+Q=; b=OGrvmayOKN9qQqPiX9Emdnno7NTyB7u6G7PRRynTSfHeA/D8JJmgkPtyrEF/3ovk5x QYQJyqHK59p7s89rU8wjxhrZqUhjr+zNUYl9RwcmCA/lvYoHtrqN3wI2eU5kogxaRaBg v30aGxWdkGTeU/xDiwmLkxv2mnuW/ACHM4M/+IQrjqFV21YMBEppGRnTMbHlQzMLZUwM 9xG9s7/F4IozELYWs31srvTIy/50d4KOLht8RJ5kzxwQyEDrsKmF4wgs8RL2E2zQ8j0A o1sWJ+JaCsiGPOsRTMxiOGzl8y//0BMniPA9C6C4hqmUmgLJl/wFD1Wj94gxzPCQsPWv nMXw==
X-Gm-Message-State: AOAM533Gq/RQa2Gk05k7v3o6NORjh+JIyxZJXBi6a1NSPu7sBCtIx7Wd fKvjmdMRMTCef0q8xYTLiET8MoC8n/lHZYJMduUd+I+7BXk=
X-Google-Smtp-Source: ABdhPJwAsrd2wqLy5QrDvj9Bl5jP5PODJit5UIVFP+R7YyD6AD1ZZ+KAPt/j40HndVyzfEWpcP6GKaQ75mcpJTaMHEQ=
X-Received: by 2002:a67:c44:: with SMTP id 65mr2191501vsm.35.1614694515537; Tue, 02 Mar 2021 06:15:15 -0800 (PST)
MIME-Version: 1.0
References: <edfb0a04df4620f8b9f6eaa659923d02@jbsoft.nl> <1bdd6695-2198-2bcf-f9e2-33d43f9c2bf1@cert.ee> <DB7PR08MB3498C21C6CF8631243BEF4D8BB999@DB7PR08MB3498.eurprd08.prod.outlook.com> <CADyWQ+EWQ9wo5f1qyQJRatO=vxJhKON=f5=X7iH0=u7nbJHZ+Q@mail.gmail.com> <CAH48Zfw8+ZdrUmEFCAd210E6YUENJgYh_bpZa2qkpMWCHJFkrg@mail.gmail.com> <3175c61fbdb4d7b2509ced75b22a7faf@jbsoft.nl> <6a612ccf-2c34-45f4-94d9-4f4138461992@cert.ee>
In-Reply-To: <6a612ccf-2c34-45f4-94d9-4f4138461992@cert.ee>
From: Seth Blank <seth@valimail.com>
Date: Tue, 02 Mar 2021 06:15:03 -0800
Message-ID: <CAOZAAfMF2QDh9cerdhLyP8pSQDL0cK9wk2t6dx7-mdOMR9DdKw@mail.gmail.com>
To: Tõnu Tammer <tonu=40cert.ee@dmarc.ietf.org>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000000513bd05bc8e5d37"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/F4N6qFsuOAum0lYOBRNMUhZBojQ>
Subject: Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 14:15:21 -0000

I’ve seen CNAME for DMARC deployed frequently and without issue.

This should be completely transparent to most implementations, as whether
the record is TXT or CNAME, the same answer should be retrieved from DNS.

Let’s not conflate implementation issues with problems in the spec,
although I agree the spec should make it clear that CNAME is usable here.

I’ll poke the opendmarc bug on a different list.

Seth, with multiple hats

On Tue, Mar 2, 2021 at 05:47 Tõnu Tammer <tonu=40cert.ee@dmarc.ietf.org>
wrote:

> Current RFC does not mention CNAME and while, in theory, it should work,
> we have seen that it does not always do so. Therefore, I would also
> support explicitly mentioning CNAME in the RFC.
>
> It is true that people can make mistakes, but people already make typos
> and other mistakes; having CNAME added to the RFC would help where
> some service providers are managing DMARC via CNAME.
>
> Tõnu
> CERT-EE
>
> On 02.03.2021 14:09, jbouwh wrote:
> > L.S.
> > I would suggest updating the DMARC standard to make explicit how CNAME
> > can be used or not.
> > Beside of that, the opendmarc software should address this as a bug in
> > some way. Their opendmarc-check tool shows the correct policy that
> > fails from the opendmarc service when used on a CNAME-ed DMARC policy.
> > The usecase I have seen failing only was one CNAME level deep.
> > The failing mechanism in opendmarc for fetching the DMARC policy now
> > seems to lead to a 'none' policy.
> >
> > Regards, Jan
> >
> > Douglas Foster schreef op 2021-03-02 12:51:
> >> Because CNAME usage was not mentioned in the previous DMARC document,
> >> existing implementations may not have tested this configuration.   For
> >> the policy publishing organization, this increases the possibility
> >> that some recipients may treat the mail as not protected by DMARC.
> >> As with any deployment issue, the publishing organization has no
> >> reliable way to know if the deployment of DMARC implementations with
> >> full CNAME support is "essentially complete".  This uncertainty may be
> >> acceptable for some organizations, but may be an obstacle for others,
> >> depending on their motivations for implementing DMARC.
> >>
> >> On the implementation side, the use of CNAME will introduce the
> >> possibility of referral errors, which may or may not require
> >> mentioning in the DMARC specification, since such issues have probably
> >> been addressed in core DNS documents.   The issues that come to mind
> >> are:
> >> CNAME referrals to non-existent names
> >> Nested CNAME referrals (what depth is allowed?)
> >> CNAME referrals that produce loops or excessive nesting depth.
> >>
> >> DF
> >>
> >> On Tue, Mar 2, 2021 at 6:12 AM Tim Wicinski <tjw.ietf@gmail.com>
> >> wrote:
> >>
> >>> Using a CNAME at _dmarc.example should not be a problem, as long as
> >>> the CNAME target is a TXT record. The DNS resolver functions should
> >>> handle this seamlessly. This does sound like a vendor software
> >>> problem.
> >>>
> >>> I am aware of DKIM records being deployed using CNAMEs pointing to a
> >>> TXT record target.
> >>> Has anyone seen the above error condition when testing DKIM records?
> >>>
> >>>
> >>> This definitely sounds like an issue with the software.
> >>>
> >>> Nobody should shy away from publishing DMARC records that are CNAMEs
> >>> to DMARC
> >>> TXT records elsewhere. Using this design should be strongly
> >>> encouraged.
> >>>
> >>> tim
> >>> _______________________________________________
> >>> dmarc mailing list
> >>> dmarc@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/dmarc
> >> _______________________________________________
> >> dmarc mailing list
> >> dmarc@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dmarc
> >
> > _______________________________________________
> > dmarc mailing list
> > dmarc@ietf.org
> > https://www.ietf.org/mailman/listinfo/dmarc
>
> --
> Tõnu Tammer
> CERT-EE juht / Executive Director of CERT-EE
> Riigi Infosüsteemi Amet / Estonian Information System Authority
>
> Email: tonu@cert.ee
> Mobile: +372 53 284 054
> Web: https://cert.ee
>
> PGP:0x77A8997 / 9477 6B86 6A1E 849B C456  46D6 9CA8 9E41 77A8 997B
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
-- 

*Seth Blank* | VP, Product
*e:* seth@valimail.com
*p:* 415.273.8818


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
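Added example, not code from any participant in this thread and not opendmarc's code: a Python DMARC policy-discovery routine run over constructed, in-memory zone data instead of live DNS, so it runs offline. It follows a CNAME at _dmarc.<domain> to the TXT target the way Tim Wicinski describes, and handles the three hazards Douglas Foster lists (referral to a non-existent name, nesting depth, loops), plus the RFC 7489 section 6.6.3 rule that more than one valid record counts as none. The zone names, the depth cap of 8 and the chase_cnames=False mode are assumptions for illustration; that mode only shows how a client that inspects TXT RRs at the queried owner name alone ends up with no record, and says nothing about what the opendmarc bug's actual cause is. The organizational-domain fallback step of discovery is left out.

```python
"""DMARC policy discovery that follows CNAME chains.

Added example for this thread; constructed zone data stands in for DNS so it
runs offline. Names under .example / provider.example are made up."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed chain limit: RFC 7489 sets none; recursive resolvers cap chains themselves.
MAX_CNAME_DEPTH = 8

# Constructed zone: owner name -> list of (rrtype, rdata).
ZONE: Dict[str, List[Tuple[str, str]]] = {
    # the provider-template pattern discussed in the thread
    "_dmarc.example.com.": [("CNAME", "dmarc-template.provider.example.")],
    "dmarc-template.provider.example.": [("TXT", "v=DMARC1; p=reject; rua=mailto:agg@provider.example")],
    # nested referral: two CNAME hops before the TXT
    "_dmarc.nested.example.": [("CNAME", "hop1.provider.example.")],
    "hop1.provider.example.": [("CNAME", "hop2.provider.example.")],
    "hop2.provider.example.": [("TXT", "v=DMARC1; p=quarantine; pct=50")],
    # referral to a name that does not exist
    "_dmarc.dangling.example.": [("CNAME", "gone.provider.example.")],
    # referral loop
    "_dmarc.loop.example.": [("CNAME", "loop-b.provider.example.")],
    "loop-b.provider.example.": [("CNAME", "_dmarc.loop.example.")],
    # plain TXT, no CNAME
    "_dmarc.plain.example.": [("TXT", "v=DMARC1; p=none")],
    # two DMARC records: RFC 7489 s.6.6.3 says treat as no record
    "_dmarc.multi.example.": [("TXT", "v=DMARC1; p=reject"), ("TXT", "v=DMARC1; p=none")],
}


@dataclass
class TxtLookup:
    owner: str                                      # final owner name after CNAME chasing
    txt: List[str] = field(default_factory=list)    # TXT rdata at that owner
    chain: List[str] = field(default_factory=list)  # names visited, in order
    error: Optional[str] = None                     # None, "nxdomain", "loop" or "depth"


def resolve_txt(name: str, zone, max_depth: int = MAX_CNAME_DEPTH) -> TxtLookup:
    """Follow CNAMEs from `name` until a non-CNAME owner is reached and return its TXT RRs.
    A recursive resolver does this for you in real DNS; it is written out here so the
    three failure modes (dangling target, loop, excessive depth) are explicit."""
    chain: List[str] = []
    current = name
    while True:
        if current in chain:
            return TxtLookup(current, chain=chain + [current], error="loop")
        if len(chain) >= max_depth:
            return TxtLookup(current, chain=chain + [current], error="depth")
        chain.append(current)
        rrs = zone.get(current)
        if rrs is None:
            return TxtLookup(current, chain=chain, error="nxdomain")
        cnames = [rd for (rrtype, rd) in rrs if rrtype == "CNAME"]
        if cnames:  # a CNAME owner carries no other data (RFC 1034 s.3.6.2), so keep chasing
            current = cnames[0]
            continue
        return TxtLookup(current, txt=[rd for (rrtype, rd) in rrs if rrtype == "TXT"], chain=chain)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def dmarc_policy(domain: str, zone=ZONE, chase_cnames: bool = True) -> Optional[Dict[str, str]]:
    """Policy discovery for `domain` (RFC 7489 s.6.6.3, without the organizational-domain fallback).
    Returns the parsed record, or None when discovery finds no usable record.

    chase_cnames=False is a deliberately broken mode for illustration: it reads only TXT RRs at
    the queried owner name, so anything published behind a CNAME looks like 'no record'."""
    name = f"_dmarc.{domain.rstrip('.')}."
    if chase_cnames:
        result = resolve_txt(name, zone)
        if result.error is not None:
            return None
        txts = result.txt
    else:
        txts = [rd for (rrtype, rd) in zone.get(name, []) if rrtype == "TXT"]
    # keep only records that begin with v=DMARC1; more than one valid record means none is used
    candidates = [t for t in txts if t.startswith("v=DMARC1")]
    if len(candidates) != 1:
        return None
    return parse_dmarc(candidates[0])


if __name__ == "__main__":
    for d in ["example.com", "nested.example", "dangling.example", "loop.example", "plain.example", "multi.example"]:
        print(f"{d:18} chased={dmarc_policy(d)}  txt-at-owner-only={dmarc_policy(d, chase_cnames=False)}")
```

Running the module prints, per constructed domain, the policy found when the chain is chased beside the result of the owner-only mode; the CNAME-published domains come back as None in the latter, which is the "falls back to none" symptom Jan reports, while the dangling, looping and duplicate-record cases are rejected in both modes.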