Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd

"Kurt Andersen (b)" <kboth@drkurt.com> Wed, 17 July 2019 20:15 UTC

From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Wed, 17 Jul 2019 13:14:54 -0700
Message-ID: <CABuGu1rSyifv0B9RtD3_R2ex-sh+nVrh4Q3H=kU=ZsDWzVRAgQ@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/H5yBgz6pBXFq-Mr2Rg9c-4RzJX0>

On Tue, Jul 16, 2019 at 10:07 PM Scott Kitterman <sklist@kitterman.com> wrote:

>
> Updated rfcdiff attached.  The only change other than typos is to add
> mention of 'np' to Appendix A.
>

Having reviewed the thread and the diff insofar as it pertains to the "np"
tag, I'm in favor of the "np defaults to sp" approach.

Generally, I think that the proposed text works, but have two concerns:

Firstly, I'm a little concerned with the sentence which says 'Note that
"np" will be ignored for DMARC records published on subdomains of
Organizational Domains and PSDs due to the effect of the DMARC policy
discovery mechanism described in DMARC [RFC7489] Section 6.6.3.' I don't
think that is an accurate portrayal. When DMARC evaluation libraries are
updated to do both PSD lookups and handle the np tag, I would expect the
presence of np tags below the PSD level would be processed exactly the way
that any other tag in a DMARC record is processed. np will only be ignored
(per the terms of the DMARC spec) when it is an "unrecognized" tag. I
realized that this text is sort of picked up from the current description
of "sp", but the inclusion of "and PSDs" makes it inaccurate. You can't
publish an np record on a non-existent Org domain or any subdomain thereof
:-)

Secondly, I think that we need to update the "p" and "sp" descriptions in
both 7489 sections 6.3 & 11.4:

   - p --> 'Policy applies to the domain queried and to subdomains, unless
   subdomain policy is explicitly described using the "sp" tag.' change to
   'Policy applies to the domain queried and to subdomains, unless subdomain
   policy is explicitly described using the "sp" or "np" tags.'
   - sp --> 'Requested Mail Receiver policy for all subdomains
   (plain-text; OPTIONAL).  Indicates the policy to be enacted by the Receiver
   at the request of the Domain Owner.  It applies only to subdomains of the
   domain queried and not to the domain itself.' change to 'Requested Mail
   Receiver policy for all subdomains (plain-text; OPTIONAL).  Indicates the
   policy to be enacted by the Receiver at the request of the Domain Owner.
   It applies only to subdomains of the domain queried if they exist or if
   there is not an "np" tag published. "sp" does not apply to the domain
   itself.'

--Kurt
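The p/sp/np selection rules described in the proposed text above, as an added Python example (not from the thread, the draft, or any DMARC library); whether a subdomain exists is taken as a parameter rather than resolved via DNS, and the record value is constructed:

```python
# Added example: applies the p / sp / np semantics as proposed in the message
# above (not code from the thread or from any DMARC implementation).
#   - the domain queried itself always gets "p" (sp and np never apply to it);
#   - an existing subdomain gets "sp" if present, else "p";
#   - a nonexistent subdomain gets "np" if present, else "sp", else "p"
#     ("np defaults to sp", and sp in turn defaults to p).
# np_supported=False models an evaluator for which np is an unrecognized tag,
# the only case in which np is ignored. Existence is a parameter here; a real
# evaluator would derive it from an NXDOMAIN answer (assumption).

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; sp=none' into a tag -> value dict.

    Unrecognized tags are kept (callers ignore them); on duplicate tags the
    first occurrence wins.
    """
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip().lower() not in tags:
            tags[name.strip().lower()] = value.strip()
    return tags


def effective_policy(record: dict, is_subdomain: bool,
                     subdomain_exists: bool, np_supported: bool = True) -> str:
    """Return the policy a receiver would enact for the queried name."""
    p = record.get("p")
    if p not in VALID_POLICIES:
        raise ValueError("record has no valid p tag")
    if not is_subdomain:
        return p
    sp = record.get("sp") if record.get("sp") in VALID_POLICIES else p
    if not subdomain_exists and np_supported:
        np = record.get("np")
        if np in VALID_POLICIES:
            return np
    return sp


# Constructed sample record for the walkthrough.
SAMPLE = "v=DMARC1; p=none; sp=quarantine; np=reject; rua=mailto:rua@example.com"


def demo() -> dict:
    rec = parse_dmarc_record(SAMPLE)
    return {
        "org_domain": effective_policy(rec, False, True),
        "existing_sub": effective_policy(rec, True, True),
        "nonexistent_sub": effective_policy(rec, True, False),
        "nonexistent_sub_no_np": effective_policy(rec, True, False, False),
    }
```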