Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

Mark Alley <mark.alley@tekmarc.com> Thu, 14 March 2024 20:28 UTC

Message-ID: <54b44e40-e298-432b-9fc0-1269a328ae58@tekmarc.com>
Date: Thu, 14 Mar 2024 15:28:11 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: dmarc@ietf.org
References: <CAHej_8kip_p+n56=Y5WuVG2M_+HXHj51fyY3k6dx-itJRZkCpQ@mail.gmail.com>
From: Mark Alley <mark.alley@tekmarc.com>
In-Reply-To: <CAHej_8kip_p+n56=Y5WuVG2M_+HXHj51fyY3k6dx-itJRZkCpQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Hnklqm0Gm2wBB1yC6NViL7uAOxc>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

If we need some real-world examples of this, I've got a few here:

_dmarc.oit.alabama.gov

_dmarc.tjx.com

_dmarc.walmart.com

_dmarc.novanta.com

- Mark Alley

On 3/14/2024 3:18 PM, Todd Herr wrote:
> Colleagues,
>
> There was a discussion among M3AAWG members on March 13 that centered 
> on the question of whether DMARC records can be published in DNS as 
> CNAMEs, e.g.,
>
>     _dmarc.example.com IN CNAME _dmarc.example.org
>
>     _dmarc.example.org IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org;"
>
> Section 3.6.2 of RFC 1034 seems to indicate that it is permissible to 
> publish DMARC records in this fashion, and describes the following 
> scenario using a CNAME record and an A record:
>
>     For example, suppose a name server was processing a query with for
>     USC-ISIC.ARPA, asking for type A information, and had the following
>     resource records:
>
>         USC-ISIC.ARPA IN CNAME C.ISI.EDU
>
>         C.ISI.EDU     IN A     10.0.0.52
>
>     Both of these RRs would be returned in the response to the type A
>     query, while a type CNAME or * query should return just the CNAME.
>
> I recommend adding a paragraph to DMARCbis, section 5.1 DMARC Policy 
> Record at the end of that section that reads:
>
>     Per RFC 1034 section 3.6.2, a DMARC record MAY be published as a
>     CNAME record, so long as the corresponding canonical name
>     ultimately resolves to a TXT record so as to ensure that queries
>     of type TXT return a DNS RR in the expected format.
>
> Issue 136 has been opened for this.
>
> -- 
>
> Todd Herr | Technical Director, Standards & Ecosystem
> Email: todd.herr@valimail.com
> Phone: 703-220-4153
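As an added example, not part of either message above, the following Python emulates the type TXT lookup the quoted RFC 1034 text describes, against a constructed in-memory zone rather than live DNS: a TXT query at `_dmarc.example.com` returns the CNAME followed by the TXT at the canonical name, and the DMARC record is then validated from that answer. A CNAME loop and a dangling CNAME are included as the failure cases a receiver has to handle; the `.test` names, the zone contents and the hop limit are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed in-memory zone (not live DNS). It mirrors the CNAME -> TXT layout
# quoted in the thread, plus a CNAME loop and a dangling CNAME as failure cases.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "_dmarc.example.com.": [("CNAME", "_dmarc.example.org.")],
    "_dmarc.example.org.": [("TXT", "v=DMARC1; p=reject; "
                                    "rua=mailto:dmarc-reports@example.org;")],
    "_dmarc.loop-a.test.": [("CNAME", "_dmarc.loop-b.test.")],
    "_dmarc.loop-b.test.": [("CNAME", "_dmarc.loop-a.test.")],
    "_dmarc.dangling.test.": [("CNAME", "_dmarc.nowhere.test.")],
}
MAX_CNAME_DEPTH = 8  # assumed hop limit: stop chasing CNAMEs after this many

def query_txt(name: str) -> List[Tuple[str, str, str]]:
    """Emulate a type-TXT query against ZONE. As RFC 1034 s3.6.2 describes,
    the answer carries the CNAME at the queried name followed by the TXT RRs
    at the canonical name; a loop or over-long chain simply ends the chase."""
    answer, hops = [], 0
    while hops <= MAX_CNAME_DEPTH:
        rrs = ZONE.get(name, [])
        target = next((rd for t, rd in rrs if t == "CNAME"), None)
        if target is None:
            answer += [(name, "TXT", rd) for t, rd in rrs if t == "TXT"]
            return answer
        answer.append((name, "CNAME", target))
        name, hops = target, hops + 1
    return answer  # chain never reached a non-CNAME name

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; ...' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def fetch_dmarc(domain: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (canonical name, tags) for the DMARC record of `domain`, or None
    when the lookup, directly or via CNAME, yields no single valid DMARC TXT."""
    answer = query_txt(f"_dmarc.{domain.rstrip('.')}.")
    records = [(owner, parse_dmarc(rd)) for owner, t, rd in answer
               if t == "TXT" and rd.lstrip().startswith("v=DMARC1")]
    # RFC 7489 s6.6.3: zero or multiple candidate records means no policy
    return records[0] if len(records) == 1 else None
```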