IETF Logo Mail Archive

Re: [dmarc-ietf] Thoughts on choosing N

Todd Herr <todd.herr@valimail.com> Wed, 17 April 2024 13:42 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 499C4C14F6A0 for <dmarc@ietfa.amsl.com>; Wed, 17 Apr 2024 06:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.086
X-Spam-Level:
X-Spam-Status: No, score=-7.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iJl22gtG5jEL for <dmarc@ietfa.amsl.com>; Wed, 17 Apr 2024 06:42:41 -0700 (PDT)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15C50C14F60E for <dmarc@ietf.org>; Wed, 17 Apr 2024 06:42:40 -0700 (PDT)
Received: by mail-yb1-xb34.google.com with SMTP id 3f1490d57ef6-dbed179f0faso551925276.1 for <dmarc@ietf.org>; Wed, 17 Apr 2024 06:42:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1713361359; x=1713966159; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=kCV0BNlVbgQNvuWBzemc3zAJKvnapphB3xgDYbDrlcw=; b=LSDcRfC18X7oY91ZvtmhXes/CeLWm/DIWV8aMX+cNyS1E4UaHhn/sZAx4ogoQyXVNq tF8mZDWofsvxhP5TsboqmRCoNB2JQo9emHLgGsgxjTh3wn3G7h8tIYZqhNtaD0ojsRQA grqEqm5nP3YrAz4AV1djHR+eZH6gBhaE5ALNls+jcZxV+7ESt8pf8K1kkGdjmFPMnczY wocjUu7vyWSo/O3786FvulKQTj4urgF4y252+h61Q8qPq27VOvHBcFX5m3NHzUPgTycz TS7qK3NvPbxnGTJbtAPu0de7HNLE77nQZyYntwX7zNlUS04I5uOmj2fLQ1Uvoo/Wsg3A ThSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713361359; x=1713966159; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=kCV0BNlVbgQNvuWBzemc3zAJKvnapphB3xgDYbDrlcw=; b=o+j/MwumsV5TDLwKBB1KCMP7ZYvMAnxTmD8tTkmipMErnRm9JQnKeSc2aJNVfP4LU5 C5nfoaR716m7IcLKwN9AUTQvFB7FuQadOTyYtJYs9JLxLx/kpkDtGUtjJrXh/ByNr/I/ iI9+HuwPPVIl1smZMV05ceg/AIShBluHxBVrWPmbfVJ235jTc8fzxBSRY0WKTYXR6lkP /vNLSDLKaza6+84WsBBt9sL94diXsX45oWJqXfPw1hpTAu9S7VQxRZ3tbPTH0vNcJW3x TOYa9cybwyM8xBq/Sii/aRMpavJCvkuqgGqj7/dVG5ne/3wANlMgZfJ9c0MQADm7hB06 M8eg==
X-Gm-Message-State: AOJu0YwjNKI9QlhChGcWus/yh/oObkoJIjdGX6OlS9Xq5InnRaQLCWKP PDmRedtHDJRN+aBVHfuJBIDyhAf+WwItRRcPFAh5vgQqBZJPqXxLVbNj0fJDe01QlAv0GMMhiL4 bVBrB8nXxLh7sWXZz01ijaanifm5M2+exIqCU5zH7HfGvyb+pykU=
X-Google-Smtp-Source: AGHT+IGtPNJlOolq0ysrZETNqIW3kK3vC34rNTnO2gCJDm2InIgMaKxgd1sm68W0FgYCiwhtqpK4oPP6mlspdfExFL4=
X-Received: by 2002:a25:1fc6:0:b0:dc2:3a05:489 with SMTP id f189-20020a251fc6000000b00dc23a050489mr4148399ybf.14.1713361359490; Wed, 17 Apr 2024 06:42:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAOZAAfPwJHKGyLjTkdGDqkMeK4RQX4Fj0rw-Upn0cLZ+cE74aA@mail.gmail.com> <CAH48Zfx-w5LWO5VuK2posywHRF8O1wijTk35H-01e3JaL=V5=A@mail.gmail.com> <CAHej_8kEFqDax7hrSmiDodE-kQf4K6JvinKDqFtqTZXb+g-uzA@mail.gmail.com> <2109607.sSyRYrMuh2@zini-1880>
In-Reply-To: <2109607.sSyRYrMuh2@zini-1880>
From: Todd Herr <todd.herr@valimail.com>
Date: Wed, 17 Apr 2024 09:42:23 -0400
Message-ID: <CAHej_8kHJU9_T4sf7aMAiD-qzmpH8KBOeN=fBawHCBNk2N5y3g@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="000000000000346ab506164b070a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Hpt7WcYcdqbUzC_s6Xv529ZxUm4>
Subject: Re: [dmarc-ietf] Thoughts on choosing N
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2024 13:42:45 -0000

On Wed, Apr 17, 2024 at 1:06 AM Scott Kitterman <sklist@kitterman.com>
wrote:

>
> I am confused.
>
> Under the current (7489) rules a record for _dmarc.c.d.e.f.tld won't be
> found
> either in this case.  Why do we need to support something that is
> currently
> unsupported?
>
> We picked n=5 to allow the current org level record to be detected by the
> tree
> walk.  It's true that the tree walk provides some additional flexibility
> for
> subordinate organizations within what we would call a DMARC org domain
> based
> on RFC 7489, but that was by no means anything we ever described as a
> feature
> or a goal.
>

I don't share your understanding here. I interpret some of the text of
https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/79, "Do
away with the PSL and Org Domain entirely; just walk the tree" to at least
imply that the tree walk was designed to provide this flexibility, to wit:

When DMARC was first developed, there was concern about DNS load and
needing to minimize DNS lookups. Operational expertise now shows that this
is no longer cause for concern.

Short circuiting a tree walk has led to many issues, like a reliance on the
PSL, complicated algorithms for Org Domain discovery, many types of domains
(PSDs, per https://tools.ietf.org/wg/dmarc/draft-ietf-dmarc-psd/) being
unable to utilize DMARC even though they wish to, and larger organizations
(such as universities and governments) that are comprised of
sub-organizations that use subdomains having material problems getting
everything authenticated.

All these issues disappear, and DMARC becomes a lot simpler conceptually,
if DMARC simply walks the DNS hierarchy for the exact sending domain down
to the TLD until it finds a DMARC record, and stops.

It's the second paragraph, specifically the "and larger organizations..."
bits to which I'm referring here.


> Even if some organizations have very deep DNS trees, the fact that some
> entity
> uses a.b.c.d.e.f.tld doesn't affect DMARC.  The record for the top level
> of
> their organization will still be found.
>
> In any case, any domain, at any depth in the tree can publish their own
> DMARC
> record if they need some special thing.  The value of N does not affect
> that at
> all.
>
>
Fair enough. You're correct that a DMARC policy can be published for any
specific domain used as the RFC5322.From domain, so perhaps a bit of text
in the Tree Walk section describing the really deep use case and
the solution for it might be a compromise.


-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.herr@valimail.com
Phone: 703-220-4153


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email