IETF Logo Mail Archive

Re: [dmarc-ietf] NXDOMAIN

Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 09 April 2021 13:49 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B6343A21D6 for <dmarc@ietfa.amsl.com>; Fri, 9 Apr 2021 06:49:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gMs4k_BTSObd for <dmarc@ietfa.amsl.com>; Fri, 9 Apr 2021 06:49:23 -0700 (PDT)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB5343A21D4 for <dmarc@ietf.org>; Fri, 9 Apr 2021 06:49:22 -0700 (PDT)
Received: by mail-ua1-x92f.google.com with SMTP id r20so1841557uam.6 for <dmarc@ietf.org>; Fri, 09 Apr 2021 06:49:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=UyeoonFpwrOyDDq7p8k/Nu8FEXCNVwa0NDTLCtnAoww=; b=ltvjgpYjKeYjQwQwvVeP2/unJvDMvx+8ypDFQJdqNf1M8t0L3fkT2cJ5Xm+v6UL6cH 7k34dHx+Ux6L5kK9po34/AewsV87dCn4+Nc6HMwqTzJWwPRFVJg2mPgi+8oVAs1C+uKq AIyXMDGudePDj4eZ/0HboVUMoiS6vROEWIdAJv1tzCIzj0mWMmMcOW40s7NfTh6qpVae LC6rYagXfkn42ecZ0D5k3x4Ayb/6/yaHQIttBg6feDm89VYByKknC1AVQQuYUH+ZtrNM sIknNfpeqWvfsNIsbqf8rzBRsqhlNcW3ZIOmLa5qNS3uWYv++3huJ4ZR3v45nSA2yLxl eh1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=UyeoonFpwrOyDDq7p8k/Nu8FEXCNVwa0NDTLCtnAoww=; b=RWf6gwAY+aqQtnk/NO7VjLwr6P3E0641pAkeWDyzCgU4K9sbzrC2yWKUhsQvH3zwb4 qSdEerqu8AK2d3wBE2VZk2GNM/a6D7aeLixb+xHsjWGSSRmqYq6FAamztV53OEhi/HOR ANbOYCacsdwQVrR9YkY/3eah+zvZ60yeZQe0tujX2t55neNIt5qmWnijNaNOVl8NaSHm xO+AzOSfIlNT4tdiI2FR7Bu13zwaiDEPDDiKCzLBXdHxfy9ietD5NQqGgxepeh8ODGML CySiXNBz/TW8S9HybEgBKrhpKoQA5dgJJcr6AF+baH/+mebNZIrz7XwoLjfM2n25VR3m bZtw==
X-Gm-Message-State: AOAM533tRUc8Z6WZarmfR0J/ubdWw+VWgxEKm+Cfu8Vn5lQWOYz4Wn1t p3vhdAp23WvXShAH/oQkajvaQ+SlvkNvsykR17rFdn2I
X-Google-Smtp-Source: ABdhPJxPiNMUsS6eEe9j32tFr7v4au8859e18dvA6mZFpIXCnnihYeLmiOHVMnEMdlzJUluGw3Huky+pym1zgnkTAHQ=
X-Received: by 2002:a9f:2c90:: with SMTP id w16mr10868970uaj.88.1617976160573; Fri, 09 Apr 2021 06:49:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwYr+w1hjV3Wez6xd96OmmXjYU3D=-4+2qfCxkQ5TVA+Ww@mail.gmail.com> <20210408182948.5E4AF7282ACE@ary.qy> <CAH48ZfxM5DgDds1-wHiXMSfSAoT3+rSL_L4wbADtLz=JQ9QU=w@mail.gmail.com> <CAHej_8kNa89c_wvo71Vd7as1SrF5xv0a78J0PVE5wyi-Ybizrg@mail.gmail.com>
In-Reply-To: <CAHej_8kNa89c_wvo71Vd7as1SrF5xv0a78J0PVE5wyi-Ybizrg@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 09 Apr 2021 09:49:08 -0400
Message-ID: <CAH48Zfzf1zAB0avOaVzbjm4=otkA2JjQrNekKA8mr1-CsmMgiQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004e5c9a05bf8a6e27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HxxZwGuEoke9pQTZ2632S2EyR4U>
Subject: Re: [dmarc-ietf] NXDOMAIN
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 13:49:28 -0000

I am happy to have the concept optimized.  Your comments make sense to me.

  I just believe strongly that these documents teach implementers best
practices and that this particular document is the time and place to begin
teaching best practices around non-existent domains.

It is swell that postfix is widely used and responds appropriately to
non-existent domains  But clearly we have a lot of implementers who need
coaching.

DF

On Fri, Apr 9, 2021, 9:09 AM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> On Thu, Apr 8, 2021 at 4:51 PM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> DNS Examples that Murray requested, which should also addresses John's
>> question about relevance to DMARC:
>>
>> nslookup
>> > set type=txt
>>
>>
>> > _dmarc.junk.thisisjunk.com
>> *** <server> can't find _dmarc.junk.thisisjunk.com: Non-existent domain
>>
>> Domain has no DMARC policy.
>> Is this because it chose not to deploy one, or because it does not
>> exist?   That answer requires a second query.
>>
>> > junk.credcontrol.com
>> *** <server> can't find junk.credcontrol.com: Non-existent domain
>>
>> The TXT query demonstrates that this is a non-existent domain, and
>> therefore not under the full administrative control of any parent domain.
>> The message is DMARC NOT_VERIFIED even if domain alignment occurs with a
>> DKIM signature or SPF PASS.  Since there is no domain-level policy record,
>> disposition depends on local policy related to non-existent domains and
>> this particular domain name.    The organizational policy record may be
>> useful if its requested action is more stringent than the local policy
>> default action for non-existent domains.
>>
>> > junk.thisisjunk.com
>> *** <server> can't find junk.thisisjunk.com: Non-existent domain
>>
>> Domain has no DMARC policy.
>> Is this because it chose not to deploy one, or because it does not
>> exist?   That answer requires a second query.
>>
>> >thisisjunk.com
>>         primary name server = ns1.dreamhost.com
>>         responsible mail addr = hostmaster.dreamhost.com
>>         serial  = 2018071003
>>         refresh = 19193 (5 hours 19 mins 53 secs)
>>         retry   = 1800 (30 mins)
>>         expire  = 1814400 (21 days)
>>         default TTL = 14400 (4 hours)
>>
>> The TXT query demonstrates that the domain exists.   This is true whether
>> the result returns data or NODATA, and in this case the result is NODATA.
>> The message can be DMARC-verified using domain alignment to a DKIM
>> Signature or SPF PASS.
>>
>> Doug Foster
>>
>>
>> I think you may have a cut and paste error here:
>
> > junk.thisisjunk.com
>
> *** <server> can't find junk.thisisjunk.com: Non-existent domain
>
> Domain has no DMARC policy.
> Is this because it chose not to deploy one, or because it does not exist?
>  That answer requires a second query.
>
>
> The above isn't a query for a DMARC policy record.
>
> To your larger point though and your claim of a second query being
> required to determine if a domain exists if there is no published DMARC
> policy, I think you've got the order of the queries exactly backward.
>
> My expectation for any policy rules that are based on a domain's existing
> and/or a domain having published an MX or A/AAAA record is that such
> queries will be done *before* any attempt to suss out a DMARC policy record
> and perform DMARC validation checks, not after.
>
> For example:
>
>    1. Client connects to my server. At this point I know the source IP of
>    the client, and so I can apply any policy rules I may have in place for the
>    source IP, such as rejecting the connection due to the IP's being blocked,
>    refusing the connection if the IP has no corresponding PTR record, refusing
>    the connection if the PTR record matches a pattern of names from which I
>    don't want to accept mail (such as the naming pattern being generic or
>    indicating that it's dynamic space), perhaps throttling the connection
>    based on a lack of FCrDNS for the IP or other rules based on local
>    reputation data known about the IP.
>    2. If the connection is still open, the client issues a MAIL FROM
>    command. At this point I now have a domain (RFC5321.From) and I can run
>    checks to make sure the domain exists in the DNS and publishes either an MX
>    or A/AAAA record and do any DNSBL lookups for the domain. I can also, if I
>    wish, do the SPF check here and reject if there's a failure and the record
>    ends in "-all".
>    3. If the connection is still open, the client issues one or more RCPT
>    TO commands. I can answer "250 ok" or "550 5.1.1 user unknown" as
>    appropriate.
>    4. If the client has exhausted its RCPT TO commands and has gotten
>    "250 ok" in response to at least one of them, then it will issue a DATA
>    command, and I can respond "ok" if I still potentially want to accept a
>    message from this connection.
>    5. Client transmits the message, ends with "."
>    6. Before I reply with "ok", I will definitely do step 1 below, and
>    might do either or both of steps 2 and 3:
>       1. Test for existence of the RFC5322.From domain in DNS and do any
>       DNSBL lookups on the domain.
>       2. Run the message through an anti-spam filtering engine, if I'm
>       the type to reject mail based on its content. If instead I'd just route it
>       to the spam folder if the engine says it's spam, I may do this step at a
>       layer closer to my message delivery/storage layer.
>       3. Do DMARC validation checks, if I'm the type to honor a domain's
>       published policy and reject mail that fails DMARC checks if that's what the
>       policy asks me to do. If instead I'm the type to apply a quarantine
>       disposition to anything with p=reject or p=quarantine, I might accept the
>       message so that the connection can be closed and I can do DMARC processing
>       at a layer closer to my message delivery/storage layer.
>
> Now, I could be wrong here, but I've always viewed DNS queries as
> computationally cheaper than content scanning and DKIM hash validation
> (note that I'm going to do DKIM hash validation regardless of the existence
> of a DMARC policy record, but it's all a matter of where in my
> infrastructure I do the validation). DNS queries that allow me to make an
> immediate yes/no decision on message acceptance (IP or domain on block
> list, domain exists and has an MX or A/AAAA record) get done before DNS
> queries that might cause me to do more work. A DNS query for a DMARC record
> can result in additional work for me if the DMARC policy record exists, not
> just going through the validation steps but also recording the results in
> the data store that supports my reporting engine, so I'm going to do that
> one last, not first.
>
> But that's just me.
>
> --
>
> *Todd Herr* | Sr. Technical Program Manager
> *e:* todd.herr@valimail.com
> *m:* 703.220.4153
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email