IETF Logo Mail Archive

Re: [dmarc-ietf] Additions to draft - Security Considerations

Scott Kitterman <sklist@kitterman.com> Fri, 29 April 2022 13:35 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4CE6C15E6C0 for <dmarc@ietfa.amsl.com>; Fri, 29 Apr 2022 06:35:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=Ike1hJzX; dkim=pass (2048-bit key) header.d=kitterman.com header.b=gWZtw/WP
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iLk4VyJA9mnO for <dmarc@ietfa.amsl.com>; Fri, 29 Apr 2022 06:35:05 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 635BBC15E40E for <dmarc@ietf.org>; Fri, 29 Apr 2022 06:35:05 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id E2949F8016D for <dmarc@ietf.org>; Fri, 29 Apr 2022 09:35:00 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1651239300; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=osD60F1BjYb8xY0YAxm6isCtC8Ail7vxRcFGF/mvE8U=; b=Ike1hJzXUK8rMFjpkUCol9tFTCOu9U9vC7BQMy5cpeBUz4cB3EdxhqkPMBhwgR20RLfBl UdpXtYR89hi9KnaAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1651239300; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=osD60F1BjYb8xY0YAxm6isCtC8Ail7vxRcFGF/mvE8U=; b=gWZtw/WPm3hClGzxKAfNZCc+V8yu8O/Kfu8DkW8w7U1ORaWDJa1jXdPXSnIkiN3+2Ug8e gsoC3jbjAU0gEqo4hJC6+FrlWBixkcoMa1k49E7vn/hFYMT7lOtvkLVpZjSEEQV82wEPHFc myWM+et0ZcnzPpUguz/hH8CCk+TScA0eZgaNvaxAxxnMyHcrMeJKgPECwI5hlU31xKr6Y+k vLPEtnRC+Zx3xeXs6QKlSVS6VkdxaHlnohANY/K7jMaPCcmBf7Mw9f83gRU1n7XCZ5rS3Pu y1jOsgUZiW7hx3+i0lWsG0T5B/K/Vrkem5ZDqmLXUSDZQ0GQL+cKAkGV2RjQ==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id CF141F8016A for <dmarc@ietf.org>; Fri, 29 Apr 2022 09:35:00 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Fri, 29 Apr 2022 09:35:00 -0400
Message-ID: <1743775.j8TXEB4h3r@zini-1880>
In-Reply-To: <16774026-a365-4fe7-76d3-1e1afa365b57@tana.it>
References: <CAH48Zfz5MWDuQa1DJQE_YK9gAUL4P-se4CeGAGYCf+c6D0ysaA@mail.gmail.com> <7BF2E6F5-FBDA-4DF9-B533-B39080BF6F69@kitterman.com> <16774026-a365-4fe7-76d3-1e1afa365b57@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KBPf_aqei4np4790wITiWXgyykg>
Subject: Re: [dmarc-ietf] Additions to draft - Security Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2022 13:35:09 -0000

On Friday, April 29, 2022 4:11:21 AM EDT Alessandro Vesely wrote:
> On Tue 26/Apr/2022 19:23:06 +0200 Scott Kitterman wrote:
> > On April 26, 2022 4:50:08 PM UTC, Alessandro Vesely <vesely@tana.it> 
wrote:
> >>On Tue 26/Apr/2022 14:53:27 +0200 Scott Kitterman wrote:
> >>> On April 26, 2022 8:06:50 AM UTC, Alessandro Vesely <vesely@tana.it> 
wrote:
> >>>> On Mon 25/Apr/2022 05:56:46 +0200 Scott Kitterman wrote:
> >>>>> How about something like this:
> >>>>> 
> >>>>> 9.7 Determination of the Organizational Domain For Relaxed Alignment
> >>>>> 
> >>>>> DMARC evaluation for relaxed alignment is highly sensitive to errors
> >>>>> in the
> >>>>> determination of the organizational domain if the RFC5322.From domain
> >>>>> does not have a published policy.  If an incorrectly selected
> >>>>> organizational domain is a parent of the correct organizational
> >>>>> domain, then relaxed alignment could potentially allow a malicious
> >>>>> sender to obtain DMARC PASS.  This potential exists for both the
> >>>>> legacy [RFC 7489] and current [Section 4.8] methods for determining
> >>>>> the organizational domain.
> >>>> 
> >>>> I object that this text undermines the robustness of the protocol and
> >>>> may sound like a campaign for strict alignment.  Relaxed alignment is
> >>>> safer from a flexibility POV, as it accounts for occasional
> >>>> @hostname.example.com.  It has played a relevant role in DMARC
> >>>> success, and it's not by chance the default.>>>> 
> >>>> Here's an alternative text:
> >>>>    DMARC evaluation for relaxed alignment is sensitive to errors in the
> >>>>    determination of the organizational domain due to erroneous DNS
> >>>>    settings by
> >>>>    either the organizational domain or its PSD parent.  If the PSD
> >>>>    parent is
> >>>>    incorrectly selected as organizational domain, then relaxed
> >>>>    alignment can
> >>>>    potentially allow a malicious sender to obtain DMARC PASS while
> >>>>    impersonating the relevant organization.  This potential exists for
> >>>>    both
> >>>>    the legacy [RFC 7489] and current [Section 4.8] methods for
> >>>>    determining the
> >>>>    organizational domain.
> >>>>> 
> >>>>> This issue is completely avoided by use of strict alignment and
> >>>>> publishing
> >>>>> DMARC records for all domains/sub-domains used as RFC5322.From domain
> >>>>> in an
> >>>>> organization's email.
> >>>>   or by publishing psd=n.
> >>>>> 
> >>>>> For cases where strict alignment is not appropriate, this issue can be
> >>>>> mitigated by periodically checking the DMARC records, if any, of PSDs
> >>>>> above
> >>>>> the organization's domains in the DNS tree and (for legacy [RFC 7489]
> >>>>> checking that appropriate PSL entries remain present).  If a PSD
> >>>>> domain publishes a DMARC record without the appropriate psd=y tag,
> >>>>> organizational domain owners can add psd=n to their organizational
> >>>>> domain's DMARC record so that the PSD record will not be incorrectly
> >>>>> evaluated to be the organizational domain.>>>> 
> >>>> The latter alternative is obviously easier than monitoring the DNS
> >>>> settings of the PSD parent, and has to be carried out anyway in 
case.>>> 
> >>> What specifically do you object to?
> >>
> >>A quick skim through your text seems to be summarizable as "DMARC has a
> >>defect but you can overcome it by using strict alignment".  I know that's
> >>not what you meant, but it sounds quite like that.>>
> >>> Do you think it's inaccurate that this concern is limited to relaxed
> >>> alignment?>>
> >>No, I think it's wrong to blame relaxed alignment.
> >>
> >>> The specific suggestion you added (or by publishing psd=n) is already in
> >>> the text later on, so I'm not understanding what you think the problem
> >>> is or what you want to do about it?>>
> >>The alternative text above differs slightly from the first paragraph of
> >>the text you proposed, in an attempt at watering down that meaning.>>
> > Okay.  Explain how the issue occurs when alignment is strict?
> 
> It is obviously easier to verify alignment when it is strict.  You don't
> even need to determine the org domain exactly; retrieving a DMARC record
> suffices. That's not the point.
> 
> The point is that it is not right to (apparently) suggest to turn to strict
> alignment because of problems in determining the org domain.  The solution
> is to set psd= correctly.  I hope Todd will word it out clearly.

What is not right about it?  You say yourself it avoids the problem.

I may be misunderstanding you here, but it seems like you agree the statement 
is technically accurate, but there's some moral dimension to it.  Is that 
right?

I really don't understand your objection.

I would suggest Todd goes ahead and puts my proposed text in, so we have 
something to cover the issue and we can work to refine it once we clear this 
up.

Scott K

v2.23.0 | Report a Bug | By Email