Re: [dmarc-ietf] New authentication method, DNSWL

Alessandro Vesely <vesely@tana.it> Thu, 01 August 2019 16:32 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBD101201AA for <dmarc@ietfa.amsl.com>; Thu, 1 Aug 2019 09:32:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQD5hmYZpchY for <dmarc@ietfa.amsl.com>; Thu, 1 Aug 2019 09:32:48 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DA1F1201A2 for <dmarc@ietf.org>; Thu, 1 Aug 2019 09:32:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1564677164; bh=PVNyVmT9EwdAT/k9vilCch7YoR6W9uCItIzALxiSdJs=; l=5800; h=To:References:From:Date:In-Reply-To; b=A/v3hxc2I1TLgFTOKXqtA+i4guLuYmTi6gB6x+n3iF3CW1B1nWZJCsOAawwBYBFtG aOjJXtyE4q4BLvSSupsmo82IESfDVoq2a1FHpT9kKmwKP7QKu+lsg+eCKJYKwvOKS9 xzxPbQXVc/JTdlAir5IDz3xuZbVM/88B8B+cXCz3y4M1DrHbQPUs1zCQUZKkl
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA id 00000000005DC056.000000005D43142B.000076D0; Thu, 01 Aug 2019 18:32:43 +0200
To: dmarc@ietf.org
References: <e580ada3-d9b5-0e5b-9ac3-eade41ac92d2@tana.it> <CAL0qLwa5yR5dVzkDSD48MDgpUa11+ri=KOwrNSqOxi8fB2i6PA@mail.gmail.com> <eabefc6b-7542-1a46-4272-b786433ed0b5@tana.it> <4783309.BXR8ZdE9c3@l5580> <CAL0qLwb5FAaYZ7AX_H=aeUFkv8cvY+xd1bQ5uCDp4tmrbx2CQg@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00
Message-ID: <7a21b80b-e6bb-d8b9-cf63-601a8d1e47e7@tana.it>
Date: Thu, 1 Aug 2019 18:32:43 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <CAL0qLwb5FAaYZ7AX_H=aeUFkv8cvY+xd1bQ5uCDp4tmrbx2CQg@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/NOsqezsY4XAZwrc1jOrqTPxWmYA>
Subject: Re: [dmarc-ietf] New authentication method, DNSWL
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 16:32:51 -0000

On Thu 01/Aug/2019 07:27:10 +0200 Murray S. Kucherawy wrote:

> On Wed, Jul 31, 2019 at 9:40 PM Scott Kitterman <sklist@kitterman.com>
> wrote:
> 
>> Can we discuss this choice?  I know this has been implemented already, so 
>> I'm at least slightly reluctant to do the semi-standard lets rename
>> existing stuff dance that the IETF often does, but I really don't like
>> this.  There isn't an email authentication system out there that doesn't
>> rely on DNS.  I think DNS as a ptype is way too broad.

Policy is even broader.  What's wrong in being broad?  Registering this ptype
does not preclude future methods from using it as well.

In fact, even if all email authentication systems rely on DNS, none of the
properties registered thus far derive from there.  Existing ptypes, body,
header, smtp and policy, report data found in their respective areas, none of
which is the DNS.


>> Also, if I rsync a copy of the list and process it locally, is it still
>> OK to use the dns ptype when there is no DNS involved?


I do rsync a copy, and then serve it via rbldnsd (actually through a bind
forward-only zone).  MTAs will run a query using the DNS protocol anyway.
Courier is smart enough to query an internal zone and report its public name.


>> What about something like extpolicy: The property reported relates to an
>> external policy input?


Hm...


>> Would you be willing to do something like that?  If so, I think we could 
>> also register dns, but with status of decprecated since it's in use and 
>> documenting in use stuff is good.  Then Courier can change at some point
>> when it's convenient, but still be using a registered paramet.>>
> 
> <designated expert hat on>
> 
> Thanks for commenting on this.  I'm overdue to provide a review and
> feedback.
> 
> I rejected this application prior to RFC8601 primarily because the language
> used then to restrict what goes in the registry didn't allow for
> registrations of stuff that wasn't actually part of the message, and a DNS
> whitelist or blacklist result is not (nor for example is the client IP
> address, or the result of any query entirely external to the message body,
> header, or even envelope).  The good news is that the language of RFC8601
> is more relaxed, in particular in Section 2.3 it allows for a
> property/ptype that covers "some other aspect of the message's handling",
> so that's no longer a blocking factor.
> 
> To counter Scott's point, "dns" is a ptype that would exist within the
> method of "dnswl", so I think it's hard to see how it could be
> misinterpreted.  But I'd like to see how this discussion plays out.  I can
> see his point about "dns" being a rather broad ptype.
> 
> Appendix C of RFC8601 goes to some length to discourage the practice of
> including all the details that were inputs to the evaluation, specifically
> because the result of the evaluation at the border MTA is the only thing
> that should matter.  I thus have some trouble understanding why "policy.ip"
> and "policy.txt" are desirable things to include.


Let me narrate a use case.  Courier-MTA can be configured to reject on SPF -all
early in the SMTP dialogue, except if whitelisted.  It writes SPF as well as
dnswl results in the header, but does not interpret the policy.ip.  Downstream
filters can interpret the field based on the dns.zone.  I use that feature to
pass messages tagged "Heuristic" by the antivirus filter if policy.ip has a
positive trustworthiness.

As a matter of fact, Courier stopped to query "ANY" some months ago.  That way,
I miss policy.txt.  Its use was not automated, however.  A few times I happened
to manually retrieve it after delivery.  If I had a domain-based reputation
system available, I could use the domain name in policy.txt to make automated
delivery decisions.


> Related:
> 
> Section 3 of the draft appears to be commentary about what should go in TXT
> records, or how things querying DNSxLs should query and interpret TXT
> results.  This doesn't seem to be appropriate for a document about
> Authentication-Results; it's implementation guidance for MTAs or receiving
> agents.


Yes, the last paragraph is guidance about querying ANY.  It could go to an
appendix or be stroked, if we want to go through another revision.

The first paragraph is about how dnswl's may work.  Rfc5782 just says "DNSWLs
MAY have a TXT record that describes the reason for the entry."  I agree it is
slightly out of scope for registering the parameters.  OTOH, I'd like to know
more dnswl's in order to inform better on TXT record usage.


> And even if that were not true, I'm concerned that "policy.ip" could be
> interpreted as an IP address even though that's manifestly not what this
> is.

That's the reason why I wanted to call "dns.zone" the other property, which
could also be expressed as an IP address.


> Nevertheless, Scott's point about documenting current use is well taken and
> I like his idea in principle.  The only concern I have is that allowing
> this directly into a "deprecated" status still reserves the name "dns"
> should anyone later devise a use for it that's appropriate in breadth.  I
> suspect though we could just ask IANA to register both, one deprecated and
> one current, should that somehow ever come to pass.


Well, DNS is so broad that it's natural to expect that such ptype be used to
report more properties.  However, the way the registry is now structured, it is
only possible to deprecate the dns.zone property, not the very dns ptype, which
seems to be what Scott wishes.

"The DNS zone of a DNSWL" is much like the wording an MTA configuration manual
might use, isn't it?


Best
Ale

-- 
https://tools.ietf.org/html/draft-vesely-authmethod-dnswl