Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd

"John Levine" <johnl@taugh.com> Sat, 20 July 2019 05:08 UTC

Date: 20 Jul 2019 01:08:52 -0400
Message-Id: <20190720050852.BFC22525572@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: kboth@drkurt.com
In-Reply-To: <CABuGu1qGJq2fes9B1vwb1v=JMi3HcydvzDvoi0+ZrEwC4rYk1A@mail.gmail.com>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/R7mVX5gwRnlq8M90pt6m5I0aOKY>

In article <CABuGu1qGJq2fes9B1vwb1v=JMi3HcydvzDvoi0+ZrEwC4rYk1A@mail.gmail.com>; you write:
>Most MTAs will also follow CNAMEs. Should they be included (along with
>other things like DNAME records) within the scope of existence? I'm a
>little concerned that we are making a special definition of "non-existence"
>which differs from the standard DNS concepts of NODATA and NXDOMAIN without
>having a correspondingly special name.

Good catch: you have to chase CNAME and DNAME before deciding whether
you've found A/AAAA/MX.

>I'm not sure how well this maps to what we describe. I'm also concerned
>that a wildcard null MX record at the org level would end up having all
>subdomains "exist", but the policy that should be applied would be the more
>restrictive "np" policy, not the (possibly) more permissive "sp" policy.

That sounds fairly deep into "don't do that" territory.  If you are
clever enough to publish a wildcard MX, you should be clever enough
to publish an appropriate DMARC record.  Keep in mind that wildcards
don't work the way many people think they do, so if you have *.foo.com
along with a.foo.com, then the wildcard will match b.foo.com, but not
b.a.foo.com.

R's,
John
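The two points in this exchange (chase CNAMEs before testing for A/AAAA/MX, and RFC 4592 wildcard matching stopping at an existing closer name) as an added, stand-alone example that is not part of the thread or the draft. It uses a constructed in-memory zone in place of real DNS, models CNAME only (DNAME is left out), and every name and address in it is made up for illustration.

```python
from typing import Dict, List, Tuple

# Constructed zone for illustration: owner name -> {rrtype: [rdata]}.
# "*.foo.com" publishes a wildcard null MX (RFC 7505), the case raised above.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "foo.com": {"A": ["192.0.2.1"], "MX": ["10 mail.foo.com"]},
    "a.foo.com": {"A": ["192.0.2.2"]},
    "*.foo.com": {"MX": ["0 ."]},
    "alias.foo.com": {"CNAME": ["a.foo.com"]},
    "dangling.foo.com": {"CNAME": ["gone.example"]},
}

def _name_exists(name: str) -> bool:
    """True if the name owns records or is an empty non-terminal (an
    ancestor of some owner); such names answer NODATA, not NXDOMAIN."""
    return any(o == name or o.endswith("." + name) for o in ZONE)

def lookup(name: str, rrtype: str) -> List[str]:
    """Single-name lookup with RFC 4592 wildcard semantics: the wildcard
    only synthesizes answers for a name whose closest existing ancestor
    is the wildcard's parent, so *.foo.com covers b.foo.com but not
    b.a.foo.com once a.foo.com exists."""
    if name in ZONE:
        return ZONE[name].get(rrtype, [])
    if _name_exists(name):  # empty non-terminal: NODATA, no wildcard
        return []
    labels = name.split(".")
    for i in range(1, len(labels)):  # walk up to the closest encloser
        parent = ".".join(labels[i:])
        if _name_exists(parent):
            return ZONE.get("*." + parent, {}).get(rrtype, [])
    return []  # NXDOMAIN

def resolve(name: str, rrtype: str, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Chase CNAMEs (bounded, so a loop cannot hang us) before answering."""
    for _ in range(max_hops):
        target = lookup(name, "CNAME")
        if not target:
            return name, lookup(name, rrtype)
        name = target[0]
    raise RuntimeError("CNAME chain too long at " + name)

def domain_exists(name: str) -> bool:
    """The existence test discussed above: any A, AAAA or MX is present
    after CNAME chasing.  A wildcard null MX makes every subdomain it
    covers 'exist' by this rule, which is the concern quoted above."""
    return any(resolve(name, t)[1] for t in ("A", "AAAA", "MX"))
```

Run `domain_exists("b.foo.com")` against `domain_exists("b.a.foo.com")` to see the wildcard stop at the existing a.foo.com, and `resolve("alias.foo.com", "A")` to see the CNAME chased to its target.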