Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues

Tõnu Tammer <tonu@cert.ee> Tue, 02 March 2021 08:13 UTC

Return-Path: <tonu@cert.ee>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5D523A1326 for <dmarc@ietfa.amsl.com>; Tue, 2 Mar 2021 00:13:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cert.ee header.b=P2D/GTVz; dkim=pass (2048-bit key) header.d=cert.ee header.b=ApFWlWkI
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rpt-DAx1cvRY for <dmarc@ietfa.amsl.com>; Tue, 2 Mar 2021 00:13:18 -0800 (PST)
Received: from smtp-out.cert.ee (smtp-out.cert.ee [46.226.143.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F4583A1324 for <dmarc@ietf.org>; Tue, 2 Mar 2021 00:13:17 -0800 (PST)
Received: from mail.cert.ee (mail.cert.ee [46.226.143.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (Client did not present a certificate) by smtp-out.cert.ee (Postfix) with ESMTPS id 2ED2D3F8A9 for <dmarc@ietf.org>; Tue, 2 Mar 2021 10:13:14 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.ee; s=mail; t=1614672794; bh=elyc9edwpvNEMUlWn8tSMhpjMRyLuBhEAH6nlgOCvaQ=; h=To:References:From:Date:In-Reply-To; b=P2D/GTVz7Yu/tmSt0UGvkwVgO2+WN/ZsM7JXubRTXrcqJ+g49Zt+cH1lA0aTs76GD IevUMHeWB0TcwHUGr+UyIBGE9y8Ab+koUsGuquflN4hap4+KjC4QDg8CHTKKJk3vgi FLzFS+xCOqw6S24mS0UyN944wk4ZZ1yXze8HMySzMU74/zga5RX4TrQWrZ46u16G0w 6/hBNihc/gT1LucTmOvc8B7wDrHvb0dbsQtq2mEBy9OEJWWy4/BDKzox6I3mMwRdrZ xvqY66ORBMXEYLS/CCBV1vcIYnkQiUdkyG0RJQmbGALrqtaFmc8Wmwbj5yj6e7v5/V RgGxBHzTvi7fw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.ee; s=mailcertee; t=1614672794; bh=elyc9edwpvNEMUlWn8tSMhpjMRyLuBhEAH6nlgOCvaQ=; h=To:References:From:Date:In-Reply-To; b=ApFWlWkI5vlX22kasOr41giiOQoLm8/fupQKcDq7fFjnZRm+yDY9Ze9l3sAq9zXhi I5HAn5MEkCCEMBESH3w7QBKXtGWmgOnSxCkcOvPIFOtyfFmkLGt5Swt3JqLY/9CgOQ 6UmtuOb9ui3ajPGjYjJFcMarKdm97MiopnIVA+Nri1gOOaw3/xVJnr+c58kwfVFRsC ZlGm4v69lgm4iw3vc33pbP+9uXrH0snDSlYd9x6bLXbnmdQpqlGreAtEe0Bf7qoeAy UG6dkDAn3dG4YKR4G67RUlPKUYEry+v4BuLt0xKTDjSr00gG1YQWPvh3pio2HjBra1 7nQPusufJoE/g==
To: dmarc@ietf.org
References: <edfb0a04df4620f8b9f6eaa659923d02@jbsoft.nl>
From: =?UTF-8?Q?T=c3=b5nu_Tammer?= <tonu@cert.ee>
Message-ID: <1bdd6695-2198-2bcf-f9e2-33d43f9c2bf1@cert.ee>
Date: Tue, 2 Mar 2021 10:13:13 +0200
BIMI-Selector: v=BIMI1; s=default;
MIME-Version: 1.0
In-Reply-To: <edfb0a04df4620f8b9f6eaa659923d02@jbsoft.nl>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RGKyapZIaHRFN7z2zP59VbH22II>
Subject: Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 08:13:22 -0000

Hi Jan,

We have noticed similar issue with CNAME that is used by some of the 
vendors. However, we have not fully concluded if this is the issue of 
software as RFC stipulates that TXT records should be used.

https://tools.ietf.org/html/rfc7489#section-6.1

KR,

Tonu
CERT-EE

On 02.03.2021 09:49, jbouwh wrote:
> Hi all,
> I am new to this list, and will give a short introduction to myself.
> I work for the Dutch government as an IT architect. One of my goals is 
> improving mail security.
> As Dutch government we commit to comply to SPF, DKIM, DMARC, DANE and 
> IPv6 standards.
> With this we are challenged to keep the technical environment manageable.
> Some of our government IT partners use CNAME records to refer to DMARC 
> templates, and we are planning to use the same technique. Using 
> templates makes it more easy to maintain DNS records.
>
> For private purposes I am running my own mail server using opendmarc 
> together with postfix, amavis, spamassasin, opendkim and 
> postfix-policyd-spf.
> During testing mail policies that where published using a CNAME, I 
> noticed opendmarc is not handling the published policies, but is 
> acting as if no policy was published. To address this issue I have 
> submitted an issue to the opendmarc project.
>
> https://github.com/trusteddomainproject/OpenDMARC/issues/103
>
> My questions are:
> -    Is it a common practice to use CNAME DNS record to reference 
> DMARC templates?
> -    Is it a known issue opendmarc does not process the published 
> policies when they are published using a CNAME? If this is caused due 
> to a software bug, this could be a serious security issue.
>
> Regards,
> Jan
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc