Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues

Tim Wicinski <tjw.ietf@gmail.com> Tue, 02 March 2021 11:12 UTC

References: <edfb0a04df4620f8b9f6eaa659923d02@jbsoft.nl> <1bdd6695-2198-2bcf-f9e2-33d43f9c2bf1@cert.ee> <DB7PR08MB3498C21C6CF8631243BEF4D8BB999@DB7PR08MB3498.eurprd08.prod.outlook.com>
In-Reply-To: <DB7PR08MB3498C21C6CF8631243BEF4D8BB999@DB7PR08MB3498.eurprd08.prod.outlook.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Tue, 2 Mar 2021 06:11:47 -0500
Message-ID: <CADyWQ+EWQ9wo5f1qyQJRatO=vxJhKON=f5=X7iH0=u7nbJHZ+Q@mail.gmail.com>
To: Henning Krause <mail=40henningkrause.eu@dmarc.ietf.org>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UMqVEVTu_i22_L1mWPm-XZfSJrw>
Subject: Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues

Using a CNAME at _dmarc.example should not be a problem, as long as
the CNAME target is a TXT record.  The DNS resolver functions should
handle this seamlessly. This does sound like a vendor software
problem.

I am aware of DKIM records being deployed using CNAMEs pointing to a TXT
record target.
Has anyone seen the above error condition when testing DKIM records?

This definitely sounds like an issue with the software.

Nobody should shy away from publishing DMARC records that are CNAMEs to
DMARC TXT records elsewhere. Using this design should be strongly encouraged.

tim
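As an added illustration (not code from this thread, the IETF, or any vendor), here is a toy Python resolver over a constructed in-memory zone. It shows what the message argues a correct DMARC lookup must do: follow the CNAME at _dmarc.<domain> to the TXT record at its target, as a real recursive resolver does, accept that the canonical name differs from the queried name, and only then validate the record. The zone contents and MAX_CNAME_CHAIN are assumptions for the example.

```python
# Constructed sample zone for the example: owner name -> list of (rrtype, rdata).
ZONE = {
    "_dmarc.example.com.": [("CNAME", "policy.dmarc-templates.example.net.")],
    "policy.dmarc-templates.example.net.": [
        ("TXT", "v=DMARC1; p=reject; rua=mailto:reports@example.net")
    ],
    "_dmarc.direct.example.": [("TXT", "v=DMARC1; p=none")],
    "_dmarc.loop.example.": [("CNAME", "_dmarc.loop.example.")],  # pathological
}

MAX_CNAME_CHAIN = 8  # assumed bound; guards against CNAME loops and long chains


def resolve_txt(name: str) -> tuple[str, list[str]]:
    """Return (canonical_name, txt_strings), following CNAMEs like a resolver."""
    for _ in range(MAX_CNAME_CHAIN):
        rrset = ZONE.get(name, [])
        cnames = [rdata for rrtype, rdata in rrset if rrtype == "CNAME"]
        if cnames:
            name = cnames[0]  # an owner name may carry at most one CNAME
            continue
        return name, [rdata for rrtype, rdata in rrset if rrtype == "TXT"]
    raise RuntimeError(f"CNAME chain too long or looped starting at {name}")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(domain: str) -> dict[str, str]:
    """Fetch and validate the DMARC policy for a domain.

    The queried owner name (_dmarc.<domain>) may legitimately differ from
    the canonical name the TXT record lives at; a client must not reject
    the answer just because the answer section contains a CNAME."""
    _, txts = resolve_txt(f"_dmarc.{domain.rstrip('.')}.")
    records = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if len(records) != 1:  # RFC 7489 requires exactly one DMARC record
        raise ValueError(f"expected 1 DMARC record, found {len(records)}")
    tags = parse_dmarc(records[0])
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required 'p' tag")
    return tags
```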