Re: [dmarc-ietf] NXDOMAIN

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 08 April 2021 20:49 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Vr4taec3NJ8M5hgYq4Mu10wqSfE>

DNS Examples that Murray requested, which should also address John's
question about relevance to DMARC:

nslookup
> set type=txt


> _dmarc.junk.thisisjunk.com
*** <server> can't find _dmarc.junk.thisisjunk.com: Non-existent domain

Domain has no DMARC policy.
Is this because it chose not to deploy one, or because it does not exist?
That answer requires a second query.

> junk.credcontrol.com
*** <server> can't find junk.credcontrol.com: Non-existent domain

The TXT query demonstrates that this is a non-existent domain, and
therefore not under the full administrative control of any parent domain.
The message is DMARC NOT_VERIFIED even if domain alignment occurs with a
DKIM signature or SPF PASS.  Since there is no domain-level policy record,
disposition depends on local policy related to non-existent domains and
this particular domain name. The organizational policy record may be
useful if its requested action is more stringent than the local policy
default action for non-existent domains.

> junk.thisisjunk.com
*** <server> can't find junk.thisisjunk.com: Non-existent domain

Domain has no DMARC policy.
Is this because it chose not to deploy one, or because it does not exist?
That answer requires a second query.

> thisisjunk.com
        primary name server = ns1.dreamhost.com
        responsible mail addr = hostmaster.dreamhost.com
        serial  = 2018071003
        refresh = 19193 (5 hours 19 mins 53 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 14400 (4 hours)

The TXT query demonstrates that the domain exists. This is true whether
the result returns data or NODATA, and in this case the result is NODATA.
The message can be DMARC-verified using domain alignment to a DKIM
Signature or SPF PASS.

Doug Foster


On Thu, Apr 8, 2021 at 2:30 PM John Levine <johnl@taugh.com> wrote:

> It appears that Murray S. Kucherawy  <superuser@gmail.com> said:
> >On Thu, Apr 8, 2021 at 9:50 AM Douglas Foster <
> >dougfoster.emailstandards@gmail.com> wrote:
> >
> >> Why is it problematic to document this risk, and indicate that when "No
> >> Policy detected" occurs, it is recommended to check whether the domain
> >> exists, and if it does not exist then local policy for nonexistent
> >> domains should be applied?
> >>
> >
> >Can you put together an example message exhibiting the properties you're
> >talking about, and what DNS records are in play in that scenario?
> >
> >I still can't picture the problem you're trying to solve.
>
> My question would be what does it have to do with DMARC.
>
> We already have policies for dealing with non-existent domains unrelated
> to DMARC.
>
> R's,
> John
>
>
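
Added example, not part of the original message: the two-query check described above (look up _dmarc.<domain>, then the domain itself when no policy is found), run against a stub resolver so it works offline. The function and outcome names are assumptions; the stub answers for thisisjunk.com and junk.thisisjunk.com mirror the nslookup results in the message, and the .example entries are constructed.

```python
from enum import Enum

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

# Stub resolver data: (name, type) -> (rcode, TXT strings). Unlisted names
# answer NXDOMAIN, as junk.thisisjunk.com does in the message.
STUB_ZONE = {
    ("thisisjunk.com", "TXT"): (NOERROR, []),  # NODATA, as in the message
    ("_dmarc.haspolicy.example", "TXT"): (NOERROR, ["v=DMARC1; p=reject"]),  # constructed
    ("haspolicy.example", "TXT"): (NOERROR, ["v=spf1 -all"]),  # constructed
    ("broken.example", "TXT"): (SERVFAIL, []),  # constructed lookup failure
}


def stub_query(name, rtype):
    """Hypothetical resolver interface: returns (rcode, list of TXT strings)."""
    return STUB_ZONE.get((name.lower().rstrip("."), rtype), (NXDOMAIN, []))


class Outcome(Enum):
    POLICY_FOUND = "policy record present"
    NO_POLICY_DOMAIN_EXISTS = "no policy record; domain exists (data or NODATA)"
    NO_POLICY_NXDOMAIN = "no policy record; domain does not exist"
    DNS_ERROR = "lookup failed; existence unknown"


def classify_from_domain(domain, query=stub_query):
    """Return (Outcome, policy_record_or_None) for an RFC5322.From domain."""
    rcode, txts = query("_dmarc." + domain, "TXT")
    if rcode not in (NOERROR, NXDOMAIN):
        return Outcome.DNS_ERROR, None
    policies = [t for t in txts
                if t.replace(" ", "").lower().startswith("v=dmarc1")]
    if policies:
        return Outcome.POLICY_FOUND, policies[0]
    # "No policy detected": the second query separates "chose not to deploy"
    # from "does not exist". Data and NODATA both prove the name exists.
    rcode, _ = query(domain, "TXT")
    if rcode == NXDOMAIN:
        return Outcome.NO_POLICY_NXDOMAIN, None
    if rcode == NOERROR:
        return Outcome.NO_POLICY_DOMAIN_EXISTS, None
    return Outcome.DNS_ERROR, None  # SERVFAIL or timeout is not non-existence
```

A receiver would map NO_POLICY_NXDOMAIN to its local policy for non-existent domains, and treat DNS_ERROR as a temporary failure rather than as proof of non-existence.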