Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues

Tim Wicinski <tjw.ietf@gmail.com> Wed, 03 March 2021 18:00 UTC

From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Wed, 03 Mar 2021 13:00:42 -0500
Message-ID: <CADyWQ+HY_3qT6zb1Gr4tQYVZcpDSQ=xCE4b1J33BLeLdTNvzdw@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Douglas Foster <dougfoster.emailstandards@gmail.com>, Henning Krause <mail=40henningkrause.eu@dmarc.ietf.org>, "dmarc@ietf.org" <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/WCwTiBKlXsS9sad-PXuWm_n3RZQ>
Subject: Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues

I have to overly agree with Murray here.

Where there should be discussions around using CNAMEs for DMARC records would be in a DMARC best practice document.

I spent some time yesterday digging through all the DKIM RFCs, and there is no place where there are discussions about using CNAMEs (except in passing in RFC 5016). And the use of CNAMEs for DKIM TXT records is not just widely used, but is considered a best practice by M3AAWG:
https://www.m3aawg.org/sites/default/files/m3aawg-dkim-key-rotation-bp-2019-03.pdf

As for those few folks who have seen DNS issues around using CNAMEs, I really want to hear from you off list. Tracking down esoteric DNS error operational behavior is something I am slightly obsessive about. "I'm from the DNS, and I'm here to help"

thanks
tim


On Wed, Mar 3, 2021 at 12:28 PM Murray S. Kucherawy <superuser@gmail.com> wrote:

> On Tue, Mar 2, 2021 at 3:51 AM Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:
>
>> Because CNAME usage was not mentioned in the previous DMARC document, existing implementations may not have tested this configuration. For the policy publishing organization, this increases the possibility that some recipients may treat the mail as not protected by DMARC. As with any deployment issue, the publishing organization has no reliable way to know if the deployment of DMARC implementations with full CNAME support is "essentially complete". This uncertainty may be acceptable for some organizations, but may be an obstacle for others, depending on their motivations for implementing DMARC.
>>
>> On the implementation side, the use of CNAME will introduce the possibility of referral errors, which may or may not require mentioning in the DMARC specification, since such issues have probably been addressed in core DNS documents. The issues that come to mind are:
>> CNAME referrals to non-existent names
>> Nested CNAME referrals (what depth is allowed?)
>> CNAME referrals that produce loops or excessive nesting depth.
>>
>
> I don't understand why we need to say anything special about CNAMEs here. They are processed by the resolver as they would be for any other application.
>
> If there's a bug in opendmarc, that's a different question that has nothing to do with the output of the working group.
>
> -MSK
>
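The three referral failure modes Douglas lists (CNAME to a non-existent name, nesting depth, loops) as they surface when a _dmarc TXT lookup is followed through a CNAME chain, shown here as an added example that is not part of this thread or of any DMARC implementation. It stands in for the resolver with a constructed in-memory zone of hypothetical names and an assumed hop cap of 8, so a publisher can see which chain shapes a strict resolver would refuse.

```python
MAX_CNAME_DEPTH = 8  # assumed cap for this example; real resolvers choose their own

class DmarcLookupError(Exception):
    """kind is 'nxdomain', 'loop' or 'too-deep'; chain lists the names visited."""
    def __init__(self, kind, chain):
        super().__init__(f"{kind}: {' -> '.join(chain)}")
        self.kind, self.chain = kind, chain

# Constructed in-memory zone (hypothetical names): owner -> (rrtype, rdata)
ZONE = {
    "_dmarc.example.com.": ("CNAME", "dmarc-template.example.net."),
    "dmarc-template.example.net.": ("TXT", "v=DMARC1; p=reject; rua=mailto:reports@example.net"),
    "_dmarc.dangling.example.": ("CNAME", "missing.example."),       # target does not exist
    "_dmarc.loop-a.example.": ("CNAME", "_dmarc.loop-b.example."),  # two-node CNAME loop
    "_dmarc.loop-b.example.": ("CNAME", "_dmarc.loop-a.example."),
    "_dmarc.deep.example.": ("CNAME", "hop0.deep.example."),        # 11-hop chain, built below
}
for i in range(10):
    ZONE[f"hop{i}.deep.example."] = ("CNAME", f"hop{i + 1}.deep.example.")
ZONE["hop10.deep.example."] = ("TXT", "v=DMARC1; p=none")

def resolve_txt(name, zone=ZONE, max_depth=MAX_CNAME_DEPTH):
    """Follow CNAMEs from `name` to a TXT record; return (rdata, names visited)."""
    chain = [name]
    while True:
        rr = zone.get(name)
        if rr is None:
            raise DmarcLookupError("nxdomain", chain)
        rrtype, rdata = rr
        if rrtype == "TXT":
            return rdata, chain
        # rrtype == "CNAME": refuse loops and chains longer than max_depth hops
        if rdata in chain:
            raise DmarcLookupError("loop", chain + [rdata])
        if len(chain) - 1 >= max_depth:
            raise DmarcLookupError("too-deep", chain)
        chain.append(rdata)
        name = rdata

def dmarc_policy(domain, zone=ZONE):
    """('ok', p-tag) for a resolvable DMARC record, else ('error', failure kind)."""
    try:
        txt, _chain = resolve_txt(f"_dmarc.{domain}.", zone)
    except DmarcLookupError as exc:
        return "error", exc.kind
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "error", "not-dmarc"
    return "ok", tags.get("p", "")
```

Call `dmarc_policy("example.com")` for the healthy template case and the other three sample domains for each failure kind; the chain returned by `resolve_txt` is what to log when tracking down a reporter's CNAME problem.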