Re: [dmarc-ietf] Rolling out the experiment

Alessandro Vesely <vesely@tana.it> Wed, 03 April 2019 09:32 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F3F41200B9 for <dmarc@ietfa.amsl.com>; Wed, 3 Apr 2019 02:32:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6domxxhQV1GR for <dmarc@ietfa.amsl.com>; Wed, 3 Apr 2019 02:32:47 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CCE61200B2 for <dmarc@ietf.org>; Wed, 3 Apr 2019 02:32:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=gamma; t=1554283965; bh=j1q83oLZgazZN27kYaD005UnTkb4J5SIzC1gyK/7Y58=; l=1855; h=To:References:From:Date:In-Reply-To; b=AxIgzovxo6naWwO3RlgIIEdTB3kdLlsSyTtciL4Q4EyVGWNZaS54iG/kn/ejSIPdA hB9F8EJXoX5fnGIB9Y5ZfFeSOerX4BVESYMITnpbpxqffKDSVBFMC+GyHkjICC0uQh z1m/Z+6sa2v3wOdZTAUBMGxYS1UXw3idp3uVK7ZKJK64Uytpe7OOYOqurbICx
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Wed, 03 Apr 2019 11:32:45 +0200 id 00000000005DC00B.000000005CA47DBD.0000795C
To: Ian Levy <ian.levy@ncsc.gov.uk>, "fosterd@bayviewphysicians.com" <fosterd@bayviewphysicians.com>, "dmarc@ietf.org" <dmarc@ietf.org>
References: <e1098e14b0b54c79b9f6191eb4afa2fd@bayviewphysicians.com> <LO2P123MB228545562601B6B06D230B8CC9550@LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM>
From: Alessandro Vesely <vesely@tana.it>
Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00
Message-ID: <066854c5-2649-d852-ff21-eb65bb83fd52@tana.it>
Date: Wed, 3 Apr 2019 11:32:44 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <LO2P123MB228545562601B6B06D230B8CC9550@LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/WPNcqhYc3GKKvDt5cK9saWtKyvs>
Subject: Re: [dmarc-ietf] Rolling out the experiment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2019 09:32:49 -0000

On Mon 01/Apr/2019 09:03:34 +0200 Ian Levy wrote:

>   * SPF and ASDP polices can still be published for non-existent domains
> 
> Sure, but I can’t predict what non-existent subdomains criminals are going to
> use next. Should I publish a set of TXT records for dougfoster.gov.uk uniquely?
> Given we’ve no way of predicting that, we’re responding to any query for TXT
> records  for any undelegated gov.uk subdomain with an SPF and DMARC record.
> Regardless of how we intend to detect non-existent subdomains (for some value
> of non-existent), we’ll need to stop responding with those default records on
> gov.uk to do something approaching real world testing of PSD-DMARC.


This argument is utterly confusing to me.  When I read Scott's draft, I
understood he was talking about _existing_ domains.  Indeed, that sounded
somewhat strange, since the higher level domain's owner should have a say on
the policies that subdomains have to follow, but IANAL.

DMARC had reject-on-nxdomain, but then reduced it to appendix A.4.  ADSP
(historic) left it to undefined.  Yet, it's the only (deprecated) auth-method
having a "nxdomain" code.  If we are seeking a spec that enables parent domains
to specify reject-on-nxdomain for their subdomains, it doesn't seem to be
necessarily related to DMARC.  (I mean DMARC as a spec, not the dmarc WG.)


    ale@pcale:~/tmp$ dig +short dougfoster.gov.uk txt
    "v=DMARC1;p=reject;rua=mailto:govuk-rua@dmarc.service.gov.uk"
    "v=spf1 ?all"


I agree that's an evil kludge.  (Why ?all?)  Dave just posted a draft about DNS
perimeter, which might possibly evolve so as to allow only the _dmarc label to
return the above record (can it?), while dougfoster.gov.uk perhaps returns the
spf1 stuff.  It is still overly complicated w.r.t. such a simple task as
reject-on-nxdomain.


Best
Ale
--