IETF Logo Mail Archive

Re: [dmarc-ietf] "psd=" tag early assignment

Alessandro Vesely <vesely@tana.it> Thu, 07 July 2022 10:58 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B81F4C15AD43 for <dmarc@ietfa.amsl.com>; Thu, 7 Jul 2022 03:58:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.003
X-Spam-Level:
X-Spam-Status: No, score=-9.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b=L/4zJa2c; dkim=pass (1152-bit key) header.d=tana.it header.b=BW6gANN1
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xfxhJpfNCpYi for <dmarc@ietfa.amsl.com>; Thu, 7 Jul 2022 03:57:54 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11623C15CF53 for <dmarc@ietf.org>; Thu, 7 Jul 2022 03:57:51 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1657191466; bh=pC2qIo6JIBPvnCzgh+MOiA5DshJ64aQ0RCMo7omZReg=; h=Date:Subject:To:References:From:In-Reply-To; b=L/4zJa2cXc6bp+QVbvgc9wSjFE86/hIAk1LUPZd2c+r16unKNUaSVy+oWFesNqCkG p3HreDZGGz0YSGTyS0lBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1657191466; bh=pC2qIo6JIBPvnCzgh+MOiA5DshJ64aQ0RCMo7omZReg=; h=Date:To:References:From:In-Reply-To; b=BW6gANN1YAbtn4BK4ohQ3FoBXPxo2a6Etvs6yTDClYYQjd1xjIO1hOa+XG2/266+1 63oaRdALNqCMdIPdgR9qm3U9flailTI/v7PJYRtgE3gpPawVOanN97Vn9zwlSNIWER L+XkIBSJySts5bK2LxcRYnm0mJL7tv9ly7McWPG6nOqtSuwaDkeczbzJ8UaOq
Author: Alessandro Vesely <vesely@tana.it>
Received: from [192.168.1.108] (host-82-56-132-47.retail.telecomitalia.it [82.56.132.47]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC083.0000000062C6BC2A.0000713F; Thu, 07 Jul 2022 12:57:46 +0200
Message-ID: <b87b71c5-c4bc-b963-06eb-dd94cca1340d@tana.it>
Date: Thu, 07 Jul 2022 12:57:46 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
To: dmarc@ietf.org
References: <2106279.dWI8RDzgUi@zini-1880> <CALaySJLFY6s6+4xFs9iu-YSbrihnThgDEkb1+g2NUAt-QS_mTw@mail.gmail.com> <95b1d241-0e3c-edf3-4768-cf08b7d73283@tana.it> <CALaySJJcd1e+iT0CwbQ738fMaX2-UQ+q7NvduK4a7J+H5Q0dVg@mail.gmail.com> <05AB0F55-F8EF-40F7-97BE-23C9B96747D2@kitterman.com> <CALaySJKzL4BsvaMb23XCsExfF2ns8C=n1x1PyA7W0+Xt4DsY2g@mail.gmail.com> <CAH48ZfzVZzE+4AuVxRRfeDPwe4+dWo_zLE3KP6_vQ_4487Rmvw@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CAH48ZfzVZzE+4AuVxRRfeDPwe4+dWo_zLE3KP6_vQ_4487Rmvw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Wd5zVFaZuqYpxWfHRS2Z0HzfTwI>
Subject: Re: [dmarc-ietf] "psd=" tag early assignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2022 10:58:02 -0000

Having a contract with ICANN rather than someone else is not much 
relevant.  The point of "private" PSDs is that they can be stacked 
below a regular DMARC PSD.  ("Private" is not the right term IMHO, as 
it may sound like "within an org".)


Stacks deeper than two are unlikely because of the five label limit. 
We set it because we found no domains deeper than that.  That way, 
we're imposing that the Internet topology cannot reach such shapes, or 
that DMARC will have been forgotten by then.


Anyway, we need an appendix with an example of private (or should we 
call them secondary?) registry, to illustrate both the algorithm and 
the setting of psd='s.


Best

Ale


On Wed 06/Jul/2022 20:00:42 +0200 Douglas Foster wrote:
> Yes, PSD is still the appropriate term for a PSO-controlled domain.   We
> need an additional definition for a "Private Registry Domain" (optionally
> "PRD" if we want to create another acronym.)   Collectively, PSDs and PRDs
> are "registry domains".   We intend to use a single DNS token for both PSD
> and PRD policies, so the token definition needs to be clear on this point.
> 
> RFC 7489 was amiss by not defining private registries, and that has created
> confusion about how to interpret the PSL.    But as long as the PSL had
> correct information, the distinction did not affect DMARC accuracy.    With
> the tree walk, the possibility of multiple registry domains in a single DNS
> path creates some challenges, and these need to be explained.
> 
> We can resolve an ongoing dispute by providing two approaches to
> implementing the tree walk.    John's approach makes some simplifying
> assumptions in order to replace the entire PSL immediately.   My approach
> is more cautious and is inclined to use the PSL when explicit tagging is
> not available.   Evaluators can chose which to use based on their
> perception of the tradeoffs.   Domain owners can solve the problem by
> providing explicit tags to ensure that both approaches obtain the same
> result.
> 
> DF
> Then the text needs to be clear about when PSDs and PRDs are similar, and
> when the differences are noteworthy.
> 
> On Sat, Jul 2, 2022 at 7:32 AM Barry Leiba <barryleiba@computer.org> wrote:
> 
>> That's true, while we won't have the PSL in the algorithm, we will
>> still be talking about PSDs, so the term will remain defined.  OK,
>> that makes sense, Scott; thanks.
>>
>> Barry
>>
>> On Mon, Jun 27, 2022 at 9:46 AM Scott Kitterman <sklist@kitterman.com>
>> wrote:
>>>
>>> If we use a different term, we'll need to define it.  Fundamentally, I
>> think changing the name only adds a level of indirection (and thus
>> complexity).
>>>
>>> Current:
>>>
>>> PSD (which is defined in the document) yes or no or use tree walk.
>>>
>>> Proposed:
>>>
>>> Role (needs a definition) PSD (defined), Org (defined as not a PSD), and
>> Subdomain (which isn't defined and is technically wrong - all three might
>> be subdomains).
>>>
>>> Whether you directly use psd as the tag or not, the question is still is
>> it a PSD or not.  The suggested change doesn't do anything towards getting
>> away from PSD as a concept or a defined term.
>>>
>>> I think that by hiding it in the definitions, it will be more confusing,
>> not less.
>>>
>>> Scott K
>>>
>>> On June 27, 2022 1:27:37 PM UTC, Barry Leiba <barryleiba@computer.org>
>> wrote:
>>>> I have to say, as a participant, that I have more than a little
>>>> sympathy for this suggestion or some derivative of it.  Using "psd" as
>>>> the tag name is rooted in history that will be lost as we move away
>>> >from using a public suffix list.
>>>>
>>>> Barry
>>>>
>>>> On Mon, Jun 27, 2022 at 6:20 AM Alessandro Vesely <vesely@tana.it>
>> wrote:
>>>>>
>>>>> On Sun 26/Jun/2022 18:05:44 +0200 Barry Leiba wrote:
>>>>>>
>>>>>> Please comment in this thread about whether you agree with making
>> the
>>>>>> registration now, or whether you do not agree and why.
>>>>>
>>>>>
>>>>> I'd like to make a last appeal to use more intuitive symbols to be
>> used instead
>>>>> of the current ones:
>>>>>
>>>>> instead of | use      | to mean
>>>>>
>> -----------+----------+-----------------------------------------------------
>>>>> psd=u      | role=sub | the default subdomain role (never needed)
>>>>> psd=n      | role=org | the org domain (only needed with non
>> compliant PSDs)
>>>>> psd=y      | role=psd | a PSD (needed if PSD published DMARC record.)
>>>>>
>>>>>
>>>>> The reason to use cryptic symbols seems to be to discourage their
>> usage, which
>>>>> I can hardly understand.  I'd be OK with the current symbols if the
>> WG can
>>>>> explain somewhat better, possibly as part of the spec itself, the
>> rationale of
>>>>> using counter-intuitive yes/ no/ undefined to express that
>> three-valued value.
>>>>>
>>>>>
>>>>> Best
>>>>> Ale
>>>>> --
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> dmarc mailing list
>>>>> dmarc@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>>
>>>> _______________________________________________
>>>> dmarc mailing list
>>>> dmarc@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>
>>> _______________________________________________
>>> dmarc mailing list
>>> dmarc@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dmarc
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> 
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email