IETF Logo Mail Archive

Re: [dmarc-ietf] NXDOMAIN

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 08 April 2021 12:02 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B4083A1430 for <dmarc@ietfa.amsl.com>; Thu, 8 Apr 2021 05:02:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQ-XQVBXYA1d for <dmarc@ietfa.amsl.com>; Thu, 8 Apr 2021 05:02:27 -0700 (PDT)
Received: from mail-vk1-xa31.google.com (mail-vk1-xa31.google.com [IPv6:2607:f8b0:4864:20::a31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B28723A142F for <dmarc@ietf.org>; Thu, 8 Apr 2021 05:02:27 -0700 (PDT)
Received: by mail-vk1-xa31.google.com with SMTP id k27so442748vki.2 for <dmarc@ietf.org>; Thu, 08 Apr 2021 05:02:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mWggbpmcui4QQTokqrxnC+4e6hdbkdk6ggVsNK1cBD4=; b=ZmwG0NkXshF6RT8fDwRG2un/2WGRxSXEXfDdpVKMeSQZ0cwt/444EYtcLyBHWFwkju 4o3WjF5CI9JSW1y/5y+HoT8yZzjP26ad9L59vubuNA1O8zE+13m2OnObYufr+rvPf7N4 8NIfiXJWm2IfC5Ad3bLjfLVyRPQeO6jVtF5ZI7HT6MwJjDDYtWQ0Wh7gQ3eEtOBfixfa SZBTl1F/4HtNykuaTijBzmqzsJmdWlCrji/IXufGJRRGgCBHl0LLRf5cNKySy/XuAttT zEEWlAFzIGnFZFLmuZI/kxJapdXHN9nTWrGYkdlU0o3TxZBfxKYKDVUW9qjxi/jF/xMz ziBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mWggbpmcui4QQTokqrxnC+4e6hdbkdk6ggVsNK1cBD4=; b=RwQwu/yedjL1wGYhM6bwbkGc4ggnKJ0Ab8JYmPYQ2WuP/f/eqj5NAeoiFh+BV8LXoU GVuedx90q7q9vnJxv9DI+eQA++06hg8OKUBhYn61uJoJRIDgFTftaBYzf4I42vfpMus9 OJ0/Xi8vWrp/BvAxlwEMvS13mKonnNUxqmp79AKfOLDWN6kD0wLwomGCvrl9NJ+tnNes wswfqq55zrlze4x3koJex98XNEO+/Bftk52CjvmmhqlADT5GVoMBnBvvnAz5bvUyuTIi /d2ArUtI6ifVdMxCE5kovKK48F86ySbXjUMVy9iwbA4pQcyn6CzMxsZVF/UjzpILGuRm 4XWg==
X-Gm-Message-State: AOAM530vXtVz1z+sqeMHKm2GakF85vkgZ+d0cPgRQSjLUY3fPn2nmosa 2ilnWutbQm2SxnLOlBJFET9msgenRCcJUwiK9G8=
X-Google-Smtp-Source: ABdhPJyU6shXJdWUcHLAWI584p0YL0/W5/grFysC+ef9jmwsVpGSnjgIKM38XWcahxdSs8gG+mZ0NAUPSJlJbk3b+Gc=
X-Received: by 2002:a1f:5504:: with SMTP id j4mr5207995vkb.7.1617883346002; Thu, 08 Apr 2021 05:02:26 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48ZfxjotxU8G4ZucGTqERP0ZXSF8i9EH9vvQyi2SacbPxvvw@mail.gmail.com> <CAL0qLwa-ZkwxF=-9T42_d-pPrmVpMTZ0gMyq+4i1zXrZGPK1fQ@mail.gmail.com> <CAH48Zfx6mdmwiBtD0nRKMsuxwPkh7Wm7aX_qdUEt=4+OM6DG2g@mail.gmail.com> <CAL0qLwYmu20PB-HRjLNtnuykoJDerQ2NryEc5SdBD759Muoc7Q@mail.gmail.com> <CAH48Zfy6Qrp7etxvC6oieQORy8nfNdDF7Kju5hwDZOG2tEarPg@mail.gmail.com> <CAL0qLwbe2y3y=6+UvcdqeAYFs41mPwLtXOjMVSD-Gj5D24WUZw@mail.gmail.com>
In-Reply-To: <CAL0qLwbe2y3y=6+UvcdqeAYFs41mPwLtXOjMVSD-Gj5D24WUZw@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 08 Apr 2021 08:02:15 -0400
Message-ID: <CAH48Zfzo=VspGD5EuJHEnMTsDU77p5_+Jqzm=DAbZS_zQ4s_0w@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000020674005bf74d230"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/XNWfJdkYHBFiZbS0MHDEaDSIhs0>
Subject: Re: [dmarc-ietf] NXDOMAIN
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Apr 2021 12:02:30 -0000

NXDOMAIN and Return-Path-Check are two different ways of identifying
non-existent domains.    I believe NXDOMAIN to be the better one, but since
the group seemed to be in love with return-path-check, I was willing to go
there.    Whichever one could solve the problem best, the issue for us is
that the problem has not been solved.

Prior to PSD for DMARC, the IETF role in sender authentication could be
summarized as follows:

"An attacker may seek to hide his own reputation and acquire a better one
by impersonating another domain.  This is of interest to IETF and has been
addressed by the specifications for SPF and DMARC.  An attacker may also
seek to hide his own reputation and acquire a neutral one by impersonating
a non-existent domain.   This is of no interest to IETF.;"

This dichotomy is hard to defend.   It has been made worse by embracing PSD
for DMARC.   The statement must now be revised to say:

"IETF is interested in attacks of the form
'otherdomain.nonexistentdomain.psd', but IETF is not interested in attacks
of the form 'nonexistentdomain.otherdomain.psd'.

Todd's comments suggest that the whole issue of non-existent domains is a
non-problem because everybody who matters is already well protected from
non-existent domains, because they have implemented non-IETF tests such as
return-path-check.    If this were true, attackers would move on to other
strategies and PSD for DMARC would have no advocates.

When we start using ARC to accept results which cannot be independently
tested, we need to know what tests were peformed.   Since address rewrite
can eliminate the ability to reproduce earlier tests for NXDOMAIN or
Return-Path, it must be part of the ARC results.  The success of ARC
depends on having this information included, and the success of "new" DMARC
has been tied to ARC.

Non-existent domain usage is not a minor issue and not an issue that is
already solved.   It is the elephant in the room, and it needs to be
addressed.

Doug


On Thu, Apr 8, 2021 at 1:06 AM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> Further to what Todd said:
>
> On Wed, Apr 7, 2021 at 5:04 AM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> I am hearing that we have a defacto standard to check return-path using
>> MX/A/AAAA.  It is implemented with sufficient breadth,that (unlike SPF)
>> senders should consider it mandatory.    Additionally, and more importantly
>> for this group, it is presumed to be equally applicable for validation of
>> the RFC5322.From, even though that address is unrelated to the
>> SMTP return-path.  But because the test is not explicitly documented, some
>> products (my vendors) do not implement it at all, leaving a protection gap.
>>
>
> I think I'm confused about how this ties to DMARC.  What you're describing
> is, I believe, a common anti-spam tactic that was in use even before SPF or
> DKIM were a thing.  It probably still is, irrespective of those protocols.
>
> However, RFC 7489's Appendix A.4 points out that earlier versions of DMARC
> had such a test, but it was removed because of too many false negatives.
>
>
>> If DMARC is to be dependent on return-path-check and inter-dependent with
>> ARC, then I do not see how we can avoid producing a formal specification
>> for the test and integrating it into A-R, as a co-requisite to the DMARC
>> specification.
>>
>
> How is DMARC dependent on a return path check?  SPF is, but DMARC isn't.
> DMARC only cares what the SPF result was, and whether the domain it
> evaluated is aligned with the RFC5322.From domain.  In fact, a DMARC filter
> could operate correctly with no knowledge of what the return path was,
> provided the A-R fields are correct and complete.
>
> Another perspective: If the RFC5322.From domain doesn't exist, it's not
> possible for a DMARC policy to be discovered for it, nor is it possible
> that SPF or DKIM will pass for it or align to it.  Therefore, is such a
> domain even in scope here, much less a need to describe a way to test it?
>
> -MSK
>

v2.23.0 | Report a Bug | By Email