IETF Logo Mail Archive

Re: [dmarc-ietf] Final, I hope, tweaks to the tree walk

Alessandro Vesely <vesely@tana.it> Wed, 29 June 2022 17:13 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14E3DC15790B for <dmarc@ietfa.amsl.com>; Wed, 29 Jun 2022 10:13:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.004
X-Spam-Level:
X-Spam-Status: No, score=-4.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b=FuXXYA0X; dkim=pass (1152-bit key) header.d=tana.it header.b=BHlunYF8
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8qzpDF99798u for <dmarc@ietfa.amsl.com>; Wed, 29 Jun 2022 10:13:18 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A274C147930 for <dmarc@ietf.org>; Wed, 29 Jun 2022 10:13:16 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1656522795; bh=UDF58wjuOTBjMGRpJ8slZLWmMqFsCwFLBRKxmRtvjfo=; h=Date:Subject:To:References:From:In-Reply-To; b=FuXXYA0XodA2sMJVWJGjmVSdXVuqQT1f/A//MT2AUXQWugwX/OoSM/FYXyPjZH6L/ b1cBFhi4tzXg7PpycQJCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1656522795; bh=UDF58wjuOTBjMGRpJ8slZLWmMqFsCwFLBRKxmRtvjfo=; h=Date:To:References:From:In-Reply-To; b=BHlunYF8ITrwiRnfCINUQUo3xAglus42t6QAWZUxlRn+OGdMfArRGjROgOMOdhjFT 91H3eV1swovkHEZY7mqyIvrHK5X7uPCfghl/MQnrkivhjQ8oG5Zap5PUWIvsEYt44j PSI7DksMrTR7SWwe3TxvyfPxiUJj2pov8ESERuIL9Z+gKUf3EBCU2WLAYj+Vy
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC076.0000000062BC882A.00004304; Wed, 29 Jun 2022 19:13:14 +0200
Message-ID: <3483c07f-830e-0c81-0a34-5653c654e5ca@tana.it>
Date: Wed, 29 Jun 2022 19:13:14 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: dmarc@ietf.org
References: <20220626154211.6893F4452D0F@ary.qy> <2bc4e123-8711-7538-599e-727d8ea9caff@tana.it> <bedf51e9-6fe6-d52b-1083-bac67d8906ea@taugh.com> <be56e041-d588-c8e7-bd37-bf2858773b75@tana.it> <ED978D2A-ADD1-4FFA-B101-239D333019CB@kitterman.com> <7b584f9f-1e03-93f7-bb8a-0a899dfdfe8c@tana.it> <05C14229-67E4-475E-AD2E-0421E122BEA5@kitterman.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <05C14229-67E4-475E-AD2E-0421E122BEA5@kitterman.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/XelTLN68Ptk3fGqlhh2lk1UXmjg>
Subject: Re: [dmarc-ietf] Final, I hope, tweaks to the tree walk
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2022 17:13:25 -0000

On Wed 29/Jun/2022 12:40:36 +0200 Scott Kitterman wrote:
> On June 29, 2022 10:16:00 AM UTC, Alessandro Vesely <vesely@tana.it> wrote:
>>On Tue 28/Jun/2022 18:46:18 +0200 Scott Kitterman wrote:
>>> On June 28, 2022 4:33:15 PM UTC, Alessandro Vesely <vesely@tana.it> wrote:
>>> 
>>>> What can one find continuing the walk after psd=y?
>>>> 
>>>> For example, let's consider an imaginary bank, com.bank, say.  They use that domain as corporate domain, and have a DMARC record.  They also delegate zones to local subsidiaries.  One of them, uk.com.bank in turn delegates to other banks in the UK and sends mail like uk.com.  So you may end up having a DMARC record at each level:
>>>> 
>>>> bank -> psd=y,
>>>> com.bank -> psd=n or psd=u (for private use),
>>>> uk.com.bank -> psd=y.
>>>> 
>>>> Does our model support that?  How else should they set their records up?
>>> 
>>> I think that's sufficiently obscure that I doubt we care, but I think it is supported just fine.
>>> 
>>> The only nuance is that in this scenario, mail that is 5322.from uk.com.bank would have to use 5321.mailfrom and DKIM d= uk.com.bank.  Subdomains wouldn't align, which I think is fine.
>>
>>
>>However, if you continue the tree walk after uk.com.bank, you'll find the org domain is com.bank.  That way, d=whatever.com.bank in a signature would be aligned, which is not correct.
> 
> Why is it not correct?  If it shouldn't be used for alignment, then come.bank should have psd=y.


Hm... not sure.  Say you want full usage for your domain, including alignment. 
  Then you publish psd=n or u.  Delegations are done from subdomains which 
publish psd=y.  This is a logic similar to that sometimes used by mailing lists 
hosted at a domain --using @lists.example.com rather than @example.com directly.

The point is that there can be a domain with a DMARC record with psd!=y after 
one with psd=y.


>>> The operational distinction between a PSD and a non-PSD is that subdomains of a PSD are different organizations and subdomains of non-PSDs are part of the same organization.  I believe that's the correct distinction.
>>
>>Yes.
> 
> If uk.com.bank is a part of com.bank as an organization, then alignment with other subdomains within com.bank is appropriate.  If they aren't, then come.bank's record is wrong.


Uk.com.bank should've been just the base domain for UK branches of the 
commercial bank, perhaps london.uk.com.bank and the like, each one 
administratively independent of the central com.bank.  Uk.com.bank weren't 
supposed to use their domain to send mail, but they did.  This is similar to 
uk.com restricted to bank subjects.

Recall that sites like uk.com are the reason why we cannot just assume that 
PSDs cannot have MX records.


> I think you have answered the question you asked John regarding why not stop if psd=y in step 2.  The current process produces a more logically consistent result than if that constraint were added (in this admittedly contrived case).


Did I?  I don't understand John's pet example.  Why would cats.petlovers.com 
set psd=y, by mistake?  If cats and dogs have antagonistic instincts toward 
each other, perhaps they shouldn't be associated under the same administration.

Yes, the example is contrived, but since there are no rules limiting delegation 
to third parties, we cannot be sure how subdomains are going to evolve.


Best
Ale
--

v2.23.0 | Report a Bug | By Email