Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

Tim Wicinski <tjw.ietf@gmail.com> Thu, 14 March 2024 21:48 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7114C151547 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 14:48:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tEWUKIalUn7 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 14:48:49 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4ABEC14F69A for <dmarc@ietf.org>; Thu, 14 Mar 2024 14:48:49 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-a46682e71a9so160280766b.3 for <dmarc@ietf.org>; Thu, 14 Mar 2024 14:48:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710452928; x=1711057728; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hIsk6+ba/aQlfwy+ayzgAlJIW9Hpg2EHaEIRad/pqRc=; b=U6l090f3E/17zqESTxhv9xDb47K+q7sMHDDXxO/OrNdxpCWAQWfPRBBou/0LGmy7fa xk3YjDMRebXGHYw4yaf1LyeVmMfZxWUNB4sXPtVeAVMuLFpQVRTDsfr32GB6bqS3woKQ eYudqXYngMVQ/bkR0kpvsykrLt80p0DwwgBHrIKP36wTtx0+D6JPPr1NY/HSfFo0raPx 5TqR0MUT4FrEQBpdvUzMphD00Z/eYgEVr5zgj3CLzOFZaHo58Tqt96G2MEGuiIBWvnhf zXH6y8B6vwzCi/dvzUsDN3tfJaFdnoJdDxMQk/tGx8tE91xi4Z0uVHIUgv3E9QT0rd7Z zU9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710452928; x=1711057728; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hIsk6+ba/aQlfwy+ayzgAlJIW9Hpg2EHaEIRad/pqRc=; b=n3tzPBvLtQwvnx2DYsi2kwiej4ahhRy5tehtaMW9kbHQ3wc0Zybs7BIpxVReTu9/RL KKjF/GKuPWXtr/Lk6CRa+C2fEY+eMf5IbIrbw0fL88gWi3Mm+qsmrlHnRYSLwYxpvKR1 8dXMAHNbuc/ZOjgl6nIDnVOJGDC8uDU4dRugQoj0L+Z2mJ+5LdFcBkbQY6I4ogw8EC4T KQVpMGnIYFm0Xb0Jsme6huujH6/xDBSz5n7rn1zyPfose0iyRUqXHo7K/i6CC6YzTtvR 7eYo+C0j/ClbThwBud8H0vxOp0K5RiX3RBTxAnm/2q7McMFaT1v8tXLnm19kjBwJ/Q7t rZng==
X-Gm-Message-State: AOJu0YwoNaVpjJ85HnMfPNE6ozaTJ6dsIr6ifxuDzBjoI1iv7TlLEX+v ij3Sekod5MS4XzL2TXvuinmh7d1k0WraUNLGhjKZVj4h8LRSKsRydGcDPegf/l3CvlkTiAl1Vtt wwrd+FlQflMlLS6gMa8byNkZbY5kYJvdOKlY=
X-Google-Smtp-Source: AGHT+IEe4MLSWS/miluY8Bo4SGX6s9HL8VFwago4zMIOfbcE9wBay55ZaYTjvqYS23SWG4fRiQUWC4MyX6IbKqCqx8U=
X-Received: by 2002:a05:6402:3cf:b0:568:32f7:6c55 with SMTP id t15-20020a05640203cf00b0056832f76c55mr1595819edw.9.1710452927709; Thu, 14 Mar 2024 14:48:47 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8kip_p+n56=Y5WuVG2M_+HXHj51fyY3k6dx-itJRZkCpQ@mail.gmail.com> <B18FD596-D342-4569-8A23-3E01B137DDDA@kitterman.com> <CAHej_8=+fHDstBHCzS54cr5dmGo=XfyXy0wzaS6gY6WokpF_Lg@mail.gmail.com> <791cdf24-011d-4cd1-83cd-79d438f3020d@tekmarc.com> <CAHej_8my0_2y5NqsqawiH3x1S5Xn14eGXGYDNfHmPOWu585TKw@mail.gmail.com> <d87d4fd3-2a28-49a9-b427-b11e2f14b984@tekmarc.com> <CAHej_8knzL1TTEGP4p31+9JKb8qwqGPc-OO3AieYocGtzp9pTg@mail.gmail.com>
In-Reply-To: <CAHej_8knzL1TTEGP4p31+9JKb8qwqGPc-OO3AieYocGtzp9pTg@mail.gmail.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 14 Mar 2024 17:48:35 -0400
Message-ID: <CADyWQ+HwG7m4DL+s+gO=cVGB8ZhKU+4EfW-0s6tdqqjvCsqrkw@mail.gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="000000000000294fad0613a5db29"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_LMLPlvFZ2MZWT6TpJvriaPjcjI>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 21:48:53 -0000

"Explaining how DNS works is out of scope."

Scott is right.

Also, some folks use something other than CNAME:

$ dig +noall +answer _dmarc.valimail.com ns
_dmarc.valimail.com. 300 IN NS ns.vali.email.

$ dig +noall +answer _dmarc.valimail.com txt
_dmarc.valimail.com. 595 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email,mailto:dmarc.reports@valimail.com"

On Thu, Mar 14, 2024 at 5:12 PM Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:

> On Thu, Mar 14, 2024 at 5:05 PM Mark Alley <mark.alley=40tekmarc.com@dmarc.ietf.org> wrote:
>
>> On 3/14/2024 3:49 PM, Todd Herr wrote:
>>
>> On Thu, Mar 14, 2024 at 4:43 PM Mark Alley <mark.alley=40tekmarc.com@dmarc.ietf.org> wrote:
>>
>>> On 3/14/2024 3:38 PM, Todd Herr wrote:
>>>
>>> On Thu, Mar 14, 2024 at 4:34 PM Scott Kitterman <sklist@kitterman.com> wrote:
>>>
>>>>
>>>> I think this is correct.  I think it's obviously enough correct that
>>>> I'm surprised anyone was confused.
>>>>
>>>> Do we know what the theory was that led people to think otherwise?
>>>>
>>>> Seems to me we don't really need this, but maybe there's a reason.
>>>>
>>>>
>>> The reasons given were:
>>>
>>>    1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1
>>>    2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5
>>>    3. Neither RFC 7489 nor DMARCbis contains the phrase "CNAME", so if
>>>    it's not explicitly mentioned...
>>>
>>> Granted, the first two citations are in regards to DKIM records, not
>>> DMARC records, but those were the reasons given.
>>>
>>> Couldn't hurt to clarify explicitly, I'm for it. Domain owners have been
>>> using CNAMEs with DMARC TXT RRs pretty much since its inception.
>>>
>> I agree that clarifying it can't hurt, obviously, but I was quite
>> surprised to hear that CNAMEs were being published for DMARC records, as
>> I'd never seen one. On the other hand, I've seen *lots* of DKIM public keys
>> published as CNAMEs, which I'm sure just wrecks the person citing DKIM RFCs
>> as a reason that DMARC records can't be CNAMEs.
>>
>>
>> Domain owner use cases with DMARC CNAMEs boil down to really either of 2
>> things:
>>
>>    - Single point of policy management for orgs with dozens, hundreds,
>>    or thousands of domains to manage DMARC on, and also applicable to RUA/RUF
>>    addresses.
>>    - Delegation to a third-party for management, similar to DKIM CNAMEs
>>    as you noted that are popularly in use by many ESPs for vendor-managed key
>>    rotation.
>>
>>
> Yup, I grok the use cases. I just hadn't thought of them prior to this
> discussion.
>
> --
>
> Todd Herr | Technical Director, Standards & Ecosystem
> Email: todd.herr@valimail.com
> Phone: 703-220-4153
>
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
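The point made above is that a DMARC record is simply the TXT RRset found at _dmarc.<domain>, and how that name is reached (a plain TXT owner, a CNAME alias to a vendor-managed record, or a child zone delegated with NS as in the valimail.com dig output) is invisible to the querier: the resolver follows the CNAME per RFC 1034 and the receiver applies the RFC 7489 section 6.6.3 selection rules to whatever TXT strings come back. The following is an added example written for this page, not code from the thread or from any of the participants. It runs against a constructed in-memory zone under the reserved .example TLD instead of live DNS, so every owner name, CNAME target and policy below is an assumption made up for the demonstration.

```python
"""DMARC policy discovery over a constructed zone (added example, not from the thread).

lookup_txt() behaves like a stub resolver's view of a TXT query: if the owner
name is a CNAME, the alias is followed (RFC 1034 s3.6.2), with a hop cap and
loop detection. discover_policy() then applies RFC 7489 s6.6.3: discard TXT
strings that do not start with "v=DMARC1", require exactly one to remain,
and fall back to p=none when "p" is missing but "rua" is usable.
Org-domain fallback is deliberately out of scope here.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data (assumption for this example, not real DNS):
# owner name -> list of (rrtype, rdata). Names are fully qualified.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    # ordinary record at the expected owner name
    "_dmarc.direct.example.": [("TXT", "v=DMARC1; p=reject; rua=mailto:agg@direct.example")],
    # CNAME to a vendor-managed record (the delegation use case from the thread)
    "_dmarc.alias.example.": [("CNAME", "policy.dmarc-vendor.example.")],
    # two-hop chain ending at the same vendor record
    "_dmarc.chain.example.": [("CNAME", "_dmarc.alias.example.")],
    # the shared target also carries an unrelated TXT string, which must be ignored
    "policy.dmarc-vendor.example.": [
        ("TXT", "v=DMARC1; p=quarantine; pct=50; rua=mailto:agg@dmarc-vendor.example"),
        ("TXT", "unrelated-site-verification-token"),
    ],
    # misconfigurations a receiver must survive
    "_dmarc.loop.example.": [("CNAME", "_dmarc.loop2.example.")],
    "_dmarc.loop2.example.": [("CNAME", "_dmarc.loop.example.")],
    "_dmarc.dup.example.": [("TXT", "v=DMARC1; p=none"), ("TXT", "v=DMARC1; p=reject")],
    "_dmarc.nop.example.": [("TXT", "v=DMARC1; rua=mailto:agg@nop.example")],
}

MAX_CNAME_HOPS = 8  # resolvers bound chain length; a real cap varies by implementation


def lookup_txt(name: str, zone: Dict[str, List[Tuple[str, str]]] = ZONE) -> List[str]:
    """Return the TXT rdata at `name`, following CNAMEs like a resolver would.

    Raises ValueError on a CNAME loop or an over-long chain. A CNAME owner
    may not hold other data (RFC 1034), so the presence of a CNAME means
    the query is answered from the target instead.
    """
    seen = set()
    for _ in range(MAX_CNAME_HOPS):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = zone.get(name, [])
        cnames = [rdata for (rtype, rdata) in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # only one CNAME may exist at a name; follow it
            continue
        return [rdata for (rtype, rdata) in rrs if rtype == "TXT"]
    raise ValueError(f"CNAME chain longer than {MAX_CNAME_HOPS} hops")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def discover_policy(domain: str, zone: Dict[str, List[Tuple[str, str]]] = ZONE) -> Optional[Dict[str, str]]:
    """RFC 7489 s6.6.3 discovery for the exact domain; None means 'no DMARC processing'."""
    name = f"_dmarc.{domain.rstrip('.')}."
    try:
        txts = lookup_txt(name, zone)
    except ValueError:
        return None  # unresolvable alias: treat as no record
    candidates = [t for t in txts if t.startswith("v=DMARC1")]
    if len(candidates) != 1:
        return None  # zero or multiple DMARC records: discovery terminates
    rec = parse_dmarc(candidates[0])
    if rec.get("p") not in ("none", "quarantine", "reject"):
        # s6.6.3 step 6: a usable rua lets the receiver act as if p=none
        if rec.get("rua", "").startswith("mailto:"):
            rec["p"] = "none"
        else:
            return None
    return rec


if __name__ == "__main__":
    for d in ("direct", "alias", "chain", "loop", "dup", "nop", "missing"):
        print(f"{d}.example -> {discover_policy(d + '.example')}")
```

The alias and chain cases resolve to the same quarantine policy as a direct lookup of the vendor record would, which is the whole argument of the thread; the loop, duplicate and missing-p cases show the failure modes a receiver has to handle regardless of how the record was published. An NS-delegated _dmarc name, as in the valimail.com output, needs no special handling at all: from the querier's side it is just a TXT answer.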