Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

Scott Kitterman <sklist@kitterman.com> Thu, 14 March 2024 20:34 UTC

Date: Thu, 14 Mar 2024 20:33:40 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <CAHej_8kip_p+n56=Y5WuVG2M_+HXHj51fyY3k6dx-itJRZkCpQ@mail.gmail.com>
References: <CAHej_8kip_p+n56=Y5WuVG2M_+HXHj51fyY3k6dx-itJRZkCpQ@mail.gmail.com>
Message-ID: <B18FD596-D342-4569-8A23-3E01B137DDDA@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_zqqq88uoBDJ5mlz_ZcQEch5RC8>


On March 14, 2024 8:18:31 PM UTC, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
>Colleagues,
>
>There was a discussion among M3AAWG members on March 13 that centered on
>the question of whether DMARC records can be published in DNS as CNAMEs,
>e.g.,
>
>_dmarc.example.com IN CNAME _dmarc.example.org
>
>_dmarc.example.org IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org;"
>
>Section 3.6.2 of RFC 1034 seems to indicate that it is permissible to
>publish DMARC records in this fashion, and describes the following scenario
>using a CNAME record and an A record:
>
>For example, suppose a name server was processing a query with for USC-ISIC.ARPA,
>asking for type A information, and had the following resource records:
>
>USC-ISIC.ARPA   IN      CNAME   C.ISI.EDU
>
>C.ISI.EDU       IN      A       10.0.0.52
>
>Both of these RRs would be returned in the response to the type A query,
>while a type CNAME or * query should return just the CNAME.
>
>I recommend adding a paragraph to DMARCbis, section 5.1 DMARC Policy Record
>at the end of that section that reads:
>
>Per RFC 1034 section 3.6.2, a DMARC record MAY be published as a CNAME
>record, so long as the corresponding canonical name ultimately resolves to
>a TXT record so as to ensure that queries of type TXT return a DNS RR in
>the expected format.
>
>Issue 136 has been opened for this.
>

I think this is correct.  I think it's obviously enough correct that I'm surprised anyone was confused.

Do we know what the theory was that led people to think otherwise?

Seems to me we don't really need this, but maybe there's a reason.

Scott K
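The CNAME-to-TXT resolution that the quoted proposal relies on, worked through as an added example that is not part of this thread and not code from any DMARC implementation: a small in-memory resolver answers a TXT query for _dmarc.<domain> the way RFC 1034 section 3.6.2 describes (return the CNAME RR, restart at the canonical name, return what that name holds), and a verifier then applies the checks that matter at the end of the chain. The zone data, the MAX_CNAME_CHAIN limit and every function name below are constructed for the example; the domains are RFC 2606 reserved example names, not real deployments.

```python
"""Added example (not from the mailing-list thread): how a TXT query for
_dmarc.<domain> behaves when that name is a CNAME, and what a DMARC
verifier should check once the CNAME chain has been followed.

All zone data here is constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed zone: owner name -> list of (rrtype, rdata). Names are fully
# qualified (trailing dot) as a resolver would store them.
ZONE = {
    # The case from the proposal: the DMARC name is a CNAME to another zone.
    "_dmarc.example.com.": [("CNAME", "_dmarc.example.org.")],
    "_dmarc.example.org.": [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org;")],
    # A CNAME whose target publishes nothing: the TXT query returns only the CNAME.
    "_dmarc.dangling.example.": [("CNAME", "_dmarc.nowhere.example.")],
    # A CNAME loop: a resolver must stop rather than follow it forever.
    "_dmarc.loop-a.example.": [("CNAME", "_dmarc.loop-b.example.")],
    "_dmarc.loop-b.example.": [("CNAME", "_dmarc.loop-a.example.")],
    # The target exists but its TXT data is not a DMARC record.
    "_dmarc.wrongtype.example.": [("CNAME", "verify.example.net.")],
    "verify.example.net.": [("TXT", "site-verification=placeholder")],
}

MAX_CNAME_CHAIN = 8  # assumed limit for the example; real resolvers also cap chain length


@dataclass
class TxtAnswer:
    chain: list = field(default_factory=list)   # (owner, canonical) CNAME RRs returned with the answer
    txt: list = field(default_factory=list)     # TXT rdata found at the final canonical name
    error: Optional[str] = None


def query_txt(zone, qname):
    """Answer a type TXT query as RFC 1034 3.6.2 describes: while the queried
    name owns a CNAME, include that CNAME RR and restart at the canonical
    name; stop at the first name with no CNAME and report its TXT data."""
    ans = TxtAnswer()
    name = qname if qname.endswith(".") else qname + "."
    seen = set()
    while True:
        if name in seen or len(ans.chain) >= MAX_CNAME_CHAIN:
            ans.error = "CNAME loop or chain too long"
            return ans
        seen.add(name)
        rrs = zone.get(name, [])
        cnames = [rdata for rrtype, rdata in rrs if rrtype == "CNAME"]
        if cnames:
            ans.chain.append((name, cnames[0]))
            name = cnames[0]
            continue
        ans.txt = [rdata for rrtype, rdata in rrs if rrtype == "TXT"]
        return ans


def fetch_dmarc(zone, domain):
    """Return (record, None) for the domain's DMARC policy record, or
    (None, reason) when there is none to apply. Only TXT data beginning with
    'v=DMARC1' counts, regardless of which name the CNAME chain ended at."""
    ans = query_txt(zone, "_dmarc." + domain)
    if ans.error:
        return None, ans.error
    records = [t for t in ans.txt if t.strip().lower().startswith("v=dmarc1")]
    if not records:
        return None, "no DMARC record at end of chain"
    if len(records) > 1:
        # RFC 7489 section 6.6.3: several remaining records mean no policy is applied.
        return None, "multiple DMARC records"
    return records[0], None


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


if __name__ == "__main__":
    for domain in ("example.com", "dangling.example", "loop-a.example", "wrongtype.example"):
        ans = query_txt(ZONE, "_dmarc." + domain)
        record, reason = fetch_dmarc(ZONE, domain)
        print(domain, "chain:", ans.chain, "policy:", parse_dmarc(record).get("p") if record else reason)
```

For example.com the answer carries both the CNAME RR and the TXT at the canonical name, which is the TXT-query analogue of the A-record scenario quoted from RFC 1034. The other three entries show why the proposed wording says the canonical name must "ultimately resolve to a TXT record": a CNAME that ends at nothing, at a loop, or at non-DMARC data leaves the receiver with no policy to apply, so the domain silently gets no DMARC treatment. One operational caveat follows from the same mechanics: whoever controls the zone the CNAME points into controls the published policy and the reporting addresses, so a CNAME into another organization's zone is a delegation of trust that should be reviewed like any other.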