IETF Logo Mail Archive

Re: [dmarc-ietf] Been Quiet Around Here - Org Domain? Tree Walk?

Scott Kitterman <sklist@kitterman.com> Wed, 06 April 2022 13:23 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9AF13A1BCA for <dmarc@ietfa.amsl.com>; Wed, 6 Apr 2022 06:23:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=w4bqjLEm; dkim=pass (2048-bit key) header.d=kitterman.com header.b=gMGqytYg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nkDUTz5ttDVh for <dmarc@ietfa.amsl.com>; Wed, 6 Apr 2022 06:23:43 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0848A3A1BBF for <dmarc@ietf.org>; Wed, 6 Apr 2022 06:22:58 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 58B52F80298 for <dmarc@ietf.org>; Wed, 6 Apr 2022 09:22:54 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1649251374; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=X9DheJzAq561VSgkTn7lzo0E73f5T7h4Hw7566V9JUg=; b=w4bqjLEmzcAkoMVbwo1EcBGXdqdmF2G/zsuUbMKSEJINGy5LYUqMTAADnZWTL2v6EpPBD 4ie+X0/8J8S4tvEDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1649251374; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=X9DheJzAq561VSgkTn7lzo0E73f5T7h4Hw7566V9JUg=; b=gMGqytYg6Uh0dZDVmTLbMdW2cuXrHZPjr8HkyevyV/khNXUeZxeUn8q6WPJqgpLhx/bSU iff1XreEfxhP8i6vuU8mJbLbh2JNa3b45+SxkCVbqNFbHNQGGcv7e2Ov0eweoMOz8XrLc/s HnmckJaBjEznwKtKbtBDZULxqE6ZzZGxxfbliKZPnkgb206YxXliUldy+HTsmiwkk06OXRz R+eY3ByEWi8LxV7YVmMz2+nw7ARKikjFmzufKR0+Z3YJf+nq2XWZCUYyLAi+qpJsLnUkgMZ MoyNgyO26pR98h4FVPzTXV5WiskcGblLxI//N2GKtUVpiVSvgMpDR5FURVlg==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 39D05F801B7 for <dmarc@ietf.org>; Wed, 6 Apr 2022 09:22:54 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Wed, 06 Apr 2022 09:22:53 -0400
Message-ID: <1741686.IyTgDu5SPi@zini-1880>
In-Reply-To: <59591b94-9428-be13-0219-16c28fba23b5@tana.it>
References: <20220317195040.E6EFD3954931@ary.qy> <15132233.jvnO6Z6p63@zini-1880> <59591b94-9428-be13-0219-16c28fba23b5@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/cc0f_y3UH9GpBn1VS9Jjk20PxF0>
Subject: Re: [dmarc-ietf] Been Quiet Around Here - Org Domain? Tree Walk?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2022 13:23:57 -0000

On Wednesday, April 6, 2022 6:05:53 AM EDT Alessandro Vesely wrote:
> On Wed 06/Apr/2022 00:44:50 +0200 Scott Kitterman wrote:
> > On Monday, April 4, 2022 1:39:35 PM EDT Alessandro Vesely wrote:
> >> On Mon 04/Apr/2022 15:14:07 +0200 Scott Kitterman wrote:
> >>> On Sunday, April 3, 2022 12:15:23 PM EDT Alessandro Vesely wrote:
> >>>> On Mon 21/Mar/2022 23:02:03 +0100 Scott Kitterman wrote:
> >>>>> On March 21, 2022 5:42:42 PM UTC, Alessandro Vesely <vesely@tana.it> 
wrote:
> >>>>>> According to the definition, two identical domains having psd=y
> >>>>>> are in strict alignment but not in relaxed alignment, which is
> >>>>>> somewhat counterintuitive.
> >>>>> 
> >>>>> Actually, no:
> >>>>> 
> >>>>> "If this process does not determine the Organizational Domain, then
> >>>>> 
> >>>>>     the initial target domain is the Organizational Domain."
> >>>>> 
> >>>>> This text in DMARCbis06 addresses that case.
> >>>> 
> >>>> While that's true, it could be possible to revise the comparison
> >>>> process so as to account for identical domains.  In that case, we
> >>>> could avoid to call Organizational Domain one with no DMARC record.
> >>> 
> >>> I thought I had covered this already in Section 4.8.  I'll add it to the
> >>> list in the note.
> >> 
> >> Yeah, the text you wrote Sunday night looks better.  I'd say:
> >>     If this process does not determine the Organizational Domain, then
> >>     there is no Organizational Domain.
> >> 
> >> That requires rewording the definitions of relaxed alignment.
> 
> (Besides, we have too many definitions of alignment.)
> 
> > So far, I don't think we've messed with those definitions.  I'd prefer not
> > to change them.
> 
> The point is to not have conflicting definitions.  It can be acceptable that
> the algorithm to determine the org domain finds none, if there is no org
> domain.  Currently, the org domain found by the algorithm is not
> necessarily PSD + 1.  So, it is not what we defined to be the org domain. 
> Isn't this messed up?

There are some definitional issues we need to straighten out (but not, IMO, 
ones that need to be addressed before the next revision is published.

Food for thought:

> 3.2.4.  Identifier Alignment
> 
>    When the domain in the address in the RFC5322.From header field has
>    the same Organizational Domain as a domain verified by an
>    authenticated identifier, it has Identifier Alignment. (see
>    Section 3.2.7)

An implication of that definition is that if there is no organizational domain, 
there is no alignment.  Even if 5322.From, 5321.MailFrom, and d= are the same, 
if there is no organizational domain, they are not aligned.  I think this is 
fine.  This is the reason why I added the fallback that if you don't find an 
organizational domain, the original domain is the organizational domain.

> 3.2.7.  Organizational Domain
> 
>    The Organizational Domain is typically a domain that was registered
>    with a domain name registrar.  More formally, it is any Public Suffix
>    Domain plus one label.  The Organizational Domain for the domain in
>    the RFC5322.From domain is determined by applying the algorithm found
>    in Section 4.8.

I think the second and third sentences in the current Organizational Domain 
definition conflict.  I think the second sentence should be deleted (it's not 
essential, but I believe this could be done for the next revision).

> 3.2.8.  Public Suffix Domain (PSD)
> 
>    The global Internet Domain Name System (DNS) is documented in
>    numerous RFCs.  It defines a tree of names starting with root, ".",
>    immediately below which are Top-Level Domain names such as ".com" and
>    ".us".  The domain name structure consists of a tree of names, each
>    of which is made of a sequence of words ("labels") separated by
>    period characters.  The root of the tree is simply called ".".  The
>    Internet community at large, through processes and policies external
>    to this work, selects points in this tree at which to register domain
>    names "owned" by independent organizations.  Real-world examples of
>    these points are ".com", ".org", ".us", and ".gov.uk".  Names at
>    which such registrations occur are called "Public Suffix Domains
>    (PSDs)", and a registration consists of a label selected by the
>    registrant to which a desirable PSD is appended.  For example,
>    "ietf.org" is a registered domain name, and ".org" is its PSD.

This definition works for RFC 9091.  It's an indirect way of implying "things 
in the PSL", but I don't think we need it to be so broad anymore.

In RFC 9091 we talked about multi-organization and single organization PSDs.  
For RFC 7489 + RFC 9091, that was essential, but I don't think single 
organization PSDs need special treatment anymore.  Presumably entities like 
.google can keep their own house in order.  The key element from that 
definition is 'register domain names "owned" by independent organizations'.

I think we could (and should) rework the PSD definition around that concept.

On a related note, we still need to pull the new Privacy Considerations in 
from RFC 9091 and update them for the new design.

These two things should be done in concert.  I'll work on that and provide 
something after the next revision is out.

Scott K

Scott K

v2.8.7 | Report a Bug | By Email