IETF Logo Mail Archive

Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition of NP

"Murray S. Kucherawy" <superuser@gmail.com> Sat, 21 November 2020 19:12 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F03593A0B62 for <dmarc@ietfa.amsl.com>; Sat, 21 Nov 2020 11:12:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9am44kcwpDH for <dmarc@ietfa.amsl.com>; Sat, 21 Nov 2020 11:12:04 -0800 (PST)
Received: from mail-vs1-xe2c.google.com (mail-vs1-xe2c.google.com [IPv6:2607:f8b0:4864:20::e2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DE823A0B6B for <dmarc@ietf.org>; Sat, 21 Nov 2020 11:12:04 -0800 (PST)
Received: by mail-vs1-xe2c.google.com with SMTP id r5so6943963vsp.7 for <dmarc@ietf.org>; Sat, 21 Nov 2020 11:12:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EjyInUOn/td7+pKw0dWGe7GZ0UwWNV0ipN/lokOWzT4=; b=aFzvnbIzLY8p6newkocHpjUOXMBRMLKfmB1x9c2QW//IhSpczS6QTN/dj0FXinc3Oj zEW1aVUUkex6cp3Qf2wn6tiCTLXnbGRpxySjN4K4Q7l7kyZbsyJpiBo+tFzVeHkyIhI4 BrRzLz9XIP9xBAAjPhjLPR0DKNiznd3n3JAhri/d6J9oCqlpopjz0dgSe9Sw8LdV/1Z+ hQc8nzCKaSls+hlX6U1CCfG2vGxbo/gKMcLU3qT438vkPGEUy42nEJfRSgxhEhesAZgg 6xWtVfSW+mJuLCeVaUvyv3LBJrweDusAQQ5aScPxw8+48IskSe4PneEdNP8JEYRDk6oX Y+SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EjyInUOn/td7+pKw0dWGe7GZ0UwWNV0ipN/lokOWzT4=; b=I/leg0u/bRZdzQHc5Ho5hV8kQ+21c5MXWCnG06hiQKu2nMBarz5JmSEajrdkWZtmM9 LZOtb9GoV2PEr1ls9A9UJy7UD0bM1TsPZJSZzwMnI4acY/xVRd7yoyMFchJPTSfQfeHI 22JF8ohXqHjyEg4gv0X5PlCJCjInDKs2p+b83EIXmKDEMeBwCj5jcbz3L/0ZYC+EV2/a DMkU9Rol6A6FYoo+tylB1aSSzMOmhiIfo78n46SlvYrOzBgsZk+HzINuN67+XZtZkJiv X8JF7wm+i7d21bvTb6Vk8ZGvhTgYzeISx51VaY0JD40uIsVjlIh/Yo5CVOQsOA+kQWak AImA==
X-Gm-Message-State: AOAM5310z6msPGIE1+WUkW7LO5ciLb2KbtZwyxy+Pvf9d66vDUF/PGUP fO8aTYoM/JICD+XGw/foB3gm9S0yRqsnoCBrFQM=
X-Google-Smtp-Source: ABdhPJzLRz51WO7Tqn0hIh9X8BtGroJDI/6GAV29RtP0+72IhSpbyepjy4U8jz7T/z615WKtRL6hmM1ejvuDDre3K18=
X-Received: by 2002:a67:f1c7:: with SMTP id v7mr949581vsm.40.1605985923499; Sat, 21 Nov 2020 11:12:03 -0800 (PST)
MIME-Version: 1.0
References: <553D43C8D961C14BB27C614AC48FC03128116494@UMECHPA7D.easf.csd.disa.mil> <20201120040420.B3F4727A02FB@ary.qy> <553D43C8D961C14BB27C614AC48FC03128116528@UMECHPA7D.easf.csd.disa.mil> <000001d6bf45$0f62cc30$2e286490$@bayviewphysicians.com> <b6f2bf756f9146daafa717c2645ed58d@bayviewphysicians.com>
In-Reply-To: <b6f2bf756f9146daafa717c2645ed58d@bayviewphysicians.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Sat, 21 Nov 2020 11:11:49 -0800
Message-ID: <CAL0qLwYmRWwLOB7wnPBbChX-fZ3B2xFH5C_Bzh6qLZ9LiTzy5Q@mail.gmail.com>
To: Doug Foster <fosterd@bayviewphysicians.com>
Cc: Doug Foster <fosterd=40bayviewphysicians.com@dmarc.ietf.org>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007c08c405b4a2bc86"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/dOW97fAk2MtfNNg2ugLuMEORDAA>
Subject: Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition of NP
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2020 19:12:09 -0000

On Sat, Nov 21, 2020 at 9:02 AM Douglas E. Foster <fosterd=
40bayviewphysicians.com@dmarc.ietf.org> wrote:

> Restating what we all know:
> - The Internet is dependent on the reliable operation of the DNS name
> system.
> - The DNS name system is dependent on the reliable operation of the name
> registration processes.
> - The registrars are given ownership of all unregistered domain names
> within their portion of the hierarchy.
> - The public evidence of registration is the existence of a DNS entry, and
> a NS record is always the first one configured.
>
> Conclusions
> - Unregistered use of any domain name is an attack on the architecture of
> the Internet.
> - PSD for DMARC is asking us to give public suffix operators what they are
> supposed to already have:   control over unregistered names.
> - We should implement new and universal policies:
>     - Unregistered names used as SMTP addresses MUST generate SPF FAIL and
> SHOULD be rejected.
>

That is certainly a defensible assertion, but I would claim it is out of
scope for DMARC.  You're talking about a detail of SPF or perhaps of SMTP
in general, although one could also even argue that this is a local policy
decision and outside the scope of those protocols.  I suspect the SMTP
greybeards would claim that this is not part of SMTP, but rather an
enforcement choice made by implementations.

I believe this falls within the realm of what the IETF calls an
Applicability Statement, which would be a standards track document (if you
could get consensus for it).  You could also include this in the DMARC
usage document, or as non-normative advice in DMARC itself with an
explanation of why it's a good idea, if you can develop consensus to do so.

You also need to account for transient DNS outages.  If your resolver
temporarily thinks "gmail.com" doesn't exist, you will bounce all mail
coming from that domain, and you might seriously piss off your users.
There's a backscatter problem here too: If I send mail to a list you're on
and you temporarily think my domain doesn't exist and you bounce mail
coming from me, the list will unsubscribe you.

    - Unregistered names used as message From header addresses MUST
> generate DMARC FAIL and SHOULD be rejected.
>

This is more in scope for DMARC discussions, though also arguably outside
of the protocol itself, for the same reasons.  I would suggest that it's a
viable discussion for the DMARC usage document, whenever we get around to
working on that again.  But you could certainly test the working group
opinion on this point.

Protecting the integrity of the name registration system is not an optional
> activity to be implemented by a few organizations with the most
> sophisticated implementations of the DMARC specification.   It should be a
> mandatory duty of every legitimate participant on the network.
>
> Starting from the assumption that unregistered domains might be allowable
> creates many problems when trying to design solutions for protecting the
> names that are registered.   This assumption needs to be rejected.
>

These are both probably true statements, but is DMARC the right place to
wage this battle?  For example, isn't it also true for TCP connections for
which PTR records make false claims (or no claim)?

Addressing some straw-man questions:
> Q:  The idea is fine for public suffixes, but my organization doesn't need
> to do that for subdomains under its control.
> A:  Every level of the DNS tree needs coordination of name usage.
>  Publishing an NS record for an organization subdomain proves that the
> organization's process has been followed.   Besides, the boundary between
> public suffixes and organizational domains is imprecise, so recipients
> cannot be expected to apply differential expectations.
>

I still don't understand what the presence or absence of NS tells you that
the presence or absence of MX/A/AAAA doesn't.  If you have a message that
fails the latter test but passes the former, does that change your handling
decision?  If not, why do it?

Q. How do we get all incoming filters to change to default block for
> unregistered domain names?
> A.  I would suggest using the CVE/CCE process.
>

That seems like a big hammer, and certainly outside of the IETF's purview.
We're not the protocol police.  You might try having this discussion in a
context like M3AAWG though; many large operators congregate there to
discuss stuff like this.

-MSK

v2.23.0 | Report a Bug | By Email