Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition of NP
Tim Wicinski <tjw.ietf@gmail.com> Fri, 20 November 2020 04:04 UTC
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 433573A17C3 for <dmarc@ietfa.amsl.com>; Thu, 19 Nov 2020 20:04:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id STjzkzX5VoGa for <dmarc@ietfa.amsl.com>; Thu, 19 Nov 2020 20:04:48 -0800 (PST)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 424203A1841 for <dmarc@ietf.org>; Thu, 19 Nov 2020 20:04:36 -0800 (PST)
Received: by mail-oi1-x235.google.com with SMTP id q206so8955719oif.13 for <dmarc@ietf.org>; Thu, 19 Nov 2020 20:04:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iVtzhkAw15EhIuaj/iRuZfc0hBMtneF4MaBEp2vkgyw=; b=LNF67mRsivrlwAFnuR2DVjcVK8XdbTaLH6qFZ7KriWeixFEFeXza67dlQzgZidu04W Ffi94D7HE5Ic2yyEZVTob8ol26AOxRFKZsc2kFiykwrKdbv6K82aDuw1gx9ziBMaPeen kmDtFSyE09N9QidG4w88qvDDDWAh3TDY4b+yx+4k/S1bQGI6Ju4N4htXr+MIe0X5aoy0 R34LiMT6HmZ7Tq2A5f64V6a/L6SDGltR5qgT0TmM7yMaXzmWn8KsCOFqdghmB5gK3G8Q 2x1Y3E1cIa0SUw5uvOnz9CGcQ3gC6ztbzmDjwPFnbT4CmWqgaJHs0eR7FEKXQAntyIF2 eDsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iVtzhkAw15EhIuaj/iRuZfc0hBMtneF4MaBEp2vkgyw=; b=HP6FBTKtyraVx76XvutPIghcRnYz/OtexV4irmpOCvAro2wZ4EkcsPNJwSDS7bfMFb SdLZJWggcbmHPtTzPL7EgroyzyzvgVusVujEbVg+TOwhysnLi8EBDy+nV3O7KZbfw//m dmxWGNkqM785qFWQ3Oz90AwwKpcqeGOEKeVZH2OEEinIvNzcEJYKJU71wDYCMObNTjs/ hUOfzCgBQmAHSk61JxOsFfVI3Dpd2SVJs9+C2yVU+Vr79UDGHEJnFyK5kxjT1qF2jfK9 Y0BZBJOxUURohmnkhx/cmwpcONFWzDmanlnJPzBsQCX6vd6s1oQEqiijsq0S+1d9LaPZ U/LA==
X-Gm-Message-State: AOAM5331zmgRVyTrW5lXz5ynITjf39ddBotaX+0xb0neGTuj1LHnx7bD +LmHYeU/M6anVrvisluo+jBAo+dXlgSpHCCXSIA=
X-Google-Smtp-Source: ABdhPJzTnQlO5Hy1ZRsd6NBr6vFBbcBU6c2Mi0GcTdA7k35ewLXbEwy6/rN2XC221r0IYy3ERboSXQMA9iUg0DzqRB4=
X-Received: by 2002:aca:e155:: with SMTP id y82mr5287604oig.21.1605845075603; Thu, 19 Nov 2020 20:04:35 -0800 (PST)
MIME-Version: 1.0
References: <003f01d6bcf0$69055b60$3b101220$@bayviewphysicians.com> <553D43C8D961C14BB27C614AC48FC03128116494@UMECHPA7D.easf.csd.disa.mil> <b4bcc478ce3f4bac9f4b554909c03350@bayviewphysicians.com> <90433555c5d34c2a98744c408e617f06@bayviewphysicians.com>
In-Reply-To: <90433555c5d34c2a98744c408e617f06@bayviewphysicians.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 19 Nov 2020 23:04:24 -0500
Message-ID: <CADyWQ+EOxudrc1vxwQ2Ufz=RiL0ipwTBNPCQ_B4Gkg6G=SoZFg@mail.gmail.com>
To: fosterd@bayviewphysicians.com
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004bb33905b481f16f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/eBmolxaiK1c6FxaKaZyG38Z4RD4>
Subject: Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition of NP
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 04:04:56 -0000
Doug In looking for domain presence most folks will look at the domain itself. There are a few web tools to enumerate such as https://dnschecker.org/ Some examples https://dnschecker.org/#MX/dmarc.org https://dnschecker.org/#TXT/dmarc.org https://dnschecker.org/#TXT/_dmarc.dmarc.org There are unix tools - such as 'dig' - which are also quite useful. hope this helps tim On Thu, Nov 19, 2020 at 10:44 PM Douglas E. Foster <fosterd= 40bayviewphysicians.com@dmarc.ietf.org> wrote: > Time to show my ignorance again. > > How do I check a domain for presence or absence of A, AAAA, or MX records? > I thought most domains were protected from enumeration, so one had to know > a name to find out if it is defined > > DF > > > ------------------------------ > *From*: "Douglas E. Foster" <fosterd@bayviewphysicians.com> > *Sent*: 11/19/20 9:27 PM > *To*: "IETF DMARC WG" <dmarc@ietf.org> > *Subject*: RE: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: > Definition of NP > > Thank you for the pointer Eric. > > Can someone explain why the chosen algorithm, which requires testing > multiple conditions, is preferable to a single query for a name server > record? Minimizing DNS traffic has been part of our recent discussion, > and minimizing software complexity is always a good thing. > > Can someone also explain why the DMARC appendix takes such a strong stance > against all queries for non-existent domains, regardless of technique? It > seems like the philosophical incompatibilities need to be addressed before > both documents advance. > > DMARC is specified only as a test for the RFC5322.From domain. > RFC5321.MailFrom domains may also be non-existent. They will return SPF > NONE, but that is an ambiguous result, and SPF has no organization default > mechanism. > > - Is there data to indicate whether evaluators have found that > checking the RFC5321.MailFrom for non-existence is useful? > - Suppose that the NP policy becomes generalized, and a domain has > asserted a "must-exist" DMARC policy. Should a non-existent subdomain > used in the RFC5321.MailFrom address be treated skeptically? > > I can imagine a scenario where a spammer uses a bogus subdomain of a > legitimate organization, in an attempt to get whitelisted by spam filters > which primarily evaluate the RFC5321.MailFrom address. This attack could > be paired with an unrelated and non-DMARC RFC5322.From address which is > newly minted or otherwise not generally known to be suspicious, So my > instinct is that some extension of DMARC to the SMTP address will be > beneficial. > > Doug Foster > > > > > ------------------------------ > *From*: "Chudow, Eric B CIV NSA DSAW (USA)" <eric.b.chudow.civ@mail.mil> > *Sent*: 11/19/20 5:31 PM > *To*: 'Doug Foster' <fosterd@bayviewphysicians.com>, 'IETF DMARC WG' < > dmarc@ietf.org> > *Cc*: "'dmarc-chairs@ietf.org'" <dmarc-chairs@ietf.org> > *Subject*: RE: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: > Definition of NP > > Section 2.7. defines a non-existent domain as "a domain for which there is > an NXDOMAIN or NODATA response for A, AAAA, and MX records. This is a > broader definition than that in NXDOMAIN [RFC8020]." This should be > sufficient for determining that the domain is not intended to be used and > therefore could have a more stringent policy applied. > > The idea of looking for a "mail-enabled domain" based on if an "MX record > exists or SPF policy exists" is interesting. Although there may be domains > that send email but not receive email and so may not have an MX record. > Also, even if there is no SPF record, the domain may still send email, but > then it might be held to a more stringent DMARC policy that would further > penalize it for not having an SPF record. > > Also, for the revision of the document I like the way that the three parts > of the experiment are now laid out more clearly. My only comment is that > the title of Appendix A is overly specific to just one of the experiments > and so should be broader. > > Thanks, > > Eric Chudow > DoD Cybersecurity Mitigations > > From: Doug Foster <fosterd@bayviewphysicians.com> > Sent: Tuesday, November 17, 2020 9:46 AM > To: 'IETF DMARC WG' <dmarc@ietf.org> > Cc: dmarc-chairs@ietf.org > Subject: Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition > of NP > > I did not see a definition of a "non-existent domain" (the np policy). A > definition is needed. > > To my thinking, the obvious rule should be to query for a NS record for > the domain. If the record exists, then the domain owner could create a > DMARC record for that domain, or could create a default entry for the > domain at the organizational level. If no record exists, it is because the > domain owner chose to not create one. > > However, the DMARC Bis document conflicts strongly with this. In section > A.4, it suggest several ways to do a test of this type, then repudiates all > of them. NS lookup is not one of the mentioned options. > > There is a possible second-level policy test for a "mail-enabled domain". > I would define that test as "MX record exists or SPF policy exists". > That could be an additional option to NP, but should not be a replacement > for it. > > PSD for DMARC clearly intends for the NP policy to be a general solution > to a general problem. If there are still objections to it becoming a > general solution, this should be addressed soon. > > Doug Foster > > > From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Tim Wicinski > Sent: Friday, November 13, 2020 1:42 PM > To: IETF DMARC WG > Cc: dmarc-chairs@ietf.org > Subject: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd > > > All > > During the IESG reviews of draft-ietf-dmarc-psd, there were several issues > raised with some of the document. Most of them are editorial but the one > big item was the description of the Experiment. The chairs sat down and > broke out the experiment section into three separate experiments, and > included language on how to capture the data to confirm how the experiment > worked. > > It's enough of a change that we wanted to do a second working group last > call to make sure the working group agrees with our changes. The diff of > the current version with the previous version is here: > > > https://www.ietf.org/rfcdiff?url1=draft-ietf-dmarc-psd-08&url2=draft-ietf-dmarc-psd-09 > > This starts a *one* week second working group last call for > draft-ietf-dmarc-psd > Please review the changes and offer up comments to the working group. > > This working group last call 20 November 2020 > > Thanks, > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Doug Foster
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Chudow, Eric B CIV NSA DSAW (USA)
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Douglas E. Foster
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Douglas E. Foster
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… John Levine
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Tim Wicinski
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Murray S. Kucherawy
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Chudow, Eric B CIV NSA DSAW (USA)
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Douglas E. Foster
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Doug Foster
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Kurt Andersen (b)
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Douglas E. Foster
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Murray S. Kucherawy
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Douglas E. Foster
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… Murray S. Kucherawy
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Douglas E. Foster
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Murray S. Kucherawy
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Murray S. Kucherawy
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Murray S. Kucherawy
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Douglas E. Foster
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… John Levine
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Murray S. Kucherawy
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… Laura Atkins
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… Douglas E. Foster
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… Chudow, Eric B CIV NSA DSAW (USA)
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… Jesse Thompson
- Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc… Doug Foster
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… John Levine
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… Brotman, Alex
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… Alessandro Vesely
- Re: [dmarc-ietf] tree walk and Org and PSD, Secon… John Levine