Re: [dmarc-ietf] Do is need a new ptype? Was Re: New authentication method, DNSWL

Alessandro Vesely <vesely@tana.it> Fri, 02 August 2019 10:00 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B202C12007A for <dmarc@ietfa.amsl.com>; Fri, 2 Aug 2019 03:00:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VEfldhp4boAS for <dmarc@ietfa.amsl.com>; Fri, 2 Aug 2019 03:00:01 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 080EC12004E for <dmarc@ietf.org>; Fri, 2 Aug 2019 03:00:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1564739999; bh=Znue5edqXI04H0iw+BGskbgegG8lwxsQYMhtYTKYqmw=; l=1143; h=To:References:From:Date:In-Reply-To; b=AVE3aBUkv4yKEjQGEB2PM9cxc+7jd9Uvj28QtCb5QB7lBAFLB3YeTDg0r9K8YMqyR K8dXr+frdfL69WNWAEK6OVL6bcxTvWG8tMlPFQVXN3E4AjpPKQio4vcmGZ6wmbgYzx DKFKdX5BnVql4Bmx3BcgghzzU5PcyIasPcy03F3TG0OMI05PZjPoO+1NjPVDI
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA id 00000000005DC02F.000000005D44099E.000030A7; Fri, 02 Aug 2019 11:59:58 +0200
To: dmarc@ietf.org
References: <e580ada3-d9b5-0e5b-9ac3-eade41ac92d2@tana.it> <CAL0qLwa5yR5dVzkDSD48MDgpUa11+ri=KOwrNSqOxi8fB2i6PA@mail.gmail.com> <eabefc6b-7542-1a46-4272-b786433ed0b5@tana.it> <4783309.BXR8ZdE9c3@l5580> <CAL0qLwb5FAaYZ7AX_H=aeUFkv8cvY+xd1bQ5uCDp4tmrbx2CQg@mail.gmail.com> <7a21b80b-e6bb-d8b9-cf63-601a8d1e47e7@tana.it> <C1E711A8-F3A6-4A20-B71D-53FA773A61D9@kitterman.com>
From: Alessandro Vesely <vesely@tana.it>
Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00
Message-ID: <aca25d30-3b01-4eaf-6d0b-3bae6f3f796b@tana.it>
Date: Fri, 2 Aug 2019 11:59:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <C1E711A8-F3A6-4A20-B71D-53FA773A61D9@kitterman.com>
Content-Type: text/plain; charset=us-ascii
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/f1xWZ0YuH-XeuXml2z7e6-3Nszo>
Subject: Re: [dmarc-ietf] Do is need a new ptype? Was Re: New authentication method, DNSWL
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2019 10:00:23 -0000

On Fri 02/Aug/2019 00:15:30 +0200 Scott Kitterman wrote:

> Taking a step back, iprev uses the policy ptype.  It's also based on local interpretation of DNS data.  Why doesn't policy work for dnswl just like for iprev?

Let me note that Section 3 of rfc8601, /The "iprev" Authentication Method/,
does not contain the term "policy".  My recollection is that reporting the
client IP is immaterial, as for SPF.  The term policy.iprev is certainly
misleading, since the value is not related to a locally-defined policy, and is
not a reversed ip.  To stick with A-R semantics, it should have been named
tcp.ip, remote.ip or some such.  If a property warrants deprecation, it's
policy.iprev.

Now for dnswl.  Knowing which zone was queried is substantial in order to
interpret policy.ip, because there is no standard format.  Yet, an
implementation could just throw a DNS query to a given local IP, instead of a
FQDN to the default DNS server.  In that case, one would have, for example:

   dnswl=pass policy.ip=127.0.9.2 policy.zone=127.0.0.2

In that case one can hardly tell which is which.  A meaningful ptype helps.


Best
Ale
--