Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd

Scott Kitterman <sklist@kitterman.com> Fri, 19 July 2019 05:42 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33C23120110 for <dmarc@ietfa.amsl.com>; Thu, 18 Jul 2019 22:42:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=kwnrAonk; dkim=pass (2048-bit key) header.d=kitterman.com header.b=BkEd28KF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NxoOcaF_pTpJ for <dmarc@ietfa.amsl.com>; Thu, 18 Jul 2019 22:42:02 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C154B120043 for <dmarc@ietf.org>; Thu, 18 Jul 2019 22:42:02 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id A823CF8008C for <dmarc@ietf.org>; Fri, 19 Jul 2019 01:41:31 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1563514891; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=bxPQ4lMEt1LT3W5BOH1QR95judfcmk25dJrkOR5Nh3g=; b=kwnrAonkE8e1Ujd9CowQyOICFuQCBb7pbLZylPZfTvhtji2uTTeVmwqW 8AwwEmq42lLc0vwZ5lDnam6gcx0JBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1563514891; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=bxPQ4lMEt1LT3W5BOH1QR95judfcmk25dJrkOR5Nh3g=; b=BkEd28KF+WiFz2gCF5AAbBPCdRfHVOIEHsaDNNFpj2+gkZ481RzydPfr HICWZaqUvgNNml4tWvnirD0VQw6ItI9j3sRQtrNn3KUjuA+bBzgzbAOQaf tC+zR/XziR1a1GuEt8nlPyv75APo5pqwIS9qwyXlGG6sHbb7JftLitm+7l YQHfhX/wA85iU3XJ2Ih5Px+k0U+qg5YJ09iXpHSG+ZvHdHIY3SLKzlLRg7 dRC4bHtNUL6tvBE6h3ELH3EubNBo2Qo3owAeeKhD10eOwWtidRhQBePLHm 4EsfOV0vKvEV616xyQKlXxQLl6W9SL+Yr9i0H3Oz4HbUxSotTNG7pQ==
Received: from l5580.localnet (wsip-68-224-171-140.sd.sd.cox.net [68.224.171.140]) by interserver.kitterman.com (Postfix) with ESMTPSA id EF266F80042 for <dmarc@ietf.org>; Fri, 19 Jul 2019 01:41:30 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Fri, 19 Jul 2019 01:41:28 -0400
Message-ID: <3280991.vD5HP6B0ME@l5580>
In-Reply-To: <CABuGu1qGJq2fes9B1vwb1v=JMi3HcydvzDvoi0+ZrEwC4rYk1A@mail.gmail.com>
References: <CAL0qLwbbz_UhBLsURg=eXhRBC2g9OghiN==T9Uq9pFuLtd=b7w@mail.gmail.com> <4249121.lBB2AW0kmB@l5580> <CABuGu1qGJq2fes9B1vwb1v=JMi3HcydvzDvoi0+ZrEwC4rYk1A@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/frfgRgwvHuy6QUABxoVgx_c8W6A>
Subject: Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jul 2019 05:42:06 -0000

On Thursday, July 18, 2019 11:42:36 AM EDT Kurt Andersen (b) wrote:
> On Wed, Jul 17, 2019 at 7:35 PM Scott Kitterman <sklist@kitterman.com>;
> 
> wrote:
> > > On July 17, 2019 8:14:54 PM UTC, "Kurt Andersen (b)" <kboth@drkurt.com>;
> > > 
> > > wrote:
> > > >Firstly, I'm a little concerned with the sentence which says 'Note that
> > > >"np" will be ignored for DMARC records published on subdomains of
> > > >Organizational Domains and PSDs due to the effect of the DMARC policy
> > > >discovery mechanism described in DMARC [RFC7489] Section 6.6.3.' I
> > > >don't
> > > >think that is an accurate portrayal. When DMARC evaluation libraries
> > > >are
> > > >updated to do both PSD lookups and handle the np tag, I would expect
> > > >the
> > > >presence of np tags below the PSD level would be processed exactly the
> > > >way
> > > >that any other tag in a DMARC record is processed. np will only be
> > > >ignored
> > > >(per the terms of the DMARC spec) when it is an "unrecognized" tag. I
> > > >realized that this text is sort of picked up from the current
> > > >description
> > > >of "sp", but the inclusion of "and PSDs" makes it inaccurate. You can't
> > > >publish an np record on a non-existent Org domain or any subdomain
> > > >thereof
> > 
> > At first, I thought Kurt was right, but after further thought, I don't
> > think
> > so.
> > 
> > To review the 'sp' definition that I took this from:
> > 
> > Imagine sub.sub.example.com where example.com is the org domain.  If
> > sub.sub.example.com has no DMARC record, then the next lookup is for a
> > DMARC
> > record at the org domain (example.com).  If sub.example.com has a DMARC
> > record
> > with an 'sp' tag, it's never retrieved.
> > 
> > The same thing would apply to 'np' when used in a non--PSD context.  No
> > different.
> > 
> > Keeping in mind that our definition of non-existent is a domain that has
> > none
> > of A, AAAA, or MX.  It could have other types.  It could also have
> > subdomains
> > called "_dmarc" that have TXT records.  Non-existent domains (in our
> > context)
> > can have DMARC records, so I think the description is correct, but
> > narrowly
> > focused.
> 
> Most MTAs will also follow CNAMEs. Should they be included (along with
> other things like DNAME records) within the scope of existence? I'm a
> little concerned that we are making a special definition of "non-existence"
> which differs from the standard DNS concepts of NODATA and NXDOMAIN without
> having a correspondingly special name.

OK.  I wish you'd jumped in earlier when we were discussing that exact topic.

https://mailarchive.ietf.org/arch/msg/dmarc/44sVJzvPkXkdT7Np-0ANr9Wm2Zc

If we want to take another run at this and put it in more standard DNS 
terminology, then maybe:

... a domain for which there is an NXDOMAIN or NODATA response for A, AAAA, 
and MX records.

I think that cures John's concern with my last proposal and addresses yours as 
well (the response to a CNAME/DNAME is not NODATA/NXDOMAIN, so they are 
correctly followed).

> > Modifying the example I used above slightly:
> > 
> > Imagine sub2.sub1.org.example where example has a PSD DMARC record with
> > 'np',
> > org.example has no DMARC record, sub1.org.example also has a DMARC record
> > with
> > 'np', and sub2.sub1.org.example has no DMARC record.  In this case, the
> > policy
> > lookup is for sub2.sub1.org.example (exact domain), org.example (org
> > domain),
> > and then example (PSD).  Just as with 'sp' and regular DMARC, 'np' (or
> > 'sp')
> > in non-org subdomains of PSDs don't get discovered.
> 
> I was considering the case of a domain such as
> subX.sub1.org.pub2.pub1.example:
> * subX (and sub1) domains would only have direct lookup DMARC records
> applied if they exist and would fall back to org
> * org would be direct unless it doesn't have a record in which case if fall
> back to LPD (pub2's record)
> * pub2, pub1, and example would only have direct lookups since they are
> already above the PSL line <-- this is where my concern with the "and PSDs"
> phrase resides

It's possible that could happen, but it's not the most general case.  There 
are probably a nearly infinite variety of ways this could work or not work, I 
don't think we have to describe them all.

> I'm not sure how well this maps to what we describe. I'm also concerned
> that a wildcard null MX record at the org level would end up having all
> subdomains "exist", but the policy that should be applied would be the more
> restrictive "np" policy, not the (possibly) more permissive "sp" policy.

I think this is one of those "you must be this tall to ride on this ride" 
situations.  DNS comes equipped with multiple footguns and you have to know a 
bit about what you're doing to make sure you get the effects you're after.

Scott K