Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd

[Scott Kitterman <sklist@kitterman.com>]

On Thursday, July 18, 2019 11:42:36 AM EDT Kurt Andersen (b) wrote:
> On Wed, Jul 17, 2019 at 7:35 PM Scott Kitterman <sklist@kitterman.com>
> 
> wrote:
> > > On July 17, 2019 8:14:54 PM UTC, "Kurt Andersen (b)" <kboth@drkurt.com>
> > > 
> > > wrote:
> > > >Firstly, I'm a little concerned with the sentence which says 'Note that
> > > >"np" will be ignored for DMARC records published on subdomains of
> > > >Organizational Domains and PSDs due to the effect of the DMARC policy
> > > >discovery mechanism described in DMARC [RFC7489] Section 6.6.3.' I
> > > >don't
> > > >think that is an accurate portrayal. When DMARC evaluation libraries
> > > >are
> > > >updated to do both PSD lookups and handle the np tag, I would expect
> > > >the
> > > >presence of np tags below the PSD level would be processed exactly the
> > > >way
> > > >that any other tag in a DMARC record is processed. np will only be
> > > >ignored
> > > >(per the terms of the DMARC spec) when it is an "unrecognized" tag. I
> > > >realized that this text is sort of picked up from the current
> > > >description
> > > >of "sp", but the inclusion of "and PSDs" makes it inaccurate. You can't
> > > >publish an np record on a non-existent Org domain or any subdomain
> > > >thereof
> > 
> > At first, I thought Kurt was right, but after further thought, I don't
> > think
> > so.
> > 
> > To review the 'sp' definition that I took this from:
> > 
> > Imagine sub.sub.example.com where example.com is the org domain.  If
> > sub.sub.example.com has no DMARC record, then the next lookup is for a
> > DMARC
> > record at the org domain (example.com).  If sub.example.com has a DMARC
> > record
> > with an 'sp' tag, it's never retrieved.
> > 
> > The same thing would apply to 'np' when used in a non--PSD context.  No
> > different.
> > 
> > Keeping in mind that our definition of non-existent is a domain that has
> > none
> > of A, AAAA, or MX.  It could have other types.  It could also have
> > subdomains
> > called "_dmarc" that have TXT records.  Non-existent domains (in our
> > context)
> > can have DMARC records, so I think the description is correct, but
> > narrowly
> > focused.
> 
> Most MTAs will also follow CNAMEs. Should they be included (along with
> other things like DNAME records) within the scope of existence? I'm a
> little concerned that we are making a special definition of "non-existence"
> which differs from the standard DNS concepts of NODATA and NXDOMAIN without
> having a correspondingly special name.

OK.  I wish you'd jumped in earlier when we were discussing that exact topic.

https://mailarchive.ietf.org/arch/msg/dmarc/44sVJzvPkXkdT7Np-0ANr9Wm2Zc

If we want to take another run at this and put it in more standard DNS 
terminology, then maybe:

... a domain for which there is an NXDOMAIN or NODATA response for A, AAAA, 
and MX records.

I think that cures John's concern with my last proposal and addresses yours as 
well (the response to a CNAME/DNAME is not NODATA/NXDOMAIN, so they are 
correctly followed).

> > Modifying the example I used above slightly:
> > 
> > Imagine sub2.sub1.org.example where example has a PSD DMARC record with
> > 'np',
> > org.example has no DMARC record, sub1.org.example also has a DMARC record
> > with
> > 'np', and sub2.sub1.org.example has no DMARC record.  In this case, the
> > policy
> > lookup is for sub2.sub1.org.example (exact domain), org.example (org
> > domain),
> > and then example (PSD).  Just as with 'sp' and regular DMARC, 'np' (or
> > 'sp')
> > in non-org subdomains of PSDs don't get discovered.
> 
> I was considering the case of a domain such as
> subX.sub1.org.pub2.pub1.example:
> * subX (and sub1) domains would only have direct lookup DMARC records
> applied if they exist and would fall back to org
> * org would be direct unless it doesn't have a record in which case if fall
> back to LPD (pub2's record)
> * pub2, pub1, and example would only have direct lookups since they are
> already above the PSL line <-- this is where my concern with the "and PSDs"
> phrase resides

It's possible that could happen, but it's not the most general case.  There 
are probably a nearly infinite variety of ways this could work or not work, I 
don't think we have to describe them all.

> I'm not sure how well this maps to what we describe. I'm also concerned
> that a wildcard null MX record at the org level would end up having all
> subdomains "exist", but the policy that should be applied would be the more
> restrictive "np" policy, not the (possibly) more permissive "sp" policy.

I think this is one of those "you must be this tall to ride on this ride" 
situations.  DNS comes equipped with multiple footguns and you have to know a 
bit about what you're doing to make sure you get the effects you're after.

Scott K