Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd
Scott Kitterman <sklist@kitterman.com> Fri, 19 July 2019 05:42 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33C23120110 for <dmarc@ietfa.amsl.com>; Thu, 18 Jul 2019 22:42:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=kwnrAonk; dkim=pass (2048-bit key) header.d=kitterman.com header.b=BkEd28KF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NxoOcaF_pTpJ for <dmarc@ietfa.amsl.com>; Thu, 18 Jul 2019 22:42:02 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C154B120043 for <dmarc@ietf.org>; Thu, 18 Jul 2019 22:42:02 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id A823CF8008C for <dmarc@ietf.org>; Fri, 19 Jul 2019 01:41:31 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1563514891; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=bxPQ4lMEt1LT3W5BOH1QR95judfcmk25dJrkOR5Nh3g=; b=kwnrAonkE8e1Ujd9CowQyOICFuQCBb7pbLZylPZfTvhtji2uTTeVmwqW 8AwwEmq42lLc0vwZ5lDnam6gcx0JBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1563514891; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=bxPQ4lMEt1LT3W5BOH1QR95judfcmk25dJrkOR5Nh3g=; b=BkEd28KF+WiFz2gCF5AAbBPCdRfHVOIEHsaDNNFpj2+gkZ481RzydPfr HICWZaqUvgNNml4tWvnirD0VQw6ItI9j3sRQtrNn3KUjuA+bBzgzbAOQaf tC+zR/XziR1a1GuEt8nlPyv75APo5pqwIS9qwyXlGG6sHbb7JftLitm+7l YQHfhX/wA85iU3XJ2Ih5Px+k0U+qg5YJ09iXpHSG+ZvHdHIY3SLKzlLRg7 dRC4bHtNUL6tvBE6h3ELH3EubNBo2Qo3owAeeKhD10eOwWtidRhQBePLHm 4EsfOV0vKvEV616xyQKlXxQLl6W9SL+Yr9i0H3Oz4HbUxSotTNG7pQ==
Received: from l5580.localnet (wsip-68-224-171-140.sd.sd.cox.net [68.224.171.140]) by interserver.kitterman.com (Postfix) with ESMTPSA id EF266F80042 for <dmarc@ietf.org>; Fri, 19 Jul 2019 01:41:30 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Fri, 19 Jul 2019 01:41:28 -0400
Message-ID: <3280991.vD5HP6B0ME@l5580>
In-Reply-To: <CABuGu1qGJq2fes9B1vwb1v=JMi3HcydvzDvoi0+ZrEwC4rYk1A@mail.gmail.com>
References: <CAL0qLwbbz_UhBLsURg=eXhRBC2g9OghiN==T9Uq9pFuLtd=b7w@mail.gmail.com> <4249121.lBB2AW0kmB@l5580> <CABuGu1qGJq2fes9B1vwb1v=JMi3HcydvzDvoi0+ZrEwC4rYk1A@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/frfgRgwvHuy6QUABxoVgx_c8W6A>
Subject: Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jul 2019 05:42:06 -0000
On Thursday, July 18, 2019 11:42:36 AM EDT Kurt Andersen (b) wrote: > On Wed, Jul 17, 2019 at 7:35 PM Scott Kitterman <sklist@kitterman.com> > > wrote: > > > On July 17, 2019 8:14:54 PM UTC, "Kurt Andersen (b)" <kboth@drkurt.com> > > > > > > wrote: > > > >Firstly, I'm a little concerned with the sentence which says 'Note that > > > >"np" will be ignored for DMARC records published on subdomains of > > > >Organizational Domains and PSDs due to the effect of the DMARC policy > > > >discovery mechanism described in DMARC [RFC7489] Section 6.6.3.' I > > > >don't > > > >think that is an accurate portrayal. When DMARC evaluation libraries > > > >are > > > >updated to do both PSD lookups and handle the np tag, I would expect > > > >the > > > >presence of np tags below the PSD level would be processed exactly the > > > >way > > > >that any other tag in a DMARC record is processed. np will only be > > > >ignored > > > >(per the terms of the DMARC spec) when it is an "unrecognized" tag. I > > > >realized that this text is sort of picked up from the current > > > >description > > > >of "sp", but the inclusion of "and PSDs" makes it inaccurate. You can't > > > >publish an np record on a non-existent Org domain or any subdomain > > > >thereof > > > > At first, I thought Kurt was right, but after further thought, I don't > > think > > so. > > > > To review the 'sp' definition that I took this from: > > > > Imagine sub.sub.example.com where example.com is the org domain. If > > sub.sub.example.com has no DMARC record, then the next lookup is for a > > DMARC > > record at the org domain (example.com). If sub.example.com has a DMARC > > record > > with an 'sp' tag, it's never retrieved. > > > > The same thing would apply to 'np' when used in a non--PSD context. No > > different. > > > > Keeping in mind that our definition of non-existent is a domain that has > > none > > of A, AAAA, or MX. It could have other types. It could also have > > subdomains > > called "_dmarc" that have TXT records. Non-existent domains (in our > > context) > > can have DMARC records, so I think the description is correct, but > > narrowly > > focused. > > Most MTAs will also follow CNAMEs. Should they be included (along with > other things like DNAME records) within the scope of existence? I'm a > little concerned that we are making a special definition of "non-existence" > which differs from the standard DNS concepts of NODATA and NXDOMAIN without > having a correspondingly special name. OK. I wish you'd jumped in earlier when we were discussing that exact topic. https://mailarchive.ietf.org/arch/msg/dmarc/44sVJzvPkXkdT7Np-0ANr9Wm2Zc If we want to take another run at this and put it in more standard DNS terminology, then maybe: ... a domain for which there is an NXDOMAIN or NODATA response for A, AAAA, and MX records. I think that cures John's concern with my last proposal and addresses yours as well (the response to a CNAME/DNAME is not NODATA/NXDOMAIN, so they are correctly followed). > > Modifying the example I used above slightly: > > > > Imagine sub2.sub1.org.example where example has a PSD DMARC record with > > 'np', > > org.example has no DMARC record, sub1.org.example also has a DMARC record > > with > > 'np', and sub2.sub1.org.example has no DMARC record. In this case, the > > policy > > lookup is for sub2.sub1.org.example (exact domain), org.example (org > > domain), > > and then example (PSD). Just as with 'sp' and regular DMARC, 'np' (or > > 'sp') > > in non-org subdomains of PSDs don't get discovered. > > I was considering the case of a domain such as > subX.sub1.org.pub2.pub1.example: > * subX (and sub1) domains would only have direct lookup DMARC records > applied if they exist and would fall back to org > * org would be direct unless it doesn't have a record in which case if fall > back to LPD (pub2's record) > * pub2, pub1, and example would only have direct lookups since they are > already above the PSL line <-- this is where my concern with the "and PSDs" > phrase resides It's possible that could happen, but it's not the most general case. There are probably a nearly infinite variety of ways this could work or not work, I don't think we have to describe them all. > I'm not sure how well this maps to what we describe. I'm also concerned > that a wildcard null MX record at the org level would end up having all > subdomains "exist", but the policy that should be applied would be the more > restrictive "np" policy, not the (possibly) more permissive "sp" policy. I think this is one of those "you must be this tall to ride on this ride" situations. DNS comes equipped with multiple footguns and you have to know a bit about what you're doing to make sure you get the effects you're after. Scott K
- [dmarc-ietf] Working Group Last Call: draft-ietf-… Murray S. Kucherawy
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Seth Blank
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Seth Blank
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Kurt Andersen (b)
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Scott Kitterman
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Alessandro Vesely
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Hollenbeck, Scott
- Re: [dmarc-ietf] Working Group Last Call: draft-i… John Levine
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Scott Kitterman
- [dmarc-ietf] Introduction context was: Re: Workin… Scott Kitterman
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Scott Kitterman
- Re: [dmarc-ietf] Introduction context was: Re: Wo… Hollenbeck, Scott
- Re: [dmarc-ietf] Introduction context was: Re: Wo… Scott Kitterman
- [dmarc-ietf] Mention ICANN/operational limitation… Scott Kitterman
- [dmarc-ietf] Nonexistent Domain Policy was: Re: W… Scott Kitterman
- [dmarc-ietf] Implemnetations was: Re: Working Gro… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Kurt Andersen (b)
- Re: [dmarc-ietf] Mention ICANN/operational limita… Stan Kalisch
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Seth Blank
- Re: [dmarc-ietf] Mention ICANN/operational limita… Dotzero
- Re: [dmarc-ietf] Mention ICANN/operational limita… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Mention ICANN/operational limita… Hollenbeck, Scott
- Re: [dmarc-ietf] Mention ICANN/operational limita… Stan Kalisch
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… John Levine
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Dotzero
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Introduction context was: Re: Wo… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… John Levine
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Mention ICANN/operational limita… Alessandro Vesely
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Alessandro Vesely
- Re: [dmarc-ietf] Mention ICANN/operational limita… Scott Kitterman
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Mention ICANN/operational limita… Alessandro Vesely
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Alessandro Vesely
- Re: [dmarc-ietf] Mention ICANN/operational limita… Tim Wicinski
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Ian Levy
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Tim Wicinski
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Richard C
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Alessandro Vesely
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Chudow, Eric B CIV NSA DSAW (USA)
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Ian Levy
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Seth Blank
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Seth Blank
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Working Group Last Call: draft-i… Murray S. Kucherawy
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Tim Wicinski
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Chudow, Eric B CIV NSA DSAW (USA)
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Kurt Andersen (b)
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… John Levine
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Kurt Andersen (b)
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Kurt Andersen (b)
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Ian Levy
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Dotzero
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Kurt Andersen (b)
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Kurt Andersen (b)
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Tim Wicinski
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… John Levine
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Ian Levy
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Alessandro Vesely
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Alessandro Vesely
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Douglas E. Foster
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Scott Kitterman
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Dotzero
- Re: [dmarc-ietf] Nonexistent Domain Policy was: R… Kurt Andersen