[dmarc-ietf] New Version of draft-levine-dbound-dns-03 with code

"John R Levine" <johnl@taugh.com> Sat, 27 April 2019 19:20 UTC

Date: 27 Apr 2019 15:19:57 -0400
Message-ID: <alpine.OSX.2.21.1904271455140.33452@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: dbound@ietf.org, dmarc@ietf.org
In-Reply-To: <alpine.OSX.2.21.1904061813160.8799@ary.qy>
References: <alpine.OSX.2.21.1904061813160.8799@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/gBhE-q6T-MFSg1JyAY5UgiSAPbk>
Subject: [dmarc-ietf] New Version of draft-levine-dbound-dns-03 with code

You may recall that we've been discussing ways to publish DNS authority 
boundaries, like the Mozilla PSL but in the DNS itself, not a text file.

I've been claiming that with careful use of wildcards one can make the number 
of lookups depend on the number of boundaries, not the number of labels 
in the name being checked, so it's reliably reasonably fast.

I figured I should put my bits where my mouth is so I wrote a script to 
translate the Mozilla PSL into DNS rules.  It turned out to be harder than 
I thought because the PSL has wildcard rules with exceptions, e.g.:


That turned out to be straightforward to handle with a tweak to the spec I 
just made in the -03 version.

The code to make the DNS records, and another script to take a domain name 
and look it up in those records are here:


I think the lookup code is OK but there may be some glitches in the PSL 
translator for some of the more arcane combinations of wildcard and 
non-wildcard boundaries.  Take a look if interested.

John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

PS to Scott: I think it would be pretty easy to add a tag for PSD TLDs.
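As a worked illustration of the PSL wildcard-with-exception rules the message refers to (an added example, not the author's translator and not the draft's DNS encoding): the standard Public Suffix List matching semantics applied to a constructed excerpt of rules, showing how an exception such as `!www.ck` overrides the `*.ck` wildcard.

```python
# Constructed excerpt of Public Suffix List rules (not the full list):
# plain rules, two wildcard rules, and one exception to each wildcard.
PSL_RULES = [
    "com",
    "co.uk",
    "uk",
    "*.ck",               # every label directly under .ck is a public suffix ...
    "!www.ck",            # ... except www.ck, which is itself registrable
    "*.kawasaki.jp",
    "!city.kawasaki.jp",
    "jp",
]


def _rule_matches(rule_labels, name_labels):
    """Rule labels must match the right-hand end of the name; '*' matches any one label."""
    if len(rule_labels) > len(name_labels):
        return False
    return all(r == "*" or r == n
               for r, n in zip(reversed(rule_labels), reversed(name_labels)))


def public_suffix(domain, rules=PSL_RULES):
    """PSL semantics: a matching exception rule ('!') wins outright and denotes the
    rule minus its leftmost label; otherwise the longest matching rule wins; with
    no match at all the TLD itself is the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    best = None
    for rule in rules:
        rl = rule.lstrip("!").split(".")
        if not _rule_matches(rl, labels):
            continue
        if rule.startswith("!"):
            return ".".join(rl[1:])          # "!www.ck" -> suffix is "ck"
        if best is None or len(rl) > len(best):
            best = rl
    if best is None:
        return labels[-1]
    return ".".join(labels[-len(best):])


def registrable_domain(domain, rules=PSL_RULES):
    """Public suffix plus one label, or None when the name is itself a public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = public_suffix(domain, rules).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])
```

Note that `foo.www.ck` resolves to the registrable domain `www.ck` while `shop.example.ck` resolves to `shop.example.ck`; any DNS encoding of the list has to reproduce exactly this asymmetry between a wildcard and its exceptions.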