Re: [dmarc-ietf] Do is need a new ptype? Was Re: New authentication method, DNSWL

Alessandro Vesely <vesely@tana.it> Sat, 03 August 2019 15:28 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A6C1200C3 for <dmarc@ietfa.amsl.com>; Sat, 3 Aug 2019 08:28:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V7L1nXtHv3k7 for <dmarc@ietfa.amsl.com>; Sat, 3 Aug 2019 08:28:16 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B78912008F for <dmarc@ietf.org>; Sat, 3 Aug 2019 08:28:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1564846093; bh=fxkxS/n7IdepFSFx6J0tHIw4XUelW6MwGARBIJJwOqo=; l=1207; h=To:References:From:Date:In-Reply-To; b=AHj4tnw/OJNwX/5d2bKzLSpAZMhAUx1+fLNJ0pwzsCIYo2C+DlOtSwyebQTPaPqHX LHxQIOBAY2RPAuYRWvPsUK1Jx9i9pUCDt284sPe8kZTMBjNNtPGIw4/mjif8wTwCqg MoGGRhVrtD55bh4O/SrdBofKjvHz3LtgbtJfOmraT9zXixMfWEH/ozsjjuZ/V
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA id 00000000005DC042.000000005D45A80D.00000696; Sat, 03 Aug 2019 17:28:13 +0200
To: dmarc@ietf.org
References: <e580ada3-d9b5-0e5b-9ac3-eade41ac92d2@tana.it> <CAL0qLwa5yR5dVzkDSD48MDgpUa11+ri=KOwrNSqOxi8fB2i6PA@mail.gmail.com> <eabefc6b-7542-1a46-4272-b786433ed0b5@tana.it> <4783309.BXR8ZdE9c3@l5580> <CAL0qLwb5FAaYZ7AX_H=aeUFkv8cvY+xd1bQ5uCDp4tmrbx2CQg@mail.gmail.com> <7a21b80b-e6bb-d8b9-cf63-601a8d1e47e7@tana.it> <C1E711A8-F3A6-4A20-B71D-53FA773A61D9@kitterman.com> <aca25d30-3b01-4eaf-6d0b-3bae6f3f796b@tana.it> <CAL0qLwaY=YPskxLwZXkm9Gj4yvYEdJTMBSECOxvg6B4+Xb4EJA@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00
Message-ID: <a2bcc8a6-8fe6-54b8-5134-f1c51f74a35d@tana.it>
Date: Sat, 3 Aug 2019 17:28:13 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <CAL0qLwaY=YPskxLwZXkm9Gj4yvYEdJTMBSECOxvg6B4+Xb4EJA@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/h-6cuc9XlTGH0VpqZ7xd0ClR90Q>
Subject: Re: [dmarc-ietf] Do is need a new ptype? Was Re: New authentication method, DNSWL
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Aug 2019 15:28:18 -0000

On Fri 02/Aug/2019 21:58:30 +0200 Murray S. Kucherawy wrote:
> 
> Why would the thing attaching "dnswl=pass" not also interpret "policy.ip"?
> I would expect it to have that knowledge, not downstream things.  Again, I
> don't know what the value of "dnswl=pass" is if the thing attaching it
> doesn't even know how to interpret the result it got.


If the A-R producer could interpret the encoding then it could write something
like policy.trustworthiness=x instead of policy.ip=127.x.y.z.  However, in the
words of rfc5782:

   There is no widely used convention for mapping sublist names to bits
   or values, beyond the convention that all A values SHOULD be in the
   127.0.0.0/8 range to prevent unwanted network traffic if the value is
   erroneously used as an IP address.

It turned out that there is no simple syntax to configure which bits of the A
value bear which meaning.  For usability reason, in the case at hand, the
syntax was simplified  by requiring the color of the zone, that is[*]:

   -block=zone[,var[/n.n.n.n][,msg]] or -allow=zone[,var[/n.n.n.n[,]]]

IOW, dnswl=pass means the sender was whitelisted.


Best
Ale

-- 
[*] https://www.courier-mta.org/couriertcpd.html