Re: [dmarc-ietf] Bridging the gap

[Scott Kitterman <sklist@kitterman.com>]

On Saturday, June 18, 2022 7:25:28 AM EDT Alessandro Vesely wrote:
> On Sat 18/Jun/2022 02:40:49 +0200 Scott Kitterman wrote:
> > On Thursday, June 16, 2022 11:57:08 AM EDT Alessandro Vesely wrote:
> >> On Wed 15/Jun/2022 19:47:42 +0200 John Levine wrote:
> >>> It appears that Alessandro Vesely  <vesely@tana.it> said:
> >>>> I think we found the few critical domains which need a flag.
> >>> 
> >>> We may have found some domains that need a psd flag, but it's silly to
> >>> assert we have found all or even most of them.
> >>> 
> >>> The PSL has 9300 entries and there are surely far more places in the DNS
> >>> than that where you want sibling domains to be separate.
> >> 
> >> Is there someone who is going to contact, on behalf of the WG, the
> >> domains
> >> that were found in order to have their owners publish psd= flags before
> >> the
> >> RFC is published?
> > 
> > It is a project I intend to work on once the psd= tag has been assigned.
> > Until the working group has settled on it more definitively than "it's in
> > the current draft" I think it would be premature to bother them.
> 
> Agreed, we can wait until RFC queue.

I don't think we need to wait that long.  I have heard the designated expert 
for the registry is open to early registration if the chairs determine there 
is rough consensus for psd=.

> I think many of the required tasks can be discussed here.  Namely:
> 
>   * Listing relevant domains,
>   * finding contacts for listed domains,
>   * composing the text of an email to send them.
> 
> Actually sending those messages would sound more credible if done From:
> Someone@IETF.org.  Does such a role exist?

I don't think so.  In my experience it's external groups that are interested 
in a new technology that deal with evangelizing it once developed by the IETF.  
Since RFCs don't write themselves, there's generally someone.

> > From your list further down the thread, why do you think having a psd=y
> > tag on gov.uk, police.uk, and mil will have?  While it would be more
> > descriptively correct, I don't think there's any operational difference
> > if it's there or not since sub-domains of those PSDs are controlled by
> > one organization.
> I don't know how much control do parent domains exercise downwards.  It
> probably varies widely in each case.  Anyway, the tree walk needs those
> flags in order to work properly.
> 
> > If us.com had a DMARC record, that would be worth a discussion, but they
> > don't.
> 
> Why does uk.com differ?  They do have a DMARC record.

I have no idea why they are different, but that's the best example I've seen so 
far of a record for which psd=y would be important.  Once the tag is assigned, 
someone should definitely discuss this with CentralNic.  If no one on the list 
knows someone there, my guess is that it's almost a certainty that someone on 
the list knows someone who does.

> > It's not even the ~500 domains on the PSL that have DMARC records
> > published
> > that we need to concern ourselves with, it's a small subset of them.
> 
> I counted 238 of them, discarding the ones with '*'s.  Many can be grouped,
> for example blogspots and all Google stuff.  The PSL refers contacts in
> comments.
> 
> I don't know how to better select the domains which need to set the flag.
> Presumably, the mail will say something such that each domain owner can
> understand which domains are involved.

I'm willing to work on this at the appropriate time and i know others who are 
as well.  I think, for now, we should proceed on the assumption that the 
evangelization of the psd= tag will get done.  It needn't be done overnight as 
it will have no effect until mail receivers implement the associated 
processing.  That will be the bigger lift in my opinion.

Scott K