IETF Logo Mail Archive

Re: [dmarc-ietf] Final, I hope, tweaks to the tree walk

Alessandro Vesely <vesely@tana.it> Sun, 26 June 2022 11:20 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA673C17A753 for <dmarc@ietfa.amsl.com>; Sun, 26 Jun 2022 04:20:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.006
X-Spam-Level:
X-Spam-Status: No, score=-9.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b=QesWOYvy; dkim=pass (1152-bit key) header.d=tana.it header.b=BbTNqbSf
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CEKCY1mK8WRn for <dmarc@ietfa.amsl.com>; Sun, 26 Jun 2022 04:20:48 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 592EEC17A752 for <dmarc@ietf.org>; Sun, 26 Jun 2022 04:20:44 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1656242440; bh=1gi0pGDvzx7jMJ0nTbW3Xbell0bAnY6apLQST7tfrqg=; h=Date:Subject:To:References:From:In-Reply-To; b=QesWOYvyrHsXK7u+YT08Xmpa8QlrX6fyDZuCGlReJwAcFbthSCDd4Qg17KdcWPrUp LKp6iKC9Nozbd1kwHDiCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1656242440; bh=1gi0pGDvzx7jMJ0nTbW3Xbell0bAnY6apLQST7tfrqg=; h=Date:To:References:From:In-Reply-To; b=BbTNqbSfpfY0PhLmOHlvPo1/e13bex6wKceWLkVQSLTdpa8wRCqXPn0K78JbvR0GU I0qPc/74vIc8T0JClIgT5a23YlBvkLpE3UTNv3Mhqb2147/wBnFSzo1e93F4pUydnI aezuCrwyHD2MUfAr4BpYG/eyF/ZtIh17dzvkhxYxkM/4JapjsJuqL25AQUhd+
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC083.0000000062B84107.00004D68; Sun, 26 Jun 2022 13:20:39 +0200
Message-ID: <f896a2c7-0343-dc8a-205f-6704efa7df9f@tana.it>
Date: Sun, 26 Jun 2022 13:20:39 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: dmarc@ietf.org
References: <0d0dd2e1-90b0-424f-ee5c-fd9e324f4021@iecc.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <0d0dd2e1-90b0-424f-ee5c-fd9e324f4021@iecc.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/i70Y3nnu_uf4rIb6o0CkelUh0v8>
Subject: Re: [dmarc-ietf] Final, I hope, tweaks to the tree walk
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jun 2022 11:20:54 -0000

On Sun 26/Jun/2022 02:42:31 +0200 John R. Levine wrote:
> I made a pull requests with a few tweaks to the tree walk so it will get the 
> right answer even with psd tags at multiple levels.
> 
> https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/pull/47
> 
> One question is what do you do if the DMARC record for your original From: 
> domain has psd=y.  My text says you ignore it since if you're sending mail, 
> you're not really a PSD.


I disagree.  If a PSD sends messages, e.g. uk.com, it should still set psd=y, 
and there's no reason to ignore it.  We said that, in such cases, they 
practically have an implicit adkim=s.  Thus, it makes no sense to look for an 
org domain toward the root.


Taken off this bit, I re-propose the shorter (6 step) algorithm I posted in April:



-------- Forwarded Message --------
Subject: Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy for the Author Domain - 
dmarcbis-06
Date: Tue, 5 Apr 2022 10:43:49 +0200
From: Alessandro Vesely <vesely@tana.it>
To: dmarc@ietf.org

On Mon 04/Apr/2022 15:29:40 +0200 Scott Kitterman wrote:
 >
 > The diff is relative the last text I posted.


Section 5 has to stay before Section 4.  It makes no sense to exemplify 
_dmarc.example.com if we haven't yet said that:

    Domain Owner and PSO DMARC preferences are stored as DNS TXT records
    in subdomains named "_dmarc".
                                                   [Current Section 5.1]


Then, let's make a statement like so:

    Retrieving the DMARC record of a domain implies the following steps:

    1.  Prepend the label "_dmarc" to the domain name and issue a DNS Query for
        a TXT record at the resulting domain.  For example, if the domain is
        example.com, query _dmarc.example.com.

    2.  Collate any string returned, in the order returned.

    3.  Records that do not start with a "v=" tag that identifies the
        current version of DMARC are discarded.  If multiple DMARC
        records are returned, they are all discarded.


At this point, the algorithm can be expressed in a shorter form like so:

    1.  Set the current target to the identifier at hand, which is one of the
        domain(s) described above.

    2.  Retrieve the DMARC record of the current target.

    3.  If the record exists and contains either psd=y or psd=n, stop.

    4.  Break the current target name into a set of "n" ordered
        labels.  Number these labels from right to left; e.g., for
        "a.mail.example.com", "com" would be label 1, "example" would be
        label 2, "mail.example.com" would be label 3, and so forth.

    5.  Count the number of labels in the current target.  Let that number
        be "x".  If x = 1, stop.  If x < 5, remove the left-most (highest-
        numbered) label from the subject domain.  If x >= 5, remove the
        left-most (highest-numbered) labels from the subject domain until
        4 labels remain.  The resulting DNS domain name is the new target
        for subsequent lookups.

    6.  Go to 2.


Better?


Best
Ale
-- 






_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email