IETF Logo Mail Archive

Re: [dmarc-ietf] Issue opened: Use a four-valued token for the four roles of a DMARC policy

Scott Kitterman <sklist@kitterman.com> Mon, 29 August 2022 15:27 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A1CCC157B37 for <dmarc@ietfa.amsl.com>; Mon, 29 Aug 2022 08:27:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=vUgTv37g; dkim=pass (2048-bit key) header.d=kitterman.com header.b=o2Fe6LQK
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ShwPqifq2VMT for <dmarc@ietfa.amsl.com>; Mon, 29 Aug 2022 08:27:12 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 208B1C157B33 for <dmarc@ietf.org>; Mon, 29 Aug 2022 08:27:11 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id E3306F802FC for <dmarc@ietf.org>; Mon, 29 Aug 2022 11:27:07 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1661786827; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=GNzRqlzQnFD1e+bxn47wZ09XYIxPpgUENDO1wPR6yw4=; b=vUgTv37gM6iq13eAhvOOIfHzR+rADjTdgkCFHqzZeCitML7+tr7FEdOZWAQw9GFUwxphO sAg3BRK0fkfbJ5ODw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1661786827; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=GNzRqlzQnFD1e+bxn47wZ09XYIxPpgUENDO1wPR6yw4=; b=o2Fe6LQK4b1zNPC8S6KGnqmdEaOTz8z/6pdj0fsTI/d0WB1JdWYKlYigCCJ7aRQDsnEkG SpDhDN7v6t1VTNGX49ZG28/cgcd18FcLHTkLDAVpW+0StejlSh7bvTphSn27kUw5b8YkFq3 y/mYHIgYp/Vy8BaiuI9jZUY3aWqcmO6Ny/MNF0Bie7jKwhlwY9gSQYrNfColV37sVVj0SsJ 5VxbAwVWOgapWtncFSKNxaJQ4ty7c/DHt67g/uqp47VVKQ0uq1OjFIvf115BGPVevYpd4Gl gSp0taC0egVqoE8k0gTr8Pqb+RBs2YhXyKRjDIVkhmA/H/z7MXqbc5rnUyyQ==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id A1EE4F80153 for <dmarc@ietf.org>; Mon, 29 Aug 2022 11:27:07 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Mon, 29 Aug 2022 11:27:07 -0400
Message-ID: <1808206.0TLCzVvF1F@zini-1880>
In-Reply-To: <CAH48ZfxTMu1O1=1BsR3Nvyfer6b5LK77+Xcg-5FLjOQ9k80-VQ@mail.gmail.com>
References: <CAH48Zfy7hwRNsFbufA1nfFhC8takoipRY298oNO9RpHCaKuZaA@mail.gmail.com> <8F21F0C0-D9F5-4677-A3D0-1039AC04A540@kitterman.com> <CAH48ZfxTMu1O1=1BsR3Nvyfer6b5LK77+Xcg-5FLjOQ9k80-VQ@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jnSVn28_k_EHSI7vQicslAMDvNY>
Subject: Re: [dmarc-ietf] Issue opened: Use a four-valued token for the four roles of a DMARC policy
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2022 15:27:17 -0000

On Monday, August 29, 2022 7:50:18 AM EDT Douglas Foster wrote:
> Not strongly opinionated about location.
> 
> For the first insertion:  Since the definition of psd=n  occurs in the
> policy record, and after the tree walk, this seems to fit in with the psd=n
> definition.
> 
> Some organizations have subtrees within their DNS structure that represent
> client sub-organizations, which are unaffiliated for purposes of relaxed
> authentication.   Before putting a PSD=N tag on an organizational domain
> policy, the domain owner MUST ensure that all sub-organization boundaries
> are properly identifiable.   Identification can be accomplished by placing
> a PSD=Y tag on the domain which is the parent of the sub-organizations, by
> placing a PSD=Y tag on the organizational domain of every client
> sub-organization, or both.

I do not support this.  That's not at all how it works.

Unless you are something like .gov or .us.com you don't need to use psd=y.  I 
think this is likely to lead to confusion and mis-deployment.  The only reason 
to use psd=n is if the entity above yours in the DNS tree has a DMARC record 
without psd=y and is an actual PSD.

When we discussed this before, we concluded that while the current protocol 
definition does technically support embedded PSDs lower in the tree below DMARC 
organization domains, it's not something that actually happens.

I think the draft, as written, adequately addresses PSDs and adding this kind 
of exposition, even if it were technically correct, would lead to confusion.
> 
> For the second insertion:  Also append it to the definition of psd=y.  If
> the tree walk description was more algorithmic, I would place the second
> paragraph with the description of how the initial exact-match policy is
> handled, but that is not an option.
> 
> "Most registrar domains are self-contained, meaning that the parent domain
> is a PSD and child domains are PSDs or unaffiliated organizations or PSDs.
> When this is the case, the domain owner should publish PSD=Y as well as
> askim=s and aspf=s.   This ensures that the Tree Walk will terminate and
> use the current domain policy as the default policy.
> 
> When a registrar and its parent are in the same organization, and the
> organization sends mail, DMARC policies using relaxed alignment may be
> desired.  When "psd=y" is encountered on the initial exact-match domain,
> and relaxed alignment is specified, the "psd=y" term is ignored and the
> Tree Walk is used to find the parent record which is the organizational
> domain."

I don't think this is a good idea either.  We should not go down this path.

It doesn't matter if a PSD (with psd=y) that sends mail specifies adkim/apsf=s.  
Given the current design, an exact match is all that will ever align.  While I 
agree actually putting adkim/apsf=s in a PSD's DMARC record would be clearer 
for human interpretation, for the machines they don't matter.  I don't believe 
there's any benefit to specifying them.

Once again, PSD is an infinitesimal fraction of DMARC.  It is currently 
correctly specified and putting too much emphasis on it will just create 
confusion.

I've snipped the rest of the message to make the flow easier to follow.  I 
don't think it's needed to support further discussion.

Scott K

v2.23.0 | Report a Bug | By Email