IETF Logo Mail Archive

Re: [dmarc-ietf] Final, I hope, tweaks to the tree walk

Alessandro Vesely <vesely@tana.it> Wed, 29 June 2022 10:21 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64F8EC15C7C2 for <dmarc@ietfa.amsl.com>; Wed, 29 Jun 2022 03:21:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.002
X-Spam-Level:
X-Spam-Status: No, score=-4.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b=J97OOdKv; dkim=pass (1152-bit key) header.d=tana.it header.b=BtvRB/MY
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 47JX2igTzPzl for <dmarc@ietfa.amsl.com>; Wed, 29 Jun 2022 03:21:02 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BE34C15A740 for <dmarc@ietf.org>; Wed, 29 Jun 2022 03:21:02 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1656497760; bh=aUbeOhDjMWSpwXBjgvoixwUm/PRBL132J8sisQNeJKU=; h=Date:Subject:To:References:From:In-Reply-To; b=J97OOdKvWwpD6xlcmcV4suiNievHHJYj8txTqvNYJ8/rYACSXBdBbpolAPsKR49vm 8/uhrDV+yPifA2Vrsp3Bg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1656497760; bh=aUbeOhDjMWSpwXBjgvoixwUm/PRBL132J8sisQNeJKU=; h=Date:To:References:From:In-Reply-To; b=BtvRB/MYIAiyRskBTmv+OIE9FSkhlvSBRrN1D9F7g9x6vs+1AsMe/FwJd3CSsb1qk GoyoXaC+9Hu8VuUF5fuyFX5EQ7S8MjweMAaXm4unWg8FVnLv4ejWU30wISjbwzV8Hl deCf5dK093WE8JILVfg2Drld0YXWJS4fboEnyPXVEEdgAZOrAwT2VwNCWo8Jo
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0F0.0000000062BC2660.0000783D; Wed, 29 Jun 2022 12:16:00 +0200
Message-ID: <7b584f9f-1e03-93f7-bb8a-0a899dfdfe8c@tana.it>
Date: Wed, 29 Jun 2022 12:16:00 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: dmarc@ietf.org
References: <20220626154211.6893F4452D0F@ary.qy> <2bc4e123-8711-7538-599e-727d8ea9caff@tana.it> <bedf51e9-6fe6-d52b-1083-bac67d8906ea@taugh.com> <be56e041-d588-c8e7-bd37-bf2858773b75@tana.it> <ED978D2A-ADD1-4FFA-B101-239D333019CB@kitterman.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <ED978D2A-ADD1-4FFA-B101-239D333019CB@kitterman.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/lSV2cJfYKoUmJU7_sb_NuuAITto>
Subject: Re: [dmarc-ietf] Final, I hope, tweaks to the tree walk
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2022 10:21:10 -0000

On Tue 28/Jun/2022 18:46:18 +0200 Scott Kitterman wrote:
> On June 28, 2022 4:33:15 PM UTC, Alessandro Vesely <vesely@tana.it> wrote:
>
>>What can one find continuing the walk after psd=y?
>>
>>For example, let's consider an imaginary bank, com.bank, say.  They use that domain as corporate domain, and have a DMARC record.  They also delegate zones to local subsidiaries.  One of them, uk.com.bank in turn delegates to other banks in the UK and sends mail like uk.com.  So you may end up having a DMARC record at each level:
>>
>>bank -> psd=y,
>>com.bank -> psd=n or psd=u (for private use),
>>uk.com.bank -> psd=y.
>>
>>Does our model support that?  How else should they set their records up?
> 
> I think that's sufficiently obscure that I doubt we care, but I think it is supported just fine.
> 
> The only nuance is that in this scenario, mail that is 5322.from uk.com.bank would have to use 5321.mailfrom and DKIM d= uk.com.bank.  Subdomains wouldn't align, which I think is fine.


However, if you continue the tree walk after uk.com.bank, you'll find the org 
domain is com.bank.  That way, d=whatever.com.bank in a signature would be 
aligned, which is not correct.


> The operational distinction between a PSD and a non-PSD is that subdomains of a PSD are different organizations and subdomains of non-PSDs are part of the same organization.  I believe that's the correct distinction.

Yes.


Best
Ale
--

v2.23.0 | Report a Bug | By Email