Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

OLIVIER HUREAU <olivier.hureau@univ-grenoble-alpes.fr> Fri, 15 March 2024 02:29 UTC

Date: Fri, 15 Mar 2024 03:29:17 +0100
From: OLIVIER HUREAU <olivier.hureau@univ-grenoble-alpes.fr>
To: Mark Alley <mark.alley=40tekmarc.com@dmarc.ietf.org>
Cc: dmarc <dmarc@ietf.org>
Message-ID: <1193231831.5834441.1710469757768.JavaMail.zimbra@univ-grenoble-alpes.fr>
In-Reply-To: <54b44e40-e298-432b-9fc0-1269a328ae58@tekmarc.com>
References: <CAHej_8kip_p+n56=Y5WuVG2M_+HXHj51fyY3k6dx-itJRZkCpQ@mail.gmail.com> <54b44e40-e298-432b-9fc0-1269a328ae58@tekmarc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mRXGOc93NLHz2p8f2WsN4aPMi0Y>

> If we need some real world examples of this, got a few here: 

According to my measurements, 14M domain names out of 280M active domains have a CNAME at _dmarc.
871,245 have a valid DMARC record. Of those, 7609 are in the Tranco top 1M popular domains.

For those without DMARC records (I haven't dug a lot, just on-the-fly stats) it's either an "SPF" CNAME or wildcard TXT records.

Olivier 

From: "Mark Alley" <mark.alley=40tekmarc.com@dmarc.ietf.org>
To: "dmarc" <dmarc@ietf.org>
Sent: Thursday, 14 March 2024 21:28:11
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

If we need some real world examples of this, got a few here:

_dmarc.oit.alabama.gov
_dmarc.tjx.com
_dmarc.walmart.com
_dmarc.novanta.com

- Mark Alley
On 3/14/2024 3:18 PM, Todd Herr wrote:

Colleagues,

There was a discussion among M3AAWG members on March 13 that centered on the question of whether DMARC records can be published in DNS as CNAMEs, e.g.,

    _dmarc.example.com IN CNAME _dmarc.example.org
    _dmarc.example.org IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org;"


Section 3.6.2 of RFC 1034 seems to indicate that it is permissible to publish DMARC records in this fashion, and describes the following scenario using a CNAME record and an A record:

    For example, suppose a name server was processing a query with for USC-
    ISIC.ARPA, asking for type A information, and had the following resource
    records:

        USC-ISIC.ARPA   IN      CNAME   C.ISI.EDU
        C.ISI.EDU       IN      A       10.0.0.52

    Both of these RRs would be returned in the response to the type A query,
    while a type CNAME or * query should return just the CNAME.


I recommend adding a paragraph to DMARCbis, section 5.1 DMARC Policy Record at the end of that section that reads:

    Per RFC 1034 section 3.6.2, a DMARC record MAY be published as a CNAME record, so long as the corresponding canonical name ultimately resolves to a TXT record so as to ensure that queries of type TXT return a DNS RR in the expected format.

Issue 136 has been opened for this.

--
Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.herr@valimail.com
Phone: 703-220-4153

_______________________________________________ 
dmarc mailing list 
dmarc@ietf.org 
https://www.ietf.org/mailman/listinfo/dmarc
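The CNAME-following lookup the thread relies on, as an added example that is not code from the thread, from DMARCbis or from any real resolver: a toy zone constructed inline, a TXT query that restarts at the canonical name per RFC 1034 section 3.6.2, and DMARC policy discovery that also covers the cases Olivier's figures point at (a _dmarc CNAME that lands on an SPF record and so yields no DMARC policy) plus a looping CNAME chain. The zone contents and the chain limit are assumptions for the example.

```python
# Constructed toy zone for the example (not real DNS data): owner name -> [(rtype, rdata)].
ZONE = {
    "_dmarc.example.com": [("CNAME", "_dmarc.example.org")],
    "_dmarc.example.org": [("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org;")],
    # a _dmarc CNAME that lands on an SPF record: the TXT query succeeds, but no DMARC policy results
    "_dmarc.spfonly.example": [("CNAME", "spf.example")],
    "spf.example": [("TXT", "v=spf1 -all")],
    # a CNAME loop, which a resolver must refuse to follow forever
    "_dmarc.loop-a.example": [("CNAME", "_dmarc.loop-b.example")],
    "_dmarc.loop-b.example": [("CNAME", "_dmarc.loop-a.example")],
}
MAX_CNAME_CHAIN = 8  # assumed limit for the example; real resolvers cap chain length similarly


def query(zone, name, rtype):
    """Answer a query the way RFC 1034 section 3.6.2 describes: if the owner
    name has a CNAME and the query is not of type CNAME, return the CNAME RR
    and restart at the canonical name; a type CNAME query returns just the CNAME."""
    answer = []
    for _ in range(MAX_CNAME_CHAIN + 1):
        rrs = zone.get(name, [])
        cnames = [rdata for rtype_, rdata in rrs if rtype_ == "CNAME"]
        if cnames and rtype != "CNAME":
            answer.append((name, "CNAME", cnames[0]))
            name = cnames[0]
            continue
        answer.extend((name, rtype_, rdata) for rtype_, rdata in rrs if rtype_ == rtype)
        return answer
    raise RuntimeError("CNAME chain too long or looping")


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def discover_dmarc(zone, domain):
    """Return the parsed DMARC tags for domain, or None when no usable record exists.
    Only TXT RRs in the final answer count, and only those starting with v=DMARC1."""
    try:
        answer = query(zone, "_dmarc." + domain, "TXT")
    except RuntimeError:
        return None
    records = [parse_dmarc(rdata) for _, rtype_, rdata in answer if rtype_ == "TXT"]
    records = [r for r in records if r.get("v") == "DMARC1"]
    # RFC 7489 section 6.6.3: zero or more than one DMARC1 record means no policy applies
    return records[0] if len(records) == 1 else None
```

With these inputs, example.com resolves through the CNAME to a p=reject policy, while spfonly.example and the looping pair yield no policy at all.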