Re: [dmarc-ietf] Tree walk nits
Scott Kitterman <sklist@kitterman.com> Wed, 22 June 2022 01:51 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD57CC14CF1C for <dmarc@ietfa.amsl.com>; Tue, 21 Jun 2022 18:51:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=XitJmzqw; dkim=pass (2048-bit key) header.d=kitterman.com header.b=XZ7pLUz1
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GgCKmBDOaYan for <dmarc@ietfa.amsl.com>; Tue, 21 Jun 2022 18:51:02 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA764C14CF1B for <dmarc@ietf.org>; Tue, 21 Jun 2022 18:51:02 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id DB72EF80301 for <dmarc@ietf.org>; Tue, 21 Jun 2022 21:51:00 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1655862660; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=gC27uTqTdguJYWwiWb0fTqcnrThs87Ngh25NGUnxBz8=; b=XitJmzqwe/vavu8A21sYas9GzHOYb8NtOxd5eP6qAZ/jRxkWZRkNaHdmV9GKAdMJVroeV swO2Mz5kIr03FPjAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1655862660; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=gC27uTqTdguJYWwiWb0fTqcnrThs87Ngh25NGUnxBz8=; b=XZ7pLUz1ihPVDuJgE0Luo1waVjSGw1zE78o4jPi0aA1fX6RHWRNTaENTYy5oc1MZ4zCaa m7dkJYEqK3Ud5jbuJdRjaCSi8Dn0JwcYra8HQAIikwB4RtnqnWW/fEFzwn8rmHRjGY7RHHU yUAQW+Sjlr5Jbo6c/kmidI0Zf+qMBdjn5vE1+bI2RdEBnniB5uvJdRNeQI8JEIOs7abinE/ EJQOi2wmn4TxcZZIW8e+fBkevxCisGz0P5zazCLcIrhK6NWCNwXMygEI4N22AeaXE4g9fEj 11sSKCS4QF1QvyjhQ+XolSZzAaQpwkFMpxs4gyKWdBDAhDS/81yHwJTPWzOA==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id AD4B5F801C8 for <dmarc@ietf.org>; Tue, 21 Jun 2022 21:51:00 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 21 Jun 2022 21:51:00 -0400
Message-ID: <29052171.xTAUad66BK@zini-1880>
In-Reply-To: <fc09174a-24d3-1874-0871-152ea3a92b99@taugh.com>
References: <fc09174a-24d3-1874-0871-152ea3a92b99@taugh.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/pV_6XWDwuFthkhRAJHW6-HW1Qko>
Subject: Re: [dmarc-ietf] Tree walk nits
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2022 01:51:07 -0000
On Tuesday, June 21, 2022 7:42:01 PM EDT John R Levine wrote: > I've been staring at the tree walk description and see a few places where > it could be clearer, and one place where I think it's wrong, left over > text from the old downward walk. > > If this discussion isn't clear enough I can do a pull request with the > proposed changes. > > In the description of the tree walk in sec 4.6, it appears that you always > walk up to the root even if you've already found the record you're going > to use. In steps 2 and 7 I would add "If one valid record remains, stop > and use that record." > > The part with the numbered list in sec 4.8 is confusing. Step 3 says > "select the record for the domain with the fewest number of labels" which > I think is wrong, should be the most labels. I would rewrite the whole > section to say to use the record found by the tree walk, and the three > numbered items say how to interpret it. As written, I think it produces the correct result. The trick is that there isn't just one tree walk. There are up to three. You need to know: Org domain for 2822.From Org domain for 2821.MailFrom Org domain for d= domain Let's take the following example (I know things will essentially always not be this complicated, but we need to assess the worst case): 2822.From domain = example.com 2821.Mailfrom = mail.example.com d= domain = internal.dkim.example.com Using RFC 7489, com is in the PSL, so they all have the org domain example.com. They are aligned (same org domain) (see 3.2.4 in the draft). Let's say each of example.com, mail.example.com, internal.dkim.example.com, and dkim.example.com have a DMARC record with no psd= tag and assess using DMARCbis: Based on the description in 4.8 for organizational domain discovery you would do the following walks (in practice this would collapse to fewer steps, but showing the redundant bits for completeness/clarity): 2822.From example.com = record com = no record 2821.Mailfrom mail.example.com = record example.com = record com = no record DKIM d= internal.dkim.example.com = record dkim.example.com = record example.com = record com = no record As written you take the domain with a (non-PSD) DMARC record with the fewest labels, which would be: 2822.From example.com = record 2821.Mailfrom example.com = record DKIM d= example.com = record They all have a common organizational domain, so they are aligned and the result is identical to RFC 7489. If you stopped after the first match they would all be different and nothing would align. If don't stop, but you take the longest match, they are all different and they don't align. I'm all for making it clearer, but I think what's there provides the correct result. For policy discovery (4.7) it's different. It says use the p= tag of the 2822.From DMARC record (if any) or the p/sp/np tags of the org/psd domain it it doesn't. If all we were doing was policy determination, then stopping at the first match would work. At least this is my assessment, maybe I am missing something? Scott K _dmarc.a.b.c.d.e.mail.example.com_dmarc.e.mail.example.com_dmarc.mail.example.com_dmarc.example.com_dmarc.com
- [dmarc-ietf] Tree walk nits John R Levine
- Re: [dmarc-ietf] Tree walk nits Scott Kitterman
- Re: [dmarc-ietf] Tree walk nits John Levine
- Re: [dmarc-ietf] Tree walk nits Scott Kitterman
- Re: [dmarc-ietf] Tree walk nits John Levine
- Re: [dmarc-ietf] Tree walk nits Scott Kitterman
- Re: [dmarc-ietf] Tree walk nits John Levine
- Re: [dmarc-ietf] Tree walk nits Scott Kitterman
- Re: [dmarc-ietf] Tree walk nits Douglas Foster