Re: [dmarc-ietf] Genart last call review of draft-ietf-dmarc-psd-08

Todd Herr <> Fri, 10 April 2020 13:38 UTC

From: Todd Herr <>
Date: Fri, 10 Apr 2020 09:38:40 -0400
To: John Levine <>
Cc: dmarc <>,
Subject: Re: [dmarc-ietf] Genart last call review of draft-ietf-dmarc-psd-08

On Thu, Apr 9, 2020 at 7:09 PM John Levine <> wrote:

> In article <CABuGu1rekWo3mRkK_OpRksYNrSmPaFHD6k1_K=
>> you write:
> >   1. "" is not a TLD. TLDs are single label domains - there are
> >   ccTLDs and gTLDs.
> Right.

I don't disagree, but what I was going for here was some level of
consistency with section 3.2 of RFC 7489, which reads in part:

   1.  Acquire a "public suffix" list, i.e., a list of DNS domain names
       reserved for registrations.  Some country Top-Level Domains
       (TLDs) make specific registration requirements, e.g., the United
       Kingdom places company registrations under ""; other TLDs
       such as ".com" appear in the IANA registry of top-level DNS
       domains.  A public suffix list is the union of all of these.
       Appendix A.6.1 <> contains some discussion about obtaining a public
       suffix list.

The point of the paragraph in question wasn't to define TLDs (or PSDs) but
rather to better define "domain names reserved for registration".

> >   2. The invocation of the PSL compounds the issue that was raised by Dave
> >   Crocker. How DMARC (RFC 7489) determines the organizational domain is
> >   orthogonal to this proposal which simply calls for a conditional additional
> >   check at the "org - 1" level. I recommend striking the penultimate
> >   paragraph in the proposal.
> I'd suggest weasel wording it to say that the domain above an org
> domain is often known as a public suffix domain, which typically
> delegates the org domains below it to unrelated parties.  This spec
> allows public suffix domains to publish policies to supplant those of
> their child org domains ...
> I agree we should stay as far from mentioning the PSL and its specific
> implementation as possible.  Who knows, someday people might get
> around to trying my dbound in DNS implementation instead.

Dale twice in his comments expresses doubt that it's possible for anyone to
know all PSDs; the mention of a specific PSL in the abstract was an attempt
to answer those doubts.

The second paragraph could be rewritten as

*The original design of DMARC applies only to domains that are registered
with a domain name registrar (called “Organizational Domains” in RFC 7489)
and nodes in the tree below Organizational Domains. Organizational Domains
are themselves nodes in the tree below domain names reserved for
registration, the latter of which will be referred to as Public Suffix
Domains (PSDs) in this document.*

But how to address Dale's concerns about how one knows all PSDs?

Todd Herr
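The thread above discusses two things a reader may want to see concretely: how RFC 7489 section 3.2 derives the Organizational Domain from a public suffix list, and where the "domain above an org domain" (the Public Suffix Domain, PSD) sits in the lookup the draft adds. The following is an added illustration, not code from the thread, the draft or any DMARC implementation. The public suffix list and the DNS records are constructed toy data, the wildcard and exception rules of the real PSL are not modelled, and the conditions the draft places on the third lookup step (which PSDs may publish such policies) are left out; only the tree relationship is shown.

```python
"""
Added illustration: Organizational Domain and Public Suffix Domain (PSD)
derivation from a public suffix list, and the three-level policy lookup
(exact domain, Organizational Domain, PSD) that the PSD draft describes.
All data below is constructed for the example; "example" is used as a
hypothetical PSD.
"""

# Constructed miniature public suffix list (plain suffixes only; a real
# list also has wildcard and exception rules).
TOY_PSL = {"com", "org", "uk", "co.uk", "example"}

# Constructed DMARC records, keyed by the name the TXT record would live at.
TOY_DNS = {
    "_dmarc.bank.example": "v=DMARC1; p=reject",
    "_dmarc.example": "v=DMARC1; p=reject",   # hypothetical PSD-level policy
}


def _labels(domain):
    """Normalise a domain name into lower-cased labels, dropping a trailing dot."""
    return domain.lower().rstrip(".").split(".")


def organizational_domain(domain):
    """RFC 7489 s.3.2: the longest matching public suffix plus the one label
    to its left.  Returns None when the domain is itself a public suffix or
    when no suffix in the list matches at all."""
    labels = _labels(domain)
    # Longest candidate first: "a.b.c" -> "a.b.c", then "b.c", then "c".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in TOY_PSL:
            if i == 0:
                return None          # the domain is itself a public suffix
            return ".".join(labels[i - 1:])
    return None


def public_suffix_domain(domain):
    """The node directly above the Organizational Domain: the PSD."""
    org = organizational_domain(domain)
    if org is None:
        return None
    return org.split(".", 1)[1]


def dmarc_lookup(from_domain, dns=TOY_DNS):
    """Policy discovery order with the PSD extension: the RFC 5322.From
    domain itself, then its Organizational Domain, then the PSD.
    Returns (level, name, record) for the first record found, else None."""
    org = organizational_domain(from_domain)
    psd = public_suffix_domain(from_domain)
    tried = set()
    for level, name in (("exact", from_domain), ("org", org), ("psd", psd)):
        if name is None:
            continue
        name = name.lower().rstrip(".")
        if name in tried:            # e.g. From domain == Organizational Domain
            continue
        tried.add(name)
        record = dns.get("_dmarc." + name)
        if record is not None:
            return level, name, record
    return None


if __name__ == "__main__":
    for d in ("mail.example.co.uk", "www.bank.example", "nonexistent.example", "foo.com", "co.uk"):
        print(d, "->", organizational_domain(d), "/", public_suffix_domain(d), "/", dmarc_lookup(d))
```

Running the block shows the distinction the thread is after: for `mail.example.co.uk` the Organizational Domain is `example.co.uk` and the PSD is `co.uk`, while a name that is itself a public suffix (`co.uk`) has no Organizational Domain at all. The lookup for `nonexistent.example` finds nothing at the exact or organizational level and falls through to the constructed record published at the PSD `example`.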