Re: [dmarc-ietf] DNS library queries for DKIM and DMARC records?
Dave Crocker <dcrocker@gmail.com> Sun, 14 April 2019 14:05 UTC
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E7AA12004D for <dmarc@ietfa.amsl.com>; Sun, 14 Apr 2019 07:05:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yAjBqEoEiO2j for <dmarc@ietfa.amsl.com>; Sun, 14 Apr 2019 07:05:17 -0700 (PDT)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 930FC120003 for <dmarc@ietf.org>; Sun, 14 Apr 2019 07:05:17 -0700 (PDT)
Received: by mail-oi1-x22e.google.com with SMTP id i21so11658738oib.11 for <dmarc@ietf.org>; Sun, 14 Apr 2019 07:05:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=q6Fg+aPpPj6Y4iA79wdc/+4vVKDHP2hVfs43hQLCNyo=; b=DXekpUwJSOHp0ZQ8dXgPNPBIC/lUch9/tQXXf0+R/jglWoMCV9VpGKvAo8AABnlPiF 9X7LohbxrZYm0ipdA+XHJw7Wmn9dXOvhGp+Sh7T1hM5LxWXZuuxHaAALeFi1dB/l9vfI FLQGHAcv4/sOGRZoiJHBy7Ct40umhDnELylCuVPjPii7K6SmauNMFrQljonlN0TC309C D64TaHqmSRWgN+OD6+TaOkUnWUOnue6r6kck9u59kiopskswSM0sZ5RXHdu0+z/Zpl3T u4OWCJo8i6RGSaGT1bWeTMMygIiCcCiaU/4TAYIlw4IvnSB6JdWrwRfsFNRIj/47LS12 tvWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=q6Fg+aPpPj6Y4iA79wdc/+4vVKDHP2hVfs43hQLCNyo=; b=p5+mQeXTNwu0tooIRonYisMcqfF1wlM8UtSgMrJiDEskYtUZALDYW35VscMbhLr+ar VWOf4IgVF1yVScQMY0oQlAOwSWUKjJBuvBu4PnVTjWXPeWpmYM7LMGmQab2NsEeZxTW7 +65Z4y3mjY/buJ3FaP1gO8dSPVT7SETmIwcZjCE6KVp5+hOd9jzSs8OVhhZo3dmde2lC 7/67E9cpTr1c62ihVbzJd4Psg4CgBpz5EDvOUhxp6g9eBEgYx0elmK7gX1iW8pA4Sejk TY00ydg5aWcSieXE41GruLT/Li9ZLUYmmos94XlTWqNWODrVFmPaQdcBFnA1QiW3Vu8V BjoA==
X-Gm-Message-State: APjAAAV2YRSRf1rM7DxI7RF56W7Xg8p0siuKmu2QoR0uqmhmCE0Bx8L9 4c3GQTAWt2MXFUn6ltS4yKu8xG9e
X-Google-Smtp-Source: APXvYqxXvS/5ZzGF4IgMBSzJmAbcAibcn9F4xUdaHuCr4OtHBgw/omEJuidA0a7LSsnaT2VrQTSFUQ==
X-Received: by 2002:aca:3905:: with SMTP id g5mr16889684oia.49.1555250716034; Sun, 14 Apr 2019 07:05:16 -0700 (PDT)
Received: from ?IPv6:2600:1700:a3a0:4c80:8981:f659:72f2:350f? ([2600:1700:a3a0:4c80:8981:f659:72f2:350f]) by smtp.gmail.com with ESMTPSA id m22sm12425437otq.47.2019.04.14.07.05.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 14 Apr 2019 07:05:14 -0700 (PDT)
To: John R Levine <johnl@taugh.com>
Cc: dmarc@ietf.org
References: <20190414032049.113592011EB715@ary.qy> <dbd660f4-25fe-6fd9-8a94-748ec6e92c01@gmail.com> <alpine.OSX.2.21.1904132343330.29848@ary.qy>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <7741d1b8-852e-37ba-ad7b-6b0103b4518d@gmail.com>
Date: Sun, 14 Apr 2019 07:05:13 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.1904132343330.29848@ary.qy>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/tzI-iYbgYnRg4b6k4U7zObkZq9A>
Subject: Re: [dmarc-ietf] DNS library queries for DKIM and DMARC records?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Apr 2019 14:05:20 -0000
On 4/13/2019 8:51 PM, John R Levine wrote: >>> As I understand it, your design depends on putting NXDOMAIN signals >>> in the additional section to show that there aren't any boundaries >>> between the names it returns. How do you plan to do that? >> >> John, I don't understand your note. > > In draft-dcrocker-dns-perimeter-00, it says this: > > Another approach is use of the DNS Additional section in the server > response. When there is a query for a Perimeter node, the server > would include the associated Perimeter BEGIN record from earlier in > the hierarchy, if the queried node is within that hierarchy -- that > is, is above the actual or virtual END record. > > If you asked for _perim.a.b.c.example.com, and the perimeter is actually > at "c", there, you hope that modified DNS servers will return NXDOMAIN > and in the additional section add _perim.c.example.com. Good. That language seems about right. > But since the > additional section info is just advisory, that doesn't tell you anything > about _perim.b.c.example.com, which might exist or might not. To avoid > doing a tree walk, you'd need a signal that _perim.b.c.example.com does > not exist, and there's no way to do that in an additional section. The rest of your paragraph, again, is confusing and probably misleading. First, by definition, the fact that NXDomain is returned means that _perim.b.c.example.com does not exist. There is no need or suggestion that the Additional section also indicate that that name doesn't exist. Rather, a query to such a non-existent domain will provide information that it doesn't exist by using the usual NXdomain response, except that response will /also/ have an Additional section, containing information about the node up the branch that contains the Perimeter 'begin'. My draft doesn't yet offer a detailed specification for this. It's phrased to explore an approach. So the details of exactly what would go into the Additional section for an NXDomain response are tbd. Let's wait to criticize or improve those details until after they've been written. As for the concern about 'advisory', that merely means that the client would need to confirm the information from the Additional section. That's one more direct query to the referenced _perim.c.example.com. Doing exactly one more query is already demonstrated to be acceptable, at least for some applications. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- [dmarc-ietf] DNS library queries for DKIM and DMA… Dave Crocker
- Re: [dmarc-ietf] DNS library queries for DKIM and… Scott Kitterman
- Re: [dmarc-ietf] DNS library queries for DKIM and… Murray S. Kucherawy
- Re: [dmarc-ietf] DNS library queries for DKIM and… Dave Crocker
- Re: [dmarc-ietf] DNS library queries for DKIM and… Scott Kitterman
- Re: [dmarc-ietf] DNS library queries for DKIM and… Scott Kitterman
- Re: [dmarc-ietf] DNS library queries for DKIM and… John Levine
- Re: [dmarc-ietf] DNS library queries for DKIM and… Dave Crocker
- Re: [dmarc-ietf] DNS library queries for DKIM and… John R Levine
- Re: [dmarc-ietf] DNS library queries for DKIM and… Dave Crocker
- Re: [dmarc-ietf] DNS library queries for DKIM and… Doug Foster
- Re: [dmarc-ietf] DNS library queries for DKIM and… Chris Newman