Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd

Scott Kitterman <sklist@kitterman.com> Sun, 21 July 2019 19:42 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF5F4120110 for <dmarc@ietfa.amsl.com>; Sun, 21 Jul 2019 12:42:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=QlePSHzt; dkim=pass (2048-bit key) header.d=kitterman.com header.b=bQ1lvJqx
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YvJZmNlGC8x7 for <dmarc@ietfa.amsl.com>; Sun, 21 Jul 2019 12:42:32 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF0CE1200CE for <dmarc@ietf.org>; Sun, 21 Jul 2019 12:42:31 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id C6F34F80721; Sun, 21 Jul 2019 15:42:00 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1563738120; h=date : in-reply-to : references : mime-version : content-type : content-transfer-encoding : subject : to : from : message-id : from; bh=MeyEid982M8p9udna0INjQR2tBtwyyMVXVlZy8dWdqI=; b=QlePSHzt6fNk0KnkgyJLG6eFCiXA+uG9kXE6/bxza3fVa/314/Y0c4ka 2PCnY6tH/YlA44lbz7fEgiJLZ1cAAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1563738120; h=date : in-reply-to : references : mime-version : content-type : content-transfer-encoding : subject : to : from : message-id : from; bh=MeyEid982M8p9udna0INjQR2tBtwyyMVXVlZy8dWdqI=; b=bQ1lvJqxBHwY/CuTVdZ/lgO2l5bNt271mXt4rb0mh/I8fNHZuUl/7Yjj agJR0h9Q/+Du/0GjWq7Hngti0tCLa62rHzmZEGCbCfncP0mQKomRCLVSwE 9k/Um5H5jF6qGacRoReXTF1K/JVoGW+1H1tm83BOmBllzWoPVq53DhGpfZ 7j5W1jDdZ9i/3bPrSAARhM21d4lDwSoixq3OtbUyXPMl3xNg4KuRYyF7vC /wC49u8VV0uE3quLEpqClOho/r3HG7RXX2HjmrbcxSDlW8u9SkT5NgygVv 6fqCGq6k7YWh5sD3vuzACUs/MiOTsRO4PdPZy/RrQGQjC4OHG+pEGA==
Received: from [192.168.1.184] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 93178F804B2; Sun, 21 Jul 2019 15:42:00 -0400 (EDT)
Date: Sun, 21 Jul 2019 19:41:59 +0000
In-Reply-To: <855283a4-ece7-019b-f075-04eee82b0614@tana.it>
References: <CAL0qLwbbz_UhBLsURg=eXhRBC2g9OghiN==T9Uq9pFuLtd=b7w@mail.gmail.com> <1808303.aIhlromXIS@l5580> <CAD2i3WN42v0RHzu+2=+_mjX5kmxw6B-0F3-=bY-bTEsJM1qLvA@mail.gmail.com> <1692123.ljdY5SVR4M@l5580> <CAD2i3WPGWe8Z3av1Jua6sazsoStc7VTOLBve7psVo=K4VGTgig@mail.gmail.com> <D42C419C-F02E-4B5A-BB10-E8D49000349B@kitterman.com> <659dfb1f-dcb2-86ca-55a1-b3af6ce7ed1c@tana.it> <5949BCE3-52DA-41D0-8DCA-E2D06973F798@kitterman.com> <855283a4-ece7-019b-f075-04eee82b0614@tana.it>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
To: dmarc@ietf.org
From: Scott Kitterman <sklist@kitterman.com>
Message-ID: <D8DE9BD3-48FF-4C28-B78C-984C2A26D17C@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/uD2fSAauYU2otAnV7lj4gK8P6jU>
Subject: Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 19:42:35 -0000


On July 21, 2019 6:01:05 PM UTC, Alessandro Vesely <vesely@tana.it>; wrote:
>On Sun 21/Jul/2019 18:53:35 +0200 Scott Kitterman wrote:
>>>
>>>> Keep in mind that senders do send from what we call non-existent
>domains for
>>>> reasons that seem good and sufficient to them.  Let's take that as
>a fact,
>>>> whether it makes sense to us or not.
>>>
>>>
>>> Fair enough.  Let me quote the current spec:
>>>
>>> A.4.  Domain Existence Test
>>>
>>>   A common practice among MTA operators, and indeed one documented
>in
>>>   [ADSP], is a test to determine domain existence prior to any more
>>>   expensive processing.  This is typically done by querying the DNS
>for
>>>   MX, A, or AAAA resource records for the name being evaluated and
>>>   assuming that the domain is nonexistent if it could be determined
>>>   that no such records were published for that domain name.
>>>
>>>   The original pre-standardization version of this protocol included
>a
>>>   mandatory check of this nature.  It was ultimately removed, as the
>>>   method's error rate was too high without substantial manual tuning
>>>   and heuristic work.  There are indeed use cases this work needs to
>>>   address where such a method would return a negative result about a
>>>   domain for which reporting is desired, such as a registered domain
>>>   name that never sends legitimate mail and thus has none of these
>>>   records present in the DNS.
>> 
>> Yes, but that was for a different use case.  It was , AIUI,
>considered that
>> reporting could be skipped on such 'non-existant' domains, but that
>proved
>> problematic since such domains as these are used in mail.
>
>Wasn't it for rejecting non-existent domains?  That is, IIRC,
><sciencefiction>
>as if there were a root DMARC record (_dmarc.) with
>np=reject.</sciencefiction>

I think no.  I think it was about skipping reporting on 'non-existant' domains.  Perhaps someone who was more involved at that point can clarify.

>> 'np' doesn't have the same issue.  It uses non-existence in a
>positive (do
>> some processing) not a negative sense (reporting can be skipped for
>these),
>> so the problems described in that paragraph are not only not
>relevant, the
>> paragraph supports the case for 'np'.
>
>
>Uh?  (I don't understand your parenthesized phrase...)
>
>
>At any rate, the first paragraph gives a definition of non-existence
>equal to
>the one we've been discussing these days, doesn't it?
>

Yes, but since we're using it for a different, opt-in, purpose, the caution doesn't apply.

Scott K