Re: [dmarc-ietf] Doing a tree walk rather than PSL lookup

Jesse Thompson <jesse.thompson@wisc.edu> Tue, 24 November 2020 16:55 UTC

Return-Path: <jesse.thompson@wisc.edu>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 643BC3A11FF for <dmarc@ietfa.amsl.com>; Tue, 24 Nov 2020 08:55:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wisc.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UxnIM_OD19mt for <dmarc@ietfa.amsl.com>; Tue, 24 Nov 2020 08:55:36 -0800 (PST)
Received: from wmauth1.doit.wisc.edu (wmauth1.doit.wisc.edu [144.92.197.141]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED15B3A1203 for <dmarc@ietf.org>; Tue, 24 Nov 2020 08:55:35 -0800 (PST)
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11lp2175.outbound.protection.outlook.com [104.47.56.175]) by smtpauth1.wiscmail.wisc.edu (Oracle Communications Messaging Server 8.0.2.4.20190812 64bit (built Aug 12 2019)) with ESMTPS id <0QKB0069K8C4ZAM0@smtpauth1.wiscmail.wisc.edu> for dmarc@ietf.org; Tue, 24 Nov 2020 10:55:17 -0600 (CST)
X-Wisc-Env-From-B64: amVzc2UudGhvbXBzb25Ad2lzYy5lZHU=
X-Spam-PmxInfo: Server=avs-1, Version=6.4.7.2805085, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2020.11.24.164518, AntiVirus-Engine: 5.79.0, AntiVirus-Data: 2020.11.17.5790001, SenderIP=[104.47.56.175]
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Qs6eXZoNhfV5TCcS7ijgz2pXg9zU9ZVZ7133ucwOannfCtb0q01x11wLVqnStmA3bg8pc9qpYUunZ8Rw21ed8S/61Q5DIj4pY2nKZeSJ7/X6EIehfvxhW7qyYLObsDJhf9ULsEeic+pWeD11UoSPeZbnK27M2WHkO4ZHMnOYazoyLM8LzBAHaamVB+n57xEaJloCzlMRd7euIaa6Ht9pUD8mdI+VC5mfzmARpPKfmrRMqjQa2STXuNVQlDHy8fgl5Q9HUQqs9ZdICLJhOPfDor5OV7i5ljsWKZ85124CNn18AHP0kI7FRJ+UDrKfJT7US7rHWPJFtcA68COyzbdPyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8dRFGUtsnmQe1iFTy8PCkUu0gZFyDF3DA8TxI86jam8=; b=DNaRDDKUyCZX3Qm+3hsqwOeUar74DP47cNVJN7lnzwscKNH5nBVl6Wv0GX8vPf9f27UmWzULRyQq+QmjmIMZzoBBNEg9gQdtxXW4K3aeNZb7tBz/nl2pdsE8HLRuc6dzn9xVgzWr0cXIa10Uf45LxPFKuMgAjej/yR+2Aus1KNip7O7S6pMCDRG+dY/rPOKzEEZWlZ3F5OhPE+ODT6a0ZjLVOCUmOKhEh5z5hXUlHT9cbhSs6W6sVvdksVOVPdAtxzScM9l2v+tgnaYXu0wPe0Fil2teAOsBBKKtLfWNTjBm3/LTJrgIMmhkKwjcNTJ/uMUKzh6FBNj01IodkCIz+A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=wisc.edu; dmarc=pass action=none header.from=wisc.edu; dkim=pass header.d=wisc.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wisc.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8dRFGUtsnmQe1iFTy8PCkUu0gZFyDF3DA8TxI86jam8=; b=tB2HFGxUp+W0gAlTEL9OLX6pEvIUlIWwqyfJaCAX+GxIr1oIxcitjX7pVb6Xj8JySWTMlJcr2lHF1Ka2E/aquomsLBbI7/zn+UetaZMQy9aPHsEozM2wCkpHtNhgZ/7tncHrooyXtjIqqPH6MwGhS5Z9YgN61/j/hlasgTAmPJg=
Received: from CO6PR06MB7059.namprd06.prod.outlook.com (2603:10b6:5:342::18) by CO6PR06MB7252.namprd06.prod.outlook.com (2603:10b6:5:345::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.29; Tue, 24 Nov 2020 16:55:15 +0000
Received: from CO6PR06MB7059.namprd06.prod.outlook.com ([fe80::39b8:8441:c452:a4b5]) by CO6PR06MB7059.namprd06.prod.outlook.com ([fe80::39b8:8441:c452:a4b5%7]) with mapi id 15.20.3589.022; Tue, 24 Nov 2020 16:55:15 +0000
To: dmarc@ietf.org
References: <20201123213846.EB14127C8160@ary.qy> <efa0117e-5b17-800d-820d-b5d2413c6075@tana.it> <CAMSGcLBimU5NSBnxDEfSLnBkjhosrxd8_7BaTfA-A5bQyrTe1g@mail.gmail.com> <29d3b145-1652-8b62-5eb2-74993e95eb45@gmail.com> <CAHej_8k_o1yVjOP4wWR1Xz_Tuq-XA0snPAzNQeNPaApbRWy8fw@mail.gmail.com> <be400e78-091c-196c-2d7a-461050e9bab3@gmail.com> <CAHej_8mW3ENNMR7D_Jf6G5uz=EuGc3LCddtmrzVJR-GDq8Q7ow@mail.gmail.com>
From: Jesse Thompson <jesse.thompson@wisc.edu>
Message-id: <9ab0d7b9-2e35-f64b-02ea-a111c10acabd@wisc.edu>
Date: Tue, 24 Nov 2020 10:55:12 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.4.3
In-reply-to: <CAHej_8mW3ENNMR7D_Jf6G5uz=EuGc3LCddtmrzVJR-GDq8Q7ow@mail.gmail.com>
Content-type: text/plain; charset=utf-8
Content-language: en-US
Content-transfer-encoding: 8bit
X-Originating-IP: [47.12.96.133]
X-ClientProxiedBy: CH2PR05CA0045.namprd05.prod.outlook.com (2603:10b6:610:38::22) To CO6PR06MB7059.namprd06.prod.outlook.com (2603:10b6:5:342::18)
MIME-version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.0.2.111] (47.12.96.133) by CH2PR05CA0045.namprd05.prod.outlook.com (2603:10b6:610:38::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.9 via Frontend Transport; Tue, 24 Nov 2020 16:55:14 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: a2273de3-541c-48bc-8df4-08d89099b737
X-MS-TrafficTypeDiagnostic: CO6PR06MB7252:
X-Microsoft-Antispam-PRVS: <CO6PR06MB7252A9A0D93F91B9CDA04211F6FB0@CO6PR06MB7252.namprd06.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:2000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: U9VqaDXqoAZJdE0Lp4mvtLxdKbTRJWDqMs+i1NCg4yLmmb9HLDwPn8NQYozHtvEGDzcQX7A+goJr1NW+4dUZbwU3/Tx3UKHphpiXM5yz+t3JDCei0BZO56UHLPoRr7pc4y7qCCnTewZOmWTHNHXwumeG3IgltNXh8Ca7NqUjeATOObFH+am0t03PsDaANOt3blRpn76ofHYm5qggNdl07+srwFn0s7EaET+ZqE5UJ0KNTvzANgmOSXjHcklN5+Unq+v0WW/M+tgAlj5wBneqSu48cQqFsKXKDwL29vp5ZUxzucoQGuKkxmmNaJfnBvgyuMm77vG+qf0IcAT9/lGu9tW3uqZ1Trog3LaYuyrhEl91UG25S2uA2y3bpRiXyJEU4R58e62P6zU3VKV4zb/neGJLLU39mYGVL+3XY6kkoXUey8ZOsPNZC1grLXtfAnJGIJ0A1cBGWmDfFcnZEEBylw==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO6PR06MB7059.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(396003)(346002)(376002)(39860400002)(366004)(6486002)(31686004)(53546011)(66476007)(66556008)(66946007)(316002)(786003)(26005)(6916009)(16576012)(5660300002)(75432002)(83380400001)(16526019)(31696002)(186003)(2906002)(478600001)(44832011)(956004)(36756003)(8936002)(8676002)(2616005)(86362001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?VUF5MzNqcVhkRkk0UmpyTWhEc2pIWlNIc3A4ZlhickdoYlZyRTkyRTUrQm9B?= =?utf-8?B?ZlB0Uk9jVHV4cm5JVnRKWGpLcHR6eEl4VVlSTlBPd0tlb2JUYXllQ2h4QlYz?= =?utf-8?B?c0w2amVSZ2p1Z1ZoRldBUHpseVdNUGJkTlNBQWh5SkovQS9nWlFMR2hiWmxY?= =?utf-8?B?QmFRbnY5ZGIrdHl3ekFZREJXSEoxTnpSYllXVFhjK2FCTFJQUnhRUHNlb3Qv?= =?utf-8?B?R1VCNVBzdlE1WkQyNi9aNGR0KzdrY3BpQjFTckNtRXRuQ3lEOHBQb3JRTTVl?= =?utf-8?B?NExrLzZsbEppbndocUhRSjF0UzhDTmhQaGJtVGVYU01jMERxU1dqem9WN1Zs?= =?utf-8?B?Vjd6b0l6a0dyaFpBQ2lJK1o2TWM1TnZ3L05QU2prUHdsaFJQZFlmMkhUK3pt?= =?utf-8?B?L1M3NWcrYytRc0NsTUJhSWszZ1JhbUlaOCtxZFhiU0lncTVlT3RxOXR0YVBL?= =?utf-8?B?YWpOMjFnSk9sajl5Rk0zcTh3Mi9MamlyZHN6ZmtVaG52T21nVXFzblpHRjFQ?= =?utf-8?B?WGYvRlFpdWNDYk0vczdzN0pkZDJuY256N0lqZXNHOTRSSngrZktuYTgvN1dy?= =?utf-8?B?T2d3SVVLT253NnpveHJiSlg5VGN4UnlNYTZyWHN4MmJMRTFzL0tmbCtOK01y?= =?utf-8?B?dVl2WEt6UWM3aDNEU0VVMmR3Q2wzTzY2OUR4R2x0RlhHaHRqY3BhTWlzODBU?= =?utf-8?B?SGZmR1ZWd2Z1emx6TlpQOWg5c1dWUStXZW90TGhaWFBmUGpCV3FLUXNpVWZn?= =?utf-8?B?QUVuTDRQM1V2QXFLZDhzaUlmaVdFSHV1eUdMQUVmeWtJRzZqU282K042STdi?= =?utf-8?B?YW05NVRZY2grdXpzMXVlcENGOWJwYmhHTllLSmdRd01xakJwczk4R2llWnVk?= =?utf-8?B?bkt4Y1RyOUhWaXBhbm9RUEdUWmNVZUpjdFlheWg2WktmeDE5NG1GSmx1cVli?= =?utf-8?B?bktWM1VNbmJGMzFGZVkrZHpmQWQxZG9OYk42bkIwc1M5SjZLVGVwYVpXVDJD?= =?utf-8?B?KzRhYzgzVXlLeitVNkw0ZFdrR1pOMTFwMkRYU1ZWTjdwa3ZTbWFlQXBKa24y?= =?utf-8?B?Z3hOb0tTSy80MzVLUjJZN0tPR2Uwczd3S3Z4YjFHY1dDYzhya0FpenprQlRG?= =?utf-8?B?Q2hpNllsU1REUVpTL0NQVC9SWDN2dDJuZ3VCb294U1IxQWdTeDdhNUlkbnJw?= =?utf-8?B?NnNpcFB4S2ZuTUNQRE00OUx2ZXBMeCsxcmlIYTNBWStNUkNqVHNTY2lEbEZU?= =?utf-8?B?MlVMKzhMdjdKT2ZvRkNLaGFMWi9kc0JOdVBtTEl0TWlmcmFZa1hid3RGVU53?= =?utf-8?Q?eEoGNyRbyvR1ZHX33wuo2EcvJce/KVeEj7?=
X-OriginatorOrg: wisc.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: a2273de3-541c-48bc-8df4-08d89099b737
X-MS-Exchange-CrossTenant-AuthSource: CO6PR06MB7059.namprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Nov 2020 16:55:15.2984 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 2ca68321-0eda-4908-88b2-424a8cb4b0f9
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: N92Mh2zqXO2hjiAkUB4Kg+tB/BjWae7AdDsTJHrsq/ec9/ds8LMMuVENnGkkkC6C5QQZ9avTm+QX85I/WPHIHQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO6PR06MB7252
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ubVc6E1aAFU4Don1Jwkf6iQ1NPo>
Subject: Re: [dmarc-ietf] Doing a tree walk rather than PSL lookup
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2020 16:55:38 -0000

On 11/24/20 9:52 AM, todd.herr=40valimail.com@dmarc.ietf.org wrote:
> On Tue, Nov 24, 2020 at 10:37 AM Dave Crocker <dcrocker@gmail.com <mailto:dcrocker@gmail.com>> wrote:
> 
>     Just to be clear, I'm not challenging the need.  Rather I'm just looking for text that explains the need.  And I'm not finding it...
> 
>     On 11/24/2020 7:28 AM, Todd Herr wrote:
>>     There are two reasons (at least) for needing the Organizational Domain, and they are discussed in RFC 7489:
>>
>>      1. DMARC also allows for the explicit or implicit expression of policy for sub-domains at the Organizational Domain level. This matters for those times when _dmarc.RFC5322.From.domain is non-existent and RFC5322.From.domain is a sub-domain of the Organizational Domain.
>>      2. The default mode for authenticated identifier alignment, relaxed, requires only that the Organizational Domains for both identifiers are the same, and so the Organizational Domain must be known in order for relaxed alignment to be ascertained.
>>
>     Except that I do not find either of these points provided in the document.
> 
> For point 1, this is from Section 6.6.3, Policy Discovery:
> 
>    1.  Mail Receivers MUST query the DNS for a DMARC TXT record at the
>        DNS domain matching the one found in the RFC5322 <https://tools.ietf.org/html/rfc5322>.From domain in
>        the message.  A possibly empty set of records is returned.
> 
>    2.  Records that do not start with a "v=" tag that identifies the
>        current version of DMARC are discarded.
> 
>    3.  If the set is now empty, the Mail Receiver MUST query the DNS for
>        a DMARC TXT record at the DNS domain matching the Organizational
>        Domain in place of the RFC5322 <https://tools.ietf.org/html/rfc5322>.From domain in the message (if
>        different).  This record can contain policy to be asserted for
>        subdomains of the Organizational Domain.  A possibly empty set of
>        records is returned.
> 
> 
> 
> For point 2, this is from Section 3.1.1, DKIM-Authenticated Identifiers:
> 
>    In relaxed mode, the Organizational Domains of both the [DKIM <https://tools.ietf.org/html/rfc7489#ref-DKIM>]-
>    authenticated signing domain (taken from the value of the "d=" tag in
>    the signature) and that of the RFC5322 <https://tools.ietf.org/html/rfc5322>.From domain must be equal if
>    the identifiers are to be considered aligned.  In strict mode, only
>    an exact match between both of the Fully Qualified Domain Names
>    (FQDNs) is considered to produce Identifier Alignment.

The end of Section 3.1 might need to be clarified:

"Relaxed mode can be used when the operator also wishes to affect message flows bearing subdomains of the verified domains."

* I assume that relaxed mode can be set in the DMARC policy of a subdomain even if the Organizational Domain doesn't have (or want) that in its policy

* The subdomains in this context are the subdomains of the Organizational Domain, rather than the subdomains of the domain that published the relaxed mode in its policy

So if acme.example publishes aspf=s adkim=s 
It does not prevent finance.acme.example from publishing aspf=r adkim=r
Which would align widgets.acme.example with finance.acme.example even if the intent was to only align delegated-esp.finance.acme.example with finance.foo.example

Suggested better wording:

"Relaxed mode is determined from the policy of the RFC5322.From domain or from the Organizational Domain policy if the RFC5322.From domain has no policy.  It can be used when the operator also wishes to affect message flows bearing subdomains of the Organizational Domain."

If "walking the tree" is viable, then perhaps it should be:

"Relaxed mode is determined from the policy of the RFC5322.From domain or from [something about walking the tree to determine the policy].  It can be used when the operator also wishes to affect message flows bearing subdomains of the domain that published the relaxed mode policy."

Jesse