IETF Logo Mail Archive

Re: [dmarc-ietf] moving past pad=y?

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 30 June 2022 12:05 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B169BC159484 for <dmarc@ietfa.amsl.com>; Thu, 30 Jun 2022 05:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pFVjD8GERqVP for <dmarc@ietfa.amsl.com>; Thu, 30 Jun 2022 05:05:48 -0700 (PDT)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D3A4C157B52 for <dmarc@ietf.org>; Thu, 30 Jun 2022 05:05:48 -0700 (PDT)
Received: by mail-ot1-x32b.google.com with SMTP id l9-20020a056830268900b006054381dd35so14510833otu.4 for <dmarc@ietf.org>; Thu, 30 Jun 2022 05:05:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6rJ6DgVgP2fTi0nqRfnwELEDNKWA+K/d8GOHhnZsGIY=; b=ecLABcfbuNBQ/Xk45Hlf7sMAuensm1soQIXLluQHJZj3r9tPiKhX+/CAbg130254Kd yk6MbmHZnXC/kvqtk1BS5KnlQ5cE9QcA7qVb55VzrQCD/8J0pIQnT4obTCQEMVy/nBtv cOWuBaWgYfuIrY6tox83sVMV3Ptk/iqLb4Y8GrVnlKfyHvVeg7urinpc3TdpV8iZbbDr Xu7TMgMNtaPdM6fLSQIrgmvzPsNnUxE6l2yTne4VtTNK2BLaUC/PrlTMKLCZaRMmLSMl A3NB8lYjOPhVhnrXauABRV8qJWYbripNgqjfbzt1nX4u21J5LIgeK26fVd8NR6MBQOjy 05NA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6rJ6DgVgP2fTi0nqRfnwELEDNKWA+K/d8GOHhnZsGIY=; b=ZBcHQho2WZVkpTUEDNVokwB5c9KQZ+HIbnmqTLhj2qNA9Qhf7y+RfW00kAYNX2duHM sZCVmrfJFkBr07aW8vdnmvo0lgEll4x43VFjJ+cVSPb8H7JnYmeIr0RDahWt5KlujGkx BRJcdjxTB+6okX6epLCIRW7Gc9CMWsev31KZKwgB5nA3Z3bL9YknukFSl/q9pVOTW7vX OZfnwqjSq8rEfvJQHdWYWoITOXKT7z2avou2qWAZ6b2BHVQn7hL4Bov9kJlK2nrPGhxp tmb4RNI74mtp8ushlu8dFI/Gz+8/tPUJvTA7ejFJtqs2zXG5ml/0//0GbB2YEcUbAPVN s6nA==
X-Gm-Message-State: AJIora8CPC4WtnUrB4PF6JGbReOtMR5k3bdACxx4OCu99g8Pyno+v7OI ZakESzdK4JtzsXEh4BcbV4LzcQYH90kYd3X4jIZE91Jw
X-Google-Smtp-Source: AGRyM1tPJqBGu7auI8zS3nZBYeHW+rM/kznLp8MBvmpNcKWFQqWHQcxcLCcu6xD6Ly0/FtMPT4P6gLQtklmOMIVprrk=
X-Received: by 2002:a9d:7b51:0:b0:616:de05:1279 with SMTP id f17-20020a9d7b51000000b00616de051279mr3959832oto.82.1656590746055; Thu, 30 Jun 2022 05:05:46 -0700 (PDT)
MIME-Version: 1.0
References: <20220626154211.6893F4452D0F@ary.qy> <2bc4e123-8711-7538-599e-727d8ea9caff@tana.it> <bedf51e9-6fe6-d52b-1083-bac67d8906ea@taugh.com> <be56e041-d588-c8e7-bd37-bf2858773b75@tana.it> <6c2a2820-5b60-636c-bf04-da99ee0a85b0@taugh.com> <0813aeaf-fa95-d9a1-04f5-d1e5dbed7b78@tana.it> <5518c83c-7960-20c1-876e-2dff175a9634@taugh.com> <CAH48Zfy5wExOOoQP2YvMfOCSQ9iJy+nO4QsVsFPoZreDyGLiZg@mail.gmail.com> <CAL0qLwZEA5m53Y9pSNaPu7wXY3J0N7-maS_iEM=TCaB5JAbzQQ@mail.gmail.com>
In-Reply-To: <CAL0qLwZEA5m53Y9pSNaPu7wXY3J0N7-maS_iEM=TCaB5JAbzQQ@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 30 Jun 2022 08:05:36 -0400
Message-ID: <CAH48ZfwXLR5dcuvpfX=vK8=ORZG8v9Qo2kRTMcLeMpfeFJ40iw@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f4f8a805e2a916fc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/xvG7uUIOhHlxF5JXXiyZfXI8Lg8>
Subject: Re: [dmarc-ietf] moving past pad=y?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2022 12:05:52 -0000

I think the formal term for "DNS Segment" is an A-label.

US.COM is a single label between the PSO Domain ("com") and the client
domains ("client1.us.com")

There are a lot of important questions derived from Ale's topic, which
originally started because he observed that registries like "us.com" need
to publish both PSD=Y, to indicate a boundary below, and PSD=N, to indicate
a boundary above.   John replied that the PSD=N could be discarded because
we will assume that all registries (PSD=Y) are also org domains (PSD=N) and
therefore only able to use strict alignment. This was not fully discussed.

Do we know that all private registries are single-labels, or can they have
two levels, such as "client1.registry.private.tld", or even three levels,
such as "cient1.registry.something.private.tld"?

If a private registry organization can be more than a single domain, can it
use DMARC with relaxed authentication?   Specifically, does
"registry.private.tld" align with "private.tld"?

I believe we have assumed that PSO domains cannot have an organization
structure; only strict alignment is allowed because every PSO domain is a
self-contained pseudo-organization.   If PSO domains cannot use relaxed
authentication, but private registry organizations can use relaxed
authentication, then perhaps we need two different tags for the two
different types of registries.

If we use the same tagging for PSO domains and private registration
domains, we prevent all PSD=Y domains from participating in relaxed
alignment.    Maybe this is acceptable?

I think the other part of Ale's question was whether our design would be
undermined if a private registry contained a private registry.   I think
this is intertwined with the assumption that no registry domain will have
more than 4 segments, and no organizational domains will have more than 5
segments.   With those assumptions, multiple layers are difficult to
assemble.   The current design assumes that all private registration
boundaries will be explicitly tagged.   As long as that assumption holds, I
think the design works properly, even with additional private registry
layers.


DF


On Thu, Jun 30, 2022 at 2:30 AM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Wed, Jun 29, 2022 at 7:18 AM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> Based on our psl information, a private registry will be at DNS segment 3
>> or 4.  If the PSO registration is at DNS segment 2, the private registry
>> could be either one or two segments thick.
>>
>
> What is a "DNS segment"?
>
> -MSK
>

v2.23.0 | Report a Bug | By Email