I reviewed the list of DMARC-publishing PSL entries and realized that the 10-fold increase in PSL DMARC participation was due to the success of RFC 9091. Private registries are deploying policies to protect their sub-registry clients.
It is indeed unfortunate that concerns about PSL accuracy were not raised prior to that document being published, as it could have included a requirement to add a PSL tag. But since a PSD tag was not specified in RFC 9091, we have a problem: Registries have published policies to be interpreted as the default policy for an organizational domain one label lower, but the tree walk interprets it as an organizational domain, leading to the sibling impersonation vulnerability. The RFC 9091 defense suddenly becomes an attack vector.

Options seem to be:

1) Publish an erratum or amendment to RFC 9091 and wait for all DMARC-publishing PSL entries to add the PSD=Y flag before publishing DMARCbis, or

2) Specify that the tree walk stops at the lower of PSD=N, one label below PSD=Y, or one label below the PSL entry. This allows domain owners to correct for missing PSL entries that cause the selected organizational domain to land too high. (Another tag strategy could be created to allow domain owners to correct for PSL entries that land too low, but we don't have that defined now.)

What will we do?

Doug Foster
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
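The following is an added example, not part of Doug Foster's post and not the DMARCbis tree walk as specified: it is a simplified model of organizational-domain discovery that shows the failure mode described above and the effect of the two options. Every DMARC record and PSL entry in it is constructed (the names registry.example, corp.example and their children are placeholders), the psd tag handling and the "lower of" rule are an assumption about how option 2 would read, and nothing is queried from DNS.

```python
from __future__ import annotations

# Constructed DMARC records keyed by domain (the _dmarc. prefix is elided).
# registry.example models a private registry that deployed a policy for
# its clients per RFC 9091 but, since RFC 9091 defines no psd tag, has none.
DNS = {
    "registry.example": "v=DMARC1; p=reject",
    "corp.example": "v=DMARC1; p=reject; psd=n",   # an ordinary organizational domain
    "mail.corp.example": "v=DMARC1; p=none",
}

# Option 1: the same registry after adding psd=y (constructed).
DNS_FIXED = dict(DNS, **{"registry.example": "v=DMARC1; p=reject; psd=y"})

# Constructed public-suffix entries used for the option 2 bound.
PSL = {"example", "registry.example"}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; tags lower-cased, whitespace dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def ancestors(domain: str) -> list[str]:
    """The domain followed by each parent, longest name first: a.b.c -> [a.b.c, b.c, c]."""
    labels = domain.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def child_of(domain: str, ancestor: str) -> str | None:
    """The name one label below `ancestor` on the path down to `domain` (None if ancestor == domain)."""
    labels = domain.lower().split(".")
    depth = len(labels) - len(ancestor.split("."))
    return ".".join(labels[depth - 1:]) if depth >= 1 else None


def tree_walk(domain: str, dns: dict[str, str]) -> list[tuple[str, dict[str, str]]]:
    """Collect the DMARC records found at the domain and its ancestors, longest name first."""
    found = []
    for name in ancestors(domain):
        txt = dns.get(name)
        if txt:
            rec = parse_dmarc(txt)
            if rec.get("v") == "DMARC1":
                found.append((name, rec))
    return found


def org_domain(domain: str, dns: dict[str, str], psl: set[str] | None = None) -> str | None:
    """Model of organizational-domain discovery.

    Without `psl` this is the tag-only walk: psd=n names the organizational
    domain, psd=y puts it one label below, and with no psd tag at all the
    highest record found is taken as the organizational domain (the case the
    post calls out). With `psl` it also bounds the result to one label below
    the longest matching PSL entry and keeps the lowest of the candidates
    (the option 2 reading, as modelled here).
    """
    found = tree_walk(domain, dns)
    if not found:
        return None
    candidates = []
    for name, rec in found:
        if rec.get("psd") == "n":
            candidates.append(name)
        elif rec.get("psd") == "y":
            below = child_of(domain, name)
            if below:
                candidates.append(below)
    if psl is not None:
        for name in ancestors(domain):
            if name in psl:
                below = child_of(domain, name)
                if below:
                    candidates.append(below)
                break
    if not candidates:
        return found[-1][0]  # shortest name that has a record
    # "Lower of": the candidate with the most labels, i.e. deepest in the tree.
    return max(candidates, key=lambda n: n.count("."))


def same_organization(a: str, b: str, dns: dict[str, str], psl: set[str] | None = None) -> bool:
    """True when two names resolve to the same organizational domain, which is
    what relaxed DKIM/SPF alignment compares; two registry clients that share
    one is the sibling case the post describes."""
    org_a, org_b = org_domain(a, dns, psl), org_domain(b, dns, psl)
    return org_a is not None and org_a == org_b


if __name__ == "__main__":
    for name in ("alice.registry.example", "bob.registry.example", "mail.corp.example"):
        print(name, "->", org_domain(name, DNS), "| option 1:", org_domain(name, DNS_FIXED),
              "| option 2:", org_domain(name, DNS, PSL))
    print("siblings share org (as published):", same_organization(
        "alice.registry.example", "bob.registry.example", DNS))
```

Running it shows both registry clients collapsing onto registry.example under the tag-only walk, while either the registry's psd=y (option 1) or the PSL bound (option 2) separates them, and corp.example is unaffected because its psd=n already sits below the PSL entry.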