On December 24, 2014 2:20:30 AM EST, "Murray S. Kucherawy" 
<superu...@gmail.com> wrote:
>On Wed, Dec 24, 2014 at 2:13 AM, Franck Martin <fra...@peachymango.org>
>wrote:
>
>> I think we should recommend something here, not sure if it needs to be
>> normative. We do say to ignore the SPF policy when p!=none, though I
>> think we can be normative on the lower layers. I see 2 options here:
>> 1) tempfail the message if either SPF or DKIM has a tempfail status
>> 2) tempfail the message if both SPF and DKIM have a tempfail status
>>
>> 1) is my preferred option and is aggressive, therefore not sure people
>> will like it. I'll settle for 2)
>>
>> As explained in another post, I'm worried I can run a DNS attack (or
>> just a self-inflicted DNS bad config) and get DMARC to reject emails it
>> should have accepted (has the DMARC policy in cache, but cannot assert
>> SPF and DKIM).
>>
>>
>I think it's reasonably clear from 5.6.3 that the "fail open" choice is
>possibly dangerous, as is anything that fails open.
>
>But more importantly, I'm also worried about making a normative decision
>now about something we deliberately haven't specified up to this point
>for whatever reason.  We are supposed to be documenting current practice
>with this effort, not establishing something new.
>
>Might this be something best left for the standards track WG effort?

5.6.2 promises 5.6.3 addresses the question and it doesn't. At the very least, 
5.6.2 should be fixed not to over promise what 5.6.3 will provide. 

I do think it's better to answer it now.  I'm not sure when or if the WG will 
address missing chunks of protocol definition.  The charter pretty well assumes 
there aren't any. 

Scott K


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
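The two tempfail options Franck lists, and the fail-open behaviour the reply warns about, as an added example that is not part of the thread or of any DMARC implementation. It assumes the receiver already holds the sender's DMARC policy in cache and has the aligned SPF and DKIM results in hand, using the result names carried in Authentication-Results headers (pass, fail, temperror, permerror, none); the function and mode names are hypothetical.

```python
"""Added example (not from the thread or any DMARC implementation):
how a receiver's disposition changes under the two tempfail options
discussed, and what a fail-open evaluator does with the same inputs.

Inputs are the aligned SPF and DKIM results for one message, using the
Authentication-Results vocabulary: pass, fail, temperror, permerror, none.
"""

TEMPFAIL_MODES = ("either", "both", "open")


def aligned_pass(results):
    """DMARC passes if at least one aligned mechanism produced 'pass'."""
    return any(r == "pass" for r in results)


def has_temperror(results):
    """Option 1 trigger: any mechanism hit a transient (DNS) error."""
    return any(r == "temperror" for r in results)


def all_temperror(results):
    """Option 2 trigger: every mechanism hit a transient (DNS) error."""
    return all(r == "temperror" for r in results)


def dmarc_disposition(policy, spf, dkim, tempfail_mode):
    """Return the action the receiver takes: accept, tempfail, quarantine or reject.

    policy         cached DMARC 'p=' value: none, quarantine or reject
    spf, dkim      aligned SPF / aligned DKIM results
    tempfail_mode  "either" - option 1: defer (4xx) if either mechanism temperrored
                   "both"   - option 2: defer only if both temperrored
                   "open"   - treat temperror like any other non-pass and apply
                              the policy: the fail-open variant the thread warns about
    """
    if tempfail_mode not in TEMPFAIL_MODES:
        raise ValueError(f"unknown tempfail_mode {tempfail_mode!r}")
    results = (spf, dkim)
    if aligned_pass(results):
        return "accept"  # an aligned pass satisfies DMARC whatever the other result
    if tempfail_mode == "either" and has_temperror(results):
        return "tempfail"  # 4xx: the sender retries once DNS is healthy again
    if tempfail_mode == "both" and all_temperror(results):
        return "tempfail"
    # No aligned pass and no applicable temperror: the cached policy decides.
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed scenario from the thread: the DMARC record (p=reject) is cached,
# but the SPF and DKIM lookups fail, e.g. because the domain's DNS is under
# attack or misconfigured.  Only the fail-open evaluator rejects legitimate mail.
SCENARIO_DNS_DOWN = {"policy": "reject", "spf": "temperror", "dkim": "temperror"}


def outcomes_for(scenario):
    """Disposition of one scenario under each tempfail mode, keyed by mode."""
    return {mode: dmarc_disposition(scenario["policy"], scenario["spf"],
                                    scenario["dkim"], mode)
            for mode in TEMPFAIL_MODES}


if __name__ == "__main__":
    for mode, action in outcomes_for(SCENARIO_DNS_DOWN).items():
        print(f"{mode:>6}: {action}")
```

The example also covers the mixed case Franck's option 2 leaves exposed: with SPF in temperror and DKIM in plain fail, option 1 defers while option 2 applies the cached p=reject, which is exactly the distinction that makes option 1 the more aggressive choice.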
