Hi,

> These are both a species of the same problem, yes.  The solution so
> far has been to say that you're supposed to match the longest of the
> candidate set...


Right.  And the suggestion that Kurt made was to modify this to:

1. Check the domain itself
2. Check the longest of the organizational domain candidate set
3. Check the shortest of the organizational domain candidate set

Which covers the case where that candidate set has cardinality 2 or less,
but leaves some question about cases where the cardinality is 3 or more.  I
don't know how common the latter is - not sure if we have stats on that.

> Do you mean this _across_ TLDs (e.g. the "variants" case such as
> different spellings of China depending on the writing system) or do
> you just mean that the top most label and everything flowing down from
> there is all under the same policy?


The latter.

To be more clear, there are now a significant number of TLDs that are
managed exclusively by one entity (e.g. .microsoft, .google) as well as
other TLDs that make specific guarantees around DMARC (e.g. .bank). In
those cases it may make sense to give the registry owners some defined
mechanism for imposing global DMARC policy across the TLD.  This is
especially important for organizational domain names that don't resolve for
that TLD.

So, for example, let's consider an email seemingly sent from
[email protected] .  A query to the domain iamareal.bank returns an
NXDOMAIN, as does a TXT query to the corresponding DMARC record at
_dmarc.iamareal.bank.  So there's no DMARC policy in place.  So a
receiver may wind up delivering this email to the inbox, especially if it
passes SPF and DKIM in an unaligned fashion.

But to an end user it looks like this is an email from a '.bank' domain,
which undermines the .bank TLD's goal of providing a higher trust set of
domains.  And it is therefore attractive to bad actors as a possible
channel of abuse.

The question is whether the DMARC lookup scheme should somehow address this
issue.  Alternately, we could simply say that this is a case that DMARC
itself doesn't handle, and that the registry owner may choose to modify
their DNS responses to ensure they always return a DMARC record for any
organizational domain on that TLD.

Best,

Peter
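To make the lookup order under discussion concrete, here is an added toy model (not code from the thread or from any DMARC implementation) of the discovery sequence Kurt suggested, plus the registry-level TLD fallback Peter raises as an open question. The public suffix list, the DNS records and the `tld_fallback` switch are all constructed assumptions for illustration.

```python
# Constructed mini public suffix list (the real PSL is far larger).
PUBLIC_SUFFIXES = {"uk", "gov.uk", "bank", "com"}

# Constructed in-memory DNS: name -> DMARC TXT record. A missing key stands for
# NXDOMAIN / no record. "_dmarc.bank" is a hypothetical registry-wide record.
DNS = {
    "_dmarc.abc.gov.uk": "v=DMARC1; p=reject",
    "_dmarc.bank": "v=DMARC1; p=reject",
    "_dmarc.example.com": "v=DMARC1; p=none",
}


def lookup_dmarc(name):
    """Stand-in for a TXT query of _dmarc.<name>; None means no record."""
    return DNS.get("_dmarc." + name)


def org_domain_candidates(domain):
    """Organizational-domain candidates: one label above every public suffix
    the domain contains, e.g. mail.abc.gov.uk -> ['abc.gov.uk', 'gov.uk']."""
    labels = domain.lower().strip(".").split(".")
    cands = []
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            cands.append(".".join(labels[i - 1:]))
    return cands


def discover_policy(domain, tld_fallback=True):
    """Return (name_that_answered, record) or (None, None).

    Order: 1) the domain itself, 2) the longest organizational-domain
    candidate, 3) the shortest candidate, 4) optionally the TLD itself
    (the registry-level fallback discussed in the thread)."""
    cands = org_domain_candidates(domain)
    order = [domain]
    if cands:
        longest, shortest = max(cands, key=len), min(cands, key=len)
        order += [longest, shortest]
    if tld_fallback:
        order.append(domain.split(".")[-1])
    seen = set()
    for name in order:
        if name in seen:          # skip duplicates (e.g. domain == candidate)
            continue
        seen.add(name)
        record = lookup_dmarc(name)
        if record is not None:
            return name, record
    return None, None
```

With the fallback disabled, `iamareal.bank` yields no policy at all, which is the gap Peter describes; with it enabled the constructed `_dmarc.bank` record answers instead.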

On Thu, Apr 5, 2018 at 6:07 AM, Andrew Sullivan <[email protected]>
wrote:

> Hi,
>
> On Wed, Apr 04, 2018 at 11:19:20AM -0700, Peter M. Goldstein wrote:
>
> > it definitely seems clear that some sort of modification to the lookup
> > algorithm would be required to address the issue.
>
> Right.  We attempted to specify some system that would sort this all
> out over in the DBOUND WG, but that WG failed because of disagreement
> about whether we cared about web-type (cross-site issues, cookies,
> &c.) problems or anti-spam (roughly, "parent's policy wins") issues.
>
> > 1. A domain which contains two public suffixes - i.e. abc.gov.uk, which
> > contains the public suffixes .gov.uk, .uk.
> >
> > 2. A domain which contains three or more public suffixes - I'm not sure
> > given the content of the public suffix list today that you can actually
> > construct one of these.
>
> These are both a species of the same problem, yes.  The solution so
> far has been to say that you're supposed to match the longest of the
> candidate set.  There is a possible hitch because of non-terminals,
> which never have any real records in them but that might have
> subordinate things that are also public suffixes.  Except for .jp (and
> I'm not sure there), I think nobody is doing that any more.  Some of
> us argued that the system ought to accommodate such uses anyway, and
> others argued that we shouldn't solve any problem nobody has today
> (and tell people who later invent this problem, "Don't do that").
>
>
> > 3. New gTLDs - With the recent expansion of the list of TLDs, many of
> > the new TLDs are controlled by a single organization.  It may make sense
> > to allow those gTLDs to define a DMARC record on the TLD itself or on
> > some 'default' domain - both for administrative simplification and to
> > ensure against abuse.
>
> Do you mean this _across_ TLDs (e.g. the "variants" case such as
> different spellings of China depending on the writing system) or do
> you just mean that the top most label and everything flowing down from
> there is all under the same policy?
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> [email protected]
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>