On Mon 01/Apr/2019 09:03:34 +0200 Ian Levy wrote:
> * SPF and ADSP policies can still be published for non-existent domains
>
> Sure, but I can't predict what non-existent subdomains criminals are going to
> use next. Should I publish a set of TXT records for dougfoster.gov.uk
> uniquely?
> Given we've no way of predicting that, we're responding to any query for TXT
> records for any undelegated gov.uk subdomain with an SPF and DMARC record.
> Regardless of how we intend to detect non-existent subdomains (for some value
> of non-existent), we'll need to stop responding with those default records on
> gov.uk to do something approaching real world testing of PSD-DMARC.
This argument is utterly confusing to me. When I read Scott's draft, I
understood he was talking about _existing_ domains. Indeed, that sounded
somewhat strange, since the higher level domain's owner should have a say on
the policies that subdomains have to follow, but IANAL.

DMARC had reject-on-nxdomain, but then reduced it to appendix A.4. ADSP
(historic) left it undefined. Yet, it's the only (deprecated) auth-method
having a "nxdomain" code.

If we are seeking a spec that enables parent domains to specify
reject-on-nxdomain for their subdomains, it doesn't seem to be necessarily
related to DMARC. (I mean DMARC as a spec, not the dmarc WG.)

ale@pcale:~/tmp$ dig +short dougfoster.gov.uk txt
"v=DMARC1;p=reject;rua=mailto:govuk-...@dmarc.service.gov.uk"
"v=spf1 ?all"

I agree that's an evil kludge. (Why ?all?)

Dave just posted a draft about DNS perimeter, which might possibly evolve so
as to allow only the _dmarc label to return the above record (can it?), while
dougfoster.gov.uk perhaps returns the spf1 stuff. It is still overly
complicated w.r.t. such a simple task as reject-on-nxdomain.

Best
Ale
--

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
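As an added illustration of the mechanism the two messages above are arguing about (this is example code written for this page, not anything published by the thread participants or by gov.uk), the toy resolver below answers any TXT query for an undelegated name under gov.uk with the same two default records seen in the dig output, and then evaluates those answers the way an SPF checker (RFC 7208: TXT at the domain itself, "v=spf1" prefix) and a DMARC checker (RFC 7489: TXT at _dmarc.<domain>, "v=DMARC1" first tag) would. The zone contents, the "example.gov.uk" delegation and the rua address are constructed; DMARC's organisational-domain fallback is deliberately not modelled.

```python
# Example code added for this page: a toy model of the gov.uk "default TXT answer for
# any undelegated subdomain" behaviour and of how SPF/DMARC consumers read it.
# All DNS data below is constructed; nothing is looked up on the network.
from typing import Dict, List, Optional

PARENT = "gov.uk"

# Constructed: a delegated/existing subdomain that publishes its own records.
EXISTING_TXT: Dict[str, List[str]] = {
    "example.gov.uk": ["v=spf1 mx -all"],
    "_dmarc.example.gov.uk": ["v=DMARC1; p=none; rua=mailto:reports@example.gov.uk"],
}

# Constructed defaults, modelled on the dig output in the message (rua address assumed).
DEFAULT_TXT: List[str] = [
    "v=DMARC1;p=reject;rua=mailto:govuk-reports@dmarc.service.gov.uk",
    "v=spf1 ?all",
]


def resolve_txt(name: str) -> List[str]:
    """Toy resolver. Names in the zone answer normally; any other name strictly
    below PARENT gets the default set regardless of its label (the kludge under
    discussion); anything else is treated as NXDOMAIN and yields no records.
    The parent's own apex records are not modelled."""
    name = name.rstrip(".").lower()
    if name in EXISTING_TXT:
        return list(EXISTING_TXT[name])
    if name.endswith("." + PARENT):
        return list(DEFAULT_TXT)
    return []


def spf_record(domain: str) -> Optional[str]:
    """RFC 7208 s.3.1: SPF is the TXT record at the domain itself beginning with
    'v=spf1'; other TXT records (e.g. the stray DMARC one) are ignored, and more
    than one SPF record is a permerror, modelled here as None."""
    recs = [r for r in resolve_txt(domain) if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def dmarc_record(domain: str) -> Optional[Dict[str, str]]:
    """RFC 7489 s.6.6.3: DMARC is the TXT record at _dmarc.<domain> whose first tag
    is v=DMARC1; non-DMARC TXT records at that name (e.g. the stray SPF one) are
    discarded. Returns the tag/value map, or None if zero or several records."""
    recs = [r for r in resolve_txt("_dmarc." + domain) if r.replace(" ", "").upper().startswith("V=DMARC1;")]
    if len(recs) != 1:
        return None
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_result(record: str) -> str:
    """Result an unlisted sender gets from the record's trailing 'all' mechanism
    (the only mechanism modelled): '?all' is neutral, '-all' fail, '~all' softfail,
    bare 'all' or '+all' pass; no 'all' at all yields RFC 7208's default, neutral."""
    last = record.split()[-1].lower()
    if last == "all":
        return "pass"
    if last[1:] == "all" and last[0] in "+-~?":
        return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[last[0]]
    return "neutral"


def dmarc_disposition(domain: str, spf_pass: bool, dkim_pass: bool) -> str:
    """Simplified DMARC verdict for mail from <domain>: an aligned pass from either
    method gives 'pass'; otherwise the published p= policy applies. A domain with
    no record at _dmarc.<domain> gets 'no-policy' (organisational-domain fallback
    is an assumption left out of this model)."""
    tags = dmarc_record(domain)
    if tags is None:
        return "no-policy"
    if spf_pass or dkim_pass:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    for d in ("dougfoster.gov.uk", "example.gov.uk", "example.com"):
        spf = spf_record(d)
        print(d, "SPF:", spf, "->", spf_all_result(spf) if spf else "none",
              "| DMARC p=", (dmarc_record(d) or {}).get("p"),
              "| unauthenticated mail:", dmarc_disposition(d, False, False))
```

Running it shows why the default answer carries both records: the same two-record set is served at dougfoster.gov.uk (where only the v=spf1 record is picked up) and at _dmarc.dougfoster.gov.uk (where only the v=DMARC1 record is), so an unauthenticated message from the undelegated name gets SPF neutral and a DMARC reject, while the delegated example.gov.uk keeps its own p=none.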