On Mon 01/Apr/2019 09:03:34 +0200 Ian Levy wrote:

>   * SPF and ADSP policies can still be published for non-existent domains
> 
> Sure, but I can’t predict what non-existent subdomains criminals are going to
> use next. Should I publish a set of TXT records for dougfoster.gov.uk 
> uniquely?
> Given we’ve no way of predicting that, we’re responding to any query for TXT
> records for any undelegated gov.uk subdomain with an SPF and DMARC record.
> Regardless of how we intend to detect non-existent subdomains (for some value
> of non-existent), we’ll need to stop responding with those default records on
> gov.uk to do something approaching real world testing of PSD-DMARC.


This argument is utterly confusing to me.  When I read Scott's draft, I
understood he was talking about _existing_ domains.  Indeed, that sounded
somewhat strange, since the higher level domain's owner should have a say on
the policies that subdomains have to follow, but IANAL.

DMARC had reject-on-nxdomain, but then reduced it to appendix A.4.  ADSP
(historic) left it undefined.  Yet, it's the only (deprecated) auth-method
having a "nxdomain" code.  If we are seeking a spec that enables parent domains
to specify reject-on-nxdomain for their subdomains, it doesn't seem to be
necessarily related to DMARC.  (I mean DMARC as a spec, not the dmarc WG.)


    ale@pcale:~/tmp$ dig +short dougfoster.gov.uk txt
    "v=DMARC1;p=reject;rua=mailto:govuk-...@dmarc.service.gov.uk";
    "v=spf1 ?all"


I agree that's an evil kludge.  (Why ?all?)  Dave just posted a draft about DNS
perimeter, which might possibly evolve so as to allow only the _dmarc label to
return the above record (can it?), while dougfoster.gov.uk perhaps returns the
spf1 stuff.  It is still overly complicated w.r.t. such a simple task as
reject-on-nxdomain.


Best
Ale
-- 
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
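An added illustration of the testing problem Ian describes, not code from the thread or from gov.uk's real configuration: a DMARC policy discovery walk (exact domain, organizational domain, then a PSD step as in the PSD-DMARC draft) run against a constructed in-memory zone in which every undelegated gov.uk name answers TXT queries with the default DMARC+SPF pair shown in the dig output. The zone contents, the delegated names and the rua address are all hypothetical.

```python
from typing import Dict, List, Optional

ZONE: Dict[str, List[str]] = {  # constructed zone data, not real DNS content
    "_dmarc.gov.uk": ["v=DMARC1; p=reject; psd=y"],  # hypothetical PSD record
    "_dmarc.real.gov.uk": ["v=DMARC1; p=none"],
}
DELEGATED = {"gov.uk", "real.gov.uk"}  # names that actually exist in this model
# What the dig output in the thread shows for undelegated names (rua is a placeholder).
DEFAULT_TXT = ["v=DMARC1;p=reject;rua=mailto:rua-placeholder@example.invalid", "v=spf1 ?all"]

def txt_lookup(name: str, serve_defaults: bool = True) -> List[str]:
    """Stand-in for a DNS TXT query. A real entry wins; otherwise walk up to the
    closest existing ancestor: if that is the PSD itself, the name is undelegated
    and gets the default records (wildcard-like); anything else is NXDOMAIN."""
    if name in ZONE:
        return ZONE[name]
    parts = name.split(".")
    for i in range(1, len(parts)):
        ancestor = ".".join(parts[i:])
        if ancestor in DELEGATED:
            return DEFAULT_TXT if (ancestor == "gov.uk" and serve_defaults) else []
    return []

def tags(rec: str) -> Dict[str, str]:
    """Parse 'k=v;k=v' DMARC tag syntax into a dict (keys lower-cased)."""
    out: Dict[str, str] = {}
    for part in rec.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def dmarc_record(txts: List[str]) -> Optional[str]:
    """Exactly one TXT string starting with v=DMARC1 is usable (RFC 7489 6.6.3)."""
    hits = [t for t in txts if t.lower().startswith("v=dmarc1")]
    return hits[0] if len(hits) == 1 else None

def discover(from_domain: str, psd: str = "gov.uk", serve_defaults: bool = True) -> dict:
    """Discovery: _dmarc.<exact>, then _dmarc.<org domain> (modelled as one label
    below the PSD), then the PSD. 'step' records which lookup answered."""
    labels = from_domain.split(".")
    org = ".".join(labels[-(len(psd.split(".")) + 1):])
    steps = [("exact", from_domain)] + ([("org", org)] if org != from_domain else [])
    steps.append(("psd", psd))
    for step, name in steps:
        rec = dmarc_record(txt_lookup("_dmarc." + name, serve_defaults))
        if rec:
            return {"step": step, "name": name, "p": tags(rec).get("p")}
    return {"step": "none", "name": None, "p": None}
```

With the defaults served, a non-existent name such as dougfoster.gov.uk is answered at the exact-domain step and the PSD record is never consulted; with `serve_defaults=False` the same lookup falls through to the PSD step.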
