I have to overly agree with Murray here.

Where there should be discussions around using CNAMEs for DMARC records would be in a DMARC best practice document.

I spent some time yesterday digging through all the DKIM RFCs, and there is no place where there are discussions about using CNAMEs (except in passing in RFC 5016). And the use of CNAMEs for DKIM TXT records is not just widely used, but is considered a best practice by M3AAWG:
https://www.m3aawg.org/sites/default/files/m3aawg-dkim-key-rotation-bp-2019-03.pdf

As for those few folks who have seen DNS issues around using CNAMEs, I really want to hear from you off list. Tracking down esoteric DNS error operational behavior is something I am slightly obsessive about. "I'm from the DNS, and I'm here to help"

thanks
tim


On Wed, Mar 3, 2021 at 12:28 PM Murray S. Kucherawy <superu...@gmail.com> wrote:

> On Tue, Mar 2, 2021 at 3:51 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
>
>> Because CNAME usage was not mentioned in the previous DMARC document,
>> existing implementations may not have tested this configuration.   For the
>> policy publishing organization, this increases the possibility that some
>> recipients may treat the mail as not protected by DMARC.     As with any
>> deployment issue, the publishing organization has no reliable way to know
>> if the deployment of DMARC implementations with full CNAME support is
>> "essentially complete".  This uncertainty may be acceptable for some
>> organizations, but may be an obstacle for others, depending on their
>> motivations for implementing DMARC.
>>
>> On the implementation side, the use of CNAME will introduce the
>> possibility of referral errors, which may or may not require mentioning in
>> the DMARC specification, since such issues have probably been addressed in
>> core DNS documents.   The issues that come to mind are:
>> CNAME referrals to non-existent names
>> Nested CNAME referrals (what depth is allowed?)
>> CNAME referrals that produce loops or excessive nesting depth.
>>
>
> I don't understand why we need to say anything special about CNAMEs here.
> They are processed by the resolver as they would be for any other
> application.
>
> If there's a bug in opendmarc, that's a different question that has
> nothing to do with the output of the working group.
>
> -MSK
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
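The three referral problems Douglas lists (a CNAME to a non-existent name, excessive nesting depth, and loops) are easy to exercise offline. The following is an added example, not code from the thread or from any DMARC implementation: it walks a CNAME chain to a DMARC or DKIM TXT record over a constructed in-memory zone (all names are hypothetical), reports which failure mode it hit, and checks that the record at the end of the chain is actually a DMARC record. The depth cap of 8 is an assumption for illustration, not a value any RFC mandates.

```python
"""Follow a CNAME chain to a TXT record and classify referral failures."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed zone data for the example: owner name -> list of (rtype, rdata).
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "_dmarc.example.com.":     [("CNAME", "dmarc.vendor.example.")],
    "dmarc.vendor.example.":   [("TXT", "v=DMARC1; p=reject; rua=mailto:agg@vendor.example")],
    "_dmarc.dangling.example.": [("CNAME", "gone.vendor.example.")],   # target does not exist
    "_dmarc.loop-a.example.":  [("CNAME", "_dmarc.loop-b.example.")],
    "_dmarc.loop-b.example.":  [("CNAME", "_dmarc.loop-a.example.")],  # closes the loop
}
# A 12-hop chain (_dmarc.deep0 -> ... -> _dmarc.deep12 -> TXT) to trip the depth cap.
for i in range(12):
    ZONE[f"_dmarc.deep{i}.example."] = [("CNAME", f"_dmarc.deep{i + 1}.example.")]
ZONE["_dmarc.deep12.example."] = [("TXT", "v=DMARC1; p=none")]

MAX_CNAME_DEPTH = 8  # assumed cap for this example; real resolvers use their own limits

@dataclass
class LookupResult:
    status: str                 # "ok", "nxdomain", "nodata", "loop" or "too_deep"
    chain: List[str] = field(default_factory=list)  # names visited, in order
    txt: Optional[str] = None   # the TXT rdata when status == "ok"

def resolve_txt(name: str, zone=ZONE, max_depth: int = MAX_CNAME_DEPTH) -> LookupResult:
    """Resolve `name` to a TXT record, following at most `max_depth` CNAME hops."""
    chain, seen, current = [name], {name}, name
    for _ in range(max_depth + 1):          # the name itself plus max_depth hops
        rrs = zone.get(current)
        if rrs is None:                      # dangling referral
            return LookupResult("nxdomain", chain)
        txt = [rdata for rtype, rdata in rrs if rtype == "TXT"]
        if txt:
            return LookupResult("ok", chain, txt[0])
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:                       # name exists but holds neither TXT nor CNAME
            return LookupResult("nodata", chain)
        target = cnames[0]
        chain.append(target)
        if target in seen:                   # revisiting a name means a loop
            return LookupResult("loop", chain)
        seen.add(target)
        current = target
    return LookupResult("too_deep", chain)   # cap reached without a terminal record

def dmarc_tags(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; empty if not a DMARC record."""
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in tags.items()} if tags.get("v", "").strip() == "DMARC1" else {}
```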