I think the formal term for "DNS Segment" is an A-label.
US.COM is a single label between the PSO Domain ("com") and the client
domains ("client1.us.com")
There are a lot of important questions derived from Ale's topic, which
originally started because he observed that registries like "us.com" need
to publish both PSD=Y, to indicate a boundary below, and PSD=N, to indicate
a boundary above. John replied that the PSD=N could be discarded because
we will assume that all registries (PSD=Y) are also org domains (PSD=N) and
therefore only able to use strict alignment. This was not fully discussed.
Do we know that all private registries are single-labels, or can they have
two levels, such as "client1.registry.private.tld", or even three levels,
such as "cient1.registry.something.private.tld"?
If a private registry organization can be more than a single domain, can it
use DMARC with relaxed authentication? Specifically, does
"registry.private.tld" align with "private.tld"?
I believe we have assumed that PSO domains cannot have an organization
structure; only strict alignment is allowed because every PSO domain is a
self-contained pseudo-organization. If PSO domains cannot use relaxed
authentication, but private registry organizations can use relaxed
authentication, then perhaps we need two different tags for the two
different types of registries.
If we use the same tagging for PSO domains and private registration
domains, we prevent all PSD=Y domains from participating in relaxed
alignment. Maybe this is acceptable?
I think the other part of Ale's question was whether our design would be
undermined if a private registry contained a private registry. I think
this is intertwined with the assumption that no registry domain will have
more than 4 segments, and no organizational domains will have more than 5
segments. With those assumptions, multiple layers are difficult to
assemble. The current design assumes that all private registration
boundaries will be explicitly tagged. As long as that assumption holds, I
think the design works properly, even with additional private registry
layers.
DF
On Thu, Jun 30, 2022 at 2:30 AM Murray S. Kucherawy <superu...@gmail.com>
wrote:
> On Wed, Jun 29, 2022 at 7:18 AM Douglas Foster <
> dougfoster.emailstanda...@gmail.com> wrote:
>
>> Based on our psl information, a private registry will be at DNS segment 3
>> or 4. If the PSO registration is at DNS segment 2, the private registry
>> could be either one or two segments thick.
>>
>
> What is a "DNS segment"?
>
> -MSK
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
