On July 28, 2022 4:03:12 PM UTC, Alessandro Vesely <ves...@tana.it> wrote:
>On Thu 28/Jul/2022 13:23:45 +0200 Scott Kitterman wrote:
>> On Wednesday, July 27, 2022 4:05:27 AM EDT Alessandro Vesely wrote:
>>> On Mon 25/Jul/2022 17:15:34 +0200 Scott Kitterman wrote:
>>>> On Monday, July 25, 2022 9:59:02 AM EDT Alessandro Vesely wrote:
>> ...
>>
>>>> Here's what's currently in Git between the shortcuts and the numbered
>>>> steps (it's in Markdown, vice final RFC text, but I think it's clear
>>>> enough):
>>>>> To discover the Organizational Domain for a domain, perform the DNS Tree
>>>>> Walk described in (#dns-tree-walk) as needed for any of the domains in
>>>>> question.
>>>
>>> What are the "domains in question"?
>>>
>>>>> For each Tree Walk that retrieved valid DMARC records, select the
>>>>> Organizational Domain from the domains for which valid DMARC records were
>>>>> retrieved from the longest to the shortest:
>>>> If we change this to:
>>>>> To discover the Organizational Domain for these domains, perform the DNS
>>>>> Tree Walk described in (#dns-tree-walk) as needed for the domains in
>>>>> question. For each Tree Walk that retrieved valid DMARC records, select
>>>>> the Organizational Domain from the domains for which valid DMARC records
>>>>> were retrieved from the longest to the shortest:
>>>> Does that resolve your concern? I changed "for a domain" to "for these
>>>> domains" to address your concern about relaxing requirements. I think
>>>> you're wrong and it makes absolutely no difference, but if you think it's
>>>> better, I believe it would do. I do think the two sentences would better be
>>>> in one paragraph as they are not really separate ideas.
>>>
>>> How about moving the reference to the Tree Walk right to the first
>>> sentence at the beginning of the section, for example like so:
>>>
>>>
>>> For Organizational Domain discovery, in general it is necessary to
>>> perform two DNS Tree Walks (#dns-tree-walk) in order to determine
>>> if any two domains are in alignment. Noteworthy exceptions are
>>> described in (#shortcuts). A DNS Tree Walk to discover an
>>> Organizational Domain can start only at one of the following
>>> locations:
>>>
>>> * The domain in the RFC5322.From header of the message.
>>> * The RFC5321.MailFrom domain if there is an SPF pass result for
>>> the message.
>>> * Any DKIM d= domain if there is a DKIM pass result for the
>>> message for that domain.
>>>
>>> For each Tree Walk that retrieved valid DMARC records, select the
>>> Organizational Domain from the domains for which valid DMARC
>>> records were retrieved from the longest to the shortest:
>>>
>>> 1 ...
>>
>> Let's focus on this part, as I think it's most important.
>>
>> In general, I think that's reasonable, but I think it needs work yet. How
>> about this (and I'm fine with moving the note to the end):
>>
>>> For Organizational Domain discovery, it will be necessary to perform one or
>>> more DNS Tree Walks (#dns-tree-walk) to determine if any two domains are in
>>> alignment. This means that a DNS Tree Walk to discover an Organizational
>>> Domain will start at one of the following locations:
>
>
>We are trying to stuff two sentences in one. It is not clear if we're
>discovering the org domain or establishing alignment.
>
>
>>> * The domain in the RFC5322.From header of the message.
>>> * The RFC5321.MailFrom domain if there is an SPF pass result for the
>>> message.
>>> * Any DKIM d= domain if there is a DKIM pass result for the message for
>>> that domain.
>>
>>> To determine the Organizational Domain for any of these domains, perform the
>>> DNS Tree Walk as needed for the selected domain.
>
>
>Splitting the first sentence, this becomes one of its parts.
>
>
>>> For each Tree Walk that
>>> retrieved valid DMARC records, select the Organizational Domain from the
>>> domains for which valid DMARC records were retrieved from the longest to the
>>> shortest:
>
>
>Could that be shortened? Each step requires a DMARC record, so the domains
>w/o record don't play.
>
>Here's another wording. I repeat the numbered steps but only change the
>paragraph after them:
>
>
> To discover the Organizational Domain of a domain, it is necessary to
> analyze the DNS Tree Walk (#dns-tree-walk) which starts from it. That may
> be necessary in order to establish alignment between two domains. This
> means that the starting domain is one of the following:
>
> * The domain in the RFC5322.From header of the message.
> * The RFC5321.MailFrom domain if there is an SPF pass result for
> the message.
> * Any DKIM d= domain if there is a DKIM pass result for the
> message for that domain.
>
> For a Tree Walk that retrieved a valid DMARC record, select the
> Organizational Domain from its domains, from the longest toward the
> shortest:
>
> 1. If a valid DMARC record contains the psd= tag set to 'n' (psd=n),
> this is the Organizational Domain and the selection process is
> complete.
>
> 2. If a valid DMARC record, other than the one for the domain where
> the tree walk started, contains the psd= tag set to 'y' (psd=y),
> the Organizational Domain is the domain one label below this one
> in the DNS hierarchy, and the selection process is complete.
>
> 3. Otherwise select the record for the domain with the fewest number
> of labels. This is the Organizational Domain and the selection
> process is complete.
>
> If this process does not determine the Organizational Domain, then
> the Organizational Domain is the starting domain.
>
>
>The last paragraph is a puzzle. If a tree walk retrieved a DMARC record, then
>there must exist a domain with a record with the fewest number of labels. It
>is not needed any more. Let's replace it with:
>
>
> For Tree Walks that retrieved no DMARC record, the Organizational Domain is
> undefined. No alignment can be established in such cases.
>
No. That's incorrect. We have discussed this exact point multiple times in
the last several weeks. I conclude that I'm incapable of communicating this
adequately and will leave it to someone else.
Scott K
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
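
The numbered selection steps and the fallback paragraph quoted in the message above, as an added example that is not part of the thread or of the draft. It assumes steps 1 and 2 are tested per domain while going from the longest name to the shortest; the function name, the input shape and the sample names are hypothetical, and the Tree Walk itself is taken as already done.

```python
def _labels(name):
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def select_org_domain(start, records):
    """Pick the Organizational Domain from the results of one Tree Walk.

    start   -- domain where the walk began
    records -- {domain: {tag: value}} for every domain on the walk that
               returned a valid DMARC record (assumed input shape)
    """
    start_l = _labels(start)
    found = {}
    for name, tags in records.items():
        lab = _labels(name)
        # Keep only the starting domain and its ancestors.
        if len(lab) <= len(start_l) and start_l[-len(lab):] == lab:
            found[tuple(lab)] = {k.lower(): v.lower() for k, v in tags.items()}
    if not found:
        # Fallback paragraph of the quoted text: no step applied.
        return ".".join(start_l)
    # Longest name first, as the quoted text prescribes.
    for lab in sorted(found, key=len, reverse=True):
        psd = found[lab].get("psd")
        if psd == "n":                           # step 1
            return ".".join(lab)
        if psd == "y" and list(lab) != start_l:  # step 2
            # One label below the psd=y domain, on the path to the start.
            return ".".join(start_l[-(len(lab) + 1):])
    # Step 3: the record for the domain with the fewest labels.
    return ".".join(min(found, key=len))

# Constructed walk results using reserved example names, not real records.
SAMPLES = [
    ("mail.dept.gov.example",
     {"dept.gov.example": {"p": "none"}, "gov.example": {"psd": "y"}}),
    ("a.b.example.org",
     {"b.example.org": {"psd": "n"}, "example.org": {"p": "reject"}}),
    ("a.b.example.org",
     {"a.b.example.org": {"p": "none"}, "example.org": {"p": "reject"}}),
    ("host.example.net", {}),
]

if __name__ == "__main__":
    for start, recs in SAMPLES:
        print(start, "->", select_org_domain(start, recs))
```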