Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues
In article you write:

> As for those few folks who have seen DNS issues around using CNAMEs, I really
> want to hear from you off list. Tracking down esoteric DNS error operational
> behavior is something I am slightly obsessive about.
>
> "I'm from the DNS, and I'm here to help"

Yup. I am thinking back to the 1990s when qmail put in a hack that used ANY queries to circumvent a CNAME bug in some version of bind, and it took us a decade to get rid of it.

CNAMEs work fine, and if they appear not to, your DNS library is 99.9% likely to be the problem.

--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues
I have to overly agree with Murray here. Where there should be discussions around using CNAMEs for DMARC records would be in a DMARC best practice document.

I spent some time yesterday digging through all the DKIM RFCs, and there is no place where there are discussions about using CNAMEs (except in passing in RFC5016). And the use of CNAMEs for DKIM TXT records is not just widely used, but is considered a best practice by M3AAWG:
https://www.m3aawg.org/sites/default/files/m3aawg-dkim-key-rotation-bp-2019-03.pdf

As for those few folks who have seen DNS issues around using CNAMEs, I really want to hear from you off list. Tracking down esoteric DNS error operational behavior is something I am slightly obsessive about.

"I'm from the DNS, and I'm here to help"

thanks
tim

On Wed, Mar 3, 2021 at 12:28 PM Murray S. Kucherawy wrote:

> On Tue, Mar 2, 2021 at 3:51 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
>
>> Because CNAME usage was not mentioned in the previous DMARC document,
>> existing implementations may not have tested this configuration. For the
>> policy publishing organization, this increases the possibility that some
>> recipients may treat the mail as not protected by DMARC. As with any
>> deployment issue, the publishing organization has no reliable way to know
>> if the deployment of DMARC implementations with full CNAME support is
>> "essentially complete". This uncertainty may be acceptable for some
>> organizations, but may be an obstacle for others, depending on their
>> motivations for implementing DMARC.
>>
>> On the implementation side, the use of CNAME will introduce the
>> possibility of referral errors, which may or may not require mentioning in
>> the DMARC specification, since such issues have probably been addressed in
>> core DNS documents. The issues that come to mind are:
>> CNAME referrals to non-existent names
>> Nested CNAME referrals (what depth is allowed?)
>> CNAME referrals that produce loops or excessive nesting depth.
>
> I don't understand why we need to say anything special about CNAMEs here.
> They are processed by the resolver as they would be for any other
> application.
>
> If there's a bug in opendmarc, that's a different question that has
> nothing to do with the output of the working group.
>
> -MSK
Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues
On Tue, Mar 2, 2021 at 3:51 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:

> Because CNAME usage was not mentioned in the previous DMARC document,
> existing implementations may not have tested this configuration. For the
> policy publishing organization, this increases the possibility that some
> recipients may treat the mail as not protected by DMARC. As with any
> deployment issue, the publishing organization has no reliable way to know
> if the deployment of DMARC implementations with full CNAME support is
> "essentially complete". This uncertainty may be acceptable for some
> organizations, but may be an obstacle for others, depending on their
> motivations for implementing DMARC.
>
> On the implementation side, the use of CNAME will introduce the
> possibility of referral errors, which may or may not require mentioning in
> the DMARC specification, since such issues have probably been addressed in
> core DNS documents. The issues that come to mind are:
> CNAME referrals to non-existent names
> Nested CNAME referrals (what depth is allowed?)
> CNAME referrals that produce loops or excessive nesting depth.

I don't understand why we need to say anything special about CNAMEs here. They are processed by the resolver as they would be for any other application.

If there's a bug in opendmarc, that's a different question that has nothing to do with the output of the working group.

-MSK
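The three referral failure modes Douglas Foster lists (a CNAME to a non-existent name, nesting depth, loops) and Murray's point that the resolver, not the DMARC layer, handles them, shown as an added worked example. This is not code from the thread, from opendmarc, or from any DMARC implementation: it is a small in-memory resolver over a constructed zone (all names under `example`/`example.com` below are made up), with a hop limit `MAX_CNAME_DEPTH` that is an assumption rather than a number DMARC or DNS specifies. It also shows the distinction a verifier should keep: NXDOMAIN or NODATA at the end of a chain means "no policy", while a loop or an over-deep chain is a resolver failure and should be treated as a temporary error, not as "not protected by DMARC".

```python
"""Follow CNAME chains during a DMARC policy lookup.

Added example for the dmarc-ietf thread; not code from the list or from
opendmarc. Zone data is constructed, the hop limit is an assumption, and
all answers come from memory, so this runs offline.
"""

# Assumption: a hop limit in the range real resolvers use. DMARC itself
# does not specify one, which is what the thread is discussing.
MAX_CNAME_DEPTH = 8

# Constructed zone: owner name -> list of (rrtype, rdata), names fully qualified.
ZONE = {
    # Ordinary case: the DMARC owner name is a CNAME to a vendor template.
    "_dmarc.example.com.": [("CNAME", "dmarc-template.vendor.example.")],
    "dmarc-template.vendor.example.": [
        ("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example")],
    # Nested referral: two hops before the TXT record.
    "_dmarc.nested.example.": [("CNAME", "hop1.vendor.example.")],
    "hop1.vendor.example.": [("CNAME", "hop2.vendor.example.")],
    "hop2.vendor.example.": [("TXT", "v=DMARC1; p=quarantine")],
    # Dangling referral: the CNAME target does not exist.
    "_dmarc.dangling.example.": [("CNAME", "missing.vendor.example.")],
    # Referral loop.
    "_dmarc.loop.example.": [("CNAME", "a.loop.example.")],
    "a.loop.example.": [("CNAME", "b.loop.example.")],
    "b.loop.example.": [("CNAME", "a.loop.example.")],
    # No CNAME; an unrelated TXT string sits beside the policy.
    "_dmarc.plain.example.": [("TXT", "v=DMARC1; p=none"),
                              ("TXT", "site-verification=abc123")],
    # Two DMARC records at one name: RFC 7489 says treat this as no record.
    "_dmarc.double.example.": [("TXT", "v=DMARC1; p=none"),
                               ("TXT", "v=DMARC1; p=reject")],
}
# A chain of eleven CNAME hops, deeper than the cap.
ZONE["_dmarc.deep.example."] = [("CNAME", "d0.deep.example.")]
for i in range(10):
    ZONE[f"d{i}.deep.example."] = [("CNAME", f"d{i + 1}.deep.example.")]
ZONE["d10.deep.example."] = [("TXT", "v=DMARC1; p=none")]


class DnsError(Exception): """Base class for lookup failures."""
class NxDomain(DnsError): """Name (or CNAME target) does not exist."""
class CnameLoop(DnsError): """The CNAME chain revisits a name."""
class CnameTooDeep(DnsError): """The CNAME chain exceeds the hop limit."""


def normalize(name):
    """Lower-case and fully qualify; DNS names are case-insensitive."""
    return name.lower().rstrip(".") + "."


def resolve(name, rrtype, zone=ZONE, max_depth=MAX_CNAME_DEPTH):
    """Return (final_owner_name, [rdata, ...]), following CNAMEs like a
    recursive resolver so the caller only sees records at the chain's end."""
    name = normalize(name)
    seen = set()
    for _ in range(max_depth + 1):          # one iteration per owner name
        rrset = zone.get(name)
        if rrset is None:
            raise NxDomain(name)
        answers = [rdata for rtype, rdata in rrset if rtype == rrtype]
        if answers:
            return name, answers
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return name, []                 # NODATA: name exists, no such type
        seen.add(name)
        target = normalize(cnames[0])
        if target in seen:
            raise CnameLoop(target)
        name = target
    raise CnameTooDeep(name)


def dmarc_record(domain, zone=ZONE):
    """Return the single DMARC policy string for ``domain``, or None.

    NXDOMAIN/NODATA mean "no policy published" (the organizational-domain
    fallback of RFC 7489 is not modelled). Loops and over-deep chains are
    re-raised: a resolver would SERVFAIL, which a verifier should treat as a
    temporary failure, not as "not protected by DMARC".
    """
    try:
        _, txts = resolve("_dmarc." + domain, "TXT", zone)
    except NxDomain:
        return None
    records = [t for t in txts if t.startswith("v=DMARC1")]
    return records[0] if len(records) == 1 else None


def lookup_outcome(domain, zone=ZONE):
    """Classify the DNS outcome of a DMARC lookup, for diagnostics."""
    try:
        return "record" if dmarc_record(domain, zone) else "no-record"
    except CnameLoop:
        return "cname-loop"
    except CnameTooDeep:
        return "cname-too-deep"


if __name__ == "__main__":
    for d in ("example.com", "nested.example", "dangling.example",
              "loop.example", "deep.example", "plain.example", "double.example"):
        print(f"{d:20} {lookup_outcome(d)}")
```

Against real DNS the same shape applies: a stub resolver returns the chain-end TXT RRset and the DMARC code never needs to see the CNAME, which is Murray's point; the cases a verifier still has to get right are the ones where the resolver reports failure (SERVFAIL on a loop or over-deep chain) versus NXDOMAIN/NODATA, and conflating the two is how a publishing organization ends up looking "unprotected".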