Re: [dmarc-ietf] Description of 'n' value for the 'psd' tag AND/OR Clarify the Tree Walk
On Tuesday, April 16, 2024 5:17:44 PM EDT Todd Herr wrote:
> Colleagues,
>
> DMARCbis currently describes the value of 'n' for the 'psd' tag in a policy
> record as follows:
>
> The DMARC policy record is published for a PSD, but it is not the
> Organizational Domain for itself and its subdomain. There is no need to put
> psd=n in a DMARC record, except in the very unusual case of a parent PSD
> publishing a DMARC record without the requisite psd=y tag.
> I don't think this is entirely accurate, especially the second sentence
> ("no need ... except in the very unusual case"), and here's why. Either
> that, or the description of the Tree Walk needs to be changed.
>
> The Tree Walk is intended for both DMARC Policy discovery and
> Organizational Domain discovery, and section 4.7 (DMARC Policy Discovery)
> says the policy to be applied will be the DMARC record found at one of
> these three locations:
>
>- The RFC5322.From domain
>- The Organizational Domain of the RFC5322.From domain
>- The Public Suffix Domain of the RFC5322.From domain
>
> Meanwhile, section 4.8, Organizational Domain Discovery, gives the
> following three options for where the Organizational Domain is:
>
>1. DMARC record with psd=n
>2. The domain one level below the domain with a DMARC record with the
>tag psd=y
>3. The record for the domain with the fewest number of labels.
>
> The Tree Walk, as described in section 4.6, defines two explicit places to
> stop, both of which rely on discovery of a DMARC policy record with a psd
> tag defined:
>
>- Step 2, if the DMARC record has psd=n
>- Step 7, if the DMARC record has psd=n or psd=y
>
> There is no other stopping place described, and no instructions to collect
> DMARC policy records that don't have the psd tag defined during the walk,
> and while Organizational Domain Discovery speaks of records retrieved
> during the Tree Walk, there are no instructions in the Tree Walk steps
> themselves in section 4.6 to put all the DMARC records with no psd tag in a
> basket somewhere for later usage.
>
> So the questions I have are...
>
>1. Should the description of the 'n' value for the 'psd' tag be updated
>to discuss its usage in a decentralized control model (e.g., seven label
>RFC5322.From with DMARC policy published at a five label name to allow
> for "local" control, with said policy being different from the policy
> published at the "traditional" org domain leve)?
>2. Should the description of the Tree Walk in section 4.6 be updated, to
>mention that valid DMARC records with no explicit psd tag might be found
>during the walk, and these should be preserved for later comparison to
>determine the organizational domain?
>
> I look forward to the discussion.
Since this is a protocol specification and not a programming specification, I
don't think we need to be so proscriptive about storing results. My answer to
question 2 is no, I don't think we should change it.
I am ambivalent about question 1. Personally, I think it's fine as is, but if
people think it's unclear, we should probably come up with something better.
Scott K
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Description of 'n' value for the 'psd' tag AND/OR Clarify the Tree Walk
On Wednesday, April 17, 2024 11:41:34 AM EDT Alessandro Vesely wrote:
> On Tue 16/Apr/2024 23:17:44 +0200 Todd Herr wrote:
> > Colleagues,
> >
> > DMARCbis currently describes the value of 'n' for the 'psd' tag in a
> > policy
> >
> > record as follows:
> > The DMARC policy record is published for a PSD, but it is not the
> > Organizational Domain for itself and its subdomain. There is no need
> > to put
> > psd=n in a DMARC record, except in the very unusual case of a parent
> > PSD
> > publishing a DMARC record without the requisite psd=y tag.
> >
> > I don't think this is entirely accurate, especially the second sentence
> > ("no need ... except in the very unusual case"), and here's why. Either
> > that, or the description of the Tree Walk needs to be changed.
>
> The correct text would be something like so:
>
> The DMARC policy record is published for a domain which is the
> Organizational Domain for itself and its subdomains (up to one which
> in turn publishes a psd= tag with value not u.) There is no need to
> put "psd=n" in a DMARC record, except in the very unusual case of a
> parent PSD publishing a DMARC record without the requisite psd=y tag.
> (A parent PSD not publishing any DMARC record is fine.)
>
> Note that intermediate records are discarded.
I think something like this is fine.
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Description of 'n' value for the 'psd' tag AND/OR Clarify the Tree Walk
On Apr 17, 2024, at 6:33 AM, Todd Herr wrote:On Wed, Apr 17, 2024 at 1:18 AM Neil Anuskiewicz 40marmot-tech@dmarc.ietf.org> wrote:On Apr 16, 2024, at 2:18 PM, Todd Herr 40valimail@dmarc.ietf.org> wrote:Colleagues,DMARCbis currently describes the value of 'n' for the 'psd' tag in a policy record as follows:The DMARC policy record is published for a PSD, but it is not the Organizational Domain for itself and its subdomain. There is no need to put psd=n in a DMARC record, except in the very unusual case of a parent PSD publishing a DMARC record without the requisite psd=y tag.I don't think this is entirely accurate, especially the second sentence ("no need ... except in the very unusual case"), and here's why. Either that, or the description of the Tree Walk needs to be changed.The Tree Walk is intended for both DMARC Policy discovery and Organizational Domain discovery, and section 4.7 (DMARC Policy Discovery) says the policy to be applied will be the DMARC record found at one of these three locations:The RFC5322.From domainThe Organizational Domain of the RFC5322.From domainThe Public Suffix Domain of the RFC5322.From domainMeanwhile, section 4.8, Organizational Domain Discovery, gives the following three options for where the Organizational Domain is:DMARC record with psd=nThe domain one level below the domain with a DMARC record with the tag psd=yThe record for the domain with the fewest number of labels.The Tree Walk, as described in section 4.6, defines two explicit places to stop, both of which rely on discovery of a DMARC policy record with a psd tag defined.One of your concerns is that without a PSD tag, but I think the default is PSD=n. Does,that address that concern or did I misunderstand the concern?The default for the psd tag is 'u', not 'n'.See https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-30.html#name-general-record-formatThank you and I’m not sure why I was thinking n. I guess I figured if it’s not a PSD which should publish an explicit y. My logic just looking at the tree walk makes no sense.___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Description of 'n' value for the 'psd' tag AND/OR Clarify the Tree Walk
On Tue 16/Apr/2024 23:17:44 +0200 Todd Herr wrote:
Colleagues,
DMARCbis currently describes the value of 'n' for the 'psd' tag in a policy
record as follows:
The DMARC policy record is published for a PSD, but it is not the
Organizational Domain for itself and its subdomain. There is no need to put
psd=n in a DMARC record, except in the very unusual case of a parent PSD
publishing a DMARC record without the requisite psd=y tag.
I don't think this is entirely accurate, especially the second sentence ("no
need ... except in the very unusual case"), and here's why. Either that, or the
description of the Tree Walk needs to be changed.
The correct text would be something like so:
The DMARC policy record is published for a domain which is the
Organizational Domain for itself and its subdomains (up to one which
in turn publishes a psd= tag with value not u.) There is no need to
put "psd=n" in a DMARC record, except in the very unusual case of a
parent PSD publishing a DMARC record without the requisite psd=y tag.
(A parent PSD not publishing any DMARC record is fine.)
Note that intermediate records are discarded.
Best
Ale
--
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Description of 'n' value for the 'psd' tag AND/OR Clarify the Tree Walk
On Wed, Apr 17, 2024 at 1:18 AM Neil Anuskiewicz wrote:
>
>
> On Apr 16, 2024, at 2:18 PM, Todd Herr 40valimail@dmarc.ietf.org> wrote:
>
>
> Colleagues,
>
> DMARCbis currently describes the value of 'n' for the 'psd' tag in a
> policy record as follows:
>
> The DMARC policy record is published for a PSD, but it is not the
> Organizational Domain for itself and its subdomain. There is no need to put
> psd=n in a DMARC record, except in the very unusual case of a parent PSD
> publishing a DMARC record without the requisite psd=y tag.
> I don't think this is entirely accurate, especially the second sentence
> ("no need ... except in the very unusual case"), and here's why. Either
> that, or the description of the Tree Walk needs to be changed.
>
> The Tree Walk is intended for both DMARC Policy discovery and
> Organizational Domain discovery, and section 4.7 (DMARC Policy Discovery)
> says the policy to be applied will be the DMARC record found at one of
> these three locations:
>
>- The RFC5322.From domain
>- The Organizational Domain of the RFC5322.From domain
>- The Public Suffix Domain of the RFC5322.From domain
>
> Meanwhile, section 4.8, Organizational Domain Discovery, gives the
> following three options for where the Organizational Domain is:
>
>1. DMARC record with psd=n
>2. The domain one level below the domain with a DMARC record with the
>tag psd=y
>3. The record for the domain with the fewest number of labels.
>
> The Tree Walk, as described in section 4.6, defines two explicit places to
> stop, both of which rely on discovery of a DMARC policy record with a psd
> tag defined.
>
>
> One of your concerns is that without a PSD tag, but I think the default is
> PSD=n. Does,that address that concern or did I misunderstand the concern?
>
>
The default for the psd tag is 'u', not 'n'.
See
https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-30.html#name-general-record-format
--
Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.h...@valimail.com
Phone: 703-220-4153
This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Description of 'n' value for the 'psd' tag AND/OR Clarify the Tree Walk
> On Apr 16, 2024, at 2:18 PM, Todd Herr
> wrote:
>
>
> Colleagues,
>
> DMARCbis currently describes the value of 'n' for the 'psd' tag in a policy
> record as follows:
>
> The DMARC policy record is published for a PSD, but it is not the
> Organizational Domain for itself and its subdomain. There is no need to put
> psd=n in a DMARC record, except in the very unusual case of a parent PSD
> publishing a DMARC record without the requisite psd=y tag.
>
> I don't think this is entirely accurate, especially the second sentence ("no
> need ... except in the very unusual case"), and here's why. Either that, or
> the description of the Tree Walk needs to be changed.
>
> The Tree Walk is intended for both DMARC Policy discovery and Organizational
> Domain discovery, and section 4.7 (DMARC Policy Discovery) says the policy to
> be applied will be the DMARC record found at one of these three locations:
> The RFC5322.From domain
> The Organizational Domain of the RFC5322.From domain
> The Public Suffix Domain of the RFC5322.From domain
> Meanwhile, section 4.8, Organizational Domain Discovery, gives the following
> three options for where the Organizational Domain is:
> DMARC record with psd=n
> The domain one level below the domain with a DMARC record with the tag psd=y
> The record for the domain with the fewest number of labels.
> The Tree Walk, as described in section 4.6, defines two explicit places to
> stop, both of which rely on discovery of a DMARC policy record with a psd tag
> defined.
One of your concerns is that without a PSD tag, but I think the default is
PSD=n. Does,that address that concern or did I misunderstand the concern?
N___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
[dmarc-ietf] Description of 'n' value for the 'psd' tag AND/OR Clarify the Tree Walk
Colleagues,
DMARCbis currently describes the value of 'n' for the 'psd' tag in a policy
record as follows:
The DMARC policy record is published for a PSD, but it is not the
Organizational Domain for itself and its subdomain. There is no need to put
psd=n in a DMARC record, except in the very unusual case of a parent PSD
publishing a DMARC record without the requisite psd=y tag.
I don't think this is entirely accurate, especially the second sentence
("no need ... except in the very unusual case"), and here's why. Either
that, or the description of the Tree Walk needs to be changed.
The Tree Walk is intended for both DMARC Policy discovery and
Organizational Domain discovery, and section 4.7 (DMARC Policy Discovery)
says the policy to be applied will be the DMARC record found at one of
these three locations:
- The RFC5322.From domain
- The Organizational Domain of the RFC5322.From domain
- The Public Suffix Domain of the RFC5322.From domain
Meanwhile, section 4.8, Organizational Domain Discovery, gives the
following three options for where the Organizational Domain is:
1. DMARC record with psd=n
2. The domain one level below the domain with a DMARC record with the
tag psd=y
3. The record for the domain with the fewest number of labels.
The Tree Walk, as described in section 4.6, defines two explicit places to
stop, both of which rely on discovery of a DMARC policy record with a psd
tag defined:
- Step 2, if the DMARC record has psd=n
- Step 7, if the DMARC record has psd=n or psd=y
There is no other stopping place described, and no instructions to collect
DMARC policy records that don't have the psd tag defined during the walk,
and while Organizational Domain Discovery speaks of records retrieved
during the Tree Walk, there are no instructions in the Tree Walk steps
themselves in section 4.6 to put all the DMARC records with no psd tag in a
basket somewhere for later usage.
So the questions I have are...
1. Should the description of the 'n' value for the 'psd' tag be updated
to discuss its usage in a decentralized control model (e.g., seven label
RFC5322.From with DMARC policy published at a five label name to allow for
"local" control, with said policy being different from the policy published
at the "traditional" org domain leve)?
2. Should the description of the Tree Walk in section 4.6 be updated, to
mention that valid DMARC records with no explicit psd tag might be found
during the walk, and these should be preserved for later comparison to
determine the organizational domain?
I look forward to the discussion.
--
Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.h...@valimail.com
Phone: 703-220-4153
This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
