>> We can’t just use a wildcard CNAME record

> As you surmise, that won't work.

>> DNAME would be the most obvious way to do this, but it’d need a wildcard
>> DNAME and they’re ‘frowned upon’ ☺.

> Indeed they are, because they don't work either.

Glad we agree that the two obvious potential solutions won't work.

> Honestly, you need to figure out how to get the attention of the people to
> whom you have delegated subdomains and have them fix their DNS. I realize
> this is not easy.

Well, it's not easy, but we have their attention and we have work in progress to (try to) get hold of the public sector DNS. But unwinding 20-odd years of 'inventiveness' takes time. And it doesn't fix the problem I've raised.

> I have often surmised that rather than delegating subdomain zones, you're
> much better off with one big zone with a provisioning system that lets people
> mess with the records in their subtree.

There's a reasonable chance that's what we're looking to build at the moment.

> Then it's still your provisioning system so if they get things wrong, or you
> want to help them set up records like SPF or DMARC that they haven't gotten
> around to doing themselves, you can just do it.

You can't 'just do [DMARC and SPF]' for people, at least in the environment I'm talking about. Public sector departments and agencies have important work to do and we can't risk arbitrarily breaking their email by setting policies for them without their knowledge. The estate is massively diverse (some of it very out of date) and the ways email is implemented and the uses it's put to are 'interesting' to say the least.

Also, I don't think it fixes the problem, which I'll try to restate again to make it clearer. I need to be able to emulate in some way the effect of SPF and DMARC records for non-existent first level subdomains under the PSL gov.uk, to stop spoof mail apparently coming from them being delivered. This is an active problem that criminals are abusing.

They send mail from (for example) the non-existent subdomain ianlevy.gov.uk and there's currently no sensible way to stop that using DMARC et al. I accept absolutely that this is but one part of a wider defensive strategy, but not every receiver does lots of work to classify bad email for their customers, and even when they do it's not perfect. We believe a good number of users still receive these emails and many act upon them because they look plausible. If we are to make a real dent in email abuse, I believe we'll need to have a way to combat this.

It's not just the UK that's going down the route of trying to combat email abuse at scale (as part of a wider email security push): you've all seen the DHS BOD (which will run into exactly the same problem in a few months on .gov), the push from Global Cyber Alliance, and there's a bunch of other countries talking to us about pushing DMARC in the same way.

I'd really like to work towards a solution for this problem and we can sort out the next level down in due course. I believe that if we're to make a long term dent in email abuse, this is one of the things we'll need to find a way to fix. I think there are others, but this is a big one. Currently, we're playing whack-a-mole with the criminals. If we can't fix this, I can't see how we can make end users' lives better in the long term.

So, we'd really welcome any and all ideas on how to tackle this. We're happy to experiment on ourselves to see what works and publish so others don't have to go through the same pain.

Ta.

I.
--
Dr Ian Levy
Technical Director
National Cyber Security Centre
Staff Officer: Kate Atkins, [email protected]

-----Original Message-----
From: John Levine [mailto:[email protected]]
Sent: 19 December 2017 17:16
To: [email protected]
Cc: Ian Levy <[email protected]>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains

> We can’t just use a wildcard CNAME record because there doesn’t seem to be
> any way to generate the necessary second level subdomain that we need (the
> _dmarc.baddomain.gov.uk).

As you surmise, that won't work. For one thing _dmarc.*.gov.uk isn't a wildcard, and for another, *.gov.uk only matches names that don't already exist and don't have an existing parent. So if, for example, mod.gov.uk exists, *.mod.gov.uk won't match. This is not considered to be a bug.

> DNAME would be the most obvious way to do this, but it’d need a wildcard
> DNAME and they’re ‘frowned upon’ ☺.

Indeed they are, because they don't work either. You cannot have any DNS records or any NS delegations below a DNAME. In practice DNAMEs are not very useful.

> Before we start thinking about doing something kludgy (probably looking for
> failed lookups for TXT records in logs and adding the subdomain to the zone,
> which sucks), does anyone have any ideas that we could try? I can’t believe
> this is the first time this has been encountered!

Honestly, you need to figure out how to get the attention of the people to whom you have delegated subdomains and have them fix their DNS. I realize this is not easy.

I have often surmised that rather than delegating subdomain zones, you're much better off with one big zone with a provisioning system that lets people mess with the records in their subtree. Then it's still your provisioning system so if they get things wrong, or you want to help them set up records like SPF or DMARC that they haven't gotten around to doing themselves, you can just do it.

R's,
John

--
Regards,
John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
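The wildcard rules John states (a `*` only counts as a wildcard when it is the leftmost label, and `*.gov.uk` is only consulted for names with no existing parent, never across a delegation) are the RFC 1034/4592 matching algorithm. The following is an added worked example, not code from the thread or from anyone's resolver: a toy in-zone lookup that implements exact match, delegation referral, closest encloser and source of synthesis for a single zone, and runs it against two constructed gov.uk zones, one with the literal name `_dmarc.*.gov.uk` and one with a genuine `*.gov.uk` wildcard. `mod.gov.uk` is the delegation John mentions; `example-dept.gov.uk`, the nameserver names and all record data are invented. The model ignores CNAME/DNAME chasing and DNSSEC, and says nothing about what a receiving MTA does with a synthesised answer; it only shows which query names a wildcard can and cannot answer.

```python
"""Toy model of in-zone DNS name matching (RFC 1034 s4.3.2 / RFC 4592).

Added example for the dmarc-list discussion above; not production code.
Both zones below are constructed: gov.uk is the apex, mod.gov.uk is a
delegation, example-dept.gov.uk is a made-up existing name, and every
rdata string is invented.
"""

DMARC_TXT = ("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid")
APEX_RRS = [("SOA", "ns1.gov.uk. hostmaster.gov.uk. 1 3600 900 604800 300"),
            ("NS", "ns1.gov.uk.")]

# Ian's first idea: a record under a literal "*" label. Only the leftmost
# label of an owner name can be a wildcard, so "_dmarc.*.gov.uk" is just an
# ordinary owner name here (and it makes "*.gov.uk" an empty non-terminal).
ZONE_LITERAL_STAR = {
    "gov.uk": APEX_RRS,
    "mod.gov.uk": [("NS", "ns1.mod.gov.uk.")],      # delegated (exists)
    "_dmarc.*.gov.uk": [DMARC_TXT],
}

# A real wildcard owner: "*.gov.uk" with the policy record on it.
ZONE_WILDCARD = {
    "gov.uk": APEX_RRS,
    "mod.gov.uk": [("NS", "ns1.mod.gov.uk.")],      # delegated (exists)
    "example-dept.gov.uk": [("A", "192.0.2.10")],  # exists, not delegated
    "*.gov.uk": [DMARC_TXT],
}


def _exists(zone, name):
    """A name exists if it owns records or is an ancestor of an owner
    (an 'empty non-terminal')."""
    return any(o == name or o.endswith("." + name) for o in zone)


def _rrset(zone, name, qtype):
    return [rdata for rtype, rdata in zone.get(name, []) if rtype == qtype]


def dmarc_query_name(rfc5322_from_domain):
    """The name a DMARC-validating receiver asks for (RFC 7489 s6.6.3)."""
    return "_dmarc." + rfc5322_from_domain.lower().rstrip(".")


def lookup(zone, apex, qname, qtype="TXT"):
    """Answer `qname`/`qtype` from `zone`. Returns (status, data) with status
    in: exact, synthesized, nodata, nxdomain, referral, out-of-zone."""
    qname, apex = qname.lower().rstrip("."), apex.lower().rstrip(".")
    if qname != apex and not qname.endswith("." + apex):
        return "out-of-zone", None
    labels = qname.split(".")
    # Ancestors of qname, closest first, stopping at the apex (inclusive).
    ancestors = []
    for i in range(1, len(labels)):
        ancestors.append(".".join(labels[i:]))
        if ancestors[-1] == apex:
            break
    # 1. Zone cut: an NS RRset at or above qname (below the apex) means the
    #    answer lives in the child zone. Wildcards in this zone never apply.
    for cut in [qname] + ancestors:
        if cut != apex and _rrset(zone, cut, "NS"):
            return "referral", cut
    # 2. The name exists: answer from its own RRsets, empty => NODATA.
    if _exists(zone, qname):
        data = _rrset(zone, qname, qtype)
        return ("exact", data) if data else ("nodata", data)
    # 3. Closest encloser is the longest existing ancestor; the source of
    #    synthesis is the "*" label directly below it, nothing else.
    closest = next(a for a in ancestors if _exists(zone, a))  # apex always exists
    source = "*." + closest
    if not _exists(zone, source):
        return "nxdomain", None
    data = _rrset(zone, source, qtype)
    return ("synthesized", data) if data else ("nodata", data)


if __name__ == "__main__":
    spoofed = "ianlevy.gov.uk"  # non-existent first-level name from the thread
    for label, zone in (("literal _dmarc.*", ZONE_LITERAL_STAR), ("*.gov.uk", ZONE_WILDCARD)):
        print(f"== zone with {label} ==")
        for q in (dmarc_query_name(spoofed), spoofed,
                  dmarc_query_name("mod.gov.uk"),
                  dmarc_query_name("example-dept.gov.uk"), "a.b.gov.uk"):
            print(f"  {q:32} -> {lookup(zone, 'gov.uk', q)}")
```

Running it shows the two points from the thread directly: with `_dmarc.*.gov.uk` the query `_dmarc.ianlevy.gov.uk` comes back NODATA (the `*.gov.uk` node exists only as an empty non-terminal and owns no TXT), so the literal-star record is never used for anything but its own exact name; with `*.gov.uk` the same query is synthesised because neither it nor `ianlevy.gov.uk` exists, but `_dmarc.mod.gov.uk` is a referral into the delegated zone and `_dmarc.example-dept.gov.uk` is NXDOMAIN because the closest encloser is the existing `example-dept.gov.uk`, which has no `*` child. Note that the same wildcard RRset also answers the bare `ianlevy.gov.uk` TXT query, so whatever is placed there is seen by every TXT consumer under a non-existent name, not only DMARC.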
