John, all, We did some work over the holidays and couple of weeks ago implemented something along these lines. It all seems to be working and we're collecting data about spoofs of non-existent domains and some interesting (apparent) misconfigurations that are nothing to do with DMARC.
We'll report on the results when we've got sufficient data and done the analysis. Thanks again for the pointer! Ta. I. -- Dr Ian Levy Technical Director National Cyber Security Centre Staff Officer : Kate Atkins, [email protected] -----Original Message----- From: John R Levine [mailto:[email protected]] Sent: 22 December 2017 15:39 To: Ian Levy <[email protected]> Cc: Kurt Andersen (b) <[email protected]>; [email protected] Subject: RE: [dmarc-ietf] Preventing abuse of public-suffix-level domains > Thanks for this. I think we'd decided this wouldn't work (along with JISC, > who currently run the authoritative DNS for gov.uk). For the life of me, I > can't remember why though! It's worth reading RFC 4592, a fairly dense description of how DNS wildcards work, to be clear about what names *.gov.uk wil match and what they won't so you know what to expect. People even within the IETF can find them confusing. R's, John > > We'll have another look at it after the holidays. We have every intention of > making delegates responsible for doing something sensible in their namespace > as well. > > Thanks again. > > Ta. > > I. > > -- > Dr Ian Levy > Technical Director > National Cyber Security Centre > > Staff Officer : Kate Atkins, [email protected] > > -----Original Message----- > From: John R Levine [mailto:[email protected]] > Sent: 20 December 2017 17:58 > To: Kurt Andersen (b) <[email protected]> > Cc: Ian Levy <[email protected]>; [email protected] > Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level > domains > > On Wed, 20 Dec 2017, Kurt Andersen (b) wrote: >>> I need to be able to emulate in some way the effect of SPF and DMARC >>> records for non-existent first level subdomains under the PSL gov.uk >>> - to stop spoof mail apparently coming from them being delivered. > >> I'm quite sure that you will need to do this via synthetic records >> being returned either by the gov.uk name servers or by having gov.uk >> refer to a general "parked domain" name server (farm) for all of the >> non-existent subdomains ... > > With your current DNS setup, you could add this, no new name servers > needed: > > *.gov.uk. IN TXT "v=spf1 -all" > *.gov.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:<something>; > ruf=mailto:<something>" > > This will cover all undelegated names below gov.uk, e.g. abc.gov.uk and > abc.def.gov.uk. It won't cover names under existing subdomains, e.g. > abc.mod.gov.uk but it's better than nothing. > > Unless the people who host your DNS are willing to let you use customized > stunt servers, which seems unlikely considering who they are, that's about > the best you can do without getting the cooperation of your delegatees. > > Regards, > John Levine, [email protected], Taughannock Networks, Trumansburg NY > Please consider the environment before reading this e-mail. > https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fjl. > ly&data=02%7C01%7Cian.levy%40ncsc.gov.uk%7Cbd63e2124c974606c8a808d547d > 33b16%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C636493894920036818& > sdata=iUTep54zAORBtIwqsMU%2BjEg51F%2FhxgAEPX%2BXl9IEfmU%3D&reserved=0 > This information is exempt under the Freedom of Information Act 2000 > (FOIA) and may be exempt under other UK information legislation. Refer > any FOIA queries to [email protected] > > Regards, John Levine, [email protected], Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fjl.ly&data=02%7C01%7Cian.levy%40ncsc.gov.uk%7C6d5ee308376e4b91cd4408d549522859%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C636495539574482595&sdata=bAmgktrJccTyMBNd35VYt2EGGn3iPAboKD6ywMNrEQI%3D&reserved=0 This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected] _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
