On Wed, Apr 4, 2018 at 11:19 AM, Peter M. Goldstein <
[email protected]> wrote:

> Kurt,
>
> As you note, this issue has been discussed on-list (and off) a few times.
> And it definitely seems clear that some sort of modification to the lookup
> algorithm would be required to address the issue.
>
> As part of that discussion, there are a few scenarios that I think should
> be considered:
>
> 1. *A domain which contains two public suffixes* - i.e. abc.gov.uk, which
> contains the public suffixes .gov.uk, .uk.  In the proposed lookup scheme
> we'd be assuming that the manager of the registry for the "last"
> organizational domain represented a controlling authority that should be
> able to impose DMARC policy on and view data for all subdomains.  I'm not
> sure whether that's true in all cases, and that would have bearing on your
> proposal.
>
> 2. *A domain which contains three or more public suffixes* - I'm not sure
> given the content of the public suffix list today that you can actually
> construct one of these.  But from what I can see, there's nothing
> restricting a future update of the public suffix list that would allow such
> a domain.  If we update the lookup algorithm, we should at least speak to
> this case - even if it's just to say we ignore it.
>

This is quite easily accomplished, as are scenarios where there are public
blocks embedded "down chain" with intervening private domains in between.
See the notes from the DBOUND working group if you want to delve into these
sorts of things.

> 3. *New gTLDs* - With the recent expansion of the list of TLDs, many of the
> new TLDs are controlled by a single organization.  It may make sense to
> allow those gTLDs to define a DMARC record on the TLD itself or on some
> 'default' domain - both for administrative simplification and to ensure
> against abuse.  It may be possible to handle this case outside of a lookup
> change with wildcarded DNS records, but I know it's something that's come
> up in discussions with some of those TLD owners.
>
> I'd suggest that if we're going to make a modification to the lookup
> algorithm that we consider each of these scenarios, and ensure there's
> consensus on how they should each be addressed.
>
> To your specific question, I think it's desirable to address these cases
> and it's worth discussing how the lookup algorithm can be modified to do so.
>

My opinion is that we should strive for simplicity and attempt to craft a
proposal which would handle both scenarios 1 & 2 in a single mechanism. It
would be even better if we can solve for case #3 with the same solution :-)

--Kurt
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
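
The scenarios discussed in this thread, shown as an added example that is not part of the original messages and does not implement any proposal made on the list: it lists every public suffix contained in a name and the `_dmarc` names a registry-level policy could live at. The suffix set is a constructed sample with exact-match rules only (an assumption; the real list also has wildcard and exception rules), and all function names are hypothetical.

```python
# Constructed sample of public-suffix rules, exact-match only (assumption:
# wildcard and exception rules of the real list are ignored here).
SAMPLE_SUFFIXES = {
    "uk", "gov.uk",                          # scenario 1: two suffixes
    "us", "ca.us", "k12.ca.us",              # scenario 2: three suffixes
    "example", "hosting.customer.example",   # public block below a private domain
}


def ancestors(domain):
    """Yield the name and each parent, longest first: a.b.c -> a.b.c, b.c, c."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def public_suffixes_in(domain, suffixes=SAMPLE_SUFFIXES):
    """Every ancestor of `domain` that is itself a public suffix, longest first."""
    return [name for name in ancestors(domain) if name in suffixes]


def organizational_domain(domain, suffixes=SAMPLE_SUFFIXES):
    """Longest matching suffix plus one label; None if the name is itself a
    suffix or matches no rule in the sample set."""
    labels = domain.lower().rstrip(".").split(".")
    found = public_suffixes_in(domain, suffixes)
    if not found:
        return None
    depth = len(found[0].split("."))
    if len(labels) <= depth:
        return None
    return ".".join(labels[-(depth + 1):])


def suffix_policy_names(domain, suffixes=SAMPLE_SUFFIXES):
    """Hypothetical: the _dmarc names at each contained public suffix, i.e. the
    places a registry-level record could be published. More than one entry
    means the lookup must decide which registry is the controlling authority."""
    return ["_dmarc." + s for s in public_suffixes_in(domain, suffixes)]


if __name__ == "__main__":
    for name in ("abc.gov.uk", "school.k12.ca.us",
                 "mail.site.hosting.customer.example"):
        print(name, organizational_domain(name), suffix_policy_names(name))
```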