On Wed, Jul 17, 2019 at 7:35 PM Scott Kitterman <skl...@kitterman.com>
wrote:

> > On July 17, 2019 8:14:54 PM UTC, "Kurt Andersen (b)" <kb...@drkurt.com> wrote:
> > >Firstly, I'm a little concerned with the sentence which says 'Note that
> > >"np" will be ignored for DMARC records published on subdomains of
> > >Organizational Domains and PSDs due to the effect of the DMARC policy
> > >discovery mechanism described in DMARC [RFC7489] Section 6.6.3.' I don't
> > >think that is an accurate portrayal. When DMARC evaluation libraries are
> > >updated to do both PSD lookups and handle the np tag, I would expect the
> > >presence of np tags below the PSD level would be processed exactly the way
> > >that any other tag in a DMARC record is processed. np will only be ignored
> > >(per the terms of the DMARC spec) when it is an "unrecognized" tag. I
> > >realized that this text is sort of picked up from the current description
> > >of "sp", but the inclusion of "and PSDs" makes it inaccurate. You can't
> > >publish an np record on a non-existent Org domain or any subdomain thereof
>
> At first, I thought Kurt was right, but after further thought, I don't
> think so.
>
> To review the 'sp' definition that I took this from:
>
> Imagine sub.sub.example.com where example.com is the org domain.  If
> sub.sub.example.com has no DMARC record, then the next lookup is for a
> DMARC record at the org domain (example.com).  If sub.example.com has a
> DMARC record with an 'sp' tag, it's never retrieved.
>
> The same thing would apply to 'np' when used in a non-PSD context.  No
> different.
>
> Keeping in mind that our definition of non-existent is a domain that has
> none of A, AAAA, or MX.  It could have other types.  It could also have
> subdomains called "_dmarc" that have TXT records.  Non-existent domains
> (in our context) can have DMARC records, so I think the description is
> correct, but narrowly focused.
>

Most MTAs will also follow CNAMEs. Should they be included (along with
other things like DNAME records) within the scope of existence? I'm a
little concerned that we are making a special definition of "non-existence"
which differs from the standard DNS concepts of NODATA and NXDOMAIN without
having a correspondingly special name.


> Modifying the example I used above slightly:
>
> Imagine sub2.sub1.org.example where example has a PSD DMARC record with
> 'np', org.example has no DMARC record, sub1.org.example also has a DMARC
> record with 'np', and sub2.sub1.org.example has no DMARC record.  In this
> case, the policy lookup is for sub2.sub1.org.example (exact domain),
> org.example (org domain), and then example (PSD).  Just as with 'sp' and
> regular DMARC, 'np' (or 'sp') in non-org subdomains of PSDs doesn't get
> discovered.
>

I was considering the case of a domain such as
subX.sub1.org.pub2.pub1.example:
* subX (and sub1) domains would only have direct lookup DMARC records
applied if they exist and would fall back to org
* org would be direct unless it doesn't have a record, in which case it
falls back to LPD (pub2's record)
* pub2, pub1, and example would only have direct lookups since they are
already above the PSL line <-- this is where my concern with the "and PSDs"
phrase resides

I'm not sure how well this maps to what we describe. I'm also concerned
that a wildcard null MX record at the org level would end up having all
subdomains "exist", but the policy that should be applied would be the more
restrictive "np" policy, not the (possibly) more permissive "sp" policy.

--Kurt
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
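As an added example that is not part of this thread, the Python below simulates the discovery walk Scott describes (exact domain, then Organizational Domain, then PSD) over a constructed DNS table built from his sub2.sub1.org.example case. The record set, the single-entry PSD list and the "exists means at least one A, AAAA or MX" test are all assumptions taken from the messages above, not real DNS data.

```python
from typing import Optional

# Constructed _dmarc TXT records keyed by publishing domain. Mirrors Scott's
# example: the PSD "example" and sub1.org.example carry 'np'; the rest publish
# nothing. ADDRESS_RECORDS is the "exists" test (any A, AAAA or MX present).
DMARC_RECORDS = {
    "example": "v=DMARC1; p=reject; np=reject",
    "sub1.org.example": "v=DMARC1; p=none; np=reject",
}
ADDRESS_RECORDS = {"org.example": ["A"], "sub1.org.example": ["MX"]}
PSDS = {"example"}  # assumed: the only public suffix in this toy table

def org_domain(domain: str) -> str:
    """Organizational Domain: one label below the longest PSD suffix."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PSDS:
            return ".".join(labels[max(i - 1, 0):])
    return domain

def discover(domain: str) -> Optional[tuple]:
    """Walk exact domain -> org domain -> PSD; return (where, record) or None."""
    org = org_domain(domain)
    psd = org.split(".", 1)[1] if "." in org else org
    for candidate in (domain, org, psd):
        record = DMARC_RECORDS.get(candidate)
        if record:
            return candidate, record
    return None  # no policy at any of the three positions

def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict; unknown tags are kept, not rejected."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def effective_policy(domain: str) -> Optional[str]:
    """Policy applied to mail claiming to come from `domain`."""
    found = discover(domain)
    if found is None:
        return None
    where, tags = found[0], parse_tags(found[1])
    if where == domain:  # published at the exact domain: 'p' applies
        return tags.get("p")
    # Inherited record: 'np' for non-existent subdomains, else 'sp', else 'p'.
    if "np" in tags and not ADDRESS_RECORDS.get(domain):
        return tags["np"]
    return tags.get("sp", tags.get("p"))
```

Running `discover("sub2.sub1.org.example")` lands on the PSD record at "example"; the 'np' record published at sub1.org.example is never consulted, which is the "never retrieved" behaviour Scott describes.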