> while _dmarc.gov.uk returns a valid record. The
> latter is a Nominet, already solved problem, AFAICS.

I can speak authoritatively about this. What we’ve got is an evil, hacky kludge
that has some weird side effects (since we respond to *any* non-existent
subdomain, not just DMARC and SPF related ones). It’s just about passable as an
interim, but we believe we need a better, targeted solution along the lines of
Scott’s draft.

Ta.

I.

—
Dr Ian Levy
Technical Director
National Cyber Security Centre
[email protected]
________________________________
From: dmarc <[email protected]> on behalf of Alessandro Vesely 
<[email protected]>
Sent: Monday, November 11, 2019 5:50:30 PM
To: [email protected] <[email protected]>
Subject: Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd

On Mon 11/Nov/2019 16:46:17 +0100 Kurt Andersen (b) wrote:
>
> I don't think that it is fair to say that anyone who refers to the org domain
> concept as cited in the DMARC spec is necessarily invoking the PSL.


Agreed.  The PSL just happens to be the only valid tool to do that.

For various reasons, large organizations administer many apparently unrelated
domains.  For example, _dmarc.youtube.com has a rua mailto ending in
@google.com.  We cannot infer an OD from that, but I think the concept is clear.


> I do have a problem with the conflation of the org domain with a
> super-organizational "realm" (?) that may impose conditions upon organizations
> that fall within their jurisdictional purview. My main concerns are with the
> potential usurpation of the org domain's policy declaration rights. "Moving"
> the org domain up one level disenfranchises the organizations and that is the
> wrong thing to do IMO.


The I-D definitions are clear enough.  Section 2.5, in particular, prevents the
conflation neatly.


> As to the proposed "let's run this as an experiment pending DMARCbis", I don't
> see how that satisfies Dave's concern about creating new work for receivers in
> order to help a small set of domain (realm) owners. I'm not opposed to it, but
> I just don't see how this solves the issue.


Isn't that an ICANN problem?  For the time being, dig _dmarc.bank txt returns
an empty NOERROR response, while _dmarc.gov.uk returns a valid record.  The
latter is a Nominet, already solved problem, AFAICS.


Best
Ale
--

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
This information is exempt under the Freedom of Information Act 2000 (FOIA) and 
may be exempt under other UK information legislation. Refer any FOIA queries to 
[email protected]. All material is UK Crown Copyright ©