On November 3, 2021 9:58:34 AM UTC, Alessandro Vesely <[email protected]> wrote:
>On Wed 03/Nov/2021 04:04:38 +0100 Scott Kitterman wrote:
>> On November 3, 2021 2:09:04 AM UTC, John Levine <[email protected]> wrote:
>>>It appears that Scott Kitterman <[email protected]> said:
>>>
>>>> 4. Common parent domain not marked PSD. We could add a new tag to the DMARC
>>>> records for PSDs to indicate it's a PSD, so its record shouldn't be used for
>>>> alignment. Getting this added to the literal handful of PSD records that
>>>> exist and specifying it should be used going forward is doable. To implement
>>>> this approach should produce identical (modulo PSL errors and omissions)
>>>> results to the RFC 7489 approach. It seems like we've decided to trust that
>>>> ICANN and ccTLD operators will effectively manage publication of PSL records
>>>> for policy discovery, so this leverages that trust to simplify alignment while
>>>> maintaining backward compatibility.
>>>
>>> This is a much better worked out version of my DNS tree climbing proposal.
>>> I like it too.
>>>
>>> PS: Just out of nosiness, what PSD records exist now?
>>
>> Thanks. As far as I know, .gov, .mil, .gov.uk, and .police.uk.
>
>
>Hm... but PSDs don't seem to gain any extras by letting receivers know they're
>a PSD, do they?
snip
Recall from the policy discovery discussion that PSDs are regulated by ICANN or
their ccTLD operators. They aren't free to publish whatever and whenever they
want. Trusting them to manage which PSDs should publish records also implies
that the records are appropriate. As an example, RFC 9091 suggests aggregate
reports are okay at the PSD level, but failure reports are not. This would be
another thing we'd have to document in security considerations to help them get
it right.
Scott K
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
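
An added example, not part of the original thread or of any DMARC specification: a sketch of the "common parent domain not marked PSD" alignment check from the quoted proposal, including what happens when a PSD publishes a record without the marker. The tag name `psd=y`, the function names, the sample records and the reading that the common parent must itself publish a DMARC record are all assumptions; the thread only says "a new tag".

```python
# Constructed sample of published _dmarc TXT records, keyed by domain.
# "psd=y" is an assumed name for the proposed marker tag.
RECORDS = {
    "gov.uk": "v=DMARC1; p=reject; psd=y",
    "example.gov.uk": "v=DMARC1; p=quarantine",
    "other.gov.uk": "v=DMARC1; p=none",
}


def parse_tags(record):
    """Split a DMARC record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def is_psd(record):
    """True when the record carries the (assumed) PSD marker tag."""
    return parse_tags(record).get("psd", "").lower() == "y"


def parents(domain):
    """The domain itself and every parent, longest name first."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def alignment_anchor(from_domain, auth_domain, records):
    """Closest common parent with a DMARC record not marked PSD, else None."""
    shared = set(parents(auth_domain))
    for name in parents(from_domain):
        record = records.get(name)
        if name in shared and record and not is_psd(record):
            return name
    return None


if __name__ == "__main__":
    print(alignment_anchor("mail.example.gov.uk", "example.gov.uk", RECORDS))
    print(alignment_anchor("example.gov.uk", "other.gov.uk", RECORDS))
    # Failure mode: the PSD publishes a record but omits the marker.
    unmarked = {**RECORDS, "gov.uk": "v=DMARC1; p=reject"}
    print(alignment_anchor("example.gov.uk", "other.gov.uk", unmarked))
```

The third call returns `gov.uk`, so two unrelated registrants under the same PSD would be treated as aligned whenever the PSD record lacks the marker.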