On Sat, Jan 22, 2022 at 6:52 AM Alessandro Vesely <[email protected]> wrote:
<SNIP>
> No, the concept of Organizational Domain is foundational to DMARC. We cannot
> overthrow it to spare an extra lookup. When we talked about tree walk we knew
> that additional lookups might well have come out.
>
> To specify that a.b.example.com and c.example.com are not aligned is wrong.

While this may be your personal opinion, it is not a fact. I have previously pointed out that there are organizations that lease/rent or otherwise provide subdomains as part of their commercial offerings. Your assertion is akin to claiming that tenants in an apartment building are family relatives simply because they have the same landlord.

We can identify a relationship between a.b.example.com and example.com. We can also identify a relationship between c.example.com and example.com. In both of these cases someone with control over example.com created the DNS records that brought the subdomains into existence. We cannot identify a meaningful relationship between a.b.example.com and c.example.com because we have no way of knowing whether such a relationship exists or if they are independent actors.

If we were to accept your argument in favor of this approach it opens up a very large attack surface. Attacker finds sites (think blog hosting websites for example) where multiple independent parties use subdomains. This would be a great approach for targeted attacks against NGOs, Journalists, etc.

Michael Hammer
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
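The sibling-subdomain case the two posters disagree about, as an added illustration that is not part of the thread or of any DMARC specification: relaxed alignment by shared organizational domain treats a.b.example.com and c.example.com as aligned, while a rule that only accepts a domain and its own ancestors (constructed here to express the distinction Michael Hammer draws) does not. The organizational-domain table and the domain names are constructed stand-ins for a real PSL or DNS tree walk.

```python
# Added example, not code from the DMARC thread or any RFC.
# Constructed table standing in for the PSL / tree-walk result: each domain
# maps to the organizational domain that would be found for it.
ORG_DOMAIN = {
    "example.com": "example.com",
    "b.example.com": "example.com",
    "a.b.example.com": "example.com",
    "c.example.com": "example.com",
}


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are label-wise exact."""
    return domain.lower().rstrip(".")


def org_domain(domain: str):
    """Walk up the labels until a domain with a known organizational domain is hit."""
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ORG_DOMAIN:
            return ORG_DOMAIN[candidate]
    return None  # unknown: cannot claim any relationship


def is_ancestor_or_equal(parent: str, child: str) -> bool:
    """True when `child` is `parent` itself or lies somewhere below it."""
    parent, child = normalize(parent), normalize(child)
    return child == parent or child.endswith("." + parent)


def aligned_relaxed(from_domain: str, auth_domain: str) -> bool:
    """RFC 7489 relaxed alignment: aligned if both share an organizational domain."""
    org = org_domain(from_domain)
    return org is not None and org == org_domain(auth_domain)


def aligned_ancestor_only(from_domain: str, auth_domain: str) -> bool:
    """Constructed stricter rule: one domain must equal or be an ancestor of the
    other. Siblings under the same organizational domain are NOT aligned."""
    return (is_ancestor_or_equal(auth_domain, from_domain)
            or is_ancestor_or_equal(from_domain, auth_domain))


def compare(from_domain: str, auth_domain: str) -> dict:
    """Evaluate both rules for one RFC5322.From / authenticated-identifier pair."""
    return {
        "relaxed_orgdomain": aligned_relaxed(from_domain, auth_domain),
        "ancestor_only": aligned_ancestor_only(from_domain, auth_domain),
    }
```

Running `compare("a.b.example.com", "c.example.com")` shows the split the thread argues over: the organizational-domain rule says aligned, the ancestor-only rule does not, while both rules accept either subdomain against example.com itself.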
