> > > DMARC for PSD is based on the rule that the PSD is one segment above the organization domain, and the organization domain is assumed to be known with confidence from the PSL.

> When we switch directions, we cannot as easily assume that the organization domain is one segment below PSD=Y. For this to be true, PSDs MUST populate their DMARC records from the lowest-level leaf nodes up. For example, if "c.b.a" is a PSD, and "z.b.a" is an organization, then "c.b.a" must be flagged before "b.a" is flagged. If "b.a" is flagged first, then "c.b.a" will be treated as an organization domain, incorrectly, because "c.b.a" is below the flagged "b.a" record. The requirement to work bottom-up is contrary to the way that I expect people to address a problem like this. In some cases tagging all of the leaf nodes may be especially problematic, such as when the PSL record says that "*.something" is a PSD, except for "www.something".

If we provide an org=y flag as Ale suggests, the problem can be mitigated if organizations choose to document the top of their alignment structure using the org flag. But this mitigation cannot help the situation where the PSD policy is being applied because an organization does not have a policy of its own.

An overarching problem is that the PSD structure is not latent in the current DNS, waiting for us to draw it out. We have to make assumptions that the DNS will contain data that can support our objectives, and that organizations will choose to migrate their configuration to match our assumptions. For example, we want to assume that every DMARC-using domain will have an existing policy record at the organization level. This is probably typical, but it is certainly not required by the design of RFC 7489. Overall, I doubt that we can replace the PSL without moving to DMARCv2, and I don't think we have a standards-worthy document unless the PSL is replaced.

Doug (aka gloomy Eeyore today)
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
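The flag-ordering problem described in the message above, as an added illustration that is not part of the original post or of any DMARC implementation. The tree walk below is a simplified model of the rule the thread discusses (a psd=y record makes the name one label below it the organizational domain; an org=y record marks that name itself), not the algorithm of RFC 7489 or any draft. The zones, the "b.a" / "c.b.a" / "z.b.a" names and the PSL stand-in are all constructed for the example; DNS is a dict, so nothing is resolved on the network. The `misclassified_psds` audit helper is also an assumption of this example: it probes a constructed host under each PSL suffix and reports suffixes the walk would mistake for organizational domains, which is exactly the "b.a flagged before c.b.a" case.

```python
"""Toy DMARC tree walk illustrating the psd=y flag-ordering problem.

Constructed example, not code from the thread or any DMARC implementation.
Assumptions (simplified from the discussion, not an RFC algorithm):
  * a _dmarc record with psd=y marks that name as a public suffix, and the
    name one label below it on the walk is taken as the organizational domain;
  * a record with org=y marks that name itself as the organizational domain;
  * DNS is simulated by a dict, so nothing is looked up on the network.
"""

# Constructed zones: name -> DMARC tags. "b.a" and "c.b.a" are both public
# suffixes in this scenario; "z.b.a" is an organization under "b.a".
ZONE_TOP_DOWN = {                # only the upper PSD has been flagged
    "b.a": {"v": "DMARC1", "p": "reject", "psd": "y"},
}
ZONE_BOTTOM_UP = {               # the leaf PSD was flagged too
    "b.a": {"v": "DMARC1", "p": "reject", "psd": "y"},
    "c.b.a": {"v": "DMARC1", "p": "reject", "psd": "y"},
}
ZONE_WITH_ORG_FLAG = {           # org=y mitigation published by z.b.a
    "b.a": {"v": "DMARC1", "p": "reject", "psd": "y"},
    "z.b.a": {"v": "DMARC1", "p": "none", "org": "y"},
}

# Constructed stand-in for the PSL entries relevant to the scenario.
PSL_ENTRIES = ["b.a", "c.b.a"]


def walk_path(domain):
    """Names visited by a walk from domain up to the top-level label."""
    labels = domain.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def tree_walk_org_domain(zone, domain):
    """Return (organizational_domain, how_decided) for domain.

    Walks upward one label at a time and stops at the first flagged record.
    Returns (None, reason) when domain is itself a PSD or nothing is flagged,
    which is where a real evaluator would still need the PSL.
    """
    path = walk_path(domain)
    for i, name in enumerate(path):
        rec = zone.get(name)
        if rec is None:
            continue
        if rec.get("org") == "y":
            return name, "org=y at " + name
        if rec.get("psd") == "y":
            if i == 0:
                return None, domain + " is itself a PSD"
            return path[i - 1], "one label below psd=y at " + name
    return None, "no psd=y or org=y record found"


def misclassified_psds(zone, psl_entries):
    """Audit helper (hypothetical): PSL suffixes the walk would call an org domain.

    For each suffix, probe a constructed host directly beneath it; if the walk
    reports the suffix itself as the organizational domain, that suffix lacks
    its own psd=y record and an ancestor's flag is swallowing it.
    """
    return [s for s in psl_entries
            if tree_walk_org_domain(zone, "probe." + s)[0] == s]


if __name__ == "__main__":
    for label, zone in [("top-down", ZONE_TOP_DOWN),
                        ("bottom-up", ZONE_BOTTOM_UP),
                        ("org=y", ZONE_WITH_ORG_FLAG)]:
        print(label, "host.x.c.b.a ->", tree_walk_org_domain(zone, "host.x.c.b.a"))
        print(label, "mail.z.b.a   ->", tree_walk_org_domain(zone, "mail.z.b.a"))
        print(label, "misclassified PSDs:", misclassified_psds(zone, PSL_ENTRIES))
```

Run as a script: with only "b.a" flagged, a walk from "host.x.c.b.a" stops at "b.a" and reports the public suffix "c.b.a" as the organizational domain; once "c.b.a" carries its own psd=y record the same walk reports "x.c.b.a". The org=y zone shows the limit of that mitigation: "mail.z.b.a" resolves correctly because "z.b.a" published org=y, but a domain under the unflagged "c.b.a" with no policy of its own is still misclassified.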
