Greetings. When dmarcbis-04 was published, there was discussion on the list that the text specific to tree walk and organizational domain was wildly off the mark.

Based on that discussion, I made another stab at the text and released it in dmarcbis-05, which has engendered further comment that the text isn't right. So let's work on it.

In this message, I'll show the current text for section 4.5 <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-05.html#name-dns-tree-walk>, currently titled "DNS Tree Walk". I'll post a separate message for the reverse tree walk, which will focus on section 4.6 <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-05.html#name-determining-the-organizatio>, which is currently titled "Determining the Organizational Domain".

My goal here is to have something to put in one or more new revs prior to IETF 113 so that there can perhaps be further discussion of the topics during that meeting.

Thank you. Current text of section 4.5 follows.

------------------------------------------- cut here ----------------------------------------------

4.5. DNS Tree Walk

While the DMARC protocol defines a method for communicating information through the publishing of records in DNS, it is not necessarily true that a DMARC policy record for a given domain will be found in DNS at the same level as the name label for the domain in question. Instead, some domains will inherit their DNS policy records from parent domains one level or more above them in the DNS hierarchy, and these records can only be discovered through a technique described here, one known colloquially as a "DNS Tree Walk".

The process for a DNS Tree Walk will always start at the point in the DNS hierarchy that matches the domain in the RFC5322.From header of the message, and will always end no later than the Public Suffix Domain that terminates the RFC5322.From domain.
To prevent possible abuse of the DNS, a shortcut is built into the process so that RFC5322.From domains that have more than five labels do not result in more than five DNS queries.

The generic steps for a DNS Tree Walk are as follows:

1. Query the DNS for a DMARC TXT record at the DNS domain matching the one found in the RFC5322.From domain in the message. A possibly empty set of records is returned.

2. Records that do not start with a "v=" tag that identifies the current version of DMARC are discarded.

3. If the set is now empty, or the set contains one valid DMARC record that does not contain the information sought, then determine the target for additional queries, using steps 4 through 8 below.

4. Break the subject DNS domain name into a set of "n" ordered labels. Number these labels from right to left; e.g., for "a.mail.example.com", "com" would be label 1, "example" would be label 2, "mail.example.com" would be label 3, and so forth.

5. Count the number of labels found in the subject DNS domain. Let that number be "x". If x < 5, remove the left-most (highest-numbered) label from the subject domain. If x >= 5, remove the left-most (highest-numbered) labels from the subject domain until 4 labels remain. The resulting DNS domain name is the new target for subsequent lookups.

6. Query the DNS for a DMARC TXT record at the DNS domain matching this new target in place of the RFC5322.From domain in the message. A possibly empty set of records is returned.

7. Records that do not start with a "v=" tag that identifies the current version of DMARC are discarded.

8. If the set is now empty, or the set contains one valid DMARC record that does not contain the information sought, then determine the target for additional queries by removing a single label from the target domain as described in step 5 and repeating steps 6 and 7 until there are no more labels remaining or a valid DMARC record containing the information sought has been retrieved.

For determining the Organizational Domain used for determining relaxed alignment, the same process is followed, except in the reverse order. See Section 4.6 <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-05.html#determining-the-organizational-domain> for further details.
To illustrate, for a message with the arbitrary RFC5322.From domain of "a.b.c.d.e.mail.example.com", a full DNS Tree Walk would require the following five queries, in order to locate the policy domain:

- _dmarc.a.b.c.d.e.mail.example.com
- _dmarc.e.mail.example.com
- _dmarc.mail.example.com
- _dmarc.example.com
- _dmarc.com

------------------------------------------- cut here ----------------------------------------------

--
Todd Herr | Technical Director, Standards and Ecosystem
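As an added worked example (not part of the draft text or of this message), the following Python reproduces the query ordering of steps 4, 5 and 8 and the record filtering of steps 2 and 7 against a constructed in-memory zone instead of live DNS, so the five-query cap can be checked for any RFC5322.From domain. The zone contents (CONSTRUCTED_ZONE), the `wanted` tag parameter, and the handling of a name with more than one valid record are assumptions of this example.

```python
DMARC_VERSION_TAG = "v=DMARC1"

# Constructed stand-in for DNS: name -> list of TXT strings. Only these two
# names hold records; every other name resolves to an empty set.
CONSTRUCTED_ZONE = {
    "_dmarc.mail.example.com": [
        "v=DMARC1; rua=mailto:[email protected]",  # valid DMARC, but no p= tag
        "google-site-verification=abc123",          # not DMARC: dropped by step 2/7
    ],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:[email protected]"],
}


def tree_walk_targets(from_domain):
    """Names to query, in order, following steps 1, 4, 5 and 8 of the draft text."""
    labels = from_domain.lower().strip(".").split(".")
    targets = [".".join(labels)]
    # Step 5: five or more labels jump straight to the four right-most labels,
    # so no RFC5322.From domain costs more than five queries in total.
    labels = labels[-4:] if len(labels) >= 5 else labels[1:]
    # Step 8: keep dropping the left-most label until none remain.
    while labels:
        targets.append(".".join(labels))
        labels = labels[1:]
    return ["_dmarc." + t for t in targets]


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def valid_dmarc_records(txt_records):
    """Steps 2 and 7: keep only records that start with the DMARC version tag."""
    return [r for r in txt_records if r.strip().lower().startswith(DMARC_VERSION_TAG.lower())]


def tree_walk(from_domain, zone, wanted="p"):
    """Return (name, tags, queries_made) for the first valid record carrying `wanted`.

    name and tags are None when the walk is exhausted. Assumption: a name with
    more than one valid record is treated as unusable and the walk continues.
    """
    queries = []
    for name in tree_walk_targets(from_domain):
        queries.append(name)
        records = valid_dmarc_records(zone.get(name, []))
        if len(records) == 1 and wanted in parse_tags(records[0]):
            return name, parse_tags(records[0]), queries
    return None, None, queries
```

Running `tree_walk("a.b.c.d.e.mail.example.com", CONSTRUCTED_ZONE)` issues four of the five queries listed above and stops at `_dmarc.example.com`, because the record at `_dmarc.mail.example.com` is valid but lacks the `p=` tag being sought.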
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
