I fully support replacing the PSL with organization boundary information provided by domain owners and registrars, as that data becomes available. We have good theoretical reason to conclude that domain owners and registrars have the best knowledge about boundaries, and appropriate incentives to report it correctly. This appeared to be the original proposal, but we have diverged from that starting point.
The mechanisms for communicating boundary information are what we are developing, so the current DNS does not contain any such information. Missing data means that the replacement of the PSL with DNS information could take a long time, which is undesirable. The current discussion attempts to circumvent that long rollout with a shortcut. It replaces the PSL immediately, using a heuristic and a small amount of new information from registrars. By itself, the heuristic creates a known vulnerability – false PASS results caused by undetected organization consolidation. To work around the problem, the WG will ensure that key registrars publish essential boundary information prior to publication. Instead of replacing information with better information, we are replacing one type of expert opinion, the PSL, with a different type of expert opinion, a WG assertion that the DNS will contain sufficient new information to make the new heuristic reliable, as of publication date. My problem with this approach is that the published RFC needs to last 30 years or so. What mechanism will ensure that the DNS remains compatible with the heuristic for the 10,000 days after publication? The WG could spin up a volunteer committee to monitor the Internet and publish information evaluators need to assess risk, but that is not going to happen. We would be replicating most of the problems of the existing PSL, and we do not have a plan in place to make it happen. As an evaluator, I find a shortcut based on a heuristic to be unacceptable, because it is inherently unsustainable. When the publication-date assumption ceases to be valid, my recipients become vulnerable. We need to replace imperfect PSL information with more reliable information, provided by the domain owners and registrars, and provided using tokens that eliminate questions about whether critical data is still missing. My previous question about Evaluator motivation was a setup for this topic.
If a problem is perceived as acute, alternatives do not have to be optimal to be acceptable. But since the problem appears to be important but not urgent, we should proceed to a more reliable solution which is devoid of guesswork. To ensure that the transition does not last forever, we need to publish the new algorithm and the new tokens, insist that evaluators use the new tokens when they are available, and put a sunset date on the old algorithm. The sunset provision says that after a specific date, DMARC policies which lack DMARCbis tokens SHOULD be evaluated using strict alignment. Strict alignment is always safe.
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
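An added illustration, not from the post above or from the DMARC WG, of why relaxed alignment is only as reliable as the organizational-boundary data behind it while strict alignment needs none: the boundary sets, domain names and the sunset helper are constructed assumptions, and "boundary tokens" stands in for whatever DMARCbis markers the post has in mind.

```python
# Constructed: boundaries as the domain owner/registrar would publish them.
# The owner of example.com treats each tenant subdomain as its own organization.
TRUE_BOUNDARIES = {"example.com", "customer-a.example.com", "customer-b.example.com"}

# Constructed: a coarse PSL-style guess that only knows the top-level boundary.
COARSE_HEURISTIC = {"example.com"}


def org_domain(domain, boundaries):
    """Return the longest published boundary that is a suffix of `domain`, or None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # full name first, then shorter suffixes
        candidate = ".".join(labels[i:])
        if candidate in boundaries:
            return candidate
    return None


def aligned(header_from, auth_domain, mode, boundaries):
    """DMARC identifier alignment: strict requires an exact match; relaxed only
    requires the same organizational domain as derived from `boundaries`."""
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "strict":
        return hf == ad
    hf_org = org_domain(hf, boundaries)
    ad_org = org_domain(ad, boundaries)
    return hf_org is not None and hf_org == ad_org


def effective_mode(requested_mode, has_boundary_tokens, past_sunset):
    """The sunset rule from the post: after the sunset date, a policy without
    boundary tokens is evaluated with strict alignment regardless of request."""
    if past_sunset and not has_boundary_tokens:
        return "strict"
    return requested_mode


def false_pass_demo():
    """Constructed case: From: is under tenant A, but the authenticated (e.g. DKIM d=)
    domain belongs to tenant B. Returns (relaxed+coarse, relaxed+true, strict)."""
    hf = "mail.customer-a.example.com"
    d = "customer-b.example.com"
    return (
        aligned(hf, d, "relaxed", COARSE_HEURISTIC),  # True: the false PASS
        aligned(hf, d, "relaxed", TRUE_BOUNDARIES),   # False: boundary data fixes it
        aligned(hf, d, "strict", TRUE_BOUNDARIES),    # False: strict never needed it
    )
```

The first tuple element is the "undetected consolidation" failure: the coarse heuristic places both tenants in one organization, so a message signed by one tenant aligns with the other's From: domain.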
