On Sat, Jul 30, 2022 at 4:29 AM Alessandro Vesely <[email protected]> wrote:

> On Fri 29/Jul/2022 19:44:28 +0200 John Levine wrote:
> > It appears that Alessandro Vesely  <[email protected]> said:
> >>      In general, it is not possible to determine DNS zone cuts by querying
> >>      various subdomains.  However, DMARC users define DMARC records at their
> >>      Organizational Domain, so it is possible to discover them based on that.
> >
> > Sorry, but this is just wrong.  DMARC and the tree walk have nothing, and I emphasize
> > nothing, to do with zone cuts.
>
>
> I thought a zone cut marked the boundary where an organization
> delegates control to another one.  In many cases, that would be the
> org domain, no?
>

Assume you have this zone file for "example.com":

example.com.  IN NS ...
    IN NS ...
_dmarc.marketing IN TXT ...
product.marketing IN TXT [SPF record here]

Now I send mail using the domain "product.marketing.example.com."  It has
an SPF record, but no DMARC record.  If we do the tree walk up one to
"marketing.example.com" and then prepend "_dmarc", we find a record.  But
note that there are no NS records here, and hence no zone cut.  There is,
however, a zone cut at "example.com" itself (naturally, since that's where
the registration occurs).

So this is an example of a DMARC record not coincident with a zone cut,
plus a zone cut with no coincident DMARC record.  There is, therefore, no
guaranteed relationship.

You could make the argument that you "usually" find DMARC records at zone
cuts, but that's relying on convention or happenstance rather than a
standards-quality framework.

-MSK
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
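
The zone from the message above, modelled in memory and checked both ways, as an added example that is not part of the original thread: a simplified upward walk looks for a TXT record at `_dmarc.<name>`, and a separate pass lists the names that own NS records. The record contents, nameserver names and function names are constructed for illustration, since the message elides them.

```python
# Constructed stand-in for the example.com zone in the message. Record
# contents are placeholders; the message shows them only as "...".
ZONE = {
    ("example.com", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("_dmarc.marketing.example.com", "TXT"): ["v=DMARC1; p=none"],
    ("product.marketing.example.com", "TXT"): ["v=spf1 -all"],
}

def lookup(name, rtype):
    """Offline replacement for a DNS query against the sample zone."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

def ancestors(domain):
    """The domain itself, then each parent, stopping before the bare TLD."""
    labels = domain.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def dmarc_walk(domain):
    """Simplified upward walk: first name with a DMARC TXT at _dmarc.<name>."""
    for name in ancestors(domain):
        records = lookup("_dmarc." + name, "TXT")
        if any(txt.startswith("v=DMARC1") for txt in records):
            return name
    return None

def zone_cuts(domain):
    """Names on the path that own NS records (what the message calls a cut)."""
    return [name for name in ancestors(domain) if lookup(name, "NS")]

def compare(domain):
    """Report where the walk found a policy and whether a cut sits there."""
    found = dmarc_walk(domain)
    cuts = zone_cuts(domain)
    return {"dmarc_found_at": found, "zone_cuts": cuts,
            "coincide": found in cuts}

if __name__ == "__main__":
    print(compare("product.marketing.example.com"))
```
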
