On Sat 16/Mar/2024 20:13:01 +0100 Scott Kitterman wrote:
On Wednesday, March 6, 2024 6:04:01 AM EDT Alessandro Vesely wrote:
On 05/03/2024 21:47, Scott Kitterman wrote:
On March 5, 2024 8:10:46 PM UTC, Todd Herr <[email protected]> wrote:
On Tue, Mar 5, 2024 at 1:30 PM Scott Kitterman <[email protected]> wrote:
On March 5, 2024 2:47:47 PM UTC, Todd Herr <[email protected]> wrote:
On Tue, Mar 5, 2024 at 6:12 AM Alessandro Vesely <[email protected]> wrote:
Section 5.3, in the format description of psd:
        n:  The DMARC policy record is published for a PSD, but it is the
           Organizational Domain for itself and its subdomain.  There is
           no need to put psd=n in a DMARC record, except in the very
           unusual case of a parent PSD publishing a DMARC record
           without the requisite psd=y tag.

Perhaps a "not" is missing between "is" and "published"?  I'd
just say the domain is not a PSD /and/ it is the
Organizational Domain for itself and its subdomain.

You may be correct in your assertion here; I'll wait for others to
weigh in.

In the meantime, Issue 126 has been opened to track this.

I think it's missing a not, but is otherwise fine.

John Levine commented directly on issue 126
<https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/126>,
indicating that he believes the text should read (emphasis added by me):
       n:  The DMARC policy record is published for a PSD, but it is NOT the
          Organizational Domain for itself and its subdomain.  There is
          no need to put psd=n in a DMARC record, except in the very
          unusual case of a parent PSD publishing a DMARC record without
          the requisite psd=y tag.

I think this is the correct place to put the 'not', as it's consistent
with the second sentence here, as well as this text from the following sections:
I thought psd=n means the domain is not a PSD.  Why would the text say
the opposite?

4.8 Organizational Domain Discovery - "If a valid DMARC record contains the
psd= tag set to 'n' (psd=n), this is the Organizational Domain, and the
selection process is complete."

This says psd=n means the domain IS the org domain.

11.8 Determination of Organizational Domain for Relaxed Alignment -  "If a
PSD domain publishes a DMARC record without the appropriate psd=y tag,
organizational domain owners can add psd=n to their organizational domain's
DMARC record so that the PSD record will not be incorrectly evaluated to be
the organizational domain."

Ditto.

Besides, to say that a record is "published for" may sound as indicating
who are the target readers of such publication.  Holding that a domain
owner publishes psd=n in the hope that its PSO will read it and
consequently amend its own record is not a valid interpretation of the
text proposed above...

Shouldn't it be thus:

       n:  The domain is NOT a PSD, it is the Organizational Domain for
          itself and its subdomain.  There is no need to put psd=n in a
          DMARC record, except in the very unusual case of a parent PSD
          publishing a DMARC record without the requisite psd=y tag.

Best
Ale

Yes.  I've reviewed the change in the rev 31 draft in Git and the not was
added in the wrong place.

Please update rev 31 and then close the issue again.


Rev. 31 says:

      n:  The DMARC policy record is published for a domain that is not
         a PSD, but it is the Organizational Domain for itself and its
         subdomains.

That looks correct to me.  Should 126 be closed now?

It doesn't any more say that there is no need to publish psd=n except in an unusual case where the parent PSD is missing a psd=y. Indeed, even with psd=y correctly published, it is not clear which is the org domain, unless the domain immediately below the PSD has a DMARC record. If, instead, the longest domain with a record is _two_ labels below the PSD, then the org domain depends on whether the PSD publishes a record or not. To wit: three different domains would result in the three cases:

    1)  No record at PSD,
    2)  a record at PSD, having psd=y, and
    3)  a record at PSD, missing psd=y.

If we want (1) and (2) to result in the same org domain, we need to revise the definition.

That seems to be a different issue than 126, though.


Best
Ale
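
The three cases listed in the message above, worked through as an added example (not part of the thread, and not code from the draft or its authors). It assumes the tree-walk selection rules summarised in its comments, of which only the psd=n rule is quoted in this thread; `psd.example` and the other names are constructed. A fourth case adds psd=n one label below the PSD.

```python
# Added illustration; not code from the draft or from any list participant.
# Assumed selection rules (only the psd=n rule is quoted in the thread):
#   1. a record with psd=n marks the Organizational Domain;
#   2. a psd=y record, not at the starting domain, puts it one label below;
#   3. otherwise the record with the fewest labels wins.
# DNS is replaced by a dict keyed by domain (real records sit at _dmarc.<domain>).

def parse_tags(record):
    """Split a DMARC record into a lower-cased {tag: value} dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def org_domain(start, zone):
    """Walk from start towards the root and return the Organizational Domain."""
    labels = start.lower().rstrip(".").split(".")
    found = []                                   # (domain, tags), longest first
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        tags = parse_tags(zone.get(name, ""))
        if tags.get("v") == "dmarc1":
            found.append((name, tags))
    for name, tags in found:                     # rule 1
        if tags.get("psd") == "n":
            return name
    for name, tags in found:                     # rule 2
        if tags.get("psd") == "y" and name != ".".join(labels):
            depth = len(name.split("."))
            return ".".join(labels[-(depth + 1):])
    if found:                                    # rule 3
        return min(found, key=lambda f: len(f[0].split(".")))[0]
    return None

# Constructed data: "psd.example" plays the PSD; the longest domain with a
# record, mail.corp.psd.example, is two labels below it.
LEAF = {"mail.corp.psd.example": "v=DMARC1; p=reject"}
NO_TAG = {**LEAF, "psd.example": "v=DMARC1; p=none"}
CASES = {
    "1) no record at PSD": LEAF,
    "2) record at PSD, having psd=y": {**LEAF, "psd.example": "v=DMARC1; p=none; psd=y"},
    "3) record at PSD, missing psd=y": NO_TAG,
    "3) plus psd=n at corp.psd.example": {**NO_TAG, "corp.psd.example": "v=DMARC1; p=none; psd=n"},
}

def run_cases(start="mail.corp.psd.example"):
    return {label: org_domain(start, zone) for label, zone in CASES.items()}

if __name__ == "__main__":
    for label, result in run_cases().items():
        print(f"{label:36} -> {result}")
```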