On Mon 21/Oct/2024 17:51:00 +0200 Todd Herr wrote:
Issue is here -
https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/156
That's the DNS tree walk definition. What happens when the first identifier
looked up in step 2 has psd=y? The current text says to continue walking to
the next parent. However, what if the parent domain is in turn a PSD?
I report Daniel-t's comments on Github:
-----
Our scenario is a PSD, which is a child of a PSD. Our immediate parent doesn't
yet publish a DMARC policy, however hopefully will in the not too distant future,
though I can't guarantee that they will implement psd=y when they do. There
are about 250 PSDs in the publicsuffix.org list which will be in a similar
situation to ourselves.
If we (a PSD) publish psd=n, we'd override all of our sub-domains' DMARC
policies (all controlled by separate organisations) until they update their own
to include psd=n. This would be a nightmare scenario for us.
If we don't publish psd at all, we'll still override the sub-domain policies
(shortest number of tags) until they add psd=n. Again a bad outcome.
Our only option with the new discovery process is psd=y, as this will cause the
existing sub-domain policies to be respected as is, while providing a policy
for our top level domain and the children which don't have a policy for themselves.
There needs to be a way for legitimate emails coming from a PSD (with psd=y) to
be handled. The easiest way is as proposed by @toddherr above and accept that
when the first query returns psd=y it is the organisational domain.
-----
Note that Section 4.10.2 excludes the case that psd=y can be found where the
tree walk started:
2. If a valid DMARC Policy Record, other than the one for the domain
where the tree walk started, contains the "psd" tag set to "y"
("psd=y"), the Organizational Domain is the domain one label
below this one in the DNS hierarchy, and the selection process is
complete.
Best
Ale
--
dmarc mailing list
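The three outcomes Daniel-t describes (psd=y, psd=n, no psd tag at the PSD) and the Section 4.10.2 exclusion of psd=y at the starting domain, as an added example that is not part of the thread or of the dmarcbis draft: a simplified model of Organizational Domain selection run over constructed records instead of DNS. The domain names are made up, and the model assumes collected records are examined starting domain first, then each parent.

```python
# Added example: simplified Organizational Domain selection over constructed records.
# Assumption: records are examined start domain first, then each parent in turn.
def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=none; psd=y' into {'v': 'DMARC1', 'p': 'none', 'psd': 'y'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def tree_walk(domain: str, records: dict) -> list:
    """Collect valid DMARC records at the start domain and each parent, longest name first."""
    labels = domain.split(".")
    found = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in records:
            tags = parse_tags(records[name])
            if tags.get("v") == "DMARC1":
                found.append((name, tags))
    return found

def organizational_domain(domain: str, records: dict):
    """Step 1: a psd=n record is the Organizational Domain.
    Step 2: a psd=y record above the start domain puts it one label below that record.
    Step 3: otherwise the record with the fewest labels wins."""
    found = tree_walk(domain, records)
    if not found:
        return None
    for name, tags in found:
        if tags.get("psd") == "n":
            return name
    for name, tags in found:
        if name != domain and tags.get("psd") == "y":
            depth = len(name.split(".")) + 1          # one label below the PSD record
            return ".".join(domain.split(".")[-depth:])
    return found[-1][0]

def psd_scenarios() -> dict:
    """Constructed scenario: gov.example is a PSD whose parent ('example') publishes
    nothing yet; agency.gov.example is a sub-domain run by a separate organisation."""
    base = {"agency.gov.example": "v=DMARC1; p=reject"}   # no psd tag
    results = {}
    for label, suffix in (("psd=y", "; psd=y"), ("psd=n", "; psd=n"), ("no psd", "")):
        records = dict(base)
        records["gov.example"] = "v=DMARC1; p=none" + suffix
        results[label] = organizational_domain("host.agency.gov.example", records)
    return results
```

Only psd=y at gov.example leaves agency.gov.example as the Organizational Domain; psd=n and a missing psd tag both pull it up to gov.example, which is the override the thread warns about.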