On 11/27/24 18:18, Alessandro Vesely wrote:
> On Wed 27/Nov/2024 02:41:03 +0100 Martin Thomson via Datatracker wrote:
>>
>> [...]
>>
>> S3 defines a validation process that involves querying DNS at "<provider
>> name>._report._dmarc.<target name>". This will fail when this string is too
>> long, which is pretty easy to manage for an attacker. That's an unrecoverable
>> error, but the procedure says nothing about that error. Does that make certain
>> reporting architectures impossible for some providers?
>
>
> The only change is adding a consideration that domains whose name length is
> near to the maximum domain name length limit cannot use external services,
> however short the name of the external provider. They must create an ad-hoc
> mailbox that forwards to the external service.
I think he means that the verification process does not explicitly say
anything about the possibility that the length of the constructed domain
name of the third party,
  <author domain>._report._dmarc.<report receiver domain>
may exceed the DNS maximum length limit for a domain name, and what to do in
that case.
Obviously the current step 4 will fail because of the too long name, but
maybe we can be explicit about this possibility and the workaround.
Add a new step 4, and renumber the later steps?
4. If the length of the constructed name exceeds DNS limits,
a positive determination of the external reporting
relationship cannot be made; stop.
And also add a final paragraph to the end of the same section, maybe
something like this:
If the Author Domain is so long that external verification
fails in step 4, above, you will not be able to use the
third party Report Receiver. As a workaround, you can set
up a local mailbox that forwards to the third party Report
Receiver.
Daniel K.
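The following is an added example, not part of the thread above and not code from the draft or from any DMARC implementation. It builds the `<author domain>._report._dmarc.<report receiver domain>` name, applies the DNS limits from RFC 1035 section 2.3.4 (labels of at most 63 octets, names of at most 255 octets on the wire, i.e. 253 characters in dotted form) as the proposed new step before the TXT query, and then runs a simplified version of the RFC 7489 section 7.1 check. The resolver is an injected callable; the `fake_resolve` stub and the `LONG_AUTHOR` domain are constructed here so the example runs offline. The final-step handling (treating a `v=DMARC1` TXT record at the constructed name as authorization) follows RFC 7489; the organizational-domain matching of the real procedure is left out for brevity.

```python
"""Length-check the DMARC external-report verification name before querying DNS.

Added illustration; the resolver stub and sample domains below are constructed
for this example and are not real DNS data.
"""
from typing import Callable, List, Optional, Tuple

# RFC 1035 section 2.3.4: a label is at most 63 octets, a name at most 255
# octets in wire format.  A dotted name without a trailing dot gains two octets
# on the wire (first length byte plus the empty root label), so the dotted form
# must be at most 253 characters.
MAX_LABEL = 63
MAX_WIRE_NAME = 255
MAX_DOTTED_NAME = MAX_WIRE_NAME - 2

Resolver = Callable[[str], List[str]]  # name -> TXT strings ([] if none)


def wire_length(name: str) -> int:
    """Octets the dotted name occupies once encoded as DNS labels."""
    labels = name.rstrip(".").split(".")
    return sum(len(label) + 1 for label in labels) + 1  # +1 for the root label


def external_report_name(author_domain: str, receiver_domain: str) -> str:
    """The name RFC 7489 section 7.1 tells the verifier to query."""
    return f"{author_domain.rstrip('.')}._report._dmarc.{receiver_domain.rstrip('.')}"


def name_fits_dns(name: str) -> Optional[str]:
    """Return None if the name can exist in DNS, otherwise the reason it cannot."""
    for label in name.rstrip(".").split("."):
        if not label:
            return "empty label"
        if len(label) > MAX_LABEL:
            return f"label {label[:8]}... is {len(label)} octets (max {MAX_LABEL})"
    octets = wire_length(name)
    if octets > MAX_WIRE_NAME:
        return f"name is {octets} octets on the wire (max {MAX_WIRE_NAME})"
    return None


def verify_external_destination(author_domain: str, receiver_domain: str,
                                resolve: Resolver) -> Tuple[bool, str]:
    """Simplified RFC 7489 section 7.1 check with the proposed length step added.

    Returns (authorized, reason).  When the constructed name cannot be
    represented in DNS no positive determination is possible, so the answer is
    a definite "not verified" rather than a query that fails for unclear reasons.
    """
    if author_domain.lower().rstrip(".") == receiver_domain.lower().rstrip("."):
        # Report receiver is the Author Domain itself (the "local mailbox that
        # forwards" workaround): no external verification is needed.
        return True, "receiver is the Author Domain; no external verification needed"
    name = external_report_name(author_domain, receiver_domain)
    problem = name_fits_dns(name)
    if problem is not None:
        return False, f"cannot verify external destination: {problem}"
    records = resolve(name)
    if any(txt.lower().startswith("v=dmarc1") for txt in records):
        return True, f"{name} publishes a v=DMARC1 record"
    return False, f"no v=DMARC1 record at {name}"


# --- constructed sample data (not real DNS) ---------------------------------
FAKE_TXT = {
    "example.com._report._dmarc.dmarc-reports.example.net": ["v=DMARC1"],
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in for a TXT lookup so the example runs offline."""
    return FAKE_TXT.get(name, [])


# 241 characters: valid on its own, but too long once "._report._dmarc." and
# even a four-character receiver domain are appended.
LONG_AUTHOR = ".".join(["a" * 60, "b" * 60, "c" * 60, "d" * 50, "example"])


if __name__ == "__main__":
    for author, receiver in [("example.com", "dmarc-reports.example.net"),
                             ("example.com", "other.example"),
                             (LONG_AUTHOR, "r.io"),
                             (LONG_AUTHOR, LONG_AUTHOR)]:
        ok, why = verify_external_destination(author, receiver, fake_resolve)
        print(f"{'OK ' if ok else 'NO '} {why}")
```

The length check is cheap and deterministic, so a verifier can run it before spending a DNS round trip; for the domain owner, the useful signal is that the failure is reported as "cannot verify" rather than a generic resolver error, which points directly at the workaround of naming a mailbox inside the Author Domain.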
_______________________________________________
dmarc mailing list -- [email protected]