I did add the new (4), but omitted the "final" step proposed. I'm a little unsure if that's necessary?
--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

> -----Original Message-----
> From: Daniel K. <[email protected]>
> Sent: Thursday, November 28, 2024 12:12 PM
> To: Alessandro Vesely <[email protected]>; [email protected]
> Subject: [dmarc-ietf] Re: String too long verifying remote rua=, was Artart last call review of draft-ietf-dmarc-aggregate-reporting-23
>
> On 11/27/24 18:18, Alessandro Vesely wrote:
> > On Wed 27/Nov/2024 02:41:03 +0100 Martin Thomson via Datatracker wrote:
> >>
> >> [...]
> >>
> >> S3 defines a validation process that involves querying DNS at
> >> "<provider name>._report._dmarc.<target name>". This will fail when this
> >> string is too long, which is pretty easy to manage for an attacker. That's an
> >> unrecoverable error, but the procedure says nothing about that error.
> >> Does that make certain reporting architectures impossible for some
> >> providers?
> >
> >
> > The only change is adding a consideration that domains whose name
> > length is near to the maximum domain name length limit cannot use
> > external services, however short the name of the external provider.
> > They must create an ad-hoc mailbox that forwards to the external service.
>
> I think he means that the verification process does not explicitly say anything
> about the possibility that the length of the constructed domain name of the third
> party;
>
>     author domain "._report._dmarc." report receiver domain
>
> may exceed the DNS max length limit for a domain name, and what to do in that
> case.
>
> Obviously the current step 4 will fail because of the too long name, but maybe we
> can be explicit about this possibility and the workaround.
>
> Add a new step 4, and renumber the later steps?
>
>     4. If the length of the constructed name exceeds DNS limits,
>        a positive determination of the external reporting
>        relationship cannot be made; stop.
>
> And also add a final paragraph to the end of the same section, maybe something
> like this:
>
>     If the Author Domain is so long that external verification
>     fails in step 4, above, you will not be able to use the
>     third party Report Receiver. As a workaround, you can set
>     up a local mailbox that forwards to the third party Report
>     Receiver.
>
>
> Daniel K.
>
> _______________________________________________
> dmarc mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
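Added example, not part of the thread and not the draft's or any DMARC implementation's code: a Python sketch of the external-destination verification step with the proposed "name too long, stop" check placed in front of the DNS query. The name form `<author domain>._report._dmarc.<report receiver domain>` is the one quoted in the thread; the test for a TXT record beginning with `v=DMARC1` follows RFC 7489 section 7.1 (the optional rua= override inside that record is not handled). The resolver, the fake zone and the domain names are constructed so the example runs offline; `fake_resolve_txt`, `LONG_AUTHOR` and `max_receiver_domain_len` are illustration helpers, not names from the draft.

```python
"""Constructed example: DMARC external report receiver verification with an
explicit DNS name-length check before the TXT lookup."""
from typing import Callable, Optional

MAX_NAME_LEN = 253    # presentation-form limit (255 octets on the wire)
MAX_LABEL_LEN = 63
GLUE = "._report._dmarc."   # 16 characters inserted between the two domains


def build_verification_name(author_domain: str, receiver_domain: str) -> str:
    """Name whose TXT record confirms that the receiver accepts reports for the author domain."""
    return f"{author_domain.rstrip('.')}{GLUE}{receiver_domain.rstrip('.')}"


def name_length_problem(name: str) -> Optional[str]:
    """Return a reason if `name` violates DNS length limits, otherwise None."""
    if len(name) > MAX_NAME_LEN:
        return f"name is {len(name)} chars, limit is {MAX_NAME_LEN}"
    for label in name.split("."):
        if len(label) > MAX_LABEL_LEN:
            return f"label {label[:8]}... is {len(label)} chars, limit is {MAX_LABEL_LEN}"
    return None


def max_receiver_domain_len(author_domain: str) -> int:
    """Longest report receiver domain still verifiable for this author domain.

    A negative value means no external receiver can be verified, however
    short its name (the case Alessandro describes in the thread).
    """
    return MAX_NAME_LEN - len(GLUE) - len(author_domain.rstrip("."))


def verify_external_destination(author_domain: str, receiver_domain: str,
                                resolve_txt: Callable[[str], list[str]]) -> tuple[bool, str]:
    """Outcome of the verification for one rua= target outside the author domain.

    Returns (verified, reason). The proposed new step 4 is the first branch:
    if the constructed name cannot be queried, stop without a positive result.
    """
    name = build_verification_name(author_domain, receiver_domain)
    problem = name_length_problem(name)
    if problem is not None:
        return False, f"name too long: {problem}"
    records = resolve_txt(name)   # TXT query; empty list stands for NXDOMAIN / no data
    for txt in records:
        if txt.strip().lower().startswith("v=dmarc1"):
            return True, f"v=DMARC1 TXT record found at {name}"
    return False, f"no v=DMARC1 TXT record at {name}"


# Constructed stand-in for DNS: one published relationship only.
_FAKE_ZONE = {
    "example.com._report._dmarc.reports.example.net": ["v=DMARC1"],
}


def fake_resolve_txt(name: str) -> list[str]:
    """Offline resolver used instead of a real DNS client."""
    return _FAKE_ZONE.get(name, [])


# Author domain sitting exactly at the 253-character limit (valid on its own).
LONG_AUTHOR = ".".join(["a" * 63] * 3 + ["b" * 53, "example"])


if __name__ == "__main__":
    print(verify_external_destination("example.com", "reports.example.net", fake_resolve_txt))
    print(verify_external_destination(LONG_AUTHOR, "r.net", fake_resolve_txt))
    print("receiver name budget for LONG_AUTHOR:", max_receiver_domain_len(LONG_AUTHOR))
```

Running it shows the two outcomes the thread contrasts: the short author domain verifies against the fake zone, while the 253-character author domain stops at the length check before any lookup, and its receiver name budget comes out negative, which is why only a local forwarding mailbox remains as a workaround for such a domain.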
