Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-16 Thread Neil Anuskiewicz


> On Mar 16, 2024, at 9:38 AM, Scott Kitterman  wrote:
> 
> On Saturday, March 16, 2024 4:52:54 AM EDT Tero Kivinen wrote:
>> John Levine writes:
>>> It appears that Todd Herr   said:
 I agree that clarifying it can't hurt, obviously, ...
>>> 
>>> I disagree, it does hurt.
>>> 
>>> If we say you're allowed to use CNAMEs to point to DMARC records,
>>> people are going to say uh oh, is there something special here? What about
>>> DKIM records? what about SPF records? how about SPF includes? or SPF
>>> redirects?
>>> 
>>> Really, there is nothing to say here, so let's not say it.
>> 
>> We could add an example Appendix B that uses CNAME, so that would give
>> indication, yes of course you can use CNAMEs, without explicitly
>> adding text that might cause confusion.
> 
> I think we have more important things to spend our time on.
> 
> Scott K
> 

I agree that CNAMEs aren't worth time or effort. From what I've seen, it's the
larger ESPs that do this, and they document it and provide records to copy and
paste from the auth settings into DNS. Then you go back and click a button and
it lights up green. The sort of person who's confused by the CNAME is the same
person confused by a TXT record. I'm reading DMARCbis 30 now and things are
looking good to me.

My only quibble is, so far, I've not seen a clear, concise explanation of the
general purpose domain. It's not complicated but I think the idea is going to
be new for a lot of people. Some people might misunderstand in less than useful
ways as well.

Neil


___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc


Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-16 Thread Scott Kitterman
On Saturday, March 16, 2024 4:52:54 AM EDT Tero Kivinen wrote:
> John Levine writes:
> > It appears that Todd Herr   said:
> > >I agree that clarifying it can't hurt, obviously, ...
> > 
> > I disagree, it does hurt.
> > 
> > If we say you're allowed to use CNAMEs to point to DMARC records,
> > people are going to say uh oh, is there something special here? What about
> > DKIM records? what about SPF records? how about SPF includes? or SPF
> > redirects?
> > 
> > Really, there is nothing to say here, so let's not say it.
> 
> We could add an example Appendix B that uses CNAME, so that would give
> indication, yes of course you can use CNAMEs, without explicitly
> adding text that might cause confusion.

I think we have more important things to spend our time on.

Scott K





Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-16 Thread Tero Kivinen
John Levine writes:
> It appears that Todd Herr   said:
> >I agree that clarifying it can't hurt, obviously, ...
> 
> I disagree, it does hurt.
> 
> If we say you're allowed to use CNAMEs to point to DMARC records,
> people are going to say uh oh, is there something special here? What about
> DKIM records? what about SPF records? how about SPF includes? or SPF
> redirects?
> 
> Really, there is nothing to say here, so let's not say it.

We could add an example Appendix B that uses CNAME, so that would give
indication, yes of course you can use CNAMEs, without explicitly
adding text that might cause confusion.
-- 
kivi...@iki.fi



Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-15 Thread Neil Anuskiewicz


> On Mar 15, 2024, at 9:40 AM, Alessandro Vesely  wrote:
> 
> On Fri 15/Mar/2024 02:34:15 +0100 Murray S. Kucherawy wrote:
>>> On Fri, Mar 15, 2024 at 9:11 AM John Levine  wrote:
>>> It appears that Todd Herr   said:
>>> >I agree that clarifying it can't hurt, obviously, ...
>>> 
>>> I disagree, it does hurt.
>>> 
>>> If we say you're allowed to use CNAMEs to point to DMARC records,
>>> people are going to say uh oh, is there something special here? What about
>>> DKIM records? what about SPF records? how about SPF includes? or SPF
>>> redirects?
>>> 
>>> Really, there is nothing to say here, so let's not say it.
>>> 
>> +1, I don't understand what needs to be clarified here.  If I ask for a TXT
>> record at a given name, I expect to get one back (or a non-success code).
>> It really doesn't matter to DMARC whether that process traversed a CNAME
>> record in the process.  (Or if it does matter, I've yet to see a reason
>> why.)
> 
> 
> +1, people who know DNS can derive the possibility to use CNAME on their own. 
> Those who don't are better off not trying it.

It's mostly ESPs with large customer bases that ask for CNAMEs, providing them
with scalability and the ability to rotate keys. It's the appropriate choice
in some contexts. Why is this a concern of the WG?

Neil


Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-15 Thread Alessandro Vesely

On Fri 15/Mar/2024 02:34:15 +0100 Murray S. Kucherawy wrote:

On Fri, Mar 15, 2024 at 9:11 AM John Levine  wrote:


It appears that Todd Herr   said:
>I agree that clarifying it can't hurt, obviously, ...

I disagree, it does hurt.

If we say you're allowed to use CNAMEs to point to DMARC records,
people are going to say uh oh, is there something special here? What about
DKIM records? what about SPF records? how about SPF includes? or SPF
redirects?

Really, there is nothing to say here, so let's not say it.



+1, I don't understand what needs to be clarified here.  If I ask for a TXT
record at a given name, I expect to get one back (or a non-success code).
It really doesn't matter to DMARC whether that process traversed a CNAME
record in the process.  (Or if it does matter, I've yet to see a reason
why.)



+1, people who know DNS can derive the possibility to use CNAME on their own. 
Those who don't are better off not trying it.



Best
Ale
--







Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread OLIVIER HUREAU
> If we need some real world examples of this, got a few here: 

According to my measurements, 14M domain names out of 280M active domains have
a CNAME at _dmarc. Of these, 871,245 have a valid DMARC record, and 7,609 of
those are in the Tranco top 1M popular domains.

For those without DMARC records (I haven't dug a lot, just on-the-fly stats)
it's either an "SPF" CNAME or wildcard TXT records.

Olivier 

From: "Mark Alley"
To: "dmarc"
Sent: Thursday, 14 March 2024 21:28:11
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

> If we need some real world examples of this, got a few here:
>
> _dmarc.oit.alabama.gov
> _dmarc.tjx.com
> _dmarc.walmart.com
> _dmarc.novanta.com
>
> - Mark Alley
>
> On 3/14/2024 3:18 PM, Todd Herr wrote:
>
>> Colleagues,
>>
>> There was a discussion among M3AAWG members on March 13 that centered on the
>> question of whether DMARC records can be published in DNS as CNAMEs, e.g.,
>>
>> _dmarc.example.com IN CNAME _dmarc.example.org
>>
>> _dmarc.example.org IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-repo...@example.org;"
>>
>> Section 3.6.2 of RFC 1034 seems to indicate that it is permissible to publish
>> DMARC records in this fashion, and describes the following scenario using a
>> CNAME record and an A record:
>>
>> For example, suppose a name server was processing a query with for USC-
>> ISIC.ARPA, asking for type A information, and had the following resource
>> records:
>>
>> USC-ISIC.ARPA   IN  CNAME   C.ISI.EDU
>>
>> C.ISI.EDU       IN  A       10.0.0.52
>>
>> Both of these RRs would be returned in the response to the type A query,
>> while a type CNAME or * query should return just the CNAME.
>>
>> I recommend adding a paragraph to DMARCbis, section 5.1 DMARC Policy Record at
>> the end of that section that reads:
>>
>> Per RFC 1034 section 3.6.2, a DMARC record MAY be published as a CNAME record,
>> so long as the corresponding canonical name ultimately resolves to a TXT record
>> so as to ensure that queries of type TXT return a DNS RR in the expected
>> format.
>>
>> Issue 136 has been opened for this.
>>
>> --
>>
>> Todd Herr | Technical Director, Standards & Ecosystem
>> Email: todd.h...@valimail.com
>> Phone: 703-220-4153
>>
>> This email and all data transmitted with it contains confidential and/or
>> proprietary information intended solely for the use of individual(s) authorized
>> to receive it. If you are not an intended and authorized recipient you are
>> hereby notified of any use, disclosure, copying or distribution of the
>> information included in this transmission is prohibited and may be unlawful.
>> Please immediately notify the sender by replying to this email and then delete
>> it from your system.


Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Murray S. Kucherawy
On Fri, Mar 15, 2024 at 9:11 AM John Levine  wrote:

> It appears that Todd Herr   said:
> >I agree that clarifying it can't hurt, obviously, ...
>
> I disagree, it does hurt.
>
> If we say you're allowed to use CNAMEs to point to DMARC records,
> people are going to say uh oh, is there something special here? What about
> DKIM records? what about SPF records? how about SPF includes? or SPF
> redirects?
>
> Really, there is nothing to say here, so let's not say it.
>

+1, I don't understand what needs to be clarified here.  If I ask for a TXT
record at a given name, I expect to get one back (or a non-success code).
It really doesn't matter to DMARC whether that process traversed a CNAME
record in the process.  (Or if it does matter, I've yet to see a reason
why.)

-MSK, p11g


Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Mark Alley


On 3/14/2024 6:11 PM, John Levine wrote:

It appears that Todd Herr  said:

I agree that clarifying it can't hurt, obviously, ...

I disagree, it does hurt.

If we say you're allowed to use CNAMEs to point to DMARC records,
people are going to say uh oh, is there something special here? What about
DKIM records? what about SPF records? how about SPF includes? or SPF
redirects?


Fair.


Really, there is nothing to say here, so let's not say it.
R's,
John


For some document consumers I still posit the original proposed text may 
be useful for clarity, but to their point (and yours), it's already 
presumed the reader has a working conceptual understanding of DNS; I see 
your point how it could add only more questions.



- Mark Alley




Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread John Levine
It appears that Todd Herr   said:
>I agree that clarifying it can't hurt, obviously, ...

I disagree, it does hurt.

If we say you're allowed to use CNAMEs to point to DMARC records,
people are going to say uh oh, is there something special here? What about
DKIM records? what about SPF records? how about SPF includes? or SPF
redirects?

Really, there is nothing to say here, so let's not say it.

R's,
John



Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread John Levine
It appears that Todd Herr   said:
>The reasons given were:
>
>   1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1

I am reasonably sure it was referring to DNS crudware that wouldn't
let you put an underscore in the name, or that limited TXT records to
a single 255 byte string, not CNAMEs.

>   2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5

I don't see that implying anything about CNAMEs.

>   3. Neither RFC 7489 nor DMARCbis contain the phrase "CNAME", so if it's
>   not explicitly mentioned...

I suggest we mark this "no change" and close it. There is a very short
list of RRTYPEs where you're not allowed to use CNAMES, and TXT isn't
on it.

R's,
John

PS: If anyone cares, the list contains NS and MX.  See RFC 2181, sec 10.3

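As an added illustration of the point Murray and John make above (the verifier asks for TXT at _dmarc.<domain> and gets back whatever the CNAME chain ultimately resolves to, and TXT is not on the RFC 2181 list of types that may not be CNAMEs), here is a small Python model of RFC 7489 section 6.6.3 policy discovery run over a constructed in-memory zone. This is example code written for this page, not code from DMARCbis, from any implementation named in the thread, or from any of the posters; the zone contents, the names, the reporting addresses and the 8-hop CNAME limit are all assumptions. Beyond the plain CNAME-to-TXT case in Todd's proposal, it also exercises the failure modes the thread touches on: a CNAME that lands on an SPF record (the "SPF CNAME" case Olivier observed), a CNAME loop, two DMARC records at one name, and a record with a usable rua= but no p=.

```python
"""DMARC policy discovery over a constructed in-memory zone.

Added example for this thread, not code from DMARCbis or any implementation
discussed on the list. Every name, address and record below is constructed.
"""

# Assumption: resolvers bound CNAME chasing; 8 is an arbitrary cap for this toy.
MAX_CNAME_DEPTH = 8

# Constructed zone: owner name -> list of (rrtype, rdata). TXT rdata is the
# tuple of <character-string>s as carried on the wire, concatenated on read.
ZONE = {
    # The case from the thread: a CNAME at _dmarc pointing at a TXT elsewhere.
    "_dmarc.example.com.": [("CNAME", "_dmarc.example.org.")],
    "_dmarc.example.org.": [("TXT", ("v=DMARC1; p=reject; ",
                                     "rua=mailto:dmarc-reports@example.org;"))],
    # Two-name CNAME loop.
    "_dmarc.loop-a.example.": [("CNAME", "_dmarc.loop-b.example.")],
    "_dmarc.loop-b.example.": [("CNAME", "_dmarc.loop-a.example.")],
    # Two DMARC records at one name.
    "_dmarc.multi.example.": [("TXT", ("v=DMARC1; p=none;",)),
                              ("TXT", ("v=DMARC1; p=reject;",))],
    # The "SPF CNAME" case: _dmarc aliased to a name holding an SPF TXT.
    "_dmarc.spf-cname.example.": [("CNAME", "spf.example.")],
    "spf.example.": [("TXT", ("v=spf1 -all",))],
    # Missing p= but a usable rua=.
    "_dmarc.nop.example.": [("TXT", ("v=DMARC1; rua=mailto:agg@nop.example",))],
}


class CnameError(Exception):
    """Raised on a CNAME loop or an over-long chain."""


def resolve_txt(zone, name):
    """Return the TXT strings at `name`, chasing CNAMEs as RFC 1034 3.6.2
    describes. The caller never learns whether a CNAME was traversed."""
    seen = []
    for _ in range(MAX_CNAME_DEPTH + 1):
        if name in seen:
            raise CnameError(f"CNAME loop at {name}")
        seen.append(name)
        rrset = zone.get(name, [])
        targets = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if targets:
            name = targets[0]  # a name with a CNAME carries no other data
            continue
        return ["".join(parts) for rtype, parts in rrset if rtype == "TXT"]
    raise CnameError(f"CNAME chain longer than {MAX_CNAME_DEPTH}")


def parse_tags(record):
    """Split a tag=value;tag=value record into an ordered list of pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs


def discover_dmarc(zone, domain):
    """RFC 7489 6.6.3 policy discovery for one domain (no Organizational
    Domain fallback). Returns the tag dict, or None when no usable policy."""
    name = f"_dmarc.{domain.rstrip('.')}."
    try:
        txts = resolve_txt(zone, name)
    except CnameError:
        return None
    # Step 4: keep only records whose first tag is v=DMARC1.
    records = [p for p in map(parse_tags, txts) if p and p[0] == ("v", "DMARC1")]
    # Step 5: zero or several DMARC records means no policy.
    if len(records) != 1:
        return None
    tags = dict(records[0])
    if tags.get("p") not in ("none", "quarantine", "reject"):
        # Step 6: no valid p= but a reporting URI -> act as p=none; else nothing.
        # Simplification: only a mailto: prefix is checked for the URI.
        if tags.get("rua", "").startswith("mailto:"):
            tags["p"] = "none"
        else:
            return None
    return tags


if __name__ == "__main__":
    for d in ("example.com", "loop-a.example", "multi.example",
              "spf-cname.example", "nop.example"):
        print(f"{d:20} -> {discover_dmarc(ZONE, d)}")
```

The resolver layer is where the CNAME lives; `discover_dmarc` only ever sees a list of TXT strings, which is exactly why the draft has nothing DMARC-specific to say about aliases. The three None cases are worth noting for anyone auditing a CNAME-based setup: an alias that points at an SPF or otherwise non-DMARC TXT, a loop, or a target name that already carries a second DMARC record all silently yield "no policy" at the receiver.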


Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Tim Wicinski
"Explaining how DNS works is out of scope."

Scott is right.

Also, some folks use something other than CNAME:

$ dig +noall +answer _dmarc.valimail.com ns
_dmarc.valimail.com. 300 IN NS ns.vali.email.

$ dig +noall +answer _dmarc.valimail.com txt
_dmarc.valimail.com. 595 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email,mailto:dmarc.repo...@valimail.com;"

On Thu, Mar 14, 2024 at 5:12 PM Todd Herr  wrote:

> On Thu, Mar 14, 2024 at 5:05 PM Mark Alley wrote:
>
>> On 3/14/2024 3:49 PM, Todd Herr wrote:
>>
>> On Thu, Mar 14, 2024 at 4:43 PM Mark Alley wrote:
>>
>>> On 3/14/2024 3:38 PM, Todd Herr wrote:
>>>
>>> On Thu, Mar 14, 2024 at 4:34 PM Scott Kitterman 
>>> wrote:
>>>

 I think this is correct.  I think it's obviously enough correct that
 I'm surprised anyone was confused.

 Do we know what the theory was that led people to think otherwise?

 Seems to me we don't really need this, but maybe there's a reason.


>>> The reasons given were:
>>>
>>>1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1
>>>2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5
>>>3. Neither RFC 7489 nor DMARCbis contain the phrase "CNAME", so if
>>>it's not explicitly mentioned...
>>>
>>> Granted, the first two citations are in regards to DKIM records, not
>>> DMARC records, but those were the reasons given.
>>>
>>> Couldn't hurt to clarify explicitly, I'm for it. Domain owners have been
>>> using CNAMEs with DMARC TXT RRs pretty much since its inception.
>>>
>> I agree that clarifying it can't hurt, obviously, but I was quite
>> surprised to hear that CNAMEs were being published for DMARC records, as
>> I'd never seen one. On the other hand, I've seen *lots* of DKIM public keys
>> published as CNAMEs, which I'm sure just wrecks the person citing DKIM RFCs
>> as a reason that DMARC records can't be CNAMEs.
>>
>>
>> Domain owner use cases with DMARC CNAMEs boils down to really either of 2
>> things:
>>
>>- Single point of policy management for orgs with dozens, hundreds,
>>or thousands of domains to manage DMARC on, and also applicable to RUA/RUF
>>addresses.
>>- Delegation to a third-party for management, similar to DKIM CNAMEs
>>as you noted that are popularly in use by many ESPs for vendor-managed key
>>rotation.
>>
>>
> Yup, I grok the use cases. I just hadn't thought of them prior to this
> discussion.
>
> --
>
> Todd Herr | Technical Director, Standards & Ecosystem
> Email: todd.h...@valimail.com
> Phone: 703-220-4153
>
>


Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Scott Kitterman


On March 14, 2024 8:38:17 PM UTC, Todd Herr 
 wrote:
>On Thu, Mar 14, 2024 at 4:34 PM Scott Kitterman 
>wrote:
>
>>
>> I think this is correct.  I think it's obviously enough correct that I'm
>> surprised anyone was confused.
>>
>> Do we know what the theory was that led people to think otherwise?
>>
>> Seems to me we don't really need this, but maybe there's a reason.
>>
>>
>The reasons given were:
>
>   1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1
>   2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5
>   3. Neither RFC 7489 nor DMARCbis contain the phrase "CNAME", so if it's
>   not explicitly mentioned...
>
>Granted, the first two citations are in regards to DKIM records, not DMARC
>records, but those were the reasons given.
>
Thanks.  

CNAMES have been used for DKIM since DKIM has existed.  I don't think any of 
those things say don't use CNAMES.

I think we don't need to say anything.  Explaining how DNS works is out of 
scope.  This kind of thing is a distraction which makes the document more 
complex and confusing.

Scott K



Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Todd Herr
On Thu, Mar 14, 2024 at 5:05 PM Mark Alley  wrote:

> On 3/14/2024 3:49 PM, Todd Herr wrote:
>
> On Thu, Mar 14, 2024 at 4:43 PM Mark Alley wrote:
>
>> On 3/14/2024 3:38 PM, Todd Herr wrote:
>>
>> On Thu, Mar 14, 2024 at 4:34 PM Scott Kitterman 
>> wrote:
>>
>>>
>>> I think this is correct.  I think it's obviously enough correct that I'm
>>> surprised anyone was confused.
>>>
>>> Do we know what the theory was that led people to think otherwise?
>>>
>>> Seems to me we don't really need this, but maybe there's a reason.
>>>
>>>
>> The reasons given were:
>>
>>1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1
>>2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5
>>3. Neither RFC 7489 nor DMARCbis contain the phrase "CNAME", so if
>>it's not explicitly mentioned...
>>
>> Granted, the first two citations are in regards to DKIM records, not
>> DMARC records, but those were the reasons given.
>>
>> Couldn't hurt to clarify explicitly, I'm for it. Domain owners have been
>> using CNAMEs with DMARC TXT RRs pretty much since its inception.
>>
> I agree that clarifying it can't hurt, obviously, but I was quite
> surprised to hear that CNAMEs were being published for DMARC records, as
> I'd never seen one. On the other hand, I've seen *lots* of DKIM public keys
> published as CNAMEs, which I'm sure just wrecks the person citing DKIM RFCs
> as a reason that DMARC records can't be CNAMEs.
>
>
> Domain owner use cases with DMARC CNAMEs boils down to really either of 2
> things:
>
>- Single point of policy management for orgs with dozens, hundreds, or
>thousands of domains to manage DMARC on, and also applicable to RUA/RUF
>addresses.
>- Delegation to a third-party for management, similar to DKIM CNAMEs
>as you noted that are popularly in use by many ESPs for vendor-managed key
>rotation.
>
>
Yup, I grok the use cases. I just hadn't thought of them prior to this
discussion.

-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.h...@valimail.com
Phone: 703-220-4153




Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Mark Alley

On 3/14/2024 3:49 PM, Todd Herr wrote:

On Thu, Mar 14, 2024 at 4:43 PM Mark Alley wrote:


On 3/14/2024 3:38 PM, Todd Herr wrote:

On Thu, Mar 14, 2024 at 4:34 PM Scott Kitterman
 wrote:


I think this is correct.  I think it's obviously enough
correct that I'm surprised anyone was confused.

Do we know what the theory was that led people to think
otherwise?

Seems to me we don't really need this, but maybe there's a
reason.


The reasons given were:

 1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1
 2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5
 3. Neither RFC 7489 nor DMARCbis contain the phrase "CNAME", so
if it's not explicitly mentioned...

Granted, the first two citations are in regards to DKIM records,
not DMARC records, but those were the reasons given.


Couldn't hurt to clarify explicitly, I'm for it. Domain owners
have been using CNAMEs with DMARC TXT RRs pretty much since its
inception.

I agree that clarifying it can't hurt, obviously, but I was quite 
surprised to hear that CNAMEs were being published for DMARC records, 
as I'd never seen one. On the other hand, I've seen *lots* of DKIM 
public keys published as CNAMEs, which I'm sure just wrecks the person 
citing DKIM RFCs as a reason that DMARC records can't be CNAMEs.


Domain owner use cases with DMARC CNAMEs boils down to really either of 
2 things:


 * Single point of policy management for orgs with dozens, hundreds, or
   thousands of domains to manage DMARC on, and also applicable to
   RUA/RUF addresses.
 * Delegation to a third-party for management, similar to DKIM CNAMEs
   as you noted that are popularly in use by many ESPs for
   vendor-managed key rotation.

- Mark Alley


Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Tim Wicinski
There are folks who publish NS records at _dmarc.example.com that point to
some super fancy DNS service that return DMARC TXT records.

tim


On Thu, Mar 14, 2024 at 4:19 PM Todd Herr  wrote:

> Colleagues,
>
> There was a discussion among M3AAWG members on March 13 that centered on
> the question of whether DMARC records can be published in DNS as CNAMEs,
> e.g.,
>
> _dmarc.example.com IN CNAME _dmarc.example.org
>
> _dmarc.example.org IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-repo...@example.org;"
>
> Section 3.6.2 of RFC 1034 seems to indicate that it is permissible to
> publish DMARC records in this fashion, and describes the following scenario
> using a CNAME record and an A record:
>
> For example, suppose a name server was processing a query with for USC-
> ISIC.ARPA, asking for type A information, and had the following resource
> records:
>
> USC-ISIC.ARPA   IN  CNAME   C.ISI.EDU
>
> C.ISI.EDU       IN  A       10.0.0.52
>
> Both of these RRs would be returned in the response to the type A query,
> while a type CNAME or * query should return just the CNAME.
>
> I recommend adding a paragraph to DMARCbis, section 5.1 DMARC Policy
> Record at the end of that section that reads:
>
> Per RFC 1034 section 3.6.2, a DMARC record MAY be published as a CNAME
> record, so long as the corresponding canonical name ultimately resolves to
> a TXT record so as to ensure that queries of type TXT return a DNS RR in
> the expected format.
>
> Issue 136 has been opened for this.
>
> --
>
> Todd Herr | Technical Director, Standards & Ecosystem
> Email: todd.h...@valimail.com
> Phone: 703-220-4153
>


Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Todd Herr
On Thu, Mar 14, 2024 at 4:43 PM Mark Alley  wrote:

> On 3/14/2024 3:38 PM, Todd Herr wrote:
>
> On Thu, Mar 14, 2024 at 4:34 PM Scott Kitterman 
> wrote:
>
>>
>> I think this is correct.  I think it's obviously enough correct that I'm
>> surprised anyone was confused.
>>
>> Do we know what the theory was that led people to think otherwise?
>>
>> Seems to me we don't really need this, but maybe there's a reason.
>>
>>
> The reasons given were:
>
>1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1
>2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5
>3. Neither RFC 7489 nor DMARCbis contain the phrase "CNAME", so if
>it's not explicitly mentioned...
>
> Granted, the first two citations are in regards to DKIM records, not DMARC
> records, but those were the reasons given.
>
> Couldn't hurt to clarify explicitly, I'm for it. Domain owners have been
> using CNAMEs with DMARC TXT RRs pretty much since its inception.
>
I agree that clarifying it can't hurt, obviously, but I was quite surprised
to hear that CNAMEs were being published for DMARC records, as I'd never
seen one. On the other hand, I've seen *lots* of DKIM public keys published
as CNAMEs, which I'm sure just wrecks the person citing DKIM RFCs as a
reason that DMARC records can't be CNAMEs.

-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.h...@valimail.com
Phone: 703-220-4153




Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Mark Alley


- Mark Alley

On 3/14/2024 3:38 PM, Todd Herr wrote:
On Thu, Mar 14, 2024 at 4:34 PM Scott Kitterman  
wrote:



I think this is correct.  I think it's obviously enough correct
that I'm surprised anyone was confused.

Do we know what the theory was that led people to think otherwise?

Seems to me we don't really need this, but maybe there's a reason.


The reasons given were:

 1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1
 2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5
 3. Neither RFC 7489 nor DMARCbis contain the phrase "CNAME", so if
it's not explicitly mentioned...

Granted, the first two citations are in regards to DKIM records, not 
DMARC records, but those were the reasons given.


Couldn't hurt to clarify explicitly, I'm for it. Domain owners have been 
using CNAMEs with DMARC TXT RRs pretty much since its inception.


- Mark Alley


Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Todd Herr
On Thu, Mar 14, 2024 at 4:34 PM Scott Kitterman 
wrote:

>
> I think this is correct.  I think it's obviously enough correct that I'm
> surprised anyone was confused.
>
> Do we know what the theory was that led people to think otherwise?
>
> Seems to me we don't really need this, but maybe there's a reason.
>
>
The reasons given were:

   1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1
   2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5
   3. Neither RFC 7489 nor DMARCbis contain the phrase "CNAME", so if it's
   not explicitly mentioned...

Granted, the first two citations are in regards to DKIM records, not DMARC
records, but those were the reasons given.

-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.h...@valimail.com
Phone: 703-220-4153




Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Scott Kitterman



On March 14, 2024 8:18:31 PM UTC, Todd Herr 
 wrote:
>Colleagues,
>
>There was a discussion among M3AAWG members on March 13 that centered on
>the question of whether DMARC records can be published in DNS as CNAMEs,
>e.g.,
>
>_dmarc.example.com IN CNAME _dmarc.example.org
>
>_dmarc.example.org IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-repo...@example.org;"
>
>Section 3.6.2 of RFC 1034 seems to indicate that it is permissible to
>publish DMARC records in this fashion, and describes the following scenario
>using a CNAME record and an A record:
>
>For example, suppose a name server was processing a query with for USC-
>ISIC.ARPA, asking for type A information, and had the following resource
>records:
>
>USC-ISIC.ARPA   IN  CNAME   C.ISI.EDU
>
>C.ISI.EDU       IN  A       10.0.0.52
>
>Both of these RRs would be returned in the response to the type A query,
>while a type CNAME or * query should return just the CNAME.
>
>I recommend adding a paragraph to DMARCbis, section 5.1 DMARC Policy Record
>at the end of that section that reads:
>
>Per RFC 1034 section 3.6.2, a DMARC record MAY be published as a CNAME
>record, so long as the corresponding canonical name ultimately resolves to
>a TXT record so as to ensure that queries of type TXT return a DNS RR in
>the expected format.
>
>Issue 136 has been opened for this.
>

I think this is correct.  I think it's obviously enough correct that I'm 
surprised anyone was confused.

Do we know what the theory was that led people to think otherwise?

Seems to me we don't really need this, but maybe there's a reason.

Scott K



Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Mark Alley

If we need some real world examples of this, got a few here:

_dmarc.oit.alabama.gov

_dmarc.tjx.com

_dmarc.walmart.com

_dmarc.novanta.com

- Mark Alley

On 3/14/2024 3:18 PM, Todd Herr wrote:

Colleagues,

There was a discussion among M3AAWG members on March 13 that centered 
on the question of whether DMARC records can be published in DNS as 
CNAMEs, e.g.,


_dmarc.example.com IN CNAME _dmarc.example.org

_dmarc.example.org IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-repo...@example.org;"

Section 3.6.2 of RFC 1034 seems to indicate that it is permissible to 
publish DMARC records in this fashion, and describes the following 
scenario using a CNAME record and an A record:

For example, suppose a name server was processing a query with for USC-
ISIC.ARPA, asking for type A information, and had the following resource
records:

USC-ISIC.ARPA   IN  CNAME   C.ISI.EDU

C.ISI.EDU       IN  A       10.0.0.52

Both of these RRs would be returned in the response to the type A query,
while a type CNAME or * query should return just the CNAME.

I recommend adding a paragraph to DMARCbis, section 5.1 DMARC Policy 
Record at the end of that section that reads:


Per RFC 1034 section 3.6.2, a DMARC record MAY be published as a
CNAME record, so long as the corresponding canonical name
ultimately resolves to a TXT record so as to ensure that queries
of type TXT return a DNS RR in the expected format.

Issue 136 has been opened for this.

--

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.h...@valimail.com
Phone: 703-220-4153




[dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

2024-03-14 Thread Todd Herr
Colleagues,

There was a discussion among M3AAWG members on March 13 that centered on
the question of whether DMARC records can be published in DNS as CNAMEs,
e.g.,

_dmarc.example.com IN CNAME _dmarc.example.org

_dmarc.example.org IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-repo...@example.org;"

Section 3.6.2 of RFC 1034 seems to indicate that it is permissible to
publish DMARC records in this fashion, and describes the following scenario
using a CNAME record and an A record:

For example, suppose a name server was processing a query with for USC-
ISIC.ARPA, asking for type A information, and had the following resource
records:

USC-ISIC.ARPA   IN  CNAME   C.ISI.EDU

C.ISI.EDU       IN  A       10.0.0.52

Both of these RRs would be returned in the response to the type A query,
while a type CNAME or * query should return just the CNAME.

I recommend adding a paragraph to DMARCbis, section 5.1 DMARC Policy Record
at the end of that section that reads:

Per RFC 1034 section 3.6.2, a DMARC record MAY be published as a CNAME
record, so long as the corresponding canonical name ultimately resolves to
a TXT record so as to ensure that queries of type TXT return a DNS RR in
the expected format.

Issue 136 has been opened for this.

-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.h...@valimail.com
Phone: 703-220-4153

