Sorry if it was already discussed. A few notes:

1. The current draft does not allow controlling the STS policy for subdomains. It means every subdomain which can be used as a recipient's domain must have its own policy.mta-sts A-record and _mta_sts TXT record. There are situations where this is practically impossible, e.g. wildcard domains. For example, I want MX to accept mail for *.example.com and support STS. Having policy.mta-sts.*.example.com can be problematic if *.example.com already exists as e.g. a CNAME. In addition, it can lead to overhead in reporting, because every subdomain generates its own report as a separate message. The proposal is to include an additional field, e.g. "s" with possible "y" and "n" values, into the _mta_sts record:

   sts-subdomains-flag = "y" / "n"
   sts-subdomains = "s" *WSP "=" *WSP sts-subdomains-flag

and

   "subdomains": boolean (true or false) - apply policy to subdomains.

into the STS policy JSON, and extend the policy search procedure to request / use the cached policy from parent domains (e.g. example.com) if no _mta_sts exists in the subdomain (e.g. sub.example.com). If the nearest parent domain with a published _mta_sts policy has s=y in the TXT record and "subdomains":true in the policy, use this policy for the subdomain and aggregate reporting into the parent domain's report.

2. The standard should specify a recommended time for negative policy response caching for existing domains, otherwise it can lead to overload for DNS/Web infrastructure.

3. Because caching is used, security considerations should mention cache exhaustion attacks by sending messages to a huge number of different subdomains with STS policies published, with recommendations to limit records number / cache size per organizational domain (an example of such limitation can be taken from e.g. RFC 6265 or the W3C HTML 5 local storage specification).

4. Because the policy is requested via https from a predefined location, a ".well-known" URI (RFC 5785) should be used and registered via IANA instead of "current", e.g. "/.well-known/mta-sts", so an IANA considerations section is required. Use of non-standard locations like /current makes it harder to maintain / monitor / provide security for web resources. Use of the "policy.mta-sts" hostname prefix is questionable.

P.S. sorry for off-list CC'ing, it looks like the list is not DMARC friendly.

-- 
Vladimir Dubrovin @Mail.Ru

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
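Added example, not part of the post above or of the MTA-STS draft: a Python simulation of the subdomain policy search proposed in point 1 (nearest ancestor with a _mta_sts record decides; it covers subdomains only when both s=y in the TXT record and "subdomains":true in the policy are set), together with the per-organizational-domain cap on negative cache entries suggested in point 3, run offline against constructed DNS data. Assumed here, because the post does not pin them down: the draft-era TXT syntax "v=STSv1; id=...", the draft's JSON policy body, a two-label stop for the parent walk in place of a Public Suffix List lookup, and an arbitrary cache cap.

```python
import json
import re

# Constructed DNS data (not real zones): TXT at _mta_sts.<domain>.
# Assumption: draft-era "v=STSv1; id=..." syntax plus the proposed "s" flag,
# with *WSP permitted around "=" as in the proposed ABNF.
DNS_TXT = {
    "_mta_sts.example.com": "v=STSv1; id=20160831085700Z; s = y",
    "_mta_sts.nosub.example.net": "v=STSv1; id=20160901000000Z; s=n",
    "_mta_sts.mail.nosub.example.net": "v=STSv1; id=20160902000000Z",
}

# Constructed policy bodies as they would be fetched over HTTPS.
# Assumption: the draft-era JSON policy form plus the proposed "subdomains" key.
POLICY_JSON = {
    "example.com": json.dumps({"version": "STSv1", "mode": "enforce",
                               "mx": ["*.example.com"], "max_age": 86400,
                               "subdomains": True}),
    "nosub.example.net": json.dumps({"version": "STSv1", "mode": "enforce",
                                     "mx": ["mx.nosub.example.net"],
                                     "max_age": 86400, "subdomains": False}),
    "mail.nosub.example.net": json.dumps({"version": "STSv1", "mode": "report",
                                          "mx": ["mx.nosub.example.net"],
                                          "max_age": 3600}),
}

_FIELD = re.compile(r"^\s*([a-z_]+)\s*=\s*(.*?)\s*$")


def parse_sts_txt(record):
    """Parse a _mta_sts TXT record into a dict. The proposed "s" flag
    defaults to "n" when absent; any value other than y/n is rejected."""
    fields = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        m = _FIELD.match(part)
        if not m:
            raise ValueError("malformed field: %r" % part)
        fields[m.group(1)] = m.group(2)
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    flag = fields.get("s", "n")
    if flag not in ("y", "n"):
        raise ValueError("bad s flag: %r" % flag)
    fields["s"] = flag
    return fields


def parent_chain(domain):
    """Recipient domain followed by its parents, e.g.
    a.b.example.com -> [a.b.example.com, b.example.com, example.com].
    Assumption: stop at two labels; a real MTA would consult the Public
    Suffix List to find the organizational domain instead."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_policy(recipient_domain, dns_txt=DNS_TXT, policy_json=POLICY_JSON):
    """The proposed search: the nearest domain in the chain that publishes
    _mta_sts decides. The recipient's own record always applies; a parent's
    record applies only if its TXT says s=y AND its policy says subdomains:true.
    Returns (policy_domain, policy) or None; policy_domain is also the key
    under which reports for this recipient would be aggregated."""
    for candidate in parent_chain(recipient_domain):
        txt = dns_txt.get("_mta_sts." + candidate)
        if txt is None:
            continue
        fields = parse_sts_txt(txt)
        policy = json.loads(policy_json[candidate])
        if candidate == recipient_domain:
            return candidate, policy
        if fields["s"] == "y" and policy.get("subdomains") is True:
            return candidate, policy
        return None  # nearest publisher does not cover subdomains
    return None


class NegativeCache:
    """Point 3 of the post: bound negative ("no policy") entries per parent
    domain so mail sprayed at many invented subdomains cannot exhaust the
    cache. Assumption: the cap and oldest-first eviction are illustrative."""

    def __init__(self, cap_per_parent=4):
        self.cap = cap_per_parent
        self.buckets = {}

    def add(self, recipient_domain):
        chain = parent_chain(recipient_domain)
        parent = chain[-1] if chain else recipient_domain
        bucket = self.buckets.setdefault(parent, [])
        if recipient_domain in bucket:
            return
        if len(bucket) >= self.cap:
            bucket.pop(0)
        bucket.append(recipient_domain)

    def size(self, parent):
        return len(self.buckets.get(parent, []))
```

With this data, shop.example.com resolves to example.com's policy and report bucket because both s=y and "subdomains":true are set; x.mail.nosub.example.net gets no policy because the nearest publisher, mail.nosub.example.net, omits the flag, which defaults to n; and fifty invented *.nosub.example.net recipients occupy at most four negative entries under example.net.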
