draft-ietf-dmarc-psd-07.txt   draft-ietf-dmarc-psd-08.txt 
Network Working Group S. Kitterman Network Working Group S. Kitterman
Internet-Draft fTLD Registry Services Internet-Draft fTLD Registry Services
Intended status: Experimental October 14, 2019 Intended status: Experimental March 12, 2020
Expires: April 16, 2020 Expires: September 13, 2020
DMARC (Domain-based Message Authentication, Reporting, and Conformance) DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Extension For PSDs (Public Suffix Domains) Extension For PSDs (Public Suffix Domains)
draft-ietf-dmarc-psd-07 draft-ietf-dmarc-psd-08
Abstract Abstract
DMARC (Domain-based Message Authentication, Reporting, and DMARC (Domain-based Message Authentication, Reporting, and
Conformance) is a scalable mechanism by which a mail-originating Conformance) is a scalable mechanism by which a mail-originating
organization can express domain-level policies and preferences for organization can express domain-level policies and preferences for
message validation, disposition, and reporting, that a mail-receiving message validation, disposition, and reporting, that a mail-receiving
organization can use to improve mail handling. The design of DMARC organization can use to improve mail handling. The design of DMARC
presumes that domain names represent either nodes in the tree below presumes that domain names represent either nodes in the tree below
which registrations occur, or nodes where registrations have which registrations occur, or nodes where registrations have
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 16, 2020. This Internet-Draft will expire on September 13, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology and Definitions . . . . . . . . . . . . . . . . . 5 2. Terminology and Definitions . . . . . . . . . . . . . . . . . 5
2.1. Conventions Used in This Document . . . . . . . . . . . . 5 2.1. Conventions Used in This Document . . . . . . . . . . . . 5
2.2. Public Suffix Domain (PSD) . . . . . . . . . . . . . . . 5 2.2. Public Suffix Domain (PSD) . . . . . . . . . . . . . . . 5
2.3. Longest PSD . . . . . . . . . . . . . . . . . . . . . . . 5 2.3. Longest PSD . . . . . . . . . . . . . . . . . . . . . . . 5
2.4. Public Suffix Operator (PSO) . . . . . . . . . . . . . . 5 2.4. Organizational Domain . . . . . . . . . . . . . . . . . . 6
2.5. PSO Controlled Domain Names . . . . . . . . . . . . . . . 6 2.5. Public Suffix Operator (PSO) . . . . . . . . . . . . . . 6
2.6. Non-existent Domains . . . . . . . . . . . . . . . . . . 6 2.6. PSO Controlled Domain Names . . . . . . . . . . . . . . . 6
2.7. Non-existent Domains . . . . . . . . . . . . . . . . . . 6
3. PSD DMARC Updates to DMARC Requirements . . . . . . . . . . . 6 3. PSD DMARC Updates to DMARC Requirements . . . . . . . . . . . 6
3.1. General Updates . . . . . . . . . . . . . . . . . . . . . 6 3.1. General Updates . . . . . . . . . . . . . . . . . . . . . 6
3.2. Section 6.3 General Record Format . . . . . . . . . . . . 6 3.2. Section 6.3 General Record Format . . . . . . . . . . . . 6
3.3. Section 6.5. Domain Owner Actions . . . . . . . . . . . 7 3.3. Section 6.5. Domain Owner Actions . . . . . . . . . . . 7
3.4. Section 6.6.1. Extract Author Domain . . . . . . . . . . 7 3.4. Section 6.6.1. Extract Author Domain . . . . . . . . . . 7
3.5. Section 6.6.3. Policy Discovery . . . . . . . . . . . . 7 3.5. Section 6.6.3. Policy Discovery . . . . . . . . . . . . 7
3.6. Section 7. DMARC Feedback . . . . . . . . . . . . . . . 8 3.6. Section 7. DMARC Feedback . . . . . . . . . . . . . . . 8
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 8 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 8
4.1. Feedback leakage . . . . . . . . . . . . . . . . . . . . 8 4.1. Feedback leakage . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6.1. Subdomain Policy Tag . . . . . . . . . . . . . . . . . . 9 6.1. Subdomain Policy Tag . . . . . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. The Experiment . . . . . . . . . . . . . . . . . . . 11 Appendix A. The Experiment . . . . . . . . . . . . . . . . . . . 11
A.1. PSD DMARC Privacy Concern Mitigation . . . . . . . . . . 11 A.1. PSD DMARC Privacy Concern Mitigation . . . . . . . . . . 12
A.2. Non-Existent Subdomain Policy . . . . . . . . . . . . . . 12 A.2. Non-Existent Subdomain Policy . . . . . . . . . . . . . . 12
Appendix B. DMARC PSD Registry Examples . . . . . . . . . . . . 12 Appendix B. DMARC PSD Registry Examples . . . . . . . . . . . . 13
B.1. DMARC PSD DNS Query Service . . . . . . . . . . . . . . . 13 B.1. DMARC PSD DNS Query Service . . . . . . . . . . . . . . . 13
B.2. DMARC Public Suffix Domain (PSD) Registry . . . . . . . . 13 B.2. DMARC Public Suffix Domain (PSD) Registry . . . . . . . . 13
B.3. DMARC PSD PSL Extension . . . . . . . . . . . . . . . . . 13 B.3. DMARC PSD PSL Extension . . . . . . . . . . . . . . . . . 14
Appendix C. Implementations . . . . . . . . . . . . . . . . . . 14 Appendix C. Implementations . . . . . . . . . . . . . . . . . . 14
C.1. Authheaders Module . . . . . . . . . . . . . . . . . . . 14 C.1. Authheaders Module . . . . . . . . . . . . . . . . . . . 14
C.2. Zdkimfilter Module . . . . . . . . . . . . . . . . . . . 14 C.2. Zdkimfilter Module . . . . . . . . . . . . . . . . . . . 14
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
DMARC [RFC7489] provides a mechanism for publishing organizational DMARC [RFC7489] provides a mechanism for publishing organizational
policy information to email receivers. DMARC allows policy to be policy information to email receivers. DMARC allows policy to be
specified for both individual domains and for organizational domains specified for both individual domains and for organizational domains
and their sub-domains within a single organization. DMARC leverages and their sub-domains within a single organization. DMARC leverages
public suffix lists to determine which domains are organizational public suffix lists to determine which domains are organizational
domains. It presumes that public suffix list listed domains are not domains. It presumes that public suffix list listed domains are not
organizational domains and not subject to DMARC processing; domains organizational domains and not subject to DMARC processing; domains
skipping to change at page 5, line 46 skipping to change at page 6, line 5
".gov.uk". Names at which such registrations occur are called Public ".gov.uk". Names at which such registrations occur are called Public
Suffix Domains (PSDs), and a registration consists of a label Suffix Domains (PSDs), and a registration consists of a label
selected by the registrant to which a desirable PSD is appended. For selected by the registrant to which a desirable PSD is appended. For
example, "ietf.org" is a registered domain name, and ".org" is its example, "ietf.org" is a registered domain name, and ".org" is its
PSD. PSD.
2.3. Longest PSD 2.3. Longest PSD
The longest PSD is the Organizational Domain with one label removed. The longest PSD is the Organizational Domain with one label removed.
2.4. Public Suffix Operator (PSO) 2.4. Organizational Domain
The term Organizational Domains is defined in DMARC [RFC7489]
Section 3.2.
2.5. Public Suffix Operator (PSO)
A Public Suffix Operator manages operations within its PSD. A Public Suffix Operator manages operations within its PSD.
2.5. PSO Controlled Domain Names 2.6. PSO Controlled Domain Names
PSO Controlled Domain Names are names in the DNS that are managed by PSO Controlled Domain Names are names in the DNS that are managed by
a PSO and are not available for use as Organizational Domains (the a PSO and are not available for use as Organizational Domains.
term Organizational Domains is defined in DMARC [RFC7489] Depending on PSD policy, these will have one (e.g., ".com") or more
Section 3.2). Depending on PSD policy, these will have one (e.g., (e.g., ".co.uk") name components.
".com") or more (e.g., ".co.uk") name components.
2.6. Non-existent Domains 2.7. Non-existent Domains
For DMARC purposes, a non-existent domain is a domain for which there For DMARC purposes, a non-existent domain is a domain for which there
is an NXDOMAIN or NODATA response for A, AAAA, and MX records. This is an NXDOMAIN or NODATA response for A, AAAA, and MX records. This
is a broader definition than that in NXDOMAIN [RFC8020]. is a broader definition than that in NXDOMAIN [RFC8020].
3. PSD DMARC Updates to DMARC Requirements 3. PSD DMARC Updates to DMARC Requirements
This document updates DMARC [RFC7489] as follows: This document updates DMARC [RFC7489] as follows:
3.1. General Updates 3.1. General Updates
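Review bot: Section 2.3 (Longest PSD) uses the term "Organizational Domain" one heading before the new Section 2.4 defines it; move the Organizational Domain definition ahead of Longest PSD (or ahead of 2.2) so the definitions read in dependency order, and, since 2.3 only makes sense relative to a particular Organizational Domain, say which one (the Organizational Domain derived from the message's author domain) the "one label removed" applies to. In Section 2.7, "NXDOMAIN or NODATA response for A, AAAA, and MX records" covers the two definitive answers but not resolution failures (SERVFAIL, timeout); state explicitly that a lookup failure does not make a domain "non-existent", otherwise a receiver that cannot resolve the name would apply the non-existent-subdomain policy to a domain that may well exist.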
skipping to change at page 9, line 30 skipping to change at page 9, line 38
DMARC. DMARC.
5. Security Considerations 5. Security Considerations
This document does not change the Security Considerations of This document does not change the Security Considerations of
[RFC7489] and [RFC7960]. [RFC7489] and [RFC7960].
The risks of the issues identified in [RFC7489], Section 12.3, DNS The risks of the issues identified in [RFC7489], Section 12.3, DNS
Security, are amplified by PSD DMARC. In particular, DNS cache Security, are amplified by PSD DMARC. In particular, DNS cache
poisoning (or Name Chaining), see [RFC3833] for details, consequences poisoning (or Name Chaining), see [RFC3833] for details, consequences
are increased because a sucessful attack would potentially have a are increased because a successful attack would potentially have a
much wider scope. much wider scope.
The risks of the issues identified in [RFC7489], Section 12.5, The risks of the issues identified in [RFC7489], Section 12.5,
External Reporting Addresses, are amplified by PSD DMARC. By design, External Reporting Addresses, are amplified by PSD DMARC. By design,
PSD DMARC causes unrequested reporting of feedback to entities PSD DMARC causes unrequested reporting of feedback to entities
external to the Organizational Domain. This is discussed in more external to the Organizational Domain. This is discussed in more
detail in Section 4. detail in Section 4.
6. IANA Considerations 6. IANA Considerations
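Review bot: The first paragraph states the document "does not change the Security Considerations" of [RFC7489] and [RFC7960], and the next two paragraphs say the risks in Sections 12.3 and 12.5 are "amplified"; say instead that those considerations continue to apply and that PSD DMARC increases their impact. The cache-poisoning sentence is also hard to parse as written ("DNS cache poisoning (or Name Chaining), see [RFC3833] for details, consequences are increased"); suggest: "In particular, the consequences of DNS cache poisoning (name chaining; see [RFC3833]) are greater, because a successful attack on a PSD-level DMARC record would affect every Organizational Domain beneath that PSD rather than a single organization." Since the standard mitigation for this attack class is DNSSEC, it would help to add that PSOs publishing PSD DMARC records should sign their zones and that receivers should validate the PSD-level answer where they can.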
skipping to change at page 13, line 39 skipping to change at page 13, line 49
+-------------+---------------+ +-------------+---------------+
| PSD | Status | | PSD | Status |
+-------------+---------------+ +-------------+---------------+
| .bank | current | | .bank | current |
+-------------+---------------+ +-------------+---------------+
| .insurance | current | | .insurance | current |
+-------------+---------------+ +-------------+---------------+
| .gov.uk | current | | .gov.uk | current |
+-------------+---------------+ +-------------+---------------+
| .mil | current |
+-------------+---------------+
B.3. DMARC PSD PSL Extension B.3. DMARC PSD PSL Extension
[psddmarc.org] provides a PSL like file to enable to facilitate [psddmarc.org] provides a PSL like file to enable to facilitate
identification of PSD DMARC participants. Contents are functionally identification of PSD DMARC participants. Contents are functionally
identical to the IANA like registry, but presented in a different identical to the IANA like registry, but presented in a different
format. format.
When using this approach, the input domain of the extension lookup is When using this approach, the input domain of the extension lookup is
supposed to be the output domain of the regular PSL lookup, i.e. the supposed to be the output domain of the regular PSL lookup, i.e. the
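Review bot: Adding ".mil" with status "current" to a table under the heading "DMARC PSD Registry Examples" makes the table read as a live snapshot of the [psddmarc.org] registry rather than an illustration of its format; say which it is and, if it is a snapshot, give the date, otherwise readers may treat the list as authoritative instead of consulting the registry. Separately, in B.3 "to enable to facilitate identification" should read "to facilitate identification", and "PSL like" and "IANA like" should be hyphenated ("PSL-like", "IANA-like").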
 End of changes. 16 change blocks. 
21 lines changed or deleted 29 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/