On Mon 29/Aug/2022 19:54:31 +0200 Todd Herr wrote:
On Mon, Aug 29, 2022 at 1:29 PM Alessandro Vesely <[email protected]> wrote:

My understanding is that psd=y is ignored when it is the first step in a tree walk. That way you can have From: [email protected] authenticated by d=example.com, or helo=mailout.example.com on a bounce.
I'm curious as to why this is your understanding, because this is how the psd tag and its value of y are currently described in section 5.2, DMARC URIs:

psd:

A flag indicating whether the domain is a PSD. (plain-text; OPTIONAL; default is 'u'). Possible values are:
y:
PSOs include this tag with a value of 'y' to indicate that the domain is a PSD. If a record containing this tag with a value of 'y' is found during policy discovery, this information will be used to determine the Organizational Domain and policy domain applicable to the message in question.

<https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-5.3-4.12.1>


Perhaps this can be amended by s/will be used/can be used/?


Meanwhile, the tree walk is described in section 4.6 in this way:

<https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-4.6-5>

    1. Query the DNS for a DMARC TXT record at the DNS domain matching the one
       found in the domain(s) described above. A possibly empty set of records is
       returned.

    2. Records that do not start with a "v=" tag that identifies the current
       version of DMARC are discarded. If multiple DMARC records are returned,
       they are all discarded. If a single record remains and it contains a
       "psd=n" tag, stop.

    3. Determine the target for additional queries (if needed; see the note in
       Section 4.8
       <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#organizational-domain-discovery>),
       using steps 4 through 8 below.

    4. Break the subject DNS domain name into a set of "n" ordered labels.
       Number these labels from right to left; e.g., for "a.mail.example.com",
       "com" would be label 1, "example" would be label 2, "mail" would be label
       3, and so forth.

    5. Count the number of labels found in the subject DNS domain. Let that
       number be "x". If x < 5, remove the left-most (highest-numbered) label from
       the subject domain. If x >= 5, remove the left-most (highest-numbered)
       labels from the subject domain until 4 labels remain. The resulting DNS
       domain name is the new target for subsequent lookups.

    6. Query the DNS for a DMARC TXT record at the DNS domain matching this new
       target in place of the RFC5322.From domain in the message. A possibly empty
       set of records is returned.

    7. Records that do not start with a "v=" tag that identifies the current
       version of DMARC are discarded. If multiple DMARC records are returned for
       a single target, they are all discarded. If a single record remains and it
       contains a "psd=n" or "psd=y" tag, stop.


Note that this step won't be taken, because psd.example.com has a psd=y tag,
but example.com doesn't.


    8. Determine the target for additional queries by removing a single label
       from the target domain as described in step 5 and repeating steps 6 and 7
       until the process stops or there are no more labels remaining.

Step 2 seems to contain an implicit assumption that the first record
queried for will never contain "psd=y", but perhaps it should have as its
final sentence the same wording as step 7, i.e., "If a single record
remains and it contains a 'psd=n' or 'psd=y' tag, stop"?


If step 2 had the same requirements, it could have well been inside the loop.

The next section is even more explicit:

 If a valid DMARC record, other than the one for the domain where the tree
 walk started, contains the psd= tag set to 'y' (psd=y), the Organizational
 Domain is the domain one label below this one in the DNS hierarchy, and
 the selection process is complete.
 https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-17.html#section-4.8

Thus the org domain is example.com.


Best
Ale
--
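As an added example (not code from the draft or from either poster), here is a small Python model of the tree-walk steps quoted above together with the Section 4.8 psd=y rule, run against constructed DNS data in which psd.example.com carries psd=y and example.com has no record. The domain names and the in-memory DNS table are assumptions made for the example.

```python
from typing import Dict, List, Optional, Tuple
# Constructed zone data (hypothetical): domain -> TXT records. example.com has
# no record and psd.example.com carries psd=y, as in the scenario discussed.
DNS: Dict[str, List[str]] = {
    "psd.example.com": ["v=DMARC1; p=none; psd=y"],
    "corp.example": ["v=DMARC1; p=reject; psd=n"],
    "dup.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
}

def parse_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, tag names lower-cased."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def select_record(domain: str) -> Optional[Dict[str, str]]:
    """Steps 2/7: keep only records starting with v=DMARC1; >1 record -> none."""
    found = [parse_record(r) for r in DNS.get(domain, [])
             if r.strip().startswith("v=DMARC1")]
    return found[0] if len(found) == 1 else None

def tree_walk(domain: str) -> Tuple[List[str], Optional[str]]:
    """Return (domains queried in order, domain whose record stopped the walk)."""
    queried = [domain]
    rec = select_record(domain)                        # steps 1-2
    if rec and rec.get("psd") == "n":                  # step 2 stops on psd=n only
        return queried, domain
    labels = domain.split(".")                         # step 4
    target = labels[-4:] if len(labels) >= 5 else labels[1:]   # step 5
    while target:                                      # steps 6-8
        name = ".".join(target)
        queried.append(name)
        rec = select_record(name)
        if rec and rec.get("psd") in ("n", "y"):       # step 7: psd=n or psd=y stops
            return queried, name
        target = target[1:]                            # step 8: drop one more label
    return queried, None

def org_domain_from_psd_y(domain: str) -> Optional[str]:
    """Section 4.8 rule quoted in the thread: psd=y on a domain other than the
    starting one puts the Org Domain one label below it. Other 4.8 rules not modelled."""
    _, stop = tree_walk(domain)
    if stop is None or stop == domain or select_record(stop).get("psd") != "y":
        return None
    n = len(stop.split("."))
    return ".".join(domain.split(".")[-(n + 1):])     # one label below the psd=y domain
```

Starting the walk at psd.example.com itself never stops on its own psd=y under step 2, so the walk continues through example.com and com and the 4.8 psd=y rule does not apply.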
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc