draft-ietf-dmarc-psd-06.txt   draft-ietf-dmarc-psd-07.txt 
Network Working Group S. Kitterman Network Working Group S. Kitterman
Internet-Draft fTLD Registry Services Internet-Draft fTLD Registry Services
Intended status: Experimental August 10, 2019 Intended status: Experimental October 14, 2019
Expires: February 11, 2020 Expires: April 16, 2020
DMARC (Domain-based Message Authentication, Reporting, and Conformance) DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Extension For PSDs (Public Suffix Domains) Extension For PSDs (Public Suffix Domains)
draft-ietf-dmarc-psd-06 draft-ietf-dmarc-psd-07
Abstract Abstract
DMARC (Domain-based Message Authentication, Reporting, and DMARC (Domain-based Message Authentication, Reporting, and
Conformance) is a scalable mechanism by which a mail-originating Conformance) is a scalable mechanism by which a mail-originating
organization can express domain-level policies and preferences for organization can express domain-level policies and preferences for
message validation, disposition, and reporting, that a mail-receiving message validation, disposition, and reporting, that a mail-receiving
organization can use to improve mail handling. The design of DMARC organization can use to improve mail handling. The design of DMARC
presumes that domain names represent either nodes in the tree below presumes that domain names represent either nodes in the tree below
which registrations occur, or nodes where registrations have which registrations occur, or nodes where registrations have
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 11, 2020. This Internet-Draft will expire on April 16, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 51 skipping to change at page 2, line 51
6.1. Subdomain Policy Tag . . . . . . . . . . . . . . . . . . 9 6.1. Subdomain Policy Tag . . . . . . . . . . . . . . . . . . 9
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. The Experiment . . . . . . . . . . . . . . . . . . . 11 Appendix A. The Experiment . . . . . . . . . . . . . . . . . . . 11
A.1. PSD DMARC Privacy Concern Mitigation . . . . . . . . . . 11 A.1. PSD DMARC Privacy Concern Mitigation . . . . . . . . . . 11
A.2. Non-Existent Subdomain Policy . . . . . . . . . . . . . . 12 A.2. Non-Existent Subdomain Policy . . . . . . . . . . . . . . 12
Appendix B. DMARC PSD Registry Examples . . . . . . . . . . . . 12 Appendix B. DMARC PSD Registry Examples . . . . . . . . . . . . 12
B.1. DMARC PSD DNS Query Service . . . . . . . . . . . . . . . 13 B.1. DMARC PSD DNS Query Service . . . . . . . . . . . . . . . 13
B.2. DMARC Public Suffix Domain (PSD) Registry . . . . . . . . 13 B.2. DMARC Public Suffix Domain (PSD) Registry . . . . . . . . 13
Appendix C. Implementation . . . . . . . . . . . . . . . . . . . 13 B.3. DMARC PSD PSL Extension . . . . . . . . . . . . . . . . . 13
C.1. Authheaders Module . . . . . . . . . . . . . . . . . . . 13 Appendix C. Implementations . . . . . . . . . . . . . . . . . . 14
C.1. Authheaders Module . . . . . . . . . . . . . . . . . . . 14
C.2. Zdkimfilter Module . . . . . . . . . . . . . . . . . . . 14
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction 1. Introduction
DMARC [RFC7489] provides a mechanism for publishing organizational DMARC [RFC7489] provides a mechanism for publishing organizational
policy information to email receivers. DMARC allows policy to be policy information to email receivers. DMARC allows policy to be
specified for both individual domains and for organizational domains specified for both individual domains and for organizational domains
and their sub-domains within a single organization. DMARC leverages and their sub-domains within a single organization. DMARC leverages
public suffix lists to determine which domains are organizational public suffix lists to determine which domains are organizational
skipping to change at page 5, line 43 skipping to change at page 5, line 44
tree at which to register domain names "owned" by independent tree at which to register domain names "owned" by independent
organizations. Real-world examples are ".com", ".org", ".us", and organizations. Real-world examples are ".com", ".org", ".us", and
".gov.uk". Names at which such registrations occur are called Public ".gov.uk". Names at which such registrations occur are called Public
Suffix Domains (PSDs), and a registration consists of a label Suffix Domains (PSDs), and a registration consists of a label
selected by the registrant to which a desirable PSD is appended. For selected by the registrant to which a desirable PSD is appended. For
example, "ietf.org" is a registered domain name, and ".org" is its example, "ietf.org" is a registered domain name, and ".org" is its
PSD. PSD.
2.3. Longest PSD 2.3. Longest PSD
The longest PSD is the PSD matching more labels in the domain name The longest PSD is the Organizational Domain with one label removed.
under evaluation than any other public suffix list entry.
2.4. Public Suffix Operator (PSO) 2.4. Public Suffix Operator (PSO)
A Public Suffix Operator manages operations within its PSD. A Public Suffix Operator manages operations within its PSD.
2.5. PSO Controlled Domain Names 2.5. PSO Controlled Domain Names
PSO Controlled Domain Names are names in the DNS that are managed by PSO Controlled Domain Names are names in the DNS that are managed by
a PSO and are not available for use as Organizational Domains (the a PSO and are not available for use as Organizational Domains (the
term Organizational Domains is defined in DMARC [RFC7489] term Organizational Domains is defined in DMARC [RFC7489]
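Review bot: the new Section 2.3 definition, "the Organizational Domain with one label removed", makes "Longest PSD" depend on the Organizational Domain derivation in RFC 7489 (Section 3.2) rather than on a direct public suffix list match, so it is only equivalent to the -06 wording when the receiver uses the same public suffix list for both steps; say so explicitly and cross-reference that derivation, and state how the term applies when the domain under evaluation is itself a PSO Controlled Domain Name (e.g. a From domain of "gov.uk"), since there the Organizational Domain derivation does not yield a registered domain and removing a label lands on the parent suffix instead of the intended PSD.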
skipping to change at page 13, line 40 skipping to change at page 13, line 40
+-------------+---------------+ +-------------+---------------+
| PSD | Status | | PSD | Status |
+-------------+---------------+ +-------------+---------------+
| .bank | current | | .bank | current |
+-------------+---------------+ +-------------+---------------+
| .insurance | current | | .insurance | current |
+-------------+---------------+ +-------------+---------------+
| .gov.uk | current | | .gov.uk | current |
+-------------+---------------+ +-------------+---------------+
Appendix C. Implementation B.3. DMARC PSD PSL Extension
There is one known implementation of PSD DMARC available for testing. [psddmarc.org] provides a PSL like file to enable to facilitate
identification of PSD DMARC participants. Contents are functionally
identical to the IANA like registry, but presented in a different
format.
When using this approach, the input domain of the extension lookup is
supposed to be the output domain of the regular PSL lookup, i.e. the
organizational domain. This alternative data approach is potentially
useful since DMARC implementations already need to be able to parse
the data format, so it should be easier to implement.
Appendix C. Implementations
There are two known implementations of PSD DMARC available for
testing.
C.1. Authheaders Module C.1. Authheaders Module
The authheaders Python module and command line tool is available for The authheaders Python module and command line tool is available for
download or installation from Pypi (Python Packaging Index). download or installation from Pypi (Python Packaging Index).
It supports both use of the DNS based query service and download of It supports both use of the DNS based query service and download of
the CSV registry file from [psddmarc.org]. the CSV registry file from [psddmarc.org].
C.2. Zdkimfilter Module
The zdkimfilter module is a separately available add-on to Courier-
MTA.
Mostly used for DKIM signing, it can be configured to also verify,
apply DMARC policies, and send aggregate reports. For PSD DMARC it
uses the PSL extension list approach, which is available from from
[psddmarc.org]
Acknowledgements Acknowledgements
Thanks to the following individuals for their contributions (both Thanks to the following individuals for their contributions (both
public and private) to improving this document. Special shout out to public and private) to improving this document. Special shout out to
Dave Crocker for naming the beast. Dave Crocker for naming the beast.
Kurt Andersen, Seth Blank, Dave Crocker, Heather Diaz, Tim Draegen, Kurt Andersen, Seth Blank, Dave Crocker, Heather Diaz, Tim Draegen,
Zeke Hendrickson, Andrew Kennedy, John Levine, Dr Ian Levy, Craig Zeke Hendrickson, Andrew Kennedy, John Levine, Dr Ian Levy, Craig
Schwartz, Alessandro Vesely, and Tim Wicinski Schwartz, Alessandro Vesely, and Tim Wicinski
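Review bot: Appendix B.3 reads "a PSL like file to enable to facilitate identification" and Appendix C.2 reads "available from from [psddmarc.org]" with no terminating period; drop the stray "to enable" and the duplicated "from", hyphenate "PSL-like" and "IANA-like", and add the missing period. B.3 should also state what the extension lookup returns: it says only that its input is the output of the regular PSL lookup (the Organizational Domain), leaving the reader to infer that a match means the Organizational Domain's parent is a participating PSD, and a one-line illustration using one of the B.2 registry entries (".bank" or ".gov.uk") would settle that. Finally, since C.2 cites the same source as C.1, the two appendices should use the same citation form ("[psddmarc.org]") and the same description of the data it serves, so a reader can tell the CSV registry file of C.1 from the PSL extension list of C.2.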
 End of changes. 8 change blocks. 
11 lines changed or deleted 35 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/