Opened 15 months ago

Closed 10 months ago

Last modified 10 months ago

#114 closed enhancement (wontfix)

RFC 8020 implementation is lacking

Reported by: dougfoster.emailstandards@… Owned by:
Priority: minor Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-bis Version:
Severity: - Keywords:
Cc:

Description

Regarding this section:

3.8. Non-existent Domains

For DMARC purposes, a non-existent domain is a domain for which there
is an NXDOMAIN or NODATA response for A, AAAA, and MX records. This
is a broader definition than that in [RFC8020].

It seems worth noting that RFC 8020 is not reliably implemented, so that following RFC 8020 is not really an option.

In fact, I have not been able to find a DNS server which does comply with RFC 8020. My working example is email3.reachmd.com, and its child entry sg.email3.reachmd.com (a CNAME record). I have tested 8.8.8.8, 1.1.1.1, and an authoritative server for reachmd.com, and all return NXDomain. The child record is a CNAME which (depending on the moment) either returns an IP address or "No Data".
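An added example, not code from the ticket or from the dmarc-bis draft: a mock resolver over a constructed zone showing how the DMARC definition quoted above classifies email3.reachmd.com as non-existent whether the server answers NODATA for the empty non-terminal (RFC 8020 style) or NXDOMAIN (what the reporter observed), while sg.email3.reachmd.com is judged by what its CNAME target returns. The zone contents and the CNAME target sendgrid.example are assumptions.

```python
"""Classify names as 'non-existent' under the DMARC-bis 3.8 definition:
NXDOMAIN or NODATA for all of A, AAAA and MX.  Constructed example."""
from enum import Enum

class Rcode(Enum):
    DATA = "data"          # NOERROR with records of the requested type
    NODATA = "nodata"      # NOERROR, name exists, no records of that type
    NXDOMAIN = "nxdomain"  # name does not exist

# Constructed zone: owner name -> {rrtype: [rdata]}.  email3.reachmd.com owns
# no records itself; it is an empty non-terminal because sg.email3 sits below.
ZONE = {
    "reachmd.com.": {"MX": ["10 mail.reachmd.com."]},
    "sg.email3.reachmd.com.": {"CNAME": ["sendgrid.example."]},
    "sendgrid.example.": {"A": ["192.0.2.10"]},   # assumed CNAME target
}

def query(name, rrtype, zone=ZONE, rfc8020=True):
    """Mock authoritative lookup that follows a CNAME. Returns (Rcode, rdata)."""
    name = name.rstrip(".") + "."
    rrsets = zone.get(name, {})
    if "CNAME" in rrsets and rrtype != "CNAME":
        return query(rrsets["CNAME"][0], rrtype, zone, rfc8020)
    if rrtype in rrsets:
        return Rcode.DATA, rrsets[rrtype]
    if rrsets:                       # name exists, but with other types only
        return Rcode.NODATA, []
    # Empty non-terminal: names exist below it.  An RFC 8020-style server
    # answers NODATA; the legacy behaviour the reporter saw is NXDOMAIN.
    if rfc8020 and any(n.endswith("." + name) for n in zone):
        return Rcode.NODATA, []
    return Rcode.NXDOMAIN, []

def is_nonexistent_for_dmarc(name, zone=ZONE, rfc8020=True):
    """DMARC-bis 3.8: non-existent iff no A, AAAA or MX data is returned,
    regardless of whether the denial came as NXDOMAIN or NODATA."""
    return all(query(name, t, zone, rfc8020)[0] is not Rcode.DATA
               for t in ("A", "AAAA", "MX"))

if __name__ == "__main__":
    for mode in (True, False):
        print("rfc8020" if mode else "legacy ",
              query("email3.reachmd.com", "A", rfc8020=mode)[0].value,
              is_nonexistent_for_dmarc("email3.reachmd.com", rfc8020=mode))
```

Because the DMARC test only asks whether any A, AAAA or MX data came back, the server's choice between NXDOMAIN and NODATA for the empty non-terminal does not change the verdict.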

Change History (4)

comment:1 Changed 15 months ago by tjw.ietf@…

RFC 8020 support should come from the authoritative servers. Any recursive server will cache what the authoritative server returns.

comment:2 Changed 10 months ago by todd.herr@…

...and the authoritative servers for reachmd.com do in fact return NXDOMAIN for email3.reachmd.com:

$ dig reachmd.com ns

; <<>> DiG 9.10.6 <<>> reachmd.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60049
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;reachmd.com.			IN	NS

;; ANSWER SECTION:
reachmd.com.		172800	IN	NS	ns-1228.awsdns-25.org.
reachmd.com.		172800	IN	NS	ns-1670.awsdns-16.co.uk.
reachmd.com.		172800	IN	NS	ns-455.awsdns-56.com.
reachmd.com.		172800	IN	NS	ns-574.awsdns-07.net.

;; ADDITIONAL SECTION:
ns-1228.awsdns-25.org.	20291	IN	A	205.251.196.204
ns-1228.awsdns-25.org.	23478	IN	AAAA	2600:9000:5304:cc00::1
ns-1670.awsdns-16.co.uk. 20000	IN	A	205.251.198.134
ns-1670.awsdns-16.co.uk. 21998	IN	AAAA	2600:9000:5306:8600::1
ns-455.awsdns-56.com.	22341	IN	A	205.251.193.199
ns-455.awsdns-56.com.	24244	IN	AAAA	2600:9000:5301:c700::1
ns-574.awsdns-07.net.	19813	IN	A	205.251.194.62
ns-574.awsdns-07.net.	24367	IN	AAAA	2600:9000:5302:3e00::1

;; Query time: 50 msec
;; SERVER: 2001:558:feed::1#53(2001:558:feed::1)
;; WHEN: Thu Oct 21 16:32:50 EDT 2021
;; MSG SIZE  rcvd: 353

$ dig email3.reachmd.com any @ns-1228.awsdns-25.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.10.6 <<>> email3.reachmd.com any @ns-1228.awsdns-25.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1470
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;email3.reachmd.com.		IN	ANY

;; AUTHORITY SECTION:
reachmd.com.		900	IN	SOA	ns-574.awsdns-07.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 29 msec
;; SERVER: 2600:9000:5304:cc00::1#53(2600:9000:5304:cc00::1)
;; WHEN: Thu Oct 21 16:33:07 EDT 2021
;; MSG SIZE  rcvd: 128

comment:3 Changed 10 months ago by todd.herr@…

  • Resolution set to wontfix
  • Status changed from new to closed

All that said, I don't think there's anything to do here with regard to DMARC.

The quoted text only references RFC 8020 in order to draw a distinction between the definition found in the DMARC spec and what's found there.

Closing this ticket.

comment:4 Changed 10 months ago by todd.herr@…

  • Milestone set to Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide