Opened 2 years ago

Last modified 17 months ago

#37 assigned defect

Address ABNF for sub-domain inherited from DKIM

Reported by: seth@… Owned by: johnl@…
Priority: major Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-bis Version:
Severity: - Keywords:


From Elizabeth Zwicky:

The question I was looking at was domains which DKIM sign with a domain that ends in . which is good DNS practice but bad email practice. That caused me to look at d= and realize that it was written so as to exclude signing for, for instance, any gTLD.

d= The SDID claiming responsibility for an introduction of a message

into the mail stream (plain-text; REQUIRED). Hence, the SDID
value is used to form the query for the public key. The SDID MUST
correspond to a valid DNS name under which the DKIM key record is
published. The conventions and semantics used by a Signer to
create and use a specific SDID are outside the scope of this
specification, as is any use of those conventions and semantics.
When presented with a signature that does not meet these
requirements, Verifiers MUST consider the signature invalid.

Internationalized domain names MUST be encoded as A-labels, as
described in Section 2.3 of [RFC5890].

sig-d-tag = %x64 [FWS] "=" [FWS] domain-name
domain-name = sub-domain 1*("." sub-domain)

; from [RFC5321] Domain,
; excluding address-literal

5321's sub-domain is

sub-domain = Let-dig [Ldh-str]
Let-dig = ALPHA / DIGIT
Ldh-str = *( ALPHA / DIGIT / "-" ) Let-dig

So, no ending in . (fair), must contain . (problematic).

But! 5321's domain is

Domain = sub-domain *("." sub-domain)

note that * != 1* Presumably the reference used to be to to 2821 which does define Domain as

Domain = (sub-domain 1*("." sub-domain)) / address-literal

and when 5321 obsoleted it the reference was updated without checking to see if it remained true.

Change History (4)

comment:1 Changed 2 years ago by seth@…

  • Component changed from rfc7601bis to dmarc-bis

comment:2 Changed 2 years ago by seth@…

  • Owner draft-ietf-dmarc-rfc7601bis@… deleted
  • Status changed from new to assigned

comment:3 Changed 17 months ago by johnl@…

  • Owner set to johnl@…

comment:4 Changed 17 months ago by johnl@…

I don't understand the problem. It's true, DKIM doesn't let you put a TLD in d= which is arguably a mistake, but it's not something DMARC can fix.

I suppose if you want to send aligned mail from a TLD, sign with a 2LD and allow adkim=r.

Last edited 17 months ago by johnl@… (previous) (diff)
Note: See TracTickets for help on using tickets.