Last Call Review of draft-ietf-dmarc-dmarcbis-36
review-ietf-dmarc-dmarcbis-36-secdir-lc-farrell-2024-11-27-00
Request | Review of | draft-ietf-dmarc-dmarcbis |
---|---|---|
Requested revision | No specific revision (document currently at 38) | |
Type | Last Call Review | |
Team | Security Area Directorate (secdir) | |
Deadline | 2024-12-04 | |
Requested | 2024-11-20 | |
Authors | Todd Herr , John R. Levine | |
I-D last updated | 2024-11-27 | |
Completed reviews |
Genart Last Call review of -36
by Ines Robles
(diff)
Artart Last Call review of -36 by Scott Hollenbeck (diff) Secdir Last Call review of -36 by Stephen Farrell (diff) Dnsdir Last Call review of -36 by R. (Miek) Gieben (diff) Dnsdir Telechat review of -38 by R. (Miek) Gieben |
|
Assignment | Reviewer | Stephen Farrell |
State | Completed | |
Request | Last Call review on draft-ietf-dmarc-dmarcbis by Security Area Directorate Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/secdir/Lo6VFAPPtxvjQs7_REWqlbtW4YY | |
Reviewed revision | 36 (document currently at 38) | |
Result | Has issues | |
Completed | 2024-11-27 |
review-ietf-dmarc-dmarcbis-36-secdir-lc-farrell-2024-11-27-00
I'm not on the dmarc wg list, but have followed this work from a distance. (IOW, feel free to correct me if I'm just wrong:-) I think I see two issues with this draft: (1) Recent papers e.g. [1,2] argue that the centralisation of mail means that SPF is by now less useful than originally. Given it's been 9 years since RFC7489, one would assume it'll be a while before this document gets an update, and it seems possibly unwise to still consider SPF as "good enough" for that time period. Shouldn't this draft at least indicate that SPF alone (without DKIM) is unlikely to remain sufficient for a DMARC pass? [1] https://wangchuhan.cn/publication/ndss24-a/ndss24summer_paper_wang.pdf [2] https://arxiv.org/pdf/2302.07287 (2) The tree-walk calls for querying TLDs for TXT RRs. Was that discussed with DNS operators for TLDs? It seems like moving from the PSL to a tree-walk puts work on non-email DNS operators. Would it be useful to offer some guidance to TLD DNS operators as to e.g. publishing a long-TTL TXT RR that'd reduce the amount of work they get, or is that considered (by them) as trivial? Otherwise the draft seems good, if very very wordy.