ietf-wg-dmarc / dmarc-draftissues


RFC 8020 implementation is lacking #114

Closed ietf-svn-bot closed 3 years ago

ietf-svn-bot commented 3 years ago

resolution_wontfix type_enhancement | by dougfoster.emailstandards@gmail.com


Regarding this section:

3.8. Non-existent Domains

For DMARC purposes, a non-existent domain is a domain for which there is an NXDOMAIN or NODATA response for A, AAAA, and MX records. This is a broader definition than that in [RFC8020].

It seems worth noting that RFC 8020 is not reliably implemented, so that following RFC 8020 is not really an option.

In fact, I have not been able to find a DNS server which does comply with RFC 8020. My working example is email3.reachmd.com, and its child entry sg.email3.reachmd.com (a CNAME record). I have tested 8.8.8.8, 1.1.1.1, and an authoritative server for reachmd.com, and all return NXDomain. The child record is a CNAME which (depending on the moment) either returns an IP address or "No Data".


Issue migrated from trac:114 at 2022-01-24 16:54:02 +0000
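As an added illustration (not part of this issue or of the DMARC draft), the stub resolver below applies the Section 3.8 test to a constructed zone and contrasts it with a recursive resolver that honours the RFC 8020 rule. Every name, the `example.com` answer table and the `Rfc8020Resolver` class are assumptions built for the demo; the `email3` / `sg.email3` pair is modelled on the case reported above, where the parent answers NXDOMAIN while the child still resolves.

```python
# Added example (not from the issue or the DMARC spec): a stub resolver that
# applies the DMARC 3.8 definition and, separately, the RFC 8020 rule.
NXDOMAIN, NODATA, DATA = "NXDOMAIN", "NODATA", "DATA"

# Constructed authoritative answers, keyed by (owner name, RR type). A name
# with no entry at all answers NXDOMAIN, like email3 in the report. The data
# is deliberately inconsistent with RFC 8020: sg.email3 has records even
# though its parent email3 is NXDOMAIN, which is the reported situation.
AUTHORITATIVE = {
    ("example.com", "A"): DATA,
    ("example.com", "AAAA"): NODATA,
    ("example.com", "MX"): DATA,
    ("sg.email3.example.com", "A"): DATA,
    ("sg.email3.example.com", "AAAA"): NODATA,
    ("sg.email3.example.com", "MX"): NODATA,
    # A name holding only a TXT record exists in DNS, yet has no A, AAAA
    # or MX data, so the broader DMARC definition calls it non-existent.
    ("txtonly.example.com", "TXT"): DATA,
    ("txtonly.example.com", "A"): NODATA,
    ("txtonly.example.com", "AAAA"): NODATA,
    ("txtonly.example.com", "MX"): NODATA,
}

def authoritative_lookup(name, rrtype):
    """Answer like the authoritative server in the thread: an unknown owner
    name yields NXDOMAIN, a known name without that RR type yields NODATA."""
    if not any(n == name for n, _ in AUTHORITATIVE):
        return NXDOMAIN
    return AUTHORITATIVE.get((name, rrtype), NODATA)

def dmarc_nonexistent(name, lookup=authoritative_lookup):
    """DMARC 3.8: non-existent iff A, AAAA and MX all give NXDOMAIN or NODATA."""
    return all(lookup(name, t) in (NXDOMAIN, NODATA) for t in ("A", "AAAA", "MX"))

class Rfc8020Resolver:
    """Recursive resolver honouring RFC 8020: once it has seen NXDOMAIN for a
    name it answers NXDOMAIN for every name below it without asking upstream."""
    def __init__(self, upstream=authoritative_lookup):
        self.upstream = upstream
        self.nxdomain_cache = set()

    def lookup(self, name, rrtype):
        labels = name.split(".")
        # Any proper ancestor cached as NXDOMAIN covers this name (RFC 8020).
        for i in range(1, len(labels)):
            if ".".join(labels[i:]) in self.nxdomain_cache:
                return NXDOMAIN
        result = self.upstream(name, rrtype)
        if result == NXDOMAIN:
            self.nxdomain_cache.add(name)
        return result
```

Whether `sg.email3.example.com` counts as non-existent therefore depends on whether the resolver has already cached NXDOMAIN for `email3.example.com`, which is exactly the divergence the report describes between resolvers that do and do not implement RFC 8020.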

ietf-svn-bot commented 3 years ago

@tjw.ietf@gmail.com commented


RFC 8020 support should come from the authoritative servers. Any recursive server will cache what the authoritative server returns.

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com commented


...and the authoritative servers for reachmd.com do in fact return NXDOMAIN for email3.reachmd.com:

$ dig reachmd.com ns

; <<>> DiG 9.10.6 <<>> reachmd.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60049
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;reachmd.com.           IN  NS

;; ANSWER SECTION:
reachmd.com.        172800  IN  NS  ns-1228.awsdns-25.org.
reachmd.com.        172800  IN  NS  ns-1670.awsdns-16.co.uk.
reachmd.com.        172800  IN  NS  ns-455.awsdns-56.com.
reachmd.com.        172800  IN  NS  ns-574.awsdns-07.net.

;; ADDITIONAL SECTION:
ns-1228.awsdns-25.org.  20291   IN  A   205.251.196.204
ns-1228.awsdns-25.org.  23478   IN  AAAA    2600:9000:5304:cc00::1
ns-1670.awsdns-16.co.uk. 20000  IN  A   205.251.198.134
ns-1670.awsdns-16.co.uk. 21998  IN  AAAA    2600:9000:5306:8600::1
ns-455.awsdns-56.com.   22341   IN  A   205.251.193.199
ns-455.awsdns-56.com.   24244   IN  AAAA    2600:9000:5301:c700::1
ns-574.awsdns-07.net.   19813   IN  A   205.251.194.62
ns-574.awsdns-07.net.   24367   IN  AAAA    2600:9000:5302:3e00::1

;; Query time: 50 msec
;; SERVER: 2001:558:feed::1#53(2001:558:feed::1)
;; WHEN: Thu Oct 21 16:32:50 EDT 2021
;; MSG SIZE  rcvd: 353

$ dig email3.reachmd.com any @ns-1228.awsdns-25.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.10.6 <<>> email3.reachmd.com any @ns-1228.awsdns-25.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1470
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;email3.reachmd.com.        IN  ANY

;; AUTHORITY SECTION:
reachmd.com.        900 IN  SOA ns-574.awsdns-07.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 29 msec
;; SERVER: 2600:9000:5304:cc00::1#53(2600:9000:5304:cc00::1)
;; WHEN: Thu Oct 21 16:33:07 EDT 2021
;; MSG SIZE  rcvd: 128
ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com changed status from new to closed

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com set resolution to wontfix

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com commented


All that said, I don't think there's anything to do here with regard to DMARC.

The quoted text only references RFC 8020 in order to draw a distinction between the definition found in the DMARC spec and what's found there.

Closing this ticket.

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com set milestone to Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide