On 5/4/2014 3:32 PM, Michael Richardson wrote:
> Uhm, there is a limit on how big a TXT record can be.
> As far as I can see, I have to list all the mailing lists into asl=
If it fits your "Small scale" needs, ok. But the complete solution is
with both ASL and/or the ATPS proposal.
ASL is a "smaller scale" solution using an "asl=" tag list of domains
fitting as much as you can into a 512 byte TXT record without forcing
a UDP->TCP fallback query switch.
For larger scale needs, the ATPS method is to have one TXT record per
authorized 3rd party signer domain. Is that OK? Can that be improved?
This would be the suggested DMARC compliant receiver's Check Signing
Practice (CSP) procedure for DMARC with the extended ASL, ATPS support:
1) Obtain the 5322.From header AUTHOR-DOMAIN and perform a
DNS TXT query for "_dmarc.AUTHOR-DOMAIN" to obtain a
policy record.
If no DMARC record is found (NXDOMAIN),
return result DMARC=NONE
2) Obtain the 5322.DKIM-Signature header SIGNER-DOMAIN and
compare with the AUTHOR-DOMAIN.
If the two domains are the same,
return DMARC=PASS (authorized 1st party signer).
Otherwise, continue with third-party authorization checking.
3) If the DMARC record "asl=" tag is present, check the
SIGNER-DOMAIN within the "asl=" list of domains.
If SIGNER-DOMAIN is found in the "asl=" list,
return DMARC=PASS (authorized 3rd party signer).
4) If an atps=y tag is present, perform the steps as outlined
in ATPS (RFC6541) which is to lookup the TXT record existence
for:
base32(sha1(SIGNER-DOMAIN))._atps.AUTHOR-DOMAIN
If the TXT record exists,
return DMARC=PASS (authorized 3rd party signer)
5) return DMARC=FAIL (unauthorized signer).
--
HLS
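The receiver-side CSP procedure above, carried through as an added example (not code from the thread or from any DMARC implementation). It stands in a constructed in-memory zone for live DNS; the resolver signature, the `v=ATPS1` record body, and lowercasing the signer domain before hashing are assumptions.

```python
import base64
import hashlib

# Constructed zone data standing in for live DNS (assumption: the resolver
# returns a list of TXT strings, or None when the name does not exist).
ZONE = {
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; asl=lists.example.org,newsletter.example.net; atps=y"
    ],
}

def atps_label(signer_domain):
    # RFC 6541 lookup label: base32(sha1(SIGNER-DOMAIN)). Lowercasing the
    # domain first is an assumption about canonicalization. SHA-1 is 20
    # bytes, so base32 yields exactly 32 characters with no padding.
    digest = hashlib.sha1(signer_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii")

# Authorize the constructed signer "bigmailer.example" via an ATPS record.
ZONE[(atps_label("bigmailer.example") + "._atps.example.com").lower()] = ["v=ATPS1"]

def lookup_txt(name):
    # DNS names are case-insensitive; None models NXDOMAIN.
    return ZONE.get(name.lower())

def parse_tags(record):
    # "tag=value; tag=value" into a dict keyed by lowercase tag name.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_signing_practice(author_domain, signer_domain, lookup=lookup_txt):
    author = author_domain.lower()
    signer = signer_domain.lower()
    # Step 1: fetch the DMARC policy record for the 5322.From domain.
    record = lookup("_dmarc." + author)
    if not record:
        return ("NONE", "no DMARC record")
    tags = parse_tags(record[0])
    # Step 2: first-party signature.
    if signer == author:
        return ("PASS", "authorized 1st party signer")
    # Step 3: explicit asl= list of authorized signer domains.
    asl = [d.strip().lower() for d in tags.get("asl", "").split(",") if d.strip()]
    if signer in asl:
        return ("PASS", "authorized 3rd party signer (asl)")
    # Step 4: ATPS hashed-label lookup, only when atps=y is present.
    if tags.get("atps", "").lower() == "y":
        if lookup(atps_label(signer) + "._atps." + author):
            return ("PASS", "authorized 3rd party signer (atps)")
    # Step 5: nothing authorized this signer.
    return ("FAIL", "unauthorized signer")
```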
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822