Created by Jim Popovitch on 2017-08-29 and last modified on 2018-03-13

Two proposed fixes for DMARC testing in Mailman 2.1

1) Test for the dns.resolver.NoNameservers exception when querying the _dmarc.domain.tld RR. This typically means that there is a DNSSEC validation failure for that RR (i.e., a bogus RRSIG). If the Mailman server is running a DNSSEC-validating resolver, the Mailman server will NOT see the _dmarc RR, whereas a subscriber not using a validating resolver would see the _dmarc RR. This potential inconsistency means we should munge the post to prevent potential problems, as DNSSEC validation is becoming more popular.

2) Any additional errors in querying the _dmarc.domain.tld RR should result in the post being munged. The potential for inconsistencies is mitigated by munging posts from sites with DNSSEC inconsistencies.

These 2 conditions will be logged by Mailman.
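
The lookup policy described in the two fixes above, as an added Python 3 example (not the branch's code). The exception classes are local stand-ins named after dnspython's `dns.resolver.NXDOMAIN`, `NoAnswer` and `NoNameservers`; `should_munge`, `query_txt`, the sample zone data, and the treatment of a clean negative answer as "no DMARC policy" are assumptions.

```python
import logging

log = logging.getLogger("dmarc-example")

# Stand-ins named after dnspython's dns.resolver exceptions so the example
# runs offline; with dnspython installed, catch the real classes instead.
class NXDOMAIN(Exception): pass
class NoAnswer(Exception): pass
class NoNameservers(Exception): pass

# Constructed sample zone data, not real lookups.
SAMPLE = {
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:r@strict.example"],
    "_dmarc.bogus.example": NoNameservers(),
    "_dmarc.flaky.example": TimeoutError("timed out"),
}

def sample_query(name):
    answer = SAMPLE.get(name, NXDOMAIN())
    if isinstance(answer, Exception):
        raise answer
    return answer

def should_munge(domain, query_txt):
    """Return (munge, reason); query_txt is a hypothetical name -> TXT list callable."""
    name = "_dmarc." + domain
    try:
        records = query_txt(name)
    except (NXDOMAIN, NoAnswer):
        # Assumption: a clean negative answer means no DMARC policy exists.
        return False, "no record"
    except NoNameservers:
        # Fix 1: all resolvers failed, typically a DNSSEC validation failure.
        # A non-validating subscriber may still see the record, so munge.
        log.warning("possible DNSSEC failure for %s, munging", name)
        return True, "dnssec failure"
    except Exception as exc:
        # Fix 2: any other lookup error also fails toward munging.
        log.warning("DMARC lookup error for %s: %s", name, exc)
        return True, "lookup error"
    for txt in records:
        tags = dict(
            (k.strip().lower(), v.strip().lower())
            for k, _, v in (part.partition("=") for part in txt.split(";"))
            if k.strip()
        )
        if tags.get("v") == "dmarc1" and tags.get("p") in ("reject", "quarantine"):
            return True, "policy " + tags["p"]
    return False, "policy none"
```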

Get this branch:
bzr branch lp:~jimpop/mailman/dmarc-dnssec-validation-fix


Branch information

Jim Popovitch
GNU Mailman

Recent revisions

1723. By Jim Popovitch on 2017-08-29

Improved DMARC testing for domains with DNSSEC validation problems

1722. By Mark Sapiro on 2017-08-02

The Russian translation has been updated by Sergey Matveev.

1721. By Mark Sapiro on 2017-07-31

Show case preserved emails in the roster.

1720. By Mark Sapiro on 2017-07-21

Changed wrapper environment cleaning from blacklist to whitelist.

1719. By Mark Sapiro on 2017-06-24

Added screen reader labels to some admindb radio buttons.

1718. By Mark Sapiro on 2017-06-21

Added text for screen readers only to checkboxes on admin Membership List.

1717. By Mark Sapiro on 2017-06-10

I18n changes for last commits.

1716. By Mark Sapiro on 2017-06-09

Display date of held subscriptions and keep newest.

1715. By Mark Sapiro on 2017-06-08

Reverted another getfirst in the multi-value CGI defence.

1714. By Mark Sapiro on 2017-06-06

Ensure aliases.db and virtual-mailman.db are world readable and owned
by the Mailman user.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)