On Sat, Nov 21, 2020 at 3:12 PM Douglas E. Foster <fosterd=
40bayviewphysicians....@dmarc.ietf.org> wrote:

> - If unregistered domains are tolerated, PSD for DMARC helps address the
> problem of unauthorized domains underneath a public suffix, such as "
> example.uk".  But what DMARC policy will solve the problem of an invalid
> TLD, such as "example.q"?
>

Why is this a DMARC problem that needs solving?

> - If unregistered domains are tolerated, then a limited-scope tree walk
> becomes unusable. A spammer would be able to fabricate a few levels of
> non-existent subdomains, and suddenly PayPal.com becomes a domain tree with
> no detectable DMARC policy.
>

You're going to have to give us an example of what you're imagining here.
Presumably fabricating a few levels of non-existent subdomains of paypal.com
would look like foo.bar.baz.paypal.com; a simple tree walk then would be to
look for records in these places:

foo.bar.baz.paypal.com
bar.baz.paypal.com
baz.paypal.com
paypal.com

I would expect a policy to be present at least at "paypal.com", so the walk
stops there.  How is that "unusable"?

The PSL mechanism is a heuristic allowing a short-cut from the top one to
the bottom one, so there are only two lookups, based on the PSL which
provides a hint about where to jump after the first query.  But the PSL has
aspects of its management that are not desirable, and the tree walk is an
alternative.

> Besides, a scope-limited tree walk conflicts with the requirements of PSD
> for DMARC.
>

Well sure; as I understand it, a tree walk would obviate the need for PSD.

> An unlimited-scope tree walk has performance risks to both the evaluator
> and the DNS infrastructure.
>

So the theory goes.  I believe what John is saying is that he's asked the
DNS community, and they no longer think it's a concern, which means we
don't need to worry at least about the latter, and the former is probably
at least partially resolved by caching.

-MSK
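The tree walk sketched in the reply above, next to a depth-limited variant and the PSL short-cut it is contrasted with, as an added example that is not code from the thread or from any DMARC implementation; the DMARC records and public-suffix entries are constructed stand-ins for DNS and the PSL.

```python
# Constructed stand-in for TXT lookups at _dmarc.<name> (not real DNS data).
DNS_TXT = {
    "_dmarc.paypal.com": "v=DMARC1; p=reject",
    "_dmarc.mail.paypal.com": "v=DMARC1; p=quarantine",
}
# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}


def lookup_dmarc(name):
    """Return the DMARC record published at _dmarc.<name>, or None."""
    rec = DNS_TXT.get("_dmarc." + name)
    return rec if rec and rec.startswith("v=DMARC1") else None


def tree_walk(domain, max_lookups=None):
    """Query _dmarc at the full name, then strip one label at a time until a
    record is found or no labels remain. Returns (name, record, lookups).
    max_lookups=None is unlimited; a small value models a scope-limited walk."""
    labels = domain.lower().rstrip(".").split(".")
    lookups = 0
    for i in range(len(labels)):
        if max_lookups is not None and lookups >= max_lookups:
            break  # scope exhausted before reaching a policy
        candidate = ".".join(labels[i:])
        lookups += 1
        rec = lookup_dmarc(candidate)
        if rec:
            return candidate, rec, lookups
    return None, None, lookups


def org_domain(domain):
    """PSL heuristic: one label below the longest matching public suffix."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None  # no known suffix, e.g. an invalid TLD such as "example.q"


def psl_shortcut(domain):
    """Query the full name, then jump to the PSL's organizational domain."""
    domain = domain.lower().rstrip(".")
    rec = lookup_dmarc(domain)
    if rec:
        return domain, rec, 1
    org = org_domain(domain)
    if org is None or org == domain:
        return None, None, 1
    rec = lookup_dmarc(org)
    return (org, rec, 2) if rec else (None, None, 2)
```

With the constructed data, fabricated labels under paypal.com still resolve to the paypal.com policy under an unlimited walk, while a walk capped at two lookups gives up first; the walk also finds a subdomain policy (mail.paypal.com) that the two-lookup PSL short-cut skips.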
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
