On Sat, Nov 21, 2020 at 5:02 PM Murray S. Kucherawy <superu...@gmail.com>
wrote:

> On Sat, Nov 21, 2020 at 3:12 PM Douglas E. Foster <fosterd=
> 40bayviewphysicians....@dmarc.ietf.org> wrote:
>
>> - If unregistered domains are tolerated, PSD for DMARC helps address the
>> problem of an unauthorized domains underneath a public suffix, such as "
>> example.uk".  But what DMARC policy will solve the problem of an invalid
>> TLD, such as "example.q"?
>>
>
> Why is this a DMARC problem that needs solving?
>
>> - If unregistered domains are tolerated, then a limited-scope tree walk
>> becomes unusable. A spammer would be able to fabricate a few levels of
>> non-existent subdomains, and suddenly PayPal.com becomes a domain tree with
>> no detectable DMARC policy.
>>
>
> You're going to have to give us an example of what you're imagining here.
> Presumably fabricating a few levels of non-existent subdomains of
> paypal.com would look like foo.bar.baz.paypal.com; a simple tree walk
> then would be to look for records in these places:
>
> foo.bar.baz.paypal.com
> bar.baz.paypal.com
> baz.paypal.com
> paypal.com
>
> I would expect a policy to be present at least at "paypal.com", so the
> walk stops there.  How is that "unusable"?
>

Someone in DNSOP, I think, proposed doing the tree walk in the other
direction.  The reason: If you're going to get an NXDOMAIN, it is more
likely to come earlier, and it's dispositive that way.  For instance, if
the above sequence is reversed, you would probably get an NXDOMAIN at the
second query ("baz.paypal.com") and then you know you don't need to look
any further.

-MSK
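The two walk orders discussed above, as an added example that is not from this thread or from any DMARC implementation: a constructed in-memory stub stands in for DNS, and each walk returns the policy it settles on plus the number of queries it spent, so the NXDOMAIN short-cut can be seen in numbers.

```python
# Added example: simulated DMARC tree walk, leaf-up versus org-domain-down.
# STUB_DNS is constructed data, not real zone content.
NXDOMAIN = object()  # sentinel: the name does not exist at all

# name -> DMARC TXT record, or NXDOMAIN.  Names absent from the map are
# treated as existing without a _dmarc record (an empty NOERROR answer).
STUB_DNS = {
    "paypal.com": "v=DMARC1; p=reject",
    "mail.paypal.com": "v=DMARC1; p=none",
    "baz.paypal.com": NXDOMAIN,
}


def lookup_dmarc(name):
    """Return the record for name, None if absent, or NXDOMAIN if the name
    or any ancestor is NXDOMAIN (RFC 8020: an NXDOMAIN ancestor empties
    the whole subtree, which is what makes the answer dispositive)."""
    labels = name.split(".")
    for i in range(len(labels)):
        if STUB_DNS.get(".".join(labels[i:])) is NXDOMAIN:
            return NXDOMAIN
    return STUB_DNS.get(name)


def candidates(name):
    """All suffixes with at least two labels, leaf first, as in the
    foo.bar.baz.paypal.com list above (the bare TLD is not queried)."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def walk_bottom_up(name):
    """Leaf toward the organizational domain.  An NXDOMAIN for a child says
    nothing about its parents, so the walk cannot stop early on one."""
    queries = 0
    for cand in candidates(name):
        queries += 1
        rec = lookup_dmarc(cand)
        if rec is not NXDOMAIN and rec is not None:
            return rec, queries
    return None, queries


def walk_top_down(name):
    """Organizational domain toward the leaf.  Keep the deepest policy seen
    (closest to the From domain); the first NXDOMAIN ends the walk."""
    queries, found = 0, None
    for cand in reversed(candidates(name)):
        queries += 1
        rec = lookup_dmarc(cand)
        if rec is NXDOMAIN:
            break
        if rec is not None:
            found = rec
    return found, queries
```

Both orders agree on the policy; the fabricated-subdomain case costs the leaf-up walk four queries and the org-down walk two, while a real subdomain whose policy sits near the leaf flips that trade-off.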
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc