On Sat, Nov 21, 2020 at 5:02 PM Murray S. Kucherawy <superu...@gmail.com> wrote:
> On Sat, Nov 21, 2020 at 3:12 PM Douglas E. Foster <fosterd=40bayviewphysicians....@dmarc.ietf.org> wrote:
>
>> - If unregistered domains are tolerated, PSD for DMARC helps address the
>> problem of an unauthorized domain underneath a public suffix, such as
>> "example.uk". But what DMARC policy will solve the problem of an invalid
>> TLD, such as "example.q"?
>
> Why is this a DMARC problem that needs solving?
>
>> - If unregistered domains are tolerated, then a limited-scope tree walk
>> becomes unusable. A spammer would be able to fabricate a few levels of
>> non-existent subdomains, and suddenly PayPal.com becomes a domain tree with
>> no detectable DMARC policy.
>
> You're going to have to give us an example of what you're imagining here.
> Presumably fabricating a few levels of non-existent subdomains of
> paypal.com would look like foo.bar.baz.paypal.com; a simple tree walk
> then would be to look for records in these places:
>
> foo.bar.baz.paypal.com
> bar.baz.paypal.com
> baz.paypal.com
> paypal.com
>
> I would expect a policy to be present at least at "paypal.com", so the
> walk stops there. How is that "unusable"?

Someone in DNSOP, I think, proposed doing the tree walk in the other direction. The reason: If you're going to get an NXDOMAIN, it is more likely to come earlier, and it's dispositive that way. For instance, if the above sequence is reversed, you would probably get an NXDOMAIN at the second query ("baz.paypal.com") and then you know you don't need to look any further.

-MSK
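The two walk orders discussed in the message above (most-specific-first, as in the foo.bar.baz.paypal.com list, versus organizational-domain-first with NXDOMAIN as a stop signal), as an added simulation that is not part of the thread or of any DMARC implementation. The zone data is constructed: only paypal.com, www.paypal.com and the _dmarc.paypal.com TXT record exist, so nothing exists beneath baz.paypal.com. The resolver stub follows RFC 8020 semantics (NXDOMAIN only when neither the name nor anything beneath it exists); the existence probe with an A query and the stop above the TLD are simplifying assumptions.

```python
"""Simulate two DMARC tree-walk orders against a constructed zone (no real DNS)."""

# Constructed zone: owner name -> {rtype: [rdata]}.  Only these names exist;
# baz.paypal.com and everything beneath it are deliberately absent (assumption).
ZONE = {
    "paypal.com": {"A": ["192.0.2.1"]},               # RFC 5737 documentation address
    "_dmarc.paypal.com": {"TXT": ["v=DMARC1; p=reject"]},
    "www.paypal.com": {"A": ["192.0.2.2"]},
}


def query(name, rtype):
    """Answer a query against ZONE with RFC 8020 semantics.

    NXDOMAIN: neither the name nor any name beneath it exists.
    NOERROR with an empty list: the name exists (possibly as an empty
    non-terminal) but has no records of the requested type.
    """
    if name in ZONE:
        return "NOERROR", ZONE[name].get(rtype, [])
    if any(owner.endswith("." + name) for owner in ZONE):
        return "NOERROR", []          # empty non-terminal: exists, no data
    return "NXDOMAIN", []


def candidates(domain):
    """Names a walk visits, most specific first, e.g.
    foo.bar.baz.paypal.com, bar.baz.paypal.com, baz.paypal.com, paypal.com.
    Assumption: the walk stops above the TLD (no PSD lookup modelled here)."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def bottom_up_walk(domain):
    """Most-specific-first walk, as in the list quoted in the message.
    Returns (policy, number of queries).  Cost grows with every fabricated label."""
    queries = 0
    for name in candidates(domain):
        queries += 1
        rcode, txt = query("_dmarc." + name, "TXT")
        if rcode == "NOERROR" and txt:
            return txt[0], queries
    return None, queries


def top_down_walk(domain):
    """Organizational-domain-first walk (the reversed order).

    Each step first probes the node itself; an NXDOMAIN there is dispositive,
    because RFC 8020 says nothing can exist beneath it, so the walk stops and
    keeps the most specific policy found so far.
    """
    queries = 0
    policy = None
    for name in reversed(candidates(domain)):
        queries += 1
        rcode, _ = query(name, "A")           # existence probe (assumption: A)
        if rcode == "NXDOMAIN":
            break
        queries += 1
        rcode, txt = query("_dmarc." + name, "TXT")
        if rcode == "NOERROR" and txt:
            policy = txt[0]                   # more specific overrides parent
    return policy, queries


if __name__ == "__main__":
    for d in ("foo.bar.baz.paypal.com", "a.b.c.d.e.f.paypal.com"):
        print(d, "bottom-up:", bottom_up_walk(d), "top-down:", top_down_walk(d))
```

For foo.bar.baz.paypal.com the bottom-up walk spends four queries before it reaches the policy at paypal.com, while the top-down walk finds the policy in two and stops on the NXDOMAIN for baz.paypal.com at its third query; with six fabricated labels the bottom-up count rises to seven and the top-down count stays at three, which is the point the message makes about NXDOMAIN being dispositive.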
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc