Using the reverse tree walk for alignment can become disastrous if a PSD publishes a policy record without the PSD=Y flag. Worse yet, organizations would be powerless to defend against its harm. To prevent this harm, the alignment tree walk needs to proceed in the upward direction only. Additionally, we should implement an “org=y” term, so that organizations can indicate that the tree walk should not continue upward. This allows an organization to protect itself against a misconfigured PSD policy.
An upward tree walk also allows us to handle “lease” relationships, where the parent domain and the subdomain are independent entities. The parent entity can indicate an alignment boundary below with the psd=y flag, and the client entity can indicate an alignment boundary above with the org=y flag. I still favor ruling that any alignment also requires a parent-child relationship, but these changes will mitigate the risk of continuing to allow sibling relationships for authentication.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
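An added illustration of the upward-only walk described in the post (not the poster's code, and not any working group draft): the record semantics are assumptions, namely that psd=y marks a public suffix so the organizational domain is the domain one label below it, and that org=y marks an organizational boundary that stops the walk. The three constructed record sets reproduce the PSD-without-psd=y hazard and the org=y defence against it.

```python
"""Upward-only DMARC alignment tree walk honouring psd=y and org=y.

Added example, not the poster's code. Record semantics are assumptions:
psd=y = public suffix, so the org domain is the child one step below it;
org=y = organizational boundary, the walk never looks above it.
"""

def parse_tags(txt):
    """Turn 'v=DMARC1; p=reject; psd=y' into {'v': 'dmarc1', 'p': 'reject', 'psd': 'y'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags

def organizational_domain(domain, records):
    """Walk from `domain` toward the root. `records` maps '_dmarc.<name>' to TXT."""
    labels = domain.lower().rstrip(".").split(".")
    longest_with_record = None
    prev = None  # the domain visited one step below the current one
    for i in range(len(labels)):
        cur = ".".join(labels[i:])
        txt = records.get("_dmarc." + cur)
        if txt is not None:
            tags = parse_tags(txt)
            if tags.get("psd") == "y":
                return prev or cur      # boundary below the PSD: its child is the org
            if tags.get("org") == "y":
                return cur              # organization asserts its own boundary
            longest_with_record = cur   # fallback if no boundary flag is ever seen
        prev = cur
    return longest_with_record or domain.lower()

def aligned(from_domain, auth_domain, records):
    """Relaxed alignment: both domains resolve to the same organizational domain."""
    return organizational_domain(from_domain, records) == organizational_domain(auth_domain, records)

# Constructed records for illustration (not real domains).
GOOD = {
    "_dmarc.co.example": "v=DMARC1; p=reject; psd=y",          # PSD correctly flagged
    "_dmarc.bank.co.example": "v=DMARC1; p=reject",
    "_dmarc.hosting.example": "v=DMARC1; p=none",              # independent parent ("lease")
    "_dmarc.tenant.hosting.example": "v=DMARC1; p=quarantine; org=y",
}
# Same PSD, but its operator forgot psd=y: every customer of co.example now "aligns".
MISSING_PSD = dict(GOOD, **{"_dmarc.co.example": "v=DMARC1; p=reject"})
# The organization protects itself with org=y despite the broken PSD record.
SELF_PROTECTED = dict(MISSING_PSD, **{"_dmarc.bank.co.example": "v=DMARC1; p=reject; org=y"})
```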