Clarity: The two types of tree walks have different starting conditions, different ending conditions, and different processing tasks at each iteration. So I think clarity will be improved by describing them separately.
Efficiency: The purpose of the secondary tree walk is to confirm alignment, by demonstrating that the organization subtree contains no organization boundaries between the SPF/DKIM domain and the previously-located organizational domain. This is a rare event, as a percentage of all messages. My wild estimate is that an evaluator will perform a million alignment walks to detect one non-aligned identifier. This seems like an unfortunate inefficiency.

The inefficiency is avoidable if we allow the domain owner to use the organizational domain policy to tell us that the subtree has no sub-organizations. We already trust the opposite -- if an organization subtree has a private registry, the domain owner will ensure that the boundary is explicitly tagged with psd tokens. Consequently, there is no difference in risk to believe a domain owner if he asserts that there are no sub-organizations lurking in his tree. We just need to provide him with a token to communicate this information.

DF

On Tue, Jun 21, 2022 at 10:26 PM Scott Kitterman <skl...@kitterman.com> wrote:

>
>
> On June 22, 2022 2:11:56 AM UTC, John Levine <jo...@taugh.com> wrote:
> >It appears that Scott Kitterman <skl...@kitterman.com> said:
> >>As written, I think it produces the correct result.
> >
> >I now think it's close but not quite.
> >
> >>As written you take the domain with a (non-PSD) DMARC record with the fewest
> >>labels, ....
> >
> >How about this?
> >
> >a NXDOMAIN (or psd=y, doesn't matter)
> >b.a blah
> >c.b.a psd=y
> >d.c.b.a blah
> >e.d.c.b.a NXDOMAIN
> >
> >The org or policy domain for e.d.c.b.a is d.c.b.a, but the one with
> >the fewest labels is b.a. This is why we walk up rather than down.
> >
> >This shouldn't be hard to fix but I'm trying to figure out the least
> >confusing way of saying it.
>
> Not confusing is indeed the tricky part. I think what's wanted is
> shortest that's longer than the longest PSD.
>
> Scott K
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
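Added example (not part of the thread or of any draft text): a simplified Python model of the five-name tree quoted above, comparing the "fewest labels" rule with a walk up that stops at the first psd=y, and with the "shortest that's longer than the longest PSD" wording. The RECORDS table and all function names are assumptions made for illustration; "blah" stands for any DMARC record without psd=y, and None for NXDOMAIN.

```python
# Constructed data mirroring the example in the thread.
# None = NXDOMAIN, "psd=y" = registry boundary, "blah" = ordinary DMARC record.
RECORDS = {
    "a": None,
    "b.a": "blah",
    "c.b.a": "psd=y",
    "d.c.b.a": "blah",
    "e.d.c.b.a": None,
}

def ancestors(domain):
    """Return the domain and each parent, longest name first (walking up)."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def is_policy(records, name):
    """True for a DMARC record that is not a psd=y boundary marker."""
    return records.get(name) not in (None, "psd=y")

def fewest_labels(domain, records=RECORDS):
    """Rule being questioned: the non-PSD record with the fewest labels."""
    hits = [d for d in ancestors(domain) if is_policy(records, d)]
    return hits[-1] if hits else None

def walk_up(domain, records=RECORDS):
    """Walk up, keeping the last non-PSD record seen; stop at the first psd=y."""
    found = None
    for d in ancestors(domain):
        if records.get(d) == "psd=y":
            break
        if is_policy(records, d):
            found = d
    return found

def shortest_above_longest_psd(domain, records=RECORDS):
    """The wording proposed in the reply: shortest record longer than the longest PSD."""
    chain = ancestors(domain)
    psd_len = max((d.count(".") + 1 for d in chain
                   if records.get(d) == "psd=y"), default=0)
    hits = [d for d in chain
            if is_policy(records, d) and d.count(".") + 1 > psd_len]
    return hits[-1] if hits else None
```

For e.d.c.b.a the first rule crosses the c.b.a boundary and returns b.a, while the other two return d.c.b.a; with no psd=y record anywhere in the chain, all three agree.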