On Sat 30/Mar/2024 17:56:53 +0100 Jim Fenton wrote:
> On 30 Mar 2024, at 7:43, Alessandro Vesely wrote:
>> On Sat 30/Mar/2024 04:09:10 +0100 Jim Fenton wrote:
>>>
>>> I’m concerned that some (admittedly rare) public suffixes with multiple
>>> components are not well served by this algorithm, such as pvt.k12.ma.us.
>>
>> Is there something peculiar with this domain?  Please expand.
>
> It’s an example that appears on https://publicsuffix.org that I cited because
> it has many components. I’m not sure there is really a problem with this,
> though.


No, problems may happen with more than 5 labels. A psd=y tag at 1.2.3.4.5.example won't be found if starting the tree walk from a subdomain.


>>> What happens if a domain that is not a public suffix publishes psd=y, either
>>> accidentally or maliciously?
>>
>> The interesting point of the Tree Walk is that it allows any domain to
>> self-appoint itself as PSO or org domain, without going through PSL bureaucracy.
>>
>> By publishing psd=y, a domain cannot use relaxed alignment, and may prevent
>> some receivers from issuing failure reports.  By not publishing psd=y, a PSO
>> does a disservice to its independent subdomains, forcing them to publish psd=n.
>
> I didn’t follow all of the DMARC discussion about the tree walk, so I don’t
> understand the psd tag fully. I understand what the algorithm does with it, but
> it would be nice if the document described what happens if a PSO fails to
> publish psd=y or if a non-PSO publishes psd=y. Does the tree walk fail in some
> way (e.g., fails to find a policy it should) or does it just cause additional
> DNS lookups?


If someone publishes psd=y, then it /is/ a PSO by definition, at least for DMARC purposes. It may have no (independent) subdomains, so you may say it's not a real PSO, but this doesn't badly affect the tree walk.


> At first glance, it seems that a domain that is under a public suffix that
> doesn’t publish psd=y might be vulnerable to subdomain-exhaustion attacks
> (a.b.c.d.e.f.g.h.i.j.k.l.example.org if .org doesn’t publish one). It doesn’t
> seem like a PSO has a particular incentive to publish a record, and there are
> many public suffixes that would need to be covered.


.org won't have to publish psd=y. That is for some TLDs like .bank, who exercise some kind of control over their affiliates.

The choice of the tag name, psd, is intentionally obscure in an attempt to avoid a record update rush. The tree walk should work well without much DNS change.


Best
Ale
--
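The label-limit behaviour discussed in this thread (a psd=y record at the 6-label name 1.2.3.4.5.example being skipped when the walk starts from one of its subdomains), shown as an added example that is not part of the thread and not code from any DMARC implementation. It is a simplified Python model: the in-memory DNS table is constructed, the 5-label limit is taken from the discussion above, and the organizational-domain rule at the end is a simplification of the DMARCbis discovery rules (all helper names are assumptions).

```python
# Added example (not from the thread): a simplified model of the DMARCbis DNS
# Tree Walk, built to show why a psd=y record at a 6-label name is not seen
# when the walk starts at one of its subdomains. The DNS data, the helper
# names and the org-domain rule are assumptions; the exact rules are those of
# the DMARCbis draft, not this code.

MAX_LABELS = 5  # only the start name may be queried with more labels than this

# Constructed zone data: "_dmarc.<domain>" -> TXT record. No real DNS is used.
CONSTRUCTED_DNS = {
    "_dmarc.1.2.3.4.5.example": "v=DMARC1; p=reject; psd=y",  # 6-label PSD
    "_dmarc.example": "v=DMARC1; p=none",
    "_dmarc.bank": "v=DMARC1; p=reject; psd=y",               # TLD acting as PSD
    "_dmarc.mybank.bank": "v=DMARC1; p=quarantine",
}


def parse_record(txt):
    """Parse 'tag=value; ...' into a dict; None unless it is a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def walk_order(domain):
    """Names queried, in order: the start name, then the rightmost 5 labels
    (anything with 6 or more labels is skipped), then one label fewer per step."""
    labels = domain.lower().rstrip(".").split(".")
    order = [".".join(labels)]
    n = MAX_LABELS if len(labels) > MAX_LABELS else len(labels) - 1
    while n >= 1:
        order.append(".".join(labels[-n:]))
        n -= 1
    return order


def tree_walk(domain, dns=CONSTRUCTED_DNS):
    """Return [(queried_name, tags)] for every name on the walk that has a
    DMARC record, stopping once a psd=y record marks the public suffix."""
    found = []
    for name in walk_order(domain):
        txt = dns.get("_dmarc." + name)
        tags = parse_record(txt) if txt else None
        if tags:
            found.append((name, tags))
            if tags.get("psd") == "y":
                break
    return found


def organizational_domain(domain, dns=CONSTRUCTED_DNS):
    """Simplified org-domain choice (assumption, not the draft's exact text):
    if the shortest record found is a PSD, the org domain is the queried name
    one step above it; otherwise it is the shortest name with a record;
    None if nothing was found."""
    found = tree_walk(domain, dns)
    if not found:
        return None
    name, tags = found[-1]
    if tags.get("psd") != "y":
        return name
    order = walk_order(domain)
    idx = order.index(name)
    return order[idx - 1] if idx > 0 else name  # the start was the PSD itself


if __name__ == "__main__":
    for d in ("x.1.2.3.4.5.example", "1.2.3.4.5.example", "mail.mybank.bank"):
        print(d, "->", walk_order(d), "org:", organizational_domain(d))
```

Running it shows the two sides of the point: from x.1.2.3.4.5.example the walk jumps straight from seven labels to five, never queries 1.2.3.4.5.example, and ends up treating example as the organizational domain; from 1.2.3.4.5.example itself the first query hits the psd=y record. The .bank case shows the intended use, where a TLD-level psd=y makes mybank.bank the organizational domain for its subdomains.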
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc