I am concerned that the Tree Walk will have poorer performance and poorer
reliability than implementations based on RFC 7489

The boundary between organizational domains and their registries is very
stable, which is why it is highly suitable for a static reference like a
locally-implemented PSL.   Database lookups are fast and reliable.

The Tree Walk calls for the organizational domain to be recomputed on every
message, for every identifier of interest.  This means that the volume of
DNS queries will increase, although the percentage increase will be highly
dependent upon the optimizations built into a Tree Walk implementation.
 Overall, any Tree Walk implementation is expected to be a net increase in
workload to both the evaluation server and the DNS environment.

These extra DNS queries also hurt reliability.   A walk result is uncertain
if any query along the path produces a timeout error.   When a path result
becomes uncertain, the overall DMARC result may become uncertain.  This
risk exists in PSL implementations, since the evaluator still needs to
retrieve DMARC policy, SPF policy, and DKIM keys, but the Tree Walk is at
greater risk because it performs so many more DNS queries, and these extra
queries will be adding to any congestion that may be causing timeout
results.

The magnitude of this concern depends on the frequency of DNS Timeout
problems.   Upon reviewing my DMARC aggregate reports and my own data, I
was surprised that both sources indicate TempError results occur at a much
higher rate than my expectations.

One way to minimize this problem risk is to store error-free results in a
cache structure outside of DNS.  The already-existing PSL database provides
a starting point for this cache.   Once a cache is available, the Tree Walk
process can be moved offline, and used as a tool for validating and
updating the PSL, while continuing to use the fast and reliable PSL
database for real-time queries.  This addresses both the performance
problem and the consistency problem.

For those who don’t implement something similar, I expect them to be
frustrated when they discover that the extra overhead required by the Tree
Walk is coupled with reduced consistency of computed DMARC results.


Doug
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Reply via email to