I am concerned that the Tree Walk will have poorer performance and poorer reliability than implementations based on RFC 7489.
The boundary between organizational domains and their registries is very stable, which is why it is highly suitable for a static reference like a locally-implemented PSL. Database lookups are fast and reliable. The Tree Walk calls for the organizational domain to be recomputed on every message, for every identifier of interest. This means that the volume of DNS queries will increase, although the percentage increase will be highly dependent upon the optimizations built into a Tree Walk implementation. Overall, any Tree Walk implementation is expected to be a net increase in workload to both the evaluation server and the DNS environment.
These extra DNS queries also hurt reliability. A walk result is uncertain if any query along the path produces a timeout error. When a path result becomes uncertain, the overall DMARC result may become uncertain. This risk exists in PSL implementations, since the evaluator still needs to retrieve DMARC policy, SPF policy, and DKIM keys, but the Tree Walk is at greater risk because it performs so many more DNS queries, and these extra queries will be adding to any congestion that may be causing timeout results. The magnitude of this concern depends on the frequency of DNS Timeout problems. Upon reviewing my DMARC aggregate reports and my own data, I was surprised that both sources indicate TempError results occur at a much higher rate than my expectations.
One way to minimize this problem risk is to store error-free results in a cache structure outside of DNS. The already-existing PSL database provides a starting point for this cache. Once a cache is available, the Tree Walk process can be moved offline, and used as a tool for validating and updating the PSL, while continuing to use the fast and reliable PSL database for real-time queries. This addresses both the performance problem and the consistency problem.
For those who don’t implement something similar, I expect them to be frustrated when they discover that the extra overhead required by the Tree Walk is coupled with reduced consistency of computed DMARC results.
Doug
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
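An added example, not part of the message above or of any DMARC implementation: a simplified model of the reliability concern and of the offline cache the message proposes. The walk here queries `_dmarc` at every level and takes the topmost record, which is an assumption and not the draft's full algorithm; the stub resolver, zone data and cache layout are constructed, and timeouts are assumed independent.

```python
TIMEOUT = object()  # sentinel: the query timed out (a DMARC TempError)

def make_resolver(zone, failing=()):
    """Constructed stub resolver: TXT text, None if no record, TIMEOUT if failing."""
    def query(name):
        query.calls += 1
        return TIMEOUT if name in failing else zone.get(name)
    query.calls = 0
    return query

def tree_walk(domain, query):
    """Simplified walk (assumption): query _dmarc at every level, topmost record wins.
    Returns (org_domain, certain); certain is False if any query timed out."""
    labels = domain.lower().rstrip(".").split(".")
    org, certain = None, True
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        answer = query("_dmarc." + candidate)
        if answer is TIMEOUT:
            certain = False  # a record may exist at this level; result is unreliable
        elif answer is not None:
            org = candidate
    return org, certain

def uncertain_probability(p_timeout, n_queries):
    """Chance that at least one of n independent queries times out."""
    return 1 - (1 - p_timeout) ** n_queries

def refresh_cache(cache, domains, query):
    """Offline job: only error-free walks may add or change a cache entry."""
    skipped = []
    for d in domains:
        org, certain = tree_walk(d, query)
        if certain and org is not None:
            cache[d] = org
        else:
            skipped.append(d)
    return skipped

def realtime_org_domain(cache, domain):
    """Real-time path: a local lookup, no DNS queries while evaluating a message."""
    return cache.get(domain)

# Constructed sample zone and cache (seeded as if from an existing PSL database).
ZONE = {"_dmarc.example.com": "v=DMARC1; p=reject"}
CACHE = {"a.b.mail.example.com": "example.com"}

if __name__ == "__main__":
    flaky = make_resolver(ZONE, failing={"_dmarc.com"})
    print(tree_walk("a.b.mail.example.com", flaky), flaky.calls)
    print(refresh_cache(CACHE, ["a.b.mail.example.com"], flaky), CACHE)
```

With a 1% per-query timeout rate, a five-query walk in this model is uncertain about 4.9% of the time, while the cached lookup is unaffected by the failing resolver.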