On Fri 11/Feb/2022 09:29:07 +0100 Douglas Foster wrote:
Using the reverse tree walk for alignment can become disastrous if a PSD publishes a policy record without the PSD=Y flag. Worse yet, organizations would be powerless to defend against its harm. To prevent this harm, the alignment tree walk needs to proceed in the upward direction only. Additionally, we should implement an “org=y” term, so that organizations can indicate that the tree walk should not continue upward. This allows an organization to protect itself against a misconfigured PSD policy.


I think it is already clear to the WG that the tree walk is screwed up. The I-D says:
   The target of the search is a valid
   DMARC record that contains a psd tag with a value of 'y'.  Once such
   a record has been found, the Organizational Domain is the target
   domain that would be queried in the next step in this reverse tree
   walk.

The target can be non-existent. A PSD can publish a policy record without psd=y, or it can publish no policy record at all (which is the usual case).


An upward tree walk also allows us to handle “lease” relationships, where the parent domain and the subdomain are independent entities. The parent entity can indicate an alignment boundary below with the psd=y flag, and the client entity can indicate an alignment boundary above with the org=y flag.


Agreed. Note that synchronization is not necessary; that is, one flag is enough. In addition, the walk toward the root can stop on org=y. No need to verify parent's psd=y. We can trust independence claims.


Still, the tree walk is experimental, because it is possible to find no flags.

A solid spec should specify both methods, tree walk and PSL lookup, as alternative or complementary to each other. When everything is done well, the methods agree. Otherwise, some DMARC records and/or some PSL entries need a fix.

It is not cute to abandon the PSL because it's weak. By launching a parallel method we can strengthen both DMARC and PSL. A win-win.


Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
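The upward tree walk with the two stop flags discussed in this thread, as an added illustration that is not part of either message, of the I-D, or of any DMARC implementation. The DNS zone data and the public-suffix list are constructed for the demo, and the `org=y` tag is the hypothetical term Douglas proposes, not a tag the I-D defines. It also shows the "no flags" outcome Ale calls experimental, and falls back to the PSL in exactly that case so the two methods are used as complements:

```python
"""Upward DMARC tree walk with psd=y / org=y stop rules, plus PSL fallback.

Constructed illustration for this thread, not the I-D's text or any
project's code. ZONE and PSL are made-up data; "org=y" is the hypothetical
tag proposed in the message being replied to.
"""

# Constructed stand-in for DNS: _dmarc TXT records keyed by owner name.
ZONE = {
    # A PSD that correctly marks itself.
    "_dmarc.co.uk": "v=DMARC1; p=none; psd=y",
    "_dmarc.example.co.uk": "v=DMARC1; p=reject",
    # "Lease" case: the parent marks the boundary below it ...
    "_dmarc.hosting.example": "v=DMARC1; p=none; psd=y",
    # ... and a tenant marks the boundary above it (hypothetical tag).
    "_dmarc.tenant.hosting.example": "v=DMARC1; p=quarantine; org=y",
    # A PSD that forgot psd=y: the misconfiguration the message warns about.
    "_dmarc.misconfigured": "v=DMARC1; p=reject",
    "_dmarc.victim.misconfigured": "v=DMARC1; p=quarantine; org=y",
    # A domain with no flags anywhere on its path to the root.
    "_dmarc.orphan.test": "v=DMARC1; p=none",
}

# Constructed public-suffix list used as the alternative method.
PSL = {"uk", "co.uk", "example", "test", "misconfigured"}


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; None if not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag, treat record as absent
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def lookup(domain):
    """Simulated TXT query for _dmarc.<domain>."""
    txt = ZONE.get("_dmarc." + domain)
    return parse_dmarc(txt) if txt is not None else None


def org_domain_tree_walk(domain):
    """Walk from `domain` toward the root, one label at a time.

    Stops on the first record carrying org=y (that name is the
    Organizational Domain) or psd=y (the Organizational Domain is the
    name one label below the PSD on this path).  Returns (org, reason);
    org is None when no flag is found on the whole path.
    """
    labels = domain.lower().rstrip(".").split(".")
    below = None  # name visited one step before the current one
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rec = lookup(candidate)
        if rec is not None:
            if rec.get("org", "").lower() == "y":
                return candidate, "org=y"
            if rec.get("psd", "").lower() == "y":
                return below, "psd=y"  # None if `domain` is itself a PSD
        below = candidate
    return None, "no flags"


def org_domain_psl(domain):
    """Longest matching public suffix plus one label (constructed PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PSL:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # no matching suffix


def org_domain(domain):
    """Tree walk first; PSL as the complementary method when no flag exists."""
    org, reason = org_domain_tree_walk(domain)
    if org is None and reason == "no flags":
        return org_domain_psl(domain), "psl"
    return org, reason


def relaxed_aligned(from_domain, auth_domain):
    """Relaxed alignment: both identifiers share an Organizational Domain."""
    a, _ = org_domain(from_domain)
    b, _ = org_domain(auth_domain)
    return a is not None and a == b


if __name__ == "__main__":
    for d in ["mail.example.co.uk", "app.tenant.hosting.example",
              "other.hosting.example", "mail.victim.misconfigured",
              "other.misconfigured", "orphan.test", "co.uk"]:
        print(f"{d:32} -> {org_domain(d)}")
```

Two things the walk makes visible: `victim.misconfigured` is protected by its own `org=y` even though the PSD above it never published `psd=y`, while `other.misconfigured`, which publishes nothing, is exactly the case where the walk finds no flag and a second method (here the PSL) has to decide. In the lease case, `tenant.hosting.example` and `other.hosting.example` come out as different Organizational Domains, so they do not align with each other.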
