On Wed, Feb 16, 2022 at 6:52 PM John Levine <[email protected]> wrote:

> It appears that Todd Herr <[email protected]> said:
> >The process for a DNS Tree Walk will always start at the point in the DNS
> >hierarchy that matches the domain in the RFC5322.From header of the
> >message, and [will always end no later than the Public Suffix Domain that
> >terminates the RFC5322.From domain. ]
>
> I expect that in about 98% of cases, the tree walk will not find a PSD
> record, so that's not true.
>
> I'd just combine the sentences to "and ends five labels above the From
> domain if no DMARC records have been found."
>

In the interests of precision, since many domains won't have five labels,
would you support the following?

"and ends no more than five labels above the From domain if no DMARC
records have been found."

> > > 5.
> > >
> > > Count the number of labels found in the subject DNS domain. Let that
> > > number be "x". If x < 5, remove the left-most (highest-numbered) label from
> > > the subject domain. If x >= 5, remove the left-most (highest-numbered)
> > > labels from the subject domain until 4 labels remain. The resulting DNS
> > > domain name is the new target for subsequent lookups.
> > >
> > > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-05.html#section-4.5-4.5.1>
>
> This says that if the name is more than six labels deep, you immediately
> jump to the five label super-parent to start the tree walk. What I
> originally intended was to walk five labels and then stop, e.g.
>
> h.g.f.e.d.c.b.a
> g.f.e.d.c.b.a
> f.e.d.c.b.a
> e.d.c.b.a
> d.c.b.a
>
> I don't feel strongly either way and since there are close to zero valid
> domain names with more than six labels, it makes little practical
> difference, but we need to be sure we agree which one we mean.
>

Step 5 here first appeared in dmarcbis-04, and was proposed by Mr. Kitterman
here - https://mailarchive.ietf.org/arch/msg/dmarc/iOuQzCPlD99dxqt8_q-9C1gl24o/
- but yes, let's come to agreement on which method we want.

> >For determining the Organizational Domain used for determining relaxed
> >alignment, the same process is followed, except in the reverse order.
>
> I don't see the point. The domain this process just found is the org
> domain, and walking down can be misleading, e.g. consider www.abc.uk.com.
>

This is not what I understood the purpose of the tree walk to be. My
understanding was that it was meant to find the DMARC policy that's
applicable to the message, not to identify the Org Domain for the
RFC5322.From domain.

As I understood it, the tree walk was designed to allow for a situation
such as:

- RFC5322.From domain = a.b.example.com
- _dmarc.a.b.example.com = NXDOMAIN
- _dmarc.b.example.com = properly formatted DMARC TXT record
- _dmarc.example.com = properly formatted DMARC TXT record, one that's
  perhaps different than _dmarc.b.example.com

RFC 7489 doesn't allow for discovery of _dmarc.b.example.com, but the tree
walk would, and example.com would still be the Org Domain.

I allow that I could be very wrong here.

--
Todd Herr | Technical Director, Standards and Ecosystem
e: [email protected]
m: 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified that any use, disclosure, copying or
distribution of the information included in this transmission is
prohibited and may be unlawful. Please immediately notify the sender by
replying to this email and then delete it from your system.

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
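The two readings of step 5 being compared in the thread (the dmarcbis-05 wording, which jumps straight to a 4-label suffix once five or more labels are present, and the one-label-per-step walk capped at five lookups that John Levine says he intended) are small enough to model directly. The following is an added example, written for this page and not code from the thread, the dmarcbis draft, or any DMARC implementation. The `DMARC_RECORDS` dict is a constructed stand-in for DNS, the function names are this example's own, and stopping the walk once two labels remain (never querying a bare TLD) is an assumption of the example rather than something the draft text above states. It also runs the `a.b.example.com` case from the message to show that both readings discover `_dmarc.b.example.com`.

```python
"""Added example for the DMARC tree walk discussion above; not code from
the thread, the dmarcbis draft, or any DMARC implementation.

Models two readings of dmarcbis-05 step 5 and runs both against a
constructed set of _dmarc TXT records that stands in for DNS.
"""

# Constructed stand-in for DNS. A name missing from this dict is treated
# as NXDOMAIN / no DMARC record, which covers the thread's
# "_dmarc.a.b.example.com = NXDOMAIN" case.
DMARC_RECORDS = {
    "_dmarc.b.example.com": "v=DMARC1; p=reject",
    "_dmarc.example.com": "v=DMARC1; p=none",
    # Deep names from the h.g.f.e.d.c.b.a example, arranged so the two
    # readings disagree: one jumps over e.d.c.b.a, the other lands on it.
    "_dmarc.e.d.c.b.a": "v=DMARC1; p=quarantine",
    "_dmarc.d.c.b.a": "v=DMARC1; p=none",
}

# Assumption of this example (not stated in the draft text quoted above):
# the walk never queries a single-label name, so it stops at two labels.
MIN_LABELS = 2


def _labels(domain: str) -> list[str]:
    """Normalise a domain to its list of labels, ignoring a trailing dot."""
    return domain.lower().rstrip(".").split(".")


def candidates_dmarcbis05(domain: str) -> list[str]:
    """Lookup targets in order, following step 5 as worded in dmarcbis-05:
    start at the From domain; at each step, if x >= 5 labels remain strip
    labels until 4 remain, otherwise strip a single label."""
    labels = _labels(domain)
    out = [".".join(labels)]
    while len(labels) > MIN_LABELS:
        labels = labels[-4:] if len(labels) >= 5 else labels[1:]
        out.append(".".join(labels))
    return out


def candidates_one_label_per_step(domain: str, max_lookups: int = 5) -> list[str]:
    """Lookup targets under the alternative reading: strip exactly one label
    per step and stop after at most five lookups in total."""
    labels = _labels(domain)
    out = [".".join(labels)]
    while len(out) < max_lookups and len(labels) > MIN_LABELS:
        labels = labels[1:]
        out.append(".".join(labels))
    return out


def is_dmarc_record(txt: str) -> bool:
    """Minimal well-formedness check: the record must carry the DMARC1 tag."""
    return txt.strip().startswith("v=DMARC1")


def tree_walk(from_domain, candidates, records=DMARC_RECORDS):
    """Return (policy_domain, record) for the first candidate carrying a
    well-formed DMARC record, or None if the walk ends without one."""
    for name in candidates(from_domain):
        txt = records.get("_dmarc." + name)
        if txt is not None and is_dmarc_record(txt):
            return name, txt
    return None


if __name__ == "__main__":
    for dom in ("a.b.example.com", "h.g.f.e.d.c.b.a"):
        for cand in (candidates_dmarcbis05, candidates_one_label_per_step):
            print(f"{dom:16} {cand.__name__:30} -> {tree_walk(dom, cand)}")
```

For `a.b.example.com` both readings produce the same three lookups and both stop at `b.example.com`. For the eight-label name they diverge: the dmarcbis-05 wording queries `d.c.b.a` as its second lookup and never sees `e.d.c.b.a`, while the one-label-per-step walk reaches `e.d.c.b.a` on its fourth lookup, which is exactly the ambiguity the thread is asking the group to settle.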
