On Tue, Jul 12, 2022 at 1:30 PM Douglas Foster <
[email protected]> wrote:

> What problem does this tree walk solve?  Can anyone explain how this tree
> walk improves on RFC7489 evaluation results?
>
>
RFC 7489 acknowledged that its methods for discovering the organizational
domain had shortcomings.

https://datatracker.ietf.org/doc/html/rfc7489#section-3.2, which described
the method for determining the organizational domain, one reliant on the
PSL, included the sentence:

   The process of determining a suffix is currently a heuristic one. No
   list is guaranteed to be accurate or current.

https://datatracker.ietf.org/doc/html/rfc7489#appendix-A.6, titled
Organizational Domain Discovery Issues, reads in part:

   The DNS does not provide a method by which the "domain of record", or
   the domain that was actually registered with a domain registrar, can
   be determined given an arbitrary domain name. Suggestions have been
   made that attempt to glean such information from SOA or NS resource
   records, but these too are not fully reliable, as the partitioning of the
   DNS is not always done at administrative boundaries.

   When seeking domain-specific policy based on an arbitrary domain
   name, one could "climb the tree", dropping labels off the left end of
   the name until the root is reached or a policy is discovered, but
   then one could craft a name that has a large number of nonsense
   labels; this would cause a Mail Receiver to attempt a large number of
   queries in search of a policy record. Sending many such messages
   constitutes an amplified denial-of-service attack.

The tree walk, therefore, addresses the shortcomings acknowledged in RFC
7489 and does so in a manner that addresses the denial-of-service attack
possibility by limiting the DNS queries to no more than five, regardless of
the name length.



-- 

Todd Herr | Technical Director, Standards and Ecosystem
e: [email protected]
m: 703.220.4153

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
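The query-count bound discussed in the reply above, as an added example that is not part of the thread or of any DMARC implementation: it contrasts the unbounded "climb the tree" from RFC 7489 Appendix A.6 with a walk capped at five DNS queries. The exact stepping (query the FQDN, jump to the five-label suffix if the name is longer, then drop one label at a time and stop above the TLD) is an assumption made here to illustrate the bound, not a quotation of the DMARCbis text.

```python
# Added example: unbounded label climb vs. a query-capped tree walk.
# ASSUMPTION: the capped walk queries the FQDN, then (if the name has more
# than five labels) jumps straight to its five-label suffix, then removes one
# left-most label per query and stops before the single-label TLD. This is an
# illustrative reading of "no more than five queries", not the DMARCbis spec.

MAX_LABELS = 5


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def naive_climb(name: str) -> list[str]:
    """RFC 7489 A.6 'climb the tree': one query per label, unbounded."""
    labels = _labels(name)
    return [".".join(labels[i:]) for i in range(len(labels))]


def capped_tree_walk(name: str, max_labels: int = MAX_LABELS) -> list[str]:
    """Names a receiver would query, never more than max_labels of them."""
    labels = _labels(name)
    queries = [".".join(labels)]            # 1. the FQDN itself
    if len(labels) > max_labels:
        labels = labels[-max_labels:]       # 2. skip nonsense labels in one hop
    else:
        labels = labels[1:]                 #    FQDN already queried
    while len(labels) >= 2:                 # 3. walk down, stop above the TLD
        queries.append(".".join(labels))
        labels = labels[1:]
    return queries


# Constructed sample: a crafted name with twenty nonsense labels (22 total).
LONG_NAME = ".".join(f"x{i}" for i in range(20)) + ".example.com"


def worst_case_queries(names: list[str]) -> int:
    """Largest number of DNS queries the capped walk issues for any name."""
    return max(len(capped_tree_walk(n)) for n in names)


if __name__ == "__main__":
    print(len(naive_climb(LONG_NAME)), "queries for the naive climb")
    print(len(capped_tree_walk(LONG_NAME)), "queries for the capped walk")
    print(capped_tree_walk("mail.example.com"))
```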
