On Wednesday, April 17, 2024 9:42:23 AM EDT Todd Herr wrote:
> On Wed, Apr 17, 2024 at 1:06 AM Scott Kitterman <[email protected]> wrote:
> > I am confused.
> >
> > Under the current (7489) rules a record for _dmarc.c.d.e.f.tld won't be found
> > either in this case. Why do we need to support something that is currently
> > unsupported?
> >
> > We picked n=5 to allow the current org level record to be detected by the tree
> > walk. It's true that the tree walk provides some additional flexibility for
> > subordinate organizations within what we would call a DMARC org domain based
> > on RFC 7489, but that was by no means anything we ever described as a feature
> > or a goal.
>
> I don't share your understanding here. I interpret some of the text of
> https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/79, "Do
> away with the PSL and Org Domain entirely; just walk the tree" to at least
> imply that the tree walk was designed to provide this flexibility, to wit:
>
> When DMARC was first developed, there was concern about DNS load and
> needing to minimize DNS lookups. Operational expertise now shows that this
> is no longer cause for concern.
>
> Short circuiting a tree walk has led to many issues, like a reliance on the
> PSL, complicated algorithms for Org Domain discovery, many types of domains
> (PSDs, per https://tools.ietf.org/wg/dmarc/draft-ietf-dmarc-psd/) being
> unable to utilize DMARC even though they wish to, and larger organizations
> (such as universities and governments) that are comprised of
> sub-organizations that use subdomains having material problems getting
> everything authenticated.
>
> All these issues disappear, and DMARC becomes a lot simpler conceptually,
> if DMARC simply walks the DNS hierarchy for the exact sending domain down
> to the TLD until it finds a DMARC record, and stops.
>
> It's the second paragraph, specifically the "and larger organizations..."
> bits to which I'm referring here.
>
> > Even if some organizations have very deep DNS trees, the fact that some entity
> > uses a.b.c.d.e.f.tld doesn't affect DMARC. The record for the top level of
> > their organization will still be found.
> >
> > In any case, any domain, at any depth in the tree can publish their own DMARC
> > record if they need some special thing. The value of N does not affect that at
> > all.
>
> Fair enough. You're correct that a DMARC policy can be published for any
> specific domain used as the RFC5322.From domain, so perhaps a bit of text
> in the Tree Walk section describing the really deep use case and
> the solution for it might be a compromise.
I'm fine with 5 (which we have an explanation for why 5) and additional
explanation. I think the explanation should probably go in domain owner actions,
since that's where I would focus my attention if I was trying to figure things
out.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
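The following is an added example, not part of the thread above and not code from the dmarcbis draft or the working group. It models the tree walk the two messages are arguing about against an offline stub resolver, so a reader can see concretely which names get queried for a deep RFC5322.From domain like a.b.c.d.e.f.tld, why a record at the 5-label point (c.d.e.f.tld) is found, why a record one label deeper is skipped unless the deeper domain itself is the From domain, and what changing N does. The step ordering (query the From domain first, jump to the rightmost N labels if there are more than N, then strip one leftmost label at a time down to the TLD, stop at the first TXT record beginning with "v=DMARC1") is my reading of the draft's algorithm and is an assumption here; the DNS records are constructed for the demonstration.

```python
"""
Model of a DMARC tree walk with a label cap N (the "n=5" in the thread).

Added example with constructed data; not the draft's text or any
implementation's code. The walk order below is an assumption about
the dmarcbis algorithm, stated in the lead-in.
"""

N_LABELS = 5  # the cap the thread refers to as n=5 / N


def tree_walk_candidates(from_domain: str, n: int = N_LABELS) -> list[str]:
    """Return the domains a tree walk would consult, in query order.

    1. The RFC5322.From domain itself.
    2. If it has more than n labels, the domain made of its rightmost n labels.
    3. Each parent of that, one leftmost label removed per step, down to
       the single-label TLD (the thread says "down to the TLD").
    """
    labels = from_domain.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    if len(labels) > n:
        labels = labels[-n:]            # jump past the deep part of the tree
        candidates.append(".".join(labels))
    while len(labels) > 1:
        labels = labels[1:]             # strip one leftmost label
        candidates.append(".".join(labels))
    return candidates


# Constructed zone data for the stub resolver: only these names have TXT.
STUB_DNS = {
    "_dmarc.c.d.e.f.tld": ["v=DMARC1; p=reject; rua=mailto:reports@c.d.e.f.tld"],
    "_dmarc.b.c.d.e.f.tld": ["v=DMARC1; p=quarantine"],   # one label deeper than the cap
    "_dmarc.f.tld": ["v=DMARC1; p=none"],
    "_dmarc.example.test": ["v=DMARC1; p=reject"],
}


def lookup_txt(name: str) -> list[str]:
    """Stub TXT lookup over the constructed zone data (no network)."""
    return STUB_DNS.get(name.lower(), [])


def find_dmarc_record(from_domain: str, n: int = N_LABELS, resolver=lookup_txt):
    """Walk the tree and return (domain_with_record, txt, names_queried).

    domain_with_record and txt are None when the walk reaches the TLD
    without finding a record beginning with "v=DMARC1".
    """
    queried = []
    for candidate in tree_walk_candidates(from_domain, n):
        name = f"_dmarc.{candidate}"
        queried.append(name)
        for txt in resolver(name):
            if txt.strip().lower().startswith("v=dmarc1"):
                return candidate, txt, queried
    return None, None, queried


if __name__ == "__main__":
    for domain, n in [("a.b.c.d.e.f.tld", 5), ("b.c.d.e.f.tld", 5),
                      ("a.b.c.d.e.f.tld", 7), ("x.y.nothing.test", 5)]:
        found, txt, queried = find_dmarc_record(domain, n)
        print(f"From={domain} N={n}")
        print("  queried:", ", ".join(queried))
        print("  result: ", f"{found} -> {txt}" if found else "no DMARC record")
```

With N=5, mail from a.b.c.d.e.f.tld is evaluated against the record at c.d.e.f.tld and `_dmarc.b.c.d.e.f.tld` is never queried; mail whose From domain is b.c.d.e.f.tld itself still gets its own record, which is the "any domain, at any depth" point made above. Raising N to 7 makes the deeper record apply to the 7-label sender as well, at the cost of extra lookups per message.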
