John Levine <[email protected]> wrote:
>
> It occurs to me that for DMARC's purposes, walking up the tree would
> work better than the current hack. I know it would sometimes find a
> different answer from what it gets now, which is OK. When this came up
> before, the advice was that DNS tree walks are very bad, so don't do
> them. Is that still true?

Well, the other Very Prominent example is CAA records, which also involve
walking up the tree to discover policy. It would be nice if things like
CAA and DMARC could agree with each other about how they discover
domain-wide policies.

CAA records are perhaps less of a target for query amplification abuse
than DMARC records :-)

One possible way for DMARC to mitigate it would be to walk *down* instead
of up, and (in the application, not relying on the recursive server) stop
on NXDOMAIN because RFC 8020 tells you this is sensible, otherwise take
the last result you find.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North
Channel: Southerly 6 to gale 8, occasionally severe gale 9 at first in
North Channel, veering westerly 4 or 5 for a time. Moderate or rough,
becoming slight or moderate for a time. Rain at first, then fair,
occasional rain later. Moderate or good, occasionally poor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
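
The walk-down lookup suggested in the reply above, as an added example that is not part of the original message or of any DMARC or CAA specification. It assumes the policy is attached at the node being probed (as CAA does; how a `_dmarc.` prefix would combine with the NXDOMAIN cut is not specified in the message), and `ZONE`, `lookup` and `walk_down` are hypothetical names over constructed data.

```python
# Added example: top-down policy discovery that stops at the first NXDOMAIN.
# RFC 8020: NXDOMAIN for a name means nothing exists beneath it either, so
# the client can stop there without asking about the deeper labels.

NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"

# Constructed sample data standing in for the DNS.
# name -> policy string, or None for a node that exists but has no policy
# (a real resolver would answer NOERROR/NODATA for those).
ZONE = {
    "example": None,
    "corp.example": "p=reject",
    "mail.corp.example": None,
    "lab.mail.corp.example": "p=none",
}


def lookup(name):
    """Hypothetical resolver stub: returns (rcode, policy or None)."""
    if name in ZONE:
        return NOERROR, ZONE[name]
    return NXDOMAIN, None


def walk_down(qname, lookup=lookup):
    """Walk from the top label towards qname.

    Returns (policy, owner, queries_sent): the last policy seen before the
    walk ended, the name it was found at, and how many lookups were issued.
    """
    labels = qname.rstrip(".").lower().split(".")
    policy, owner, queries = None, None, 0
    # i runs from the last label (the TLD) back to the full name.
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:])
        rcode, found = lookup(name)
        queries += 1
        if rcode == NXDOMAIN:
            break  # nothing exists below this point; stop in the application
        if found is not None:
            policy, owner = found, name  # deeper results replace shallower ones
    return policy, owner, queries


if __name__ == "__main__":
    for q in ("lab.mail.corp.example", "a.b.c.d.e.f.bogus.corp.example"):
        print(q, walk_down(q))
```

With this data, the nine-label name under the non-existent `bogus.corp.example` costs three lookups and still resolves to the policy at `corp.example`, which is the bound on query volume the walk-down approach is meant to give.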
