It occurs to me that for DMARC's purposes, walking up the tree would
work better than the current hack.

CAA records are perhaps less of a target for query amplification abuse
than DMARC records :-)

I dunno, seems to me the stakes are higher for CAA but the number of requests per domain is far lower.

One possible way for DMARC to mitigate it would be to walk *down* instead
of up, and (in the application, not relying on the recursive server) stop
on NXDOMAIN because RFC 8020 tells you this is sensible, otherwise take
the last result you find.

I wouldn't want to skip the cache. In most settings there's a whole lot of mail from the same place and most of the answers are likely to be cached. Perhaps just note that if you're worried about this, use a cache that does RFC 8020.

There's also the practical fact that the amount of real mail from domains with more than 5 or 6 labels rounds to zero and you could limit the tree walk to 10 labels without losing anything. If there's no DMARC record at the name itself, and you walk up 10 labels without finding anything, pretend you found one that says to reject everything. People who really REALLY want 37 label names need to put DMARC records every 10 levels.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
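The two walks discussed in this message, as an added example that is not code from the thread or from any DMARC implementation: a walk-down that stops on NXDOMAIN and keeps the last record seen, and a walk-up capped at 10 labels that synthesizes a reject policy when nothing is found. The zone data is constructed, the walk-down is assumed to start one label below the TLD, and names absent from the zone are assumed to exist with no DMARC record.

```python
# Added example: DMARC-style tree walks over a constructed in-memory zone.
# Not code from any real DMARC implementation; all zone data is made up.

NXDOMAIN = object()   # sentinel: the queried name does not exist at all
NODATA = None         # name exists but carries no DMARC TXT record

# Constructed zone: _dmarc.<name> -> policy record, or NXDOMAIN.
# Names not listed here are assumed to exist with no DMARC record.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=none",
    "_dmarc.corp.example.com": "v=DMARC1; p=reject",
    "_dmarc.lab.corp.example.com": NXDOMAIN,
}

MAX_LABELS = 10                      # cap proposed in the message
REJECT_ALL = "v=DMARC1; p=reject"    # synthesized when the capped walk finds nothing


def lookup(name, log):
    """Fake resolver: appends every query to `log` so the walk's cost is visible."""
    log.append(name)
    return ZONE.get(name, NODATA)


def walk_down(domain, log):
    """Walk from the shortest name toward the full name (assumed to start one
    label below the TLD). Stop on NXDOMAIN, as the message suggests citing
    RFC 8020; otherwise return the last record found along the way."""
    labels = domain.split(".")
    found = None
    for i in range(len(labels) - 2, -1, -1):
        rec = lookup("_dmarc." + ".".join(labels[i:]), log)
        if rec is NXDOMAIN:
            break
        if rec is not NODATA:
            found = rec
    return found


def walk_up(domain, log, max_labels=MAX_LABELS):
    """Walk from the full name upward, querying at most `max_labels` levels and
    never the bare TLD. If no record turns up, pretend a reject-all record was
    found, which is what the message proposes for over-long names."""
    labels = domain.split(".")
    for i in range(min(max_labels, len(labels) - 1)):
        rec = lookup("_dmarc." + ".".join(labels[i:]), log)
        if rec is not NODATA and rec is not NXDOMAIN:
            return rec
    return REJECT_ALL
```

With a 37-label name and no records, `walk_up` issues exactly 10 queries and returns the synthesized reject policy, so the query count per message is bounded regardless of label depth.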
