Re: [dmarc-ietf] Performance and reliability concerns
Seth Blank <seth@valimail.com> Wed, 10 April 2024 21:38 UTC
Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D3D0C14F601 for <dmarc@ietfa.amsl.com>; Wed, 10 Apr 2024 14:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k_8aOmjF2msJ for <dmarc@ietfa.amsl.com>; Wed, 10 Apr 2024 14:38:54 -0700 (PDT)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F7E2C14F5FA for <dmarc@ietf.org>; Wed, 10 Apr 2024 14:38:53 -0700 (PDT)
Received: by mail-pl1-x62b.google.com with SMTP id d9443c01a7336-1e2232e30f4so63124555ad.2 for <dmarc@ietf.org>; Wed, 10 Apr 2024 14:38:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1712785133; x=1713389933; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CVIKjFzCJ49jdcpOFZDg87Y6G6KzYyZk1hnsuHFGwsY=; b=YZhglyTGOo4zYWJSzalvleIHwsh9N9LGZ4xwCBUpc7CVgGrnYMszZd/9Jb9KTNHpWv o8ZSbSvDXrENwXOWIolTmQpYKKCBairG8VuAb0OJmrvposL9+MxRHmVkdpWGO4BonoSG Dy5x8g7MIekIf+XvnwzHztG2L2VtdCdj4xCtRiMI5UVK9fzAurp7J/sThcUPQcw/CzHq DHHgosuu4rFgpf0ceNvFrfSDeYRgFa27sqH+O/L3CNK1cZRVZASIW8jOPtnQhp6fHKPp Eh2NGQOr2dlLdnljerSxgu9dT257F+BU1I/3rkPU4NDg1KJqW/3SG1B3S/DC8xppy09j zW1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712785133; x=1713389933; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CVIKjFzCJ49jdcpOFZDg87Y6G6KzYyZk1hnsuHFGwsY=; b=OKlkhn409URgodICjDJECt8+5tLajh3fu3RNxJ1mNWjKKsjCKT2Lq7zGR2InMTsdSW b0e7Y3ZmWrfdvCmiUoqJ6m7Ox3qFxyPxF0Y4cwirCJysD7btt9VKsLSlWHqEE5Ejj7zo P90Jqz9gGq84LgQBCY+EPQP2x+uuClZkQFtOu8hV4WnitE0N9fqVLfxqAZi4geTUDQP7 TMUmXY1W8lUOTkCw9croB2BEZELVdhu++CXLbpJIdNC65Qqfhs5pP3+aqEwj3iVPTARs 3trHaNDd9eE0l936pzZo+pbrw9ZJvdnEGIHkjf0GKKOlI/niglO69UE83Vvr9weuCrkx BxSw==
X-Gm-Message-State: AOJu0YyBCYvPP0igkEC/bICiADHc+fcFKZB2FEWroXQOVqACNyyMo90Q NhX+nptOnIEfz6PfEJd+xLBTITnvAAPs93xMQsIFnMsmskQCz8wXNfRGhVMx+TBhw86sb8CqVGW Ava9Eq6cQDNAPmQSRHoP+bpdel945vqL6LiXVZ/iviSJO7A5c
X-Google-Smtp-Source: AGHT+IHqegvIR+URKf5hGXseFObXVOh2ztAJsduOTzYsUDv4XDrKFe4KOjAJTGpZBbiqjtn93++yA93qNcyqrz0ww/Q=
X-Received: by 2002:a17:902:db11:b0:1e4:d548:81a0 with SMTP id m17-20020a170902db1100b001e4d54881a0mr4750174plx.67.1712785133125; Wed, 10 Apr 2024 14:38:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48ZfyvsAMuZ-JFzqMjo1pJ9Ax==Kgi3c7hQ+1TECZCqCpPVg@mail.gmail.com>
In-Reply-To: <CAH48ZfyvsAMuZ-JFzqMjo1pJ9Ax==Kgi3c7hQ+1TECZCqCpPVg@mail.gmail.com>
From: Seth Blank <seth@valimail.com>
Date: Wed, 10 Apr 2024 17:38:41 -0400
Message-ID: <CAOZAAfMV5_A6bN3YHqFBg6p9TZx8bua3MuFO6=d+Lrsd54yz0g@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006fe1eb0615c4dd09"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/1GMCTrObPDNMaallYH6Fu7QG2BE>
Subject: Re: [dmarc-ietf] Performance and reliability concerns
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2024 21:38:58 -0000
This topic has been well discussed, consensus is clear and properly represented in the document, and WGLC is behind us. This thread is closed. Seth, as Chair On Wed, Apr 10, 2024 at 5:31 PM Douglas Foster < dougfoster.emailstandards@gmail.com> wrote: > I am concerned that the Tree Walk will have poorer performance and poorer > reliability than implementations based on RFC 7489 > > The boundary between organizational domains and their registries is very > stable, which is why it is highly suitable for a static reference like a > locally-implemented PSL. Database lookups are fast and reliable. > > The Tree Walk calls for the organizational domain to be recomputed on > every message, for every identifier of interest. This means that the > volume of DNS queries will increase, although the percentage increase will > be highly dependent upon the optimizations built into a Tree Walk > implementation. Overall, any Tree Walk implementation is expected to be a > net increase in workload to both the evaluation server and the DNS > environment. > > These extra DNS queries also hurt reliability. A walk result is > uncertain if any query along the path produces a timeout error. When a > path result becomes uncertain, the overall DMARC result may become > uncertain. This risk exists in PSL implementations, since the evaluator > still needs to retrieve DMARC policy, SPF policy, and DKIM keys, but the > Tree Walk is at greater risk because it performs so many more DNS queries, > and these extra queries will be adding to any congestion that may be > causing timeout results. > > The magnitude of this concern depends on the frequency of DNS Timeout > problems. Upon reviewing my DMARC aggregate reports and my own data, I > was surprised that both sources indicate TempError results occur at a much > higher rate than my expectations. > > One way to minimize this problem risk is to store error-free results in a > cache structure outside of DNS. The already-existing PSL database provides > a starting point for this cache. Once a cache is available, the Tree Walk > process can be moved offline, and used as a tool for validating and > updating the PSL, while continuing to use the fast and reliable PSL > database for real-time queries. This addresses both the performance > problem and the consistency problem. > > For those who don’t implement something similar, I expect them to be > frustrated when they discover that the extra overhead required by the Tree > Walk is coupled with reduced consistency of computed DMARC results. > > > Doug > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc > -- Seth Blank | Chief Technology Officer Email: seth@valimail.com This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- [dmarc-ietf] Performance and reliability concerns Douglas Foster
- Re: [dmarc-ietf] Performance and reliability conc… Seth Blank