Re: [dmarc-ietf] Doing a tree walk rather than PSL lookup

Jesse Thompson <jesse.thompson@wisc.edu> Mon, 23 November 2020 18:53 UTC

To: dmarc@ietf.org
References: <ed1e3ada-46a5-7489-908d-3935c576062@taugh.com>
From: Jesse Thompson <jesse.thompson@wisc.edu>
Message-id: <9e6bac98-47fa-92e3-8552-7f4839d37e60@wisc.edu>
Date: Mon, 23 Nov 2020 12:50:23 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.4.3
In-reply-to: <ed1e3ada-46a5-7489-908d-3935c576062@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9gerbTWgz9NaRZLR_5rLY6mK3C0>

On 11/20/20 6:02 PM, John R Levine wrote:
> Here's a draft about how DMARC might do a tree walk rather than look up an organizational domain in the PSL.
> 
> https://datatracker.ietf.org/doc/draft-levine-dmarcwalk/

Would it help if there were a new DMARC policy tag to trigger the tree walk?  It's still the same number of DNS lookups, but it changes the order and doesn't happen unless the organization wants it, so (aside from potential abuse) it should minimize the overall DNS lookup overhead.

Look up _dmarc.sales.east.widgets.bigcorp.com - finds no policy
Look up _dmarc.bigcorp.com - finds a policy with a tw=1 tag
Look up _dmarc.east.widgets.bigcorp.com - finds no policy
Look up _dmarc.widgets.bigcorp.com - finds a valid sp tag

Is it also worth considering changing the direction of the lookups under the assumption that the consistency of/control over the sub-organization's sending practices increases with each branch?  This would potentially reduce the number of DNS lookups.

Look up _dmarc.sales.east.widgets.bigcorp.com - finds no policy
Look up _dmarc.bigcorp.com - finds a policy with a valid tw=true tag
Look up _dmarc.widgets.bigcorp.com - finds a valid sp tag and no additional tw=1 tag

Jesse