Re: [dmarc-ietf] Ruminating the tree walk
Scott Kitterman <sklist@kitterman.com> Mon, 04 April 2022 13:15 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 194163A07FE
for <dmarc@ietfa.amsl.com>; Mon, 4 Apr 2022 06:15:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001,
T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral
reason="invalid (unsupported algorithm ed25519-sha256)"
header.d=kitterman.com header.b=K9EQTgaU; dkim=pass (2048-bit key)
header.d=kitterman.com header.b=hyoVphmW
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ZyF5j-hg3ZqV for <dmarc@ietfa.amsl.com>;
Mon, 4 Apr 2022 06:15:03 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com
[64.20.48.66])
(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 9AEA23A07FB
for <dmarc@ietf.org>; Mon, 4 Apr 2022 06:15:03 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com
[64.20.48.66])
by interserver.kitterman.com (Postfix) with ESMTPS id 96961F8027E
for <dmarc@ietf.org>; Mon, 4 Apr 2022 09:15:02 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com;
i=@kitterman.com; q=dns/txt; s=201903e; t=1649078102; h=from : to :
subject : date : message-id : in-reply-to : references : mime-version
: content-transfer-encoding : content-type : from;
bh=JSQELC8dJobrzXkQPE2ep2KlqXFK/VKo7pA+t9zqHeM=;
b=K9EQTgaU7lPd+WcrpGY9hO0z6T2Yp0zwDth7iAuvyQma4Dft+lYQDAnzf3Aj4VTCpo4Sm
yhjr2LLv1CKzAgZBw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com;
i=@kitterman.com; q=dns/txt; s=201903r; t=1649078102; h=from : to :
subject : date : message-id : in-reply-to : references : mime-version
: content-transfer-encoding : content-type : from;
bh=JSQELC8dJobrzXkQPE2ep2KlqXFK/VKo7pA+t9zqHeM=;
b=hyoVphmWd9fCTL297tJrXTmeoR/pgOw/1W9Wa/s9BsLbS0L0DSK1ysARCYqVh6eRXm2H0
fDxCGEt1tq4yfDeJi4PMhlzzw10ImRrTDlo6srWP6jmBh5vb61znDgjCilu4RHuJf8dotUq
oOrQaiSY++PTRsfDW0YU4sOrYss4cgARGA44vPesGdMQMIAtz0d0nTtCGcEhmgk6zlBXtSS
Z2D5WkP3vrrnNS/1abBm+Ur83hDZ6nzZOugerkXjrJ4pjGWgSKYveVGK0w3Xpf5Pe33OVdl
WnA3zF6b2KeevDU0og6LI6x29udxXtfeOxsa9H/EwgK5UwFNyl3JbZM3IhGg==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net
[72.81.252.22])
by interserver.kitterman.com (Postfix) with ESMTP id 7ECDBF801B7
for <dmarc@ietf.org>; Mon, 4 Apr 2022 09:15:02 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Mon, 04 Apr 2022 09:15:02 -0400
Message-ID: <13744287.yqqRsHam3j@zini-1880>
In-Reply-To: <CAH48ZfzeL6K0X9pg9QpyZ+dy96ceC9vKc_bYMbZkcZCyHJfAFg@mail.gmail.com>
References: <164789584226.30456.9564261134406099481@ietfa.amsl.com>
<CALaySJ+x57TPsxPQXV5sVBz_wF4QYzX2ip0pGqfYyF7bwoPvEQ@mail.gmail.com>
<CAH48ZfzeL6K0X9pg9QpyZ+dy96ceC9vKc_bYMbZkcZCyHJfAFg@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/TZhrm2lJrbZis0t3YKJ5oNoj_f0>
Subject: Re: [dmarc-ietf] Ruminating the tree walk
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting,
and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>,
<mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>,
<mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2022 13:15:09 -0000
It doesn't matter what order you do the queries in. You still have to do them all. Scott K On Sunday, April 3, 2022 10:03:18 PM EDT Douglas Foster wrote: > The problem remains that the tree walk only provides a reliable result if > it has complete information about private registries, and we have no way of > knowing if the tree walk provides that information. Because these > processes are voluntary opt-in mechanisms, we cannot assume that all > private registries will publish the appropriate indicators. > > To solve the problem, we need an indicator from the organization. that it > either (a) contains no private registries, (b) contains private registries > and the registration point is tagged with an indicator, or (c) contains > private registries but tagging is incomplete or not usable. For (c), the > organization boundary cannot be determined reliably so only strict > alignment can be used (or the PSL could be consulted.) This > private-registry status indicator would need to be on the PSD-registered > organization domain policy. The most efficient way to find a > PSD-registered organization policy is top down, as Scott originally > proposed. > > Doug > > On Sun, Apr 3, 2022 at 9:11 AM Barry Leiba <barryleiba@computer.org> wrote: > > An alternative here is a pointer to one or two open-source implementations > > that readers can refer to if they want to. That keeps the document tight > > while providing access to implementation examples. > > > > Barry > > > > On Sun, Apr 3, 2022 at 7:27 AM Alessandro Vesely <vesely@tana.it> wrote: > >> On Sun 03/Apr/2022 01:35:16 +0200 Scott Kitterman wrote: > >> > On Wednesday, March 23, 2022 6:59:08 AM EDT Alessandro Vesely wrote: > >> >> Hm... > >> >> > >> >> On Wed 23/Mar/2022 03:08:35 +0100 Douglas Foster wrote: > >> >>> During my ruminations last night, I gained some clarity around that > >> >>> question and wanted to highlight those conclusions. They simplify > >> >>> the > >> >>> alignment search significantly: > >> >>> > >> >>> - If the common substring is shorter than the Organizational Domain, > >> > >> then > >> > >> >>> the names are not aligned and the candidate domain can be ignored. > >> >>> > >> >>> - Otherwise, if any candidate domain is a parent of (or equal to) the > >> > >> FROM > >> > >> >>> domain, then and we have alignment and DMARC PASS. The secondary > >> >>> tree > >> >>> walk is not needed and no further evaluation is required. > >> >>> > >> >>> - If several candidate names are child domains of the FROM address, > >> > >> then > >> > >> >>> only the shortest string needs to be evaluated with a secondary tree > >> >>> walk. If it is aligned, further evaluation is not required. If it > >> >>> is > >> >>> not aligned because of an organizational boundary, all other child > >> >>> domains are also excluded. > >> >> > >> >> That and the deeper-than-5 optimization Doug posted on a separate > >> > >> message. > >> > >> >> I know the document is already longish. However, collecting these > >> >> observations in an appendix may be helpful for developers, and maybe > >> > >> also > >> > >> >> for general understanding of the intricacies involved in the tree > >> >> walk, > >> >> including proper usage of the psd= flag. > >> > > >> > I think we do need to add some additional clarity, which I plan to > >> > >> draft, but > >> > >> > let's not go overboard. We are trying to describe a protocol, not a > >> > implementation specification. So far, in my experience, the extra code > >> > required to address short cuts like this is not justified by the > >> > >> improved > >> > >> > 'efficiency'. I don't think these need to be in the document. > >> > >> I agree that the efficiency is determined more by having a dedicated > >> caching > >> resolver than by the algorithm. And the importance of setting up DNS > >> will > >> never be stressed enough. > >> > >> I was thinking rather to a walk through the tree walk (no pun intended), > >> to be > >> read by domain owners and programmers alike, to help understanding what's > >> good, > >> what's bad, what's normal and what's exceptional. > >> > >> Having such an appendix permits the actual algorithm to be stated in a > >> concise, > >> formal expression. The last description, for example, uses two steps, 2 > >> and 7, > >> to advise to discard non-DMARC records. Step 8 repeats the directive > >> already > >> given in step 3. That language is neither formal nor friendly. > >> > >> > >> Best > >> Ale > >> -- > >> > >> > >> > >> _______________________________________________ > >> dmarc mailing list > >> dmarc@ietf.org > >> https://www.ietf.org/mailman/listinfo/dmarc > > > > _______________________________________________ > > dmarc mailing list > > dmarc@ietf.org > > https://www.ietf.org/mailman/listinfo/dmarc
- [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbi… internet-drafts
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- [dmarc-ietf] 5.5.4. Publish a DMARC Policy for th… Alessandro Vesely
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- [dmarc-ietf] Ruminating the tree walk Alessandro Vesely
- Re: [dmarc-ietf] Ruminating the tree walk Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] Ruminating the tree walk Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… John Levine
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Alessandro Vesely
- Re: [dmarc-ietf] Ruminating the tree walk Alessandro Vesely
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Douglas Foster
- Re: [dmarc-ietf] Ruminating the tree walk Barry Leiba
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… John R Levine
- Re: [dmarc-ietf] Ruminating the tree walk Douglas Foster
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Alessandro Vesely
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Douglas Foster
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Scott Kitterman
- Re: [dmarc-ietf] Ruminating the tree walk Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Todd Herr
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… John R Levine
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Alessandro Vesely
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… John R Levine
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… John Levine
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Alessandro Vesely
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Alessandro Vesely
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… John R Levine
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… John Levine
- Re: [dmarc-ietf] PSD vs org, 5.5.4. Publish a DMA… John R Levine
- Re: [dmarc-ietf] PSD vs org, 5.5.4. Publish a DMA… Scott Kitterman
- Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy fo… Alessandro Vesely
- Re: [dmarc-ietf] PSD vs org, 5.5.4. Publish a DMA… Alessandro Vesely
- Re: [dmarc-ietf] PSD vs org, 5.5.4. Publish a DMA… John Levine