Re: [dmarc-ietf] Tree walk nits
Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 23 June 2022 05:52 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mv0SkIFiGfowsIKq6Y5QPoZxMCs>
Clarity: The two types of tree walks have different starting conditions, different ending conditions, and different processing tasks at each iteration. So I think clarity will be improved by describing them separately.

Efficiency: The purpose of the secondary tree walk is to confirm alignment, by demonstrating that the organization subtree contains no organization boundaries between the SPF/DKIM domain and the previously-located organizational domain. This is a rare event, as a percentage of all messages. My wild estimate is that an evaluator will perform a million alignment walks to detect one non-aligned identifier. This seems like an unfortunate inefficiency.

The inefficiency is avoidable if we allow the domain owner to use the organizational domain policy to tell us that the subtree has no sub-organizations. We already trust the opposite -- if an organization subtree has a private registry, the domain owner will ensure that the boundary is explicitly tagged with psd tokens. Consequently, there is no difference in risk to believe a domain owner if he asserts that there are no sub-organizations lurking in his tree. We just need to provide him with a token to communicate this information.

DF

On Tue, Jun 21, 2022 at 10:26 PM Scott Kitterman <sklist@kitterman.com> wrote:

>
>
> On June 22, 2022 2:11:56 AM UTC, John Levine <johnl@taugh.com> wrote:
> >It appears that Scott Kitterman <sklist@kitterman.com> said:
> >>As written, I think it produces the correct result.
> >
> >I now think it's close but not quite.
> >
> >>As written you take the domain with a (non-PSD) DMARC record with the fewest
> >>labels, ....
> >
> >How about this?
> >
> >a NXDOMAIN (or psd=y, doesn't matter)
> >b.a blah
> >c.b.a psd=y
> >d.c.b.a blah
> >e.d.c.b.a NXDOMAIN
> >
> >The org or policy domain for e.d.c.b.a is d.c.b.a, but the one with
> >the fewest labels is b.a. This is why we walk up rather than down.
> >
> >This shouldn't be hard to fix but I'm trying to figure out the least
> >confusing way of saying it.
>
> Not confusing is indeed the tricky part. I think what's wanted is
> shortest that's longer than the longest PSD.
>
> Scott K
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
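Added example, not part of the original message or of any DMARC implementation: the five-name tree from the quoted message, evaluated under the "fewest labels" wording and under "shortest that's longer than the longest PSD". The dictionary encoding (`None` for NXDOMAIN, `"psd=y"`, `"blah"` for any other record) and the function names are assumptions made for illustration; only the selection rule discussed in the thread is modelled.

```python
# Constructed data: the example tree from the quoted message.
# None = NXDOMAIN, "psd=y" = PSD-tagged DMARC record, "blah" = any other DMARC record.
TREE = {
    "a": None,
    "b.a": "blah",
    "c.b.a": "psd=y",
    "d.c.b.a": "blah",
    "e.d.c.b.a": None,
}


def ancestors(domain):
    """Yield the domain and each parent, longest name first (walking up)."""
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def fewest_labels_rule(domain, tree):
    """Rule as first worded: the non-PSD record with the fewest labels."""
    found = [d for d in ancestors(domain) if tree.get(d) not in (None, "psd=y")]
    return found[-1] if found else None  # last hit is the shortest name


def walk_up_rule(domain, tree):
    """Walk up; keep the shortest non-PSD record seen before the first PSD."""
    org = None
    for d in ancestors(domain):
        record = tree.get(d)
        if record == "psd=y":
            break        # first PSD met walking up is the longest PSD: stop here
        if record is not None:
            org = d      # shorter than any earlier hit, still below the PSD
    return org


if __name__ == "__main__":
    start = "e.d.c.b.a"
    print("fewest labels:", fewest_labels_rule(start, TREE))
    print("walk up      :", walk_up_rule(start, TREE))
```
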