Re: [DNSOP] Tell me about tree walks

Tony Finch <dot@dotat.at> Wed, 11 November 2020 21:39 UTC

Date: Wed, 11 Nov 2020 21:39:38 +0000
From: Tony Finch <dot@dotat.at>
To: John Levine <johnl@taugh.com>
cc: dnsop@ietf.org
In-Reply-To: <20201111181423.7B1A9262936D@ary.qy>
Message-ID: <alpine.DEB.2.20.2011112128510.17264@grey.csi.cam.ac.uk>
References: <20201111181423.7B1A9262936D@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3Voq4bCoDf08WjzPUbnD9QHPNPw>
Subject: Re: [DNSOP] Tell me about tree walks

John Levine <johnl@taugh.com> wrote:
>
> It occurs to me that for DMARC's purposes, walking up the tree would
> work better than the current hack. I know it would sometimes find a
> different answer from what it gets now, which is OK. When this came up
> before, the advice was that DNS tree walks are very bad, so don't do
> them.  Is that still true?

Well, the other Very Prominent example is CAA records, which also involve
walking up the tree to discover policy. It would be nice if things like
CAA and DMARC could agree with each other about how they discover
domain-wide policies.

CAA records are perhaps less of a target for query amplification abuse
than DMARC records :-)

One possible way for DMARC to mitigate it would be to walk *down* instead
of up, and (in the application, not relying on the recursive server) stop
on NXDOMAIN because RFC 8020 tells you this is sensible, otherwise take
the last result you find.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North
Channel: Southerly 6 to gale 8, occasionally severe gale 9 at first in North
Channel, veering westerly 4 or 5 for a time. Moderate or rough, becoming
slight or moderate for a time. Rain at first, then fair, occasional rain
later. Moderate or good, occasionally poor.
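The downward walk sketched in the reply above, as an added example that is not part of the original message or of any DMARC implementation: `_dmarc` is used as the policy prefix, the zone contents and `stub_lookup` are constructed stand-ins for real DNS answers, and the NXDOMAIN stop rule is the one the message proposes. An upward walk is included only to compare query counts on a deeply nested non-existent name.

```python
from typing import Callable, Iterator, Optional, Tuple

# Lookup outcomes: name absent, name present but no such record, record found.
NXDOMAIN, NODATA, DATA = "NXDOMAIN", "NODATA", "DATA"
Lookup = Callable[[str], Tuple[str, Optional[str]]]

def policy_names_top_down(domain: str, prefix: str) -> Iterator[str]:
    """Yield '<prefix>.<ancestor>' from the top-level label down to the full domain."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield prefix + "." + ".".join(labels[i:])

def walk_down(domain: str, prefix: str, lookup: Lookup) -> Tuple[Optional[str], int]:
    """Walk from the top of the tree toward the full domain, as the message proposes.
    The application itself stops at the first NXDOMAIN (RFC 8020: no names exist
    below a name that does not exist) instead of relying on the recursive server;
    otherwise the most specific record seen wins. Returns (record, queries sent)."""
    found, queries = None, 0
    for qname in policy_names_top_down(domain, prefix):
        status, record = lookup(qname)
        queries += 1
        if status == NXDOMAIN:
            break
        if status == DATA:
            found = record
    return found, queries

def walk_up(domain: str, prefix: str, lookup: Lookup) -> Tuple[Optional[str], int]:
    """Upward walk for comparison: start at the full domain and stop at the first
    record, so a deeply nested non-existent name costs one query per label."""
    queries = 0
    for qname in reversed(list(policy_names_top_down(domain, prefix))):
        status, record = lookup(qname)
        queries += 1
        if status == DATA:
            return record, queries
    return None, queries

# Constructed zone data standing in for real DNS answers; unlisted names are NXDOMAIN.
ZONE = {
    "_dmarc.com": (NODATA, None),
    "_dmarc.example.com": (DATA, "v=DMARC1; p=reject"),
    "_dmarc.corp.example.com": (NODATA, None),
    "_dmarc.mail.corp.example.com": (DATA, "v=DMARC1; p=none"),
}

def stub_lookup(qname: str) -> Tuple[str, Optional[str]]:
    return ZONE.get(qname, (NXDOMAIN, None))
```

Against the constructed zone, `walk_down` on `a.b.c.d.e.bogus.example.com` sends three queries and stops at the NXDOMAIN for `_dmarc.bogus.example.com`, while `walk_up` on the same name sends seven.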