Re: [DNSOP] Tell me about tree walks

John R Levine <johnl@taugh.com> Sun, 22 November 2020 15:57 UTC

Date: Sun, 22 Nov 2020 10:56:58 -0500
Message-ID: <d9718754-1af6-205c-ca4b-76da2c644a0@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dnsop@ietf.org
In-Reply-To: <20201122074125.GA31567@nic.fr>
References: <20201111181423.7B1A9262936D@ary.qy> <alpine.DEB.2.20.2011112128510.17264@grey.csi.cam.ac.uk> <20201122074125.GA31567@nic.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6YrbViEZeey-o_eFuvYm62f8AfA>

On Sun, 22 Nov 2020, Stephane Bortzmeyer wrote:
> IMHO, the CAA algorithm is bad because it crosses administrative
> boundaries. RFC 8659 at least excludes the root but it still allows,
> for instance, AFNIC to put a CAA record in .fr which will apply to all
> .fr domains which do not have an explicit CAA. It seems bad.

I don't see why, since it only acts as a default.  Any registrant that 
cares which CA they use can publish their own CAA.  If the registrants 
object, that's between them and Afnic.

Over in DMARC land we have a proposal called PSD which specifically sets 
a default policy for the whole TLD, since .BANK and .INSURANCE want to do 
that for their registrants.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
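The "only acts as a default" behaviour John describes is the relevant-record-set lookup of RFC 8659 section 3: a CA climbs from the requested name toward the root, takes the first CAA RRset it finds, and stops before consulting the root itself. As an added example that is not part of the original thread, the Python below runs that climb and the section 4 issue/issuewild check over a constructed in-memory zone (no DNS is queried; the names tld-ca.example, my-ca.example, optout.fr, silent.fr, deny.fr, wild.fr and nocaa.com are hypothetical stand-ins). It shows a TLD-level CAA applying to a registrant that publishes nothing, being shadowed by a registrant's own record, and a root CAA being ignored.

```python
"""RFC 8659 CAA relevant-record-set lookup and issuer check, run over a
constructed zone (added example; not code from the thread or any CA)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 = issuer critical; unused here
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'ca.example; account=123' or ';' (nobody)


# Constructed stand-in for DNS answers. Keys are lowercase FQDNs without
# the trailing dot; "" is the root. In real use lookup_caa() would be a
# DNS query whose CNAME/DNAME handling is ordinary resolution (RFC 8659 s3).
ZONE = {
    "": [CAA(0, "issue", "root-ca.example")],          # must never be consulted
    "fr": [CAA(0, "issue", "tld-ca.example")],         # hypothetical TLD default
    "optout.fr": [CAA(0, "issue", "my-ca.example")],   # registrant overrides TLD
    "deny.fr": [CAA(0, "issue", ";")],                 # registrant forbids everyone
    "wild.fr": [CAA(0, "issue", "a.example"),
                CAA(0, "issuewild", "w.example")],     # wildcard handled separately
    # silent.fr and nocaa.com publish no CAA at any level
}


def lookup_caa(name):
    return ZONE.get(name, [])


def parent(name):
    """'www.optout.fr' -> 'optout.fr'; 'fr' -> '' (the root)."""
    _label, sep, rest = name.partition(".")
    return rest if sep else ""


def relevant_caa_set(domain):
    """RFC 8659 s3: climb toward the root; the root itself is excluded.
    Returns (name_that_answered, rrset) or (None, []) if nothing was found."""
    name = domain.rstrip(".").lower()
    while name != "":
        rrset = lookup_caa(name)
        if rrset:
            return name, rrset
        name = parent(name)
    return None, []


def ca_may_issue(domain, ca_id, wildcard=False):
    """RFC 8659 s4: with no issue-type property anyone may issue; otherwise
    only a CA whose identifier exactly (case-insensitively) matches one.
    issuewild takes precedence over issue for wildcard requests and is
    ignored for non-wildcard ones."""
    _src, rrset = relevant_caa_set(domain)
    rules = [r for r in rrset if r.tag == "issue"]
    if wildcard:
        wild_rules = [r for r in rrset if r.tag == "issuewild"]
        if wild_rules:
            rules = wild_rules
    if not rules:
        return True
    for r in rules:
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_id.lower():
            return True
    return False


def report(domain, ca_id, wildcard=False):
    src, rrset = relevant_caa_set(domain)
    verdict = "may" if ca_may_issue(domain, ca_id, wildcard) else "may NOT"
    return f"{ca_id} {verdict} issue for {'*.' if wildcard else ''}{domain} " \
           f"(relevant set from {src!r}: {[(r.tag, r.value) for r in rrset]})"


if __name__ == "__main__":
    for args in [("www.silent.fr", "tld-ca.example"),
                 ("www.silent.fr", "my-ca.example"),
                 ("www.optout.fr", "my-ca.example"),
                 ("www.optout.fr", "tld-ca.example"),
                 ("deny.fr", "tld-ca.example"),
                 ("wild.fr", "a.example", True),
                 ("nocaa.com", "anyone.example")]:
        print(report(*args))
```

The last case is the root exclusion: nocaa.com has no CAA and its only ancestor is the root, so the climb stops with an empty set and issuance is unrestricted, even though the constructed root record names a different CA.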