Re: [DNSOP] Tell me about tree walks

John R Levine <johnl@taugh.com> Wed, 11 November 2020 22:07 UTC

Date: Wed, 11 Nov 2020 17:07:31 -0500
Message-ID: <bfefe62e-f1dc-b54e-f7d0-5c494bb613ac@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Tony Finch <dot@dotat.at>
Cc: dnsop@ietf.org
In-Reply-To: <alpine.DEB.2.20.2011112128510.17264@grey.csi.cam.ac.uk>
References: <20201111181423.7B1A9262936D@ary.qy> <alpine.DEB.2.20.2011112128510.17264@grey.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BgaewxNM5XAyzbGIJynFxneiw90>
Subject: Re: [DNSOP] Tell me about tree walks

>> It occurs to me that for DMARC's purposes, walking up the tree would
>> work better than the current hack.

> CAA records are perhaps less of a target for query amplification abuse
> than DMARC records :-)

I dunno, seems to me the stakes are higher for CAA but the number of 
requests per domain is far lower.

> One possible way for DMARC to mitigate it would be to walk *down* instead
> of up, and (in the application, not relying on the recursive server) stop
> on NXDOMAIN because RFC 8020 tells you this is sensible, otherwise take
> the last result you find.

I wouldn't want to skip the cache.  In most settings there's a whole lot 
of mail from the same place and most of the answers are likely to be 
cached.  Perhaps just note that if you're worried about this, use a cache 
that does RFC 8020.

There's also the practical fact that the amount of real mail from domains 
with more than 5 or 6 labels rounds to zero and you could limit the tree 
walk to 10 labels without losing anything.  If there's no DMARC record at 
the name itself, and you walk up 10 labels without finding anything, 
pretend you found one that says to reject everything.  People who really REALLY 
want 37 label names need to put DMARC records every 10 levels.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
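The capped walk-up John sketches above (query the name itself, then each parent, stop after 10 labels, treat "nothing found" as reject, and let a cache absorb repeated lookups), written out as an added Python example that is not part of this thread. The resolver, zone contents and domain names are constructed stand-ins for real TXT queries of `_dmarc.<name>`.

```python
from typing import Dict, Optional, Tuple

MAX_WALK_LABELS = 10  # cap from the message: the name itself plus 10 parents

# Constructed stub zone: _dmarc owner name -> TXT record. Absent names yield None.
STUB_ZONE: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:rua@example.com",
    "_dmarc.deep.example.org": "v=DMARC1; p=none",
}


class StubResolver:
    """In-memory TXT lookup with a cache, so repeated walks do not re-query."""

    def __init__(self, zone: Dict[str, str]) -> None:
        self.zone = zone
        self.cache: Dict[str, Optional[str]] = {}
        self.queries = 0  # counts lookups that were not answered from cache

    def txt(self, name: str) -> Optional[str]:
        if name not in self.cache:
            self.queries += 1
            self.cache[name] = self.zone.get(name)
        return self.cache[name]


def parse_policy(record: Optional[str]) -> Optional[str]:
    """Return the p= tag of a DMARC record, or None if it is not a DMARC record."""
    if not record:
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p") if tags.get("v") == "DMARC1" else None


def dmarc_policy_walk_up(resolver: StubResolver, domain: str,
                         max_labels: int = MAX_WALK_LABELS) -> Tuple[str, Optional[str]]:
    """Look for a DMARC record at `domain`, then at each parent, walking up at
    most `max_labels` labels and never querying a bare TLD or the root.
    Returns (policy, name_where_found); if nothing turns up within the cap the
    policy is 'reject', as the message proposes."""
    labels = domain.rstrip(".").lower().split(".")
    # Candidate names: the name itself and every parent that still has >= 2 labels.
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for name in candidates[: max_labels + 1]:
        policy = parse_policy(resolver.txt("_dmarc." + name))
        if policy is not None:
            return policy, name
    return "reject", None


if __name__ == "__main__":
    r = StubResolver(STUB_ZONE)
    for d in ("a.b.example.com", "c.b.example.com", "nothing.test"):
        print(d, dmarc_policy_walk_up(r, d), "queries so far:", r.queries)
```

The second lookup in the demo only costs one new query because the shared parents are already cached, which is the point John makes about not skipping the cache.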