Re: [DNSOP] Tell me about tree walks
John R Levine <johnl@taugh.com> Wed, 11 November 2020 22:07 UTC
Date: Wed, 11 Nov 2020 17:07:31 -0500
Message-ID: <bfefe62e-f1dc-b54e-f7d0-5c494bb613ac@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Tony Finch <dot@dotat.at>
Cc: dnsop@ietf.org
In-Reply-To: <alpine.DEB.2.20.2011112128510.17264@grey.csi.cam.ac.uk>
References: <20201111181423.7B1A9262936D@ary.qy> <alpine.DEB.2.20.2011112128510.17264@grey.csi.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BgaewxNM5XAyzbGIJynFxneiw90>
Subject: Re: [DNSOP] Tell me about tree walks
>> It occurs to me that for DMARC's purposes, walking up the tree would
>> work better than the current hack.

> CAA records are perhaps less of a target for query amplification abuse
> than DMARC records :-)

I dunno, seems to me the stakes are higher for CAA but the number of
requests per domain are far lower.

> One possible way for DMARC to mitigate it would be to walk *down* instead
> of up, and (in the application, not relying on the recursive server) stop
> on NXDOMAIN because RFC 8020 tells you this is sensible, otherwise take
> the last result you find.

I wouldn't want to skip the cache. In most settings there's a whole lot of
mail from the same place and most of the answers are likely to be cached.
Perhaps just note that if you're worried about this, use a cache that does
RFC 8020.

There's also the practical fact that the amount of real mail from domains
with more than 5 or 6 labels rounds to zero and you could limit the tree
walk to 10 labels without losing anything. If there's no DMARC record at
the name itself, and you walk up 10 labels without finding anything,
pretend you found one that says to reject everything. People who really
REALLY want 37 label names need to put DMARC records every 10 levels.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
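The two discovery strategies argued over above, as an added worked example that is not code from the thread, from any DMARC implementation or from a real resolver: `walk_up` is the proposal in this message (query `_dmarc.` at the sender domain, then at most 10 ancestors, and fail closed to `p=reject` if nothing turns up), and `walk_down` is the quoted variant that starts at the shortest ancestor and stops at the first NXDOMAIN, keeping the last record seen. The stub `Resolver`, its per-name cache, the zone contents, `MIN_LABELS` (never querying `_dmarc.<tld>` or the root) and all function names are assumptions for the example; the `upstream` counter is there to show how many queries each strategy costs and why a cache makes repeat senders free.

```python
"""DMARC policy discovery by DNS tree walk: walk-up with a label cap and a
fail-closed default, plus the walk-down variant that stops on NXDOMAIN.

Constructed example for this page, not code from the thread or from any
DMARC library. Zone data, resolver stub and names are all assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

MAX_WALK = 10               # ancestors walked above the sender domain
MIN_LABELS = 2              # assumption: never query _dmarc.<tld> or the root
DEFAULT_POLICY = "reject"   # "pretend you found one that says to reject everything"


class NXDomain(Exception):
    """The queried name does not exist."""


# Constructed zone data: names in TXT carry a DMARC record; a name in
# NONEXISTENT is absent together with everything below it.
TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine",
    "_dmarc.mail.example.com": "v=DMARC1; p=none",
}
NONEXISTENT = {"gone.example.net"}
_NX = object()  # cache sentinel for a negative (NXDOMAIN) answer


def labels(name: str) -> list[str]:
    return [l for l in name.rstrip(".").split(".") if l]


def _suffixes(name: str) -> list[str]:
    ls = labels(name)
    return [".".join(ls[i:]) for i in range(len(ls))]


def parents(domain: str) -> list[str]:
    """The domain and every ancestor with at least MIN_LABELS labels, nearest
    first: a.b.example.com -> [a.b.example.com, b.example.com, example.com]."""
    ls = labels(domain)
    return [".".join(ls[i:]) for i in range(len(ls) - MIN_LABELS + 1)]


@dataclass
class Resolver:
    """Stub recursive resolver over the constructed zone. Answers (positive
    and negative) are cached per name, so a repeat lookup of the same sender
    costs nothing; `upstream` counts queries that reached the stub
    authoritative side."""
    upstream: int = 0
    cache: dict[str, object] = field(default_factory=dict)

    def txt(self, name: str) -> Optional[str]:
        """Return the TXT string, None for NOERROR/NODATA, raise NXDomain."""
        if name not in self.cache:
            self.upstream += 1
            if any(s in NONEXISTENT for s in _suffixes(name)):
                self.cache[name] = _NX
            else:
                self.cache[name] = TXT.get(name)
        ans = self.cache[name]
        if ans is _NX:
            raise NXDomain(name)
        return ans  # type: ignore[return-value]


def policy_of(record: Optional[str]) -> Optional[str]:
    """Extract p= from a DMARC TXT record; None if it is not a DMARC record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p")


def walk_up(resolver: Resolver, domain: str) -> tuple[str, Optional[str]]:
    """Check _dmarc at the domain itself, then up to MAX_WALK ancestors.
    NXDOMAIN and NODATA both mean "keep walking"; if nothing is found within
    the cap, fail closed. Returns (policy, name the policy came from)."""
    for name in parents(domain)[: MAX_WALK + 1]:
        try:
            pol = policy_of(resolver.txt("_dmarc." + name))
        except NXDomain:
            continue
        if pol:
            return pol, name
    return DEFAULT_POLICY, None


def walk_down(resolver: Resolver, domain: str) -> tuple[str, Optional[str]]:
    """Start at the shortest ancestor and walk toward the sender domain,
    stopping at the first NXDOMAIN; the last DMARC record seen wins. The same
    label cap bounds the number of queries."""
    found: tuple[str, Optional[str]] = (DEFAULT_POLICY, None)
    for name in reversed(parents(domain)[: MAX_WALK + 1]):
        try:
            pol = policy_of(resolver.txt("_dmarc." + name))
        except NXDomain:
            break
        if pol:
            found = (pol, name)
    return found


if __name__ == "__main__":
    r = Resolver()
    for d in ("a.b.mail.example.com", "deep.gone.example.net",
              ".".join(["l"] * 12) + ".example.com"):
        print(d, "->", walk_up(r, d), "upstream queries so far:", r.upstream)
```

With the constructed zone, `walk_up` on a sender under `mail.example.com` costs three upstream queries the first time and none the second; a 14-label name under `example.com` exhausts the cap after 11 queries and gets `reject` without ever reaching the record at `example.com`, which is the "put DMARC records every 10 levels" consequence. `walk_down` on a name under the nonexistent `gone.example.net` stops after two queries instead of three.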
- [DNSOP] Tell me about tree walks John Levine
- Re: [DNSOP] Tell me about tree walks Tony Finch
- Re: [DNSOP] Tell me about tree walks John R Levine
- Re: [DNSOP] Tell me about tree walks Paul Vixie
- Re: [DNSOP] Tell me about tree walks John R Levine
- Re: [DNSOP] Tell me about tree walks Paul Vixie
- Re: [DNSOP] Tell me about tree walks Tony Finch
- Re: [DNSOP] Tell me about tree walks John R Levine
- Re: [DNSOP] Tell me about tree walks Tony Finch
- Re: [DNSOP] Tell me about tree walks Joe Abley
- Re: [DNSOP] Tell me about tree walks Paul Vixie
- Re: [DNSOP] Tell me about tree walks Paul Vixie
- Re: [DNSOP] Tell me about tree walks John R Levine
- Re: [DNSOP] Tell me about tree walks Brotman, Alex
- Re: [DNSOP] Tell me about tree walks Stephane Bortzmeyer
- Re: [DNSOP] Tell me about tree walks John R Levine
- Re: [DNSOP] Tell me about tree walks Stephane Bortzmeyer