[DNSOP] Tell me about tree walks

John Levine <johnl@taugh.com> Wed, 11 November 2020 18:15 UTC

Date: 11 Nov 2020 13:14:23 -0500
Message-Id: <20201111181423.7B1A9262936D@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cyP0iokfDZG0KXDEgdyf9xPvRvA>

Over in the DMARC working group we have this DNS application.

If someone sends you a message from, say, bob@sales.east.bigcorp.com,
your mail system looks for a policy record at
_dmarc.sales.east.bigcorp.com. If it doesn't find one, it looks for
one in the "organizational domain", in this case _dmarc.bigcorp.com.

The way we currently find the organizational domain is straight out of
HOSTS.TXT. Everyone in the world periodically downloads a public
suffix list from https://publicsuffix.org/list/public_suffix_list.dat
and the organizational domain is one label below the longest public
suffix of the name. You don't have to tell us this is ridiculous. The
DBOUND WG tried to create a way to put the info in the DNS but failed
for various non-technical reasons.

It occurs to me that for DMARC's purposes, walking up the tree would
work better than the current hack. I know it would sometimes find a
different answer from what it gets now, which is OK. When this came up
before, the advice was that DNS tree walks are very bad, so don't do
them.  Is that still true?

As I understand it, the main problem with tree walks is that a malicious
sender could send long non-existent names and cause floods of queries,
but RFC 8020 lets DNS caches dispose of those cheaply.  We know they're
ugly, but in a situation like this where none of the options are great,
why not?
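An added example, not part of John Levine's post: the two DMARC policy-discovery strategies the message contrasts (PSL-derived organizational domain versus walking up the tree), run against a constructed in-memory stand-in for DNS. The PSL subset, the DMARC records and the MAX_WALK query bound are all assumptions made for the example.

```python
# Constructed stand-ins; not live PSL or DNS data.
PUBLIC_SUFFIXES = {"com", "co.uk"}
DMARC_RECORDS = {
    "_dmarc.bigcorp.com": "v=DMARC1; p=reject",
    "_dmarc.east.bigcorp.com": "v=DMARC1; p=none",  # intermediate zone publishes its own policy
}
MAX_WALK = 8  # assumed client-side cap on queries per message; bounds the "long bogus name" case


def lookup(name):
    """Stand-in for a DNS TXT query: the record, or None for NXDOMAIN."""
    return DMARC_RECORDS.get(name)


def _labels(domain):
    return domain.lower().rstrip(".").split(".")


def organizational_domain(domain):
    """PSL rule from the post: one label below the longest public suffix of the name.
    Returns None when the name itself is a public suffix."""
    labels = _labels(domain)
    for i in range(len(labels)):  # i == 0 is the longest candidate suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def psl_policy(from_domain):
    """Current DMARC discovery: the exact name, then the organizational domain (two queries at most)."""
    rec = lookup("_dmarc." + from_domain)
    if rec is None:
        org = organizational_domain(from_domain)
        if org and org != from_domain:
            rec = lookup("_dmarc." + org)
    return rec


def tree_walk_policy(from_domain, max_queries=MAX_WALK):
    """Proposed discovery: query _dmarc.<name>, strip one label, repeat; never query the bare TLD.
    Returns (record or None, number of queries issued) so the query cost is visible."""
    labels = _labels(from_domain)
    queries = 0
    for i in range(len(labels) - 1):
        if queries >= max_queries:  # cap protects the resolver even without RFC 8020 caching
            break
        queries += 1
        rec = lookup("_dmarc." + ".".join(labels[i:]))
        if rec is not None:
            return rec, queries
    return None, queries
```

Running both on sales.east.bigcorp.com shows the divergence the post mentions: the PSL route jumps straight to bigcorp.com (p=reject), while the walk stops at east.bigcorp.com (p=none); a 40-label bogus name costs the walk only MAX_WALK queries.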