►
From YouTube: IETF109-DMARC-20201118-0500
Description
DMARC meeting session at IETF109
2020/11/18 0500
https://datatracker.ietf.org/meeting/109/proceedings/
A
Again,
good
morning,
good
afternoon,
good
evening
to
everybody
joining
us,
so
this
is
the
mark
session.
A
So
I
assume
people
have
already
seen
note.
Well,
if
you
haven't
seen
it,
please
have
a
look
and
read
relevant.
A
So
we're
using
meteco
if
you're
hearing
this
you're,
probably
in
the
right
place,
so
this
session
is
being
recorded.
We
have
a
jab
room
which
is
mirrored
to
the
chat
in
mit
echo.
So
if
you
appear
in
either
one
it
should
should
appear
there,
we
have
no
taking.
A
Yes,
but
if
tim
anything
please
go
to
godamd
and
help
him
out.
A
Right,
so
this
is
our
gender.
A
We
basically
have
just
split
the
main
demark,
this
document
into
three
parts,
so
this
is
fairly
new,
we'll
basically
discuss
a
set
of
topics
for
relevant
for
each
part
in
case
of
gmark
base.
There
actually
three
topics
we'll
talk
about
pct,
possibly
breaking
out
the
main
organizational
domain
definition
and
policy
discovery.
A
Point,
I
suspect
we
probably
wouldn't
use
two
hours
for
this
session,
but
we'll
use
as
much
of
it
as.
B
C
Yeah
hi
hi-
this
is
jim
fenton.
I
was
just
looking
at
the
issue
tracker
and
you
know
we've
got
an
awful
lot
of
open
issues
and
I
guess
one
of
the
things
that
I
was
wondering
was
that
you
know.
Is
there
a
plan
to
do
some
sort
of
a
an
issue
scrub
at
some
point.
A
Yes,
absolutely
we
sure
chair
should
get
on
top
of
things
and
if
we
have
a
resolution
for
any
specific
issue,
we
need
to
declare
it
absolutely.
A
Yeah,
just
a
very
quick
working
group
status.
I
already
said
there
are
three
documents
we
have,
which
are
the
main
focus
of
the
working
group
at
the
moment,
but
because
the
documents
were
all
published
so
recently
for
this
session,
there
is
really
no
expectation
that
people
read
them.
A
So,
let's
get
started
with
the
first
issue
on
the
list,
so
it
relates
to
the
base
document
and
the
question
is:
should
we
keep
or
should
we
deprecate
the
pct
tag
so
on
the
screen
is
the
definition
of
it:
it's
a
percentage
of
messages
from
domains,
owner
mail
stream
and,
as
pointed
out
on
the
next
flight.
A
A
A
But
when
people
implement,
they
think
it's
percentage
of
failing
mail,
which
are
two
very
different
things,
and
on
top
of
this
there
are
implementation
issues
and
then,
of
course,
there
are
interesting
border
cases
like
pct,
0
and.
A
What's
what's
the
meaning
of
things
like
p
p,
equal
quarantine,
visibility,
zero?
Does
it
mean
p
equal
none?
What
exactly
does
it
mean
and
do
actually
people
implement
the
edge
cases
correctly.
D
Yeah
regarding
the
the
perverse
incentive
of
p
equal
quarantine
percent
equals
zero.
I
don't
know
if
it's
true
any
longer,
but
there
was
a
time
when,
if
one
get
wanted
to
get
correct
reports
out
of
google,
especially
mail,
that
was
transiting
any
sort
of
google
groups,
one
had
to
have
the
p
equal
quarantine
percent
equals
zero
as
a
substitute
for
p
equal
none.
In
order
to
get
those
reports
again,
they
may
have
fixed
this.
D
This
was
several
years
ago
when
this,
when
this
was
true,
but
that
was
the
reason
I
think
for
the
perverse
incentive
in
the
first
place
in
general,
I'm
in
favor
of
getting
rid
of
the
percent
tag,
for
the
reason
stated
that
it's
just
probably
not
implemented
correctly,
but
we'll
need
to
make
sure
that
that
won't
have
any
impact
on
on
any
reports
coming
out
of
google.
First.
A
E
E
I
work
for
agari,
where
I
help
large
organizations
implement
dmarc
quarantine
and
reject
all
the
time,
and
particularly,
we
see
this
a
lot
with
google
groups,
but
also
with
a
couple
of
mailing
list.
Platforms
like
groups.io
and
listserv
by
elsoft
will
munch
headers
for
domains
using
a
quarantine
or
reject
tag,
but
not
using
a
p
equals
none
or
I
guess,
presumably,
no.
A
So
do
you
think
it's
something
that
we
can
clarify
by
additional
text
one
way
or
the
other
so
like
it's
sort
of
like
a
special
case?
Pct
equals
zero,
and
even
if
we
take
pct
equal
zero
epct
out,
we
can
still
add
text
explaining
that.
E
Yes,
we
could
do
something
like
allowing
this,
but
not
other
other
pct
equals
or
allowing
some
other
setting
that
accomplishes
a
similar
goal
would
be
fine.
Now
I
have
had
a
couple
of
organizations
that
do
use
percentage
tags
in
the
way
that
it
was
intended
to
be
used
to
roll
it
out
slowly,
but
that's
only
happened
with
a
couple
of
my
customers
and
I
think
they
were
people.
I
could
probably
have
talked
into
doing
this
without
that.
E
One
of
the
biggest
exceptions
to
that
was
one
of
the
largest
email
organizations
that
I've
worked
with,
and
that
was
because
they
were
worried
that
they
would
get
enough
reports
back,
that
their
upper
management
might
notice
and
decide.
Something
was
wrong,
even
though
nothing
was
wrong,
so
they
wanted
to
kind
of
slowly
test
the
waters.
F
Hopefully,
it's
connected
correctly
regarding
the
percentage
tag
anyway
autumn
will
also
mention
it
from
an
implementation
perspective.
From
a
practical
perspective,
I've
only
seen
very
useful
cases
when
moving
from
quarantine
to
reject,
in
the
more
a
more
restrictive
policy
component
in
a
way
to
test
well
or
at
least
have
confidence
in
enforcing
the
policies
even
more.
I
do
recognize
that
in
the
earlier
stages,
it's
confusing
from
impulsing
none
or
perhaps
the
policy
quarantine
quarantine,
but
dropping
it
to
actually
have
a
gradual
control
of
moving
from
quarantine
to
reject.
F
A
C
C
If
I'm
wrong
about
that,
please
let
me
know
the
other
thing
is
I'm
wondering
if
deprecate
is
the
right
term
here,
we're
writing
a
new
standards
track
specification
to
replace
an
informational
thing.
Do
we
need
to
deprecate
anything
shouldn't?
We
we're
not
going
to
do
it?
Don't
we
just
leave
pct
out
because.
A
C
A
Oh
yeah,
I
just
I'm
very
sorry.
I
wasn't
very
clear
on
this.
Obviously
all
of
these
discussions
will
feed
to
the
main
english
discussion,
so
we
cannot
really
make
a
decision
and
declare
consensus
here
both
because
we
don't
have
enough
people
and
because
this
is
not
how
it
does
things
so.
A
Yeah,
so
thank
you
for
the
comments
we'll
bring
them
to
the
mailing
list.
A
A
couple
of
general
question:
one
is
about
extensible
reporting.
What
kind
of
extensibility
we
should
allow?
The
grammar
is
quite
restrictive
at
the
moment.
A
Yeah,
please
discuss
suggestions,
thoughts.
You
have
on
the
topic.
E
E
So,
even
if
something
is
fully
passing
authentication,
they
don't
always
the
people
I'm
talking
to
are
usually
a
security
or
I
t
team
for
a
large
organization,
maybe
a
business,
maybe
a
government
agency
and
a
lot
of
times.
They
have
no
idea
who
the
people
on
the
ground
are,
who
are
actually
sending
these
emails,
and
maybe
they've
got
that
somewhere
in
various
ticketing
systems
somehow.
E
But
they
don't
always
know
what
to
query.
So
when
we
have
selectors
included,
that
is
very
helpful
for
them
to
be
able
to
search
their
records
and
maybe
figure
out
who
put
something
in
dns
because
they're
much
more
likely
to
have
a
dns
record
tracked
to
say:
oh,
we
put
in
a
c
name
or
a
text
record,
so
it
facilitates
tracking.
E
So
I
would
be
happy
to
see
that
in
dmarc
reports
and
in
terms
of
how
we
would
make
that
extensible,
I
would
have
to
go.
Look
at
exactly
what
the
aggregate
reports
look
like
from
gmail.
I
don't
have
one
handy,
but
I
believe
it
just
has
s
equals
and
then
the
selector
in
the
same
list
of
format
like
you,
would
get
in
other
people's
aggregate
reports.
A
A
G
Sorry,
it
wasn't
yes
now
you're
hearing
me.
Yes,
we
did
rfc
8601
recently
to
revise
authentication
results
and
part
of
that
was
to
add
header.s
in
support
of
doing
exactly
what
we're
talking
about
here.
So
I
think
that's
one
that
makes
sense
to
do.
I
thought
it
was
tracked
as
a
as
an
issue
to
do
that
in
particular,
but
so
that's
the
that's
the
most
common
use
case.
I've
heard
in
terms
of
extending
this.
D
Chad,
but
it
is
tracked
as
an
issue
murray.
It's
issue
57
make
decamp
selectors
required
in
dmarc
reports,
so
there
is
already
an
issue
for
this.
I
H
Well:
okay,
it's
not
clear
to
me
what
the
question
is
that
we
are
trying
to
address
here.
Is
it
what
other
things
do
we
want
people
to?
What
are
they?
What
yeah?
What
other
things
might
we
like
to
have
in
reports
or
is
the
question
is
how
do
we
put?
How
do
we
allow
people
to
put
stuff
into
reports
in
a
way
that
won't
won't
break
existing
parsers
and
7489
has
an
xml
grammar
which
is
fine,
and
I
suppose
we
could
put
some
stuff
into
the
grammar.
H
That
says,
add
your
add
your
hacks
here
and
I
guess.
A
You
have
a
right,
I
think
we
want
both
really
okay,
if
there
are
any
specific
things
that
are
commonly
used,
add
them
right
away,
as
well
as
some
text
about
where
to
stuff
your
your
extensions.
H
A
A
The
two
other
obvious
things
that
needs
to
be
done
in
in
this
area
is
full
text
from
arc
reporting
if
that's
becomes
the
way
for
dealing
with
indirect
mail
flows
and
as
well
as
no
such
domain
reporting.
A
H
Go
ahead,
I
guess
what
I
said
in
the
chat.
Is
these
both
seem
reasonable
and
I
would
I
guess
I
would
encourage
whoever
suggested
that
they
want
these
reports
to
send
some
snippets
of
xml.
So
we
can
see
because
we
can
try
and
nail
down
what
it
is
they're
reporting,
because
I
could
imagine
particularly
for
arc
a
range
from
yeah
they
used
arc.
So
here's
the
entire
details
of
of
all
473
bits
of
stuff
in
the
arc
chain.
H
A
Questions
are
for
this,
which
fields
should
and
should
not
be
included.
One
strongman
is
just
a
good
from
from
and
two
is
it
useful
what
else
people
want
or
don't
want
to
see
there
please
come
to
the
mic.
G
Is
the
question
about
the
straw?
Man
is
what
must
be
included?
What
may
be
included,
I
haven't
I'm.
I
haven't
read
the
new
document
yet,
but
does
anybody
know
what
that,
whether
we're
talking
about
a
minimal
set
of
things
that
have
to
be
included
or
a
full
list
of
things
that
might
be
included
or
some
mix
of
those.
A
D
Thanks
todd
yeah,
I
I
don't
see
him
on
the
call,
but
I
know
jesse
thompson
from
the
university
of
wisconsin
has
spoken
in
the
past
about
his
sort
of
straw,
man,
failure
reporting
and
how
it
would
be
super
helpful
for
him
who's
at
a
large
distributed
system
to
figure
out
just
just
where
the
failures
are
coming
from
to
have
that
from
in
the
two.
I
I
don't
like
the
idea
of
the
failure
report
sentence.
D
Failures
occur
that
just
seems
like
a
vector
to
to
be
abused
simply
from
somebody
forging
mail
and
causing
intentional
dmarc
failures,
but
something
stripped
down
with
just
from
and
two
sent
at
a
regular
interval
like
an
aggregate
report
sounds
reasonable.
Assuming
people
would
actually
consume
the.
E
Last
ietf,
I
sent
out
a
message
to
other
folks
on
my
team
who
also
help
people
implement
dmarc
and,
of
course
everybody
loves
the
full
forensic
reports,
but
there
are
some
pieces
that
we
are
less
in
need
of.
E
E
I
think
my
my
team
most
often
that
we
do
use
the
from
address
and
also
the
subject
line,
is
really
important
to
us
now.
The
subject
line,
I
think,
is
one
that
is
up
in
the
air
because
of
concerns
over
private
data,
but
that
is
extraordinarily
helpful.
Again.
The
use
case
I'm
seeing
is
a
domain
with
many
distinct
email
uses
many
distinct
vendors
and
not
a
lot
of
visibility,
otherwise
into
what's
being
sent.
E
E
So
that's
why
we
use
those.
My
team
members
also
find
the
message
id
helpful,
sometimes
because
sometimes
it
provides
insight
into
the
back
end
technology.
Now,
that's
another
question.
I
guess
what
would
be
helpful
for
this
is
if
we
could
find
what
specific
fields
people
are
really
objecting
to,
because
some
of
them
are
going
to
be
a
bigger
deal
than
others,
and
I
think
there's
potential
trade-offs
to
be
made.
Is
the
concern
really
over
possibly
exposing
infrastructure?
E
E
So
I
hope
that's
kind
of
a
helpful
set
of
pieces.
Also,
we
do
like
the
dqm
selector
and
that's,
of
course,
something
we're
suggesting
in
aggregate.
The
links,
of
course,
are
also
very
helpful,
but
again,
I
know
that's
something
that
people
might
be
a
little
bit
less
comfortable
sharing.
F
Yeah
so
partially
comment
regarding
the
destruction
around
the
the
reporting.
So
I
think,
because
the
subject
is
so
pii
heavily
written.
A
lot
of
implementers
actually
didn't
directly
said.
Well
we're
not
going
to
touch
the
subject
until
the
privacy
issues
have
been
resolved.
F
I
definitely
see
real
life
use
cases
for
having
in
a
way
abstracted
report
with
limited
api
information,
but
then
the
the
the
the
headers
regarding
where
the
message
originated
from
mta
wise
would
be
very
interesting
to
have
in
there
do
not
need
the
subject
to
be
honest
from
a
personal
perspective,
but
having
at
least
from
the
the
the
domain
part.
And
then
the
two-domain
part
without
the
local
parties
would
be
fine
from
a
specification
perspective.
B
A
J
J
Essentially,
if
we
re,
if
we
looked
at
all
of
the
urals
that
we
were
sending
from
our
own
mail,
subtracted
those
from
the
failure
reports,
all
that
was
left
was
badness
and
we
actually
use
those
links
from
the
badness
for
shutting
down
the
sites
that
are
hosting
malicious
activity,
abusive
our
name,
etc,
etc.
So
it
is
very
useful
in
getting
rid
of
the
badness.
H
H
Everybody
else
gets
them,
and
what
I
see
is
that
most
of
the
failure
reports
have
the
have
what
appears
to
be
the
full
header
and
one
microsoft
subsidiary,
since
the
whole
thing,
which
is
very
generous
of
them
and
kind
of
startling,
and
but
it
seems
to
me
that
you
know
it's
it's
a
local
policy
decision
of
what
privacy
issues
you
have
you
know,
and
I
think
we
can
come
up
with
a
complicated
spec
of
some
sort,
but
the
reality
is
that
most
people
won't
send
failure
reports
and
the
ones
that
do
will
redact
it
to
make
their
lawyers
happy.
H
A
Yeah,
I
think,
if
we
want
to
encourage
more
failure,
reporting
then
having
some
text
about
what
should
be
included
and
what
you
should
consider
at
minimum.
You
know
and
why
you
you
should
or
should
not
include
various
things,
would
be
useful,
probably
in
the
document.
H
Yeah,
well,
I'm
just
I'm
not
sure
we
are
able.
We
are
in
a
position
to
say
basically
you
know
we're
talking
to
lawyers
here
and
I'm
not
sure,
there's
anything
we
can
say
in
the
standard
that
says:
oh,
it's,
okay
to
send
x,
because
they'll
say
you
know
they
have
their
own.
They
have
their
own
opinions
about
it.
So,
like
I'm
not
opposed
to
doing
this,
I
just
think
I
don't
think
we
should
put
a
whole
lot
of
effort
into
it
because
I
think
in
reality,
people
are
going
to
report.
A
So
so
kurt
in
in
the
chat
was
saying
your
suggestion
sounds
like
a
usage
doc,
not
a
spec.
Well,
the
boundaries
sometimes
sort
of
a
bit
gray
between
these
two
so.
A
So
we
had
a
discussion,
starting
on
the
main
that
started
on
the
mailing
list
about
splitting
out
or
domain
to
different
documents,
so
that
if
we
revise
how
the
where
it
is,
you
know,
is
it
psl
or
is
it
something
else
if
we
change
the
mechanism,
how
this
is
retrieved,
then
we
don't
wouldn't
have
to
revise
the
demark
base
itself.
A
A
A
A
K
L
So
since
I
made
a
proposal
for
a
really
firm
split,
I'm
feeling
obligated
to
at
least
repeat
that
this
is
a
messy,
unpleasant
topic
with
a
bad
history.
It's
a
case
of
making
do
with
what
is
generally
viewed
as
a
not
very
good
or
terrible
solution,
but
it's
the
best
that's
available.
Now
there
are
different
approaches
to
making
it
a
lot
better.
One
of
these
days,
one
of
them,
might
actually
prove
successful
and
and
get
adopted
and
work
better
baking.
L
Anything
into
the
core
dmarc
spec
that
relies
on
anything
in
particular
happening
it
is,
is
just
inherently
risky
having
the
spec
state
what
it
wants
as
a
result,
what's
the
nature
of
the
information
it
wants?
That
makes
sense,
because,
because
dmarc
needs
to
use
that
information,
making
any
statements
about
how
it
gets,
the
information
is
the
problem,
and
I
I
now
don't
remember
who
made
the
suggestion
for
some
compromised
text.
I
can't
remember
whether
it
was
murray
or
barry
or
or
kurt
or
whoever,
but
it
was.
It
was
very
clean.
A
If
people
want
to
volunteer
themselves
on
other
people
for
to
be
editors,
for
this,
please
also
let
shares
now.
You
don't
have
to
do
it
in
a
meeting
if
you,
if
you're,
not
comfortable
but.
L
Well,
my
my
point
was:
some
text
was
offered,
it
was,
I
think,
two
sentences
and
it
seemed
to
me
complete
plenty
sufficient.
The
first
sentence
said
we're
not
specifying
it
and
the
second
sentence
said
by
the
way,
there's
some
existing
practice.
I
I
don't
remember
the
exact
language
now,
but
it
was.
It
was
along
those
lines
and
the
important
part
was
it
wasn't
normative
and
it
wasn't
technical
detail.
A
H
I
just
want
to
make
sure
that
we
agree
that
when
we
split
this
out
into
another
document,
it
is
possible
that
what
we
end
up
specifying
as
as
the
org
domain
will
not
necessarily
be
the
same
domain
that
the
current
process
finds
and
in
particular,
if
we
do
a
t,
if
we
do
a
tree
walk
it
won't,
be
I
mean
I'm
fine
with
that.
I
just
want
to.
If
we're
going
to
do
this,
I
just
want.
I
think
we
need
to
make
sure
that
everybody
understands
that.
G
John's
right,
of
course,
my
thought
would
would
be
that
we
produce
an
org
domain
document
that
just
is
basically
a
transplant
of
the
current
psl
text
from
7489
into
something,
and
that's
the
thing
that
my
proposed
text
referred
to
as
this
is
the
legacy
thing
everybody's
been
using
for
a
while,
but
you
can
use
other
things
as
they
appear
and
then
we
might
immediately
generate
another
one
that
says:
here's
how
you
do
it
with
the
tree
walk.
G
You
could
put
those
two
in
a
common
document
how
you
organize.
That
is
really
not
important.
I
don't
think,
but
I
think
it's
going
to
be
important
to
preserve
what
was
there
but
very
clearly
label
it,
as
this
is
what
we
came
up
with.
Originally,
we
don't
love
it.
It
served
a
purpose
for
a
while
watch
for
better
things
and
then
the
tree
walk
might
be,
might
follow
on
right
immediately
and
that
might
be
the
preferred.
A
I
I
think
what
experience
to
talk
about
the
policy
discovery
first
before
we
worry
about
whether
or
not
an
organizational
demand
is
even
relevant,
because
talking
about
splitting
out
a
subspec
of
how
to
find
an
organizational
domain
when
we
potentially
don't
even
care
about
an
organizational
domain,
because
it's
now
obsolete
seems
like
getting
the
cart
before
the
horse.
F
A
I
All
right
well-
and
I
also
don't
think
that
it
makes
sense
to
have
a
separate
document
that
says
essentially
thanks
for
looking
here
about
finding
an
org
domain,
but
we
don't
care
anymore
because
do
a
tree
walk
instead
and
that
so
I
think
we'd
be
better
served
as
just
an
appendix
and
a
new
document
that
says
historically
here's
how
it's
done.
This
is
the
way
going
forward
and
not
have
a
separate
document
potentially
so
I'm
I'm
on
the
fence
about
a
separate
document
per
se.
A
So
yeah
there,
as
already
pointed
out
on
the
mending
this
this
solve
some
existing
use
cases
like
nested
organizations,
governments,
universities
as
well
as
top-level
domains,
which
are
currently
explicitly
prohibited.
So.
E
E
It
just
happened
to
be
a
sub-domain
of
you,
know,
university.edu
and
university.edu
itself
was
not
interested
in
implementing
dmarc.
So
I
don't
know
how
often
this
use
case
occurs,
but
I
do
see
it
a
lot
with
higher
education
and
government
as
well,
and
that's
where
I
think
folks
would
be
really
happy
to
have
something
like
this.
Now
I
can
see
where
there
could
be
a
lot
of
downsides
to
performing
effectively
an
infinite
tree
walk.
I
mean
how
many
levels
out.
E
A
Yeah,
I
think
that
some
of
the
proposals
were
to
limit
how
many
you
will
do
and
we'll
obviously
need
to
figure
out
what
the
number
is
right.
Thank
you,
john.
H
Yeah
I
went
over
and
asked
our
friends
in
dns
land.
How
much
do
they
hate
tree
walks
because
they
mean
it
used
to
be
a
total,
a
total
killer
and
the
response
I
got
was
like
oh
yeah.
Whatever?
Would
you
rather
surprise
me
and
they
pointed
out
that
the
caa
dns
record
that's
used
for
for
controlling
tls
certificate?
Issuance
has
specified
a
tree
walk
for
seven
years.
It
was
published
in
2013
and
I
can
tell
you
from
experience
arguing
with
with
certificate
authorities
that
they
actually
do
that.
H
H
More
than
maybe
five
levels
down,
you
know,
or
maybe
10
levels
down,
so
you
know
and
everybody
seemed
to
say
yeah.
You
know
it's
like.
Okay,
do
a
tree
walk
and
if
you're
worried
about
it
limited
to
five
levels,
and
then
they
had
a
couple
of
other
little
implement
implementation
tricks.
You
might
do
to
take
advantage
of
the
fact
that
if
your
dns
cache
sees
an
nx
domain
at
a
certain
level,
then
it
can
automatically
tell
you
without
going
back
to
the
authoritative
one,
there's
nothing
below
it.
H
So
I
mean
from
an
implementation
point
of
view.
You
know,
and
if
you
you
know,
I
I
say:
do
a
tree
walk
for.
Do
a
tree,
walk
for
five
levels
until
and
tell
people
if
you
want
to
have
more
than
if
you
want
to
have
stuff
more
than
five
levels,
deep
and
get
dmarc
reports,
then
you
better
put.
You
know
a
dmarc
record
at
least
every
at
least
35
levels,
and
I
think
we're
done
I
mean
and
the
only
the
only
issue
here
is
sort
of
mean.
H
You
know
I
take
autumn's
point
of
view
of
the
universities
that
I
refer
to
as
the
holy
roman
empire
model
of
governance
and
that
they
have
there's
you
know
and
you
basically,
you
cannot
tell
from
the
structure
of
their
dns
tree
who's
in
charge
of
what
and
the
flip
side
is
their
organizations
where
by
golly
you
know
the
regis
their
second
level
domain,
that
they
registered
is
their
domain,
and
that's
where
all
the
reports
should
go.
I
mean
I
don't
know
if
they're
people
who
feel
really
strongly
about
this,
you.
I
H
And
that
would
be
an
argument
for
keeping
something
like
the
current
organizational
domain.
Although
the
counter
counter
argument
is
like
well,
then
woke
up
and
what
you
know
if,
if
that
is
a
problem
for
you,
then
write
a
little
script
that
walks
up
and
down
your
dns
tree.
Looking
for
rogue
dmarc
records
and
fix
them.
A
C
Hi,
so
I
have
to
say
that
I'm
I'm
rather
amused
by
the
idea
of
doing
a
tree
walk
here,
because
we
discussed
it
extensively
when
we
were
doing
adsp
and
the
you
know
it
was
just
like.
Well,
no,
you
can't
possibly
do
a
tree
walk,
it
was,
it
was
considered,
it
was.
It
was
really
toxic
at
the
time,
and
I
have
to
say
I
mean
my
recollection-
is
that
the
objections
to
it
didn't
come
from
the
dns
folks.
It
came
from
the
people
that
are
in
this
meeting.
C
Anyhow,
I
you
know,
I
I
still
think
the
tree
walk
is
a
reasonable
solution.
If
it's
limited,
I
don't
think
it
needs
to
be
very
many
levels.
I
don't
think
it's
going
to
create
a.
C
I
don't
think
it's
going
to
create
a
a
heavy
load,
but
one
thing
that
you
do
want
to
make
sure
that
you
have
is
that
the
the
the
record
that
you
get
to
with
the
tree
walk
needs
to
have
a
flag
in
it
to
indicate
whether
it's
intended
to
apply
to
lower
layers?
Because
otherwise
you
know
you
might
you
might
want
to
have
a
lower
layer
that
doesn't
have
a
policy
or
doesn't
have
a
dmarc
record
and
a
higher
layer
that
does,
and
you
don't
want
to
essentially
have
including
the
tree
walk.
C
B
So
not
a
dmarc
expert
do
know
a
little
bit
about
dns.
On
the
other
hand,
so
a
couple
of
things,
and
I
I
don't
I'm
not
even
sure
I
have
an
opinion
on
walking
myself
or
not.
I
think
if
you
asked
a
lot
of
people,
you'd
get,
you
know
a
bunch
of
different
answers.
In
fact,
if
you
ask
10
people,
you
get
11
answers,
I'm
sure,
but
as
to
whether
it's
actually
you
know
good
or
bad.
I
will
point
out
a
couple
of
things.
One.
B
The
caa
example
is
is
one
where
they,
where
it's
done,
but
there's
a
huge
amount
of
difference
between
the
queries
that
will
be
generated
by
caa
searches
which
are
rare
versus
those.
You
know
by
mail
servers
actually
doing
dmarc,
there's
there's
a
significant
difference
in
traffic,
so
you
know
q
name.
Minimization
is
actually
another
way,
we're
actually
increasing
the
load
on
the
dns
by
by
making
more
requests
and
that's
sort
of
a
tree
walk
going
downward.
B
Ideally,
the
right
thing
to
do
is
provide
guidance
at
that
point,
and
so,
if
you
have
a
lot
of
different,
you
know
subdivisions
within
a
university.
For
example,
I'm
I'm
at
one,
so
I'm
just
as
equally
as
guilty
right.
We
have
a
sub
department
that
that
you
know
is
inside
of
the
major
one.
It'd
be
better
if
you
could
add
a
reference
right
to
to
be
able
to
say
and
that
reference
could
be.
You
know
even
possibly
just
a
cname
would
work
of.
B
I
need
my
sub
department
to
actually
I
want
you
to
go,
follow
this
policy
somewhere
else,
and
that
way
you
know
you
don't
have
to
do
a
walk.
If
you
can
point
directly
at
it
right,
you
take
out
that's
a
much
more
optimized
solution.
In
terms
of
both
you
know
the
number
of
dns
requests
required,
as
well
as
just
simplicity
of
an
algorithm.
A
A
Any
other
comments
anybody
who
wants
to
maybe
have
a
strong
feelings
against
dns
work.