Florian Weimer wrote:
* Jelte Jansen:

Ralf Weber wrote:
No redirection on SERVFAIL seems to be a strange recommendation.
Wouldn't this be a very good reason to provide a diagnostics page,
especially if there's been a DNSSEC validation failure?
This sounds like an excellent idea to help DNSSEC adoption and
is something that should go into the draft.

then a SERVFAIL will also result in an e-mail bounce that says
connection refused

Not a hard 5xx error?


Not unless there's also a specific 5xx error generator listening on the host that is redirected to, I guess.

instead of DNS error (assuming there's no e-mail
sink on the host that is redirected to). Fun times for the helpdesk.

Only if the mail server falls back to the A record if the MX lookup
results in SERVFAIL, which seems like a questionable approach to me.


Is it? (I'm asking, I don't know; even the updated SMTP RFC seems a bit unclear about that.)

Anyway, I think DNS rewriting is mainly for folks who also block
25/TCP in- and outgoing or list the address space on the PBL and
similar DNSBLs, so the SMTP argument is not really valid anymore.


Well, in that case it might be worth adding a section that your own services should definitely not have the same resolvers that you have set up for your customers, and that a separate non-lying resolver should be set up for those.

But this is just an example of an unintended side effect from assuming that only web browsers ask for A/AAAA.

Jelte
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
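The side effect discussed above (a SERVFAIL on an MX lookup turning into a "connection refused" against the redirect host) can be walked through in a small model. The following is an added example, not code from the thread or from any DNSOP draft: it constructs a toy zone, an honest resolver and a "lying" resolver that rewrites SERVFAIL and NXDOMAIN on A/AAAA queries into a redirect address, and runs a simplified mail-routing decision (RFC 5321 §5.1 implicit-MX rule plus the "fall back to A on SERVFAIL" behaviour Florian calls questionable) against both. All names, addresses and the `listeners` set are constructed; `192.0.2.53` is a TEST-NET address standing in for the redirect host.

```python
"""Model of how a lying resolver interacts with SMTP MX/A lookups.

Added example; resolvers, zone data and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

# Constructed redirect target (the ISP's "search/landing" host in the thread's scenario).
REDIRECT_HOST = "192.0.2.53"


@dataclass
class Answer:
    rcode: str
    records: List[str] = field(default_factory=list)


class HonestResolver:
    """Returns the zone data as-is, including SERVFAIL (e.g. a DNSSEC validation failure)."""

    def __init__(self, zone: Dict[Tuple[str, str], Answer]):
        self.zone = zone

    def query(self, name: str, rrtype: str) -> Answer:
        return self.zone.get((name, rrtype), Answer(NXDOMAIN))


class LyingResolver(HonestResolver):
    """Rewrites SERVFAIL/NXDOMAIN on A and AAAA queries into the redirect host.

    Only address queries are rewritten; MX and other types pass through untouched,
    which is exactly why the interaction with SMTP is surprising.
    """

    def query(self, name: str, rrtype: str) -> Answer:
        ans = super().query(name, rrtype)
        if rrtype in ("A", "AAAA") and ans.rcode in (SERVFAIL, NXDOMAIN):
            return Answer(NOERROR, [REDIRECT_HOST])
        return ans


def route_mail(resolver, domain: str, fallback_on_servfail: bool) -> Tuple[str, Optional[str]]:
    """Decide where mail for @domain would be delivered.

    RFC 5321 5.1: no MX records (NXDOMAIN or empty answer) -> implicit MX, use the A record.
    SERVFAIL on the MX lookup is a temporary error; a conservative MTA defers.
    fallback_on_servfail=True models an MTA that treats SERVFAIL like "no MX" anyway.
    """
    mx = resolver.query(domain, "MX")
    if mx.rcode == SERVFAIL and not fallback_on_servfail:
        return ("defer", None)  # 4xx: queue and retry later
    target = mx.records[0] if (mx.rcode == NOERROR and mx.records) else domain
    a = resolver.query(target, "A")
    if a.rcode == SERVFAIL:
        return ("defer", None)
    if a.rcode != NOERROR or not a.records:
        return ("bounce", f"no address for {target}")
    return ("connect", a.records[0])


def deliver(resolver, domain: str, fallback_on_servfail: bool, listeners: set) -> str:
    """Combine the routing decision with a constructed network: only hosts in
    `listeners` accept TCP/25. A refused connection is what the helpdesk ends up
    seeing in the bounce text once the MTA gives up retrying."""
    action, detail = route_mail(resolver, domain, fallback_on_servfail)
    if action == "defer":
        return "deferred"
    if action == "bounce":
        return f"bounced: {detail}"
    return f"connected to {detail}" if detail in listeners else f"connection refused to {detail}"


# Constructed zone: example.com is healthy; example.org fails validation (SERVFAIL).
ZONE = {
    ("example.com", "MX"): Answer(NOERROR, ["mail.example.com"]),
    ("mail.example.com", "A"): Answer(NOERROR, ["198.51.100.25"]),
    ("example.org", "MX"): Answer(SERVFAIL),
    ("example.org", "A"): Answer(SERVFAIL),
}
LISTENERS = {"198.51.100.25"}  # the only host actually running an SMTP listener
HONEST = HonestResolver(ZONE)
LYING = LyingResolver(ZONE)

if __name__ == "__main__":
    for name, resolver in (("honest", HONEST), ("lying", LYING)):
        for fb in (False, True):
            print(f"{name:6} fallback={fb!s:5} example.org -> {deliver(resolver, 'example.org', fb, LISTENERS)}")
    print(f"lying  nonexistent.example      -> {deliver(LYING, 'nonexistent.example', False, LISTENERS)}")
```

With the honest resolver the SERVFAIL stays a temporary error either way and the message is deferred. With the lying resolver the MX lookup still returns SERVFAIL, so a conservative MTA also defers; only the combination of A-record fallback and address rewriting sends the connection to the redirect host, where nothing listens on port 25. The last line shows that for a non-existent domain the NXDOMAIN rewrite produces the same result even without any fallback, which is Jelte's wider point about non-browser clients asking for A/AAAA; pointing the operator's own mail relays at a non-rewriting resolver (here, `HONEST`) avoids both cases.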