Tony Finch wrote:
> On Wed, 30 Apr 2008, Arvel Hathcock wrote:
>
>> Enter the NXDOMAIN check. If, as part of the ADSP algorithm, an NXDOMAIN check is performed, the algorithm can quickly detect that the domain doesn't exist and that _this_ might be the reason there is no ADSP record. This added insight closes the hole and can be used by filtering agents.
>
> NXDOMAIN is the wrong check. A domain is not a valid mail domain if it has neither MX nor A nor AAAA records. If it has a TXT record then a lookup will not return NXDOMAIN even though it is not a valid mail domain.

That's true, which is one of the reasons I wasn't crazy about allowing AAAA records to define valid mail domains, in addition to the fact that the use of A records is really for legacy reasons. It adds one more thing to check, both here and when sending mail.

NXDOMAIN does what might be considered a "sloppy" check since some domains that aren't valid mail domains might look OK. I don't have a sense for how many such domains there are; probably not many at the registrar level but perhaps quite a few domains that are intended for internal use and not for mail routing.

This is one of the reasons the ADSP specification needs to define how this is done: just saying "don't use it on non-existent domains" isn't precise enough.

-Jim
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
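
The difference between the two checks discussed in this message, shown as an added example that is not part of the original thread or of any ADSP specification text. The zone data is constructed, `lookup` is a stand-in for a real resolver, and all function names are hypothetical.

```python
# Constructed sample zone data (not real DNS): name -> {rrtype: [rdata]}
ZONE = {
    "mail.example":     {"MX": ["10 mx.mail.example"]},
    "legacy.example":   {"A": ["192.0.2.10"]},
    "v6only.example":   {"AAAA": ["2001:db8::25"]},
    "internal.example": {"TXT": ["internal use only"]},  # exists, no mail records
}

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"


def lookup(name, rrtype):
    """Stand-in resolver: return (rcode, answers) for one query."""
    name = name.rstrip(".").lower()
    if name not in ZONE:
        return NXDOMAIN, []
    # A name that exists but has no records of this type gives
    # NOERROR with an empty answer section (NODATA), not NXDOMAIN.
    return NOERROR, ZONE[name].get(rrtype, [])


def passes_nxdomain_check(domain):
    """The 'sloppy' check: accept anything that is not NXDOMAIN."""
    rcode, _ = lookup(domain, "TXT")
    return rcode != NXDOMAIN


def is_mail_domain(domain):
    """The stricter check: the name must have an MX, A or AAAA record."""
    for rrtype in ("MX", "A", "AAAA"):
        rcode, answers = lookup(domain, rrtype)
        if rcode == NXDOMAIN:
            return False  # the name does not exist for any type
        if answers:
            return True
    return False


def compare(domains):
    """Map each domain to (passes NXDOMAIN check, is a valid mail domain)."""
    return {d: (passes_nxdomain_check(d), is_mail_domain(d)) for d in domains}


if __name__ == "__main__":
    for name, result in compare(list(ZONE) + ["missing.example"]).items():
        print(f"{name:18} nxdomain_check={result[0]!s:5} mail_domain={result[1]}")
```

The TXT-only name is the case where the two checks disagree: it passes the NXDOMAIN check but has no MX, A or AAAA record.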