Brandon Long <bl...@google.com> wrote:
>
> I won't claim our failure mode here is correct for all cases, but the flip
> side is, this is what you get with dnssec by design.

By design the DNS distinguishes between nonexistent (i.e. NXDOMAIN or
NODATA) and failure (SERVFAIL). If there is a security error DNSSEC gives
you SERVFAIL.

Mail systems traditionally treat DNS SERVFAIL as a temporary error, and
only reject outright if they get NXDOMAIN or NODATA.

So you can't blame DNSSEC for Gmail's choice to reject outright when it
gets a SERVFAIL on a reverse DNS lookup.

If spammers are playing silly buggers then a 4yz response should be just
as effective as a 5yz response, and there is less risk of harming the
robustness of legitimate senders.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Forties, Cromarty, Forth: Southeast 5 to 7, veering southerly 6 to gale 8
later. Moderate or rough, occasionally very rough later. Occasional rain.
Good, occasionally poor.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
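
The distinction drawn in the message above, as an added Python example that is not part of the original post: a raw DNS response to a reverse lookup is classified as answer, NXDOMAIN, NODATA or failure, and only the two "nonexistent" outcomes map to a 5yz reply. The function names, the "accept" outcome and the sample responses (built for the documentation address 192.0.2.1) are assumptions made for illustration.

```python
import struct

NOERROR, NXDOMAIN = 0, 3   # RCODE values from RFC 1035 (SERVFAIL is 2)
POLICY = {"answer": "accept", "nxdomain": "5yz", "nodata": "5yz", "failure": "4yz"}

def _skip_name(wire, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_response(wire):
    """Return 'answer', 'nodata', 'nxdomain' or 'failure' for a raw DNS response."""
    try:
        _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", wire[:12])
        rcode = flags & 0x000F
        if not flags & 0x8000 or qdcount != 1:   # QR bit clear, or odd question count
            return "failure"
        if rcode == NXDOMAIN:
            return "nxdomain"
        if rcode != NOERROR:
            return "failure"    # SERVFAIL (incl. DNSSEC validation failure), REFUSED, ...
        off = _skip_name(wire, 12)
        qtype, = struct.unpack("!H", wire[off:off + 2])
        off += 4                                 # skip QTYPE and QCLASS
        for _ in range(ancount):
            off = _skip_name(wire, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            if rtype == qtype:
                return "answer"
            off += 10 + rdlen
        return "nodata"         # NOERROR, but no record of the queried type
    except (struct.error, IndexError):
        return "failure"        # truncated or malformed message

def smtp_reply_class(wire):
    return POLICY[classify_response(wire)]

def build_response(rcode, answers=()):
    """Constructed sample: response to a PTR query for 1.2.0.192.in-addr.arpa."""
    qname = b"".join(bytes([len(l)]) + l for l in b"1.2.0.192.in-addr.arpa".split(b".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += qname + struct.pack("!HH", 12, 1)     # QTYPE=PTR, QCLASS=IN
    for rtype, rdata in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg
```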
