On Tue, Jun 23, 2015 at 05:41:40PM -0700, Terry Barnum wrote:

> > This is more a matter of policy than law. I prefer to turn on some
> > additional tests when check_client_access matches "unknown".
> > 
> >     Wietse
> 
> Can you show your additional tests?
> 
> Let me add my thanks to you, Wietse, for such great software.

One thing to keep in mind is that "unknown" might be a transient
(4XX) failure in name resolution, but could also be a name that
definitely does not resolve.  Therefore, rules based on matching
"unknown" need to take some care: you can enable additional tests,
but try to make them not overly onerous, and perhaps "defer"
rather than "reject".

A long time ago I suggested splitting the name "unknown" into two
names, one for the 4XX case and another for the 5XX case.  This was
not seen as sufficiently compelling or easy to document at the time.
At this point, the conflation of the two cases is, I think, likely
to stay.

-- 
        Viktor.
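
One way to wire up the approach discussed in this message, as an added example that is not from the original thread and is not Wietse's or Viktor's own configuration: a restriction class that runs only when check_client_access matches "unknown", and that defers instead of rejecting. The class name unknown_client_checks, the map path and the choice of HELO tests are assumptions made for illustration.

```cfg
# ---- /etc/postfix/main.cf (added example) ----

# Declare a restriction class so an access(5) table can name it as an action.
# "unknown_client_checks" is a hypothetical name chosen for this example.
smtpd_restriction_classes = unknown_client_checks

# Extra tests applied only to clients whose name is "unknown".
# defer_if_reject changes a REJECT from a later restriction into a deferral,
# so a client hit by a transient (4XX) resolver failure is asked to retry
# rather than being refused outright.
unknown_client_checks =
    defer_if_reject,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname

# The lookup is listed last, so the class (and its defer_if_reject) runs
# only after the restrictions above it have been evaluated.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/client_access

# ---- /etc/postfix/client_access (map path is an assumption) ----
# Rebuild the lookup table after editing:
#     postmap /etc/postfix/client_access
#
# "unknown" covers both the transient and the permanent lookup failure,
# which is why the class above defers instead of rejecting.
unknown    unknown_client_checks
```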
