* Jelte Jansen:

> Ralf Weber wrote:
>>> No redirection on SERVFAIL seems to be a strange recommendation.
>>> Wouldn't this be a very good reason to provide a diagnostics page,
>>> especially if there's been a DNSSEC validation failure?
>> This sounds like an excellent idea to help DNSSEC adoption and
>> is something that should go into the draft.
>
> then a SERVFAIL will also result in an e-mail bounce that says
> connection refused

Not a hard 5xx error?

> instead of DNS error (assuming there's no e-mail
> sink on the host that is redirected to). Fun times for the helpdesk.

Only if the mail server falls back to the A record if the MX lookup
results in SERVFAIL, which seems like a questionable approach to me.

Anyway, I think DNS rewriting is mainly for folks who also block 25/TCP
in- and outgoing or list the address space on the PBL and similar DNSBLs,
so the SMTP argument is not really valid anymore.

> Also, I don't see how the ISP trust anchor for DNSSEC would work (not
> knowing the actual zone that it is supposed to cover in advance); it
> might be a better idea to simply disable all redirects on DO==1.

You can't use trust anchors to guide rewriting. You need to look at the
zone contents to see what can be done. With NSEC3 opt-out, there's still
lots of wiggle room (at least initially).

Generally not spoofing on DO==1 is easier, of course.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
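Added illustration, not part of the thread: the MX lookup decision the reply argues for (a SERVFAIL, such as a DNSSEC validation failure, is deferred rather than falling back to the A record, while NOERROR with no MX still gets the RFC 5321 implicit MX), plus the resolver-side rule that answers to DO==1 queries are never rewritten. `Rcode`, `MxAnswer`, `next_hops` and `rewrite_allowed` are constructed stand-ins; no real DNS is queried.

```python
from dataclasses import dataclass, field
from enum import Enum


class Rcode(Enum):
    """Subset of DNS response codes relevant to the MX fallback decision."""
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3


@dataclass
class MxAnswer:
    """Constructed stand-in for an MX lookup result (assumption: no real resolver)."""
    rcode: Rcode
    mx: list = field(default_factory=list)  # [(preference, exchange)]


def next_hops(domain: str, answer: MxAnswer):
    """Decide what an MTA does with an MX lookup result.

    Returns ("deliver", [hosts]), ("defer", reason) or ("bounce", reason).
    SERVFAIL is a temporary DNS error: the message is queued and retried,
    never delivered to the bare A record of the domain.
    """
    if answer.rcode is Rcode.SERVFAIL:
        return ("defer", f"MX lookup for {domain} failed temporarily (SERVFAIL)")
    if answer.rcode is Rcode.NXDOMAIN:
        return ("bounce", f"domain {domain} does not exist (NXDOMAIN)")
    if not answer.mx:
        # NOERROR with no MX records: RFC 5321 implicit MX pointing at the domain itself.
        return ("deliver", [domain])
    # Lowest preference value is tried first.
    hosts = [host for _, host in sorted(answer.mx, key=lambda rr: rr[0])]
    return ("deliver", hosts)


def rewrite_allowed(rcode: Rcode, do_bit: bool) -> bool:
    """Resolver-side policy: only an NXDOMAIN answer to a client that did not set
    the DO bit may be replaced; SERVFAIL and DO==1 responses are passed through."""
    return rcode is Rcode.NXDOMAIN and not do_bit
```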