Viktor Dukhovni:
> On Mon, Nov 24, 2014 at 01:38:15PM -0500, Wietse Venema wrote:
> 
> >        /etc/postfix/smtp_dns_reply_filter:
> >            # /domain ttl IN AAAA address/ action, all case-insensitive.
> >            # Note: the domain name ends in ".".
> >            /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
> > 
> > The implementation renders a DNS record as a string in the format
> > that we know from dig(1) and other tools, then matches that string
> > against a list of lookup tables. Currently, IGNORE is the only
> > implemented action. It removes the record from the DNS lookup result.
> > 
> > When all DNS lookup result reply records are deleted, it returns a
> > DNS_NOTFOUND status plus a diagnostic text with "All records
> > suppressed by policy filter".
> 
> There might be cases in which "DNS_NOTFOUND" should be replaced
> with "DNS_FAIL" if as a result the RRset becomes empty.

I don't think that the distinction between different kinds of "empty"
is needed in the user interface.

Specifically, if the filter uses a distinct status for "all records
deleted", e.g., DNS_POLICY, then the caller already knows if that
means "record not found" (most queries) or "service unavailable"
(MX queries, or other queries for records with MX-like behavior).

Whether "empty" is a hard or soft error is a different matter. We
could have IGNORE -> DNS_POLICY, and SOFT_IGNORE -> DNS_RETRY (but
only when all records are deleted).

        Wietse
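
The status handling discussed in this message, modelled as an added example (not Postfix code and not part of the original message). DNS_POLICY, DNS_RETRY and SOFT_IGNORE are the names proposed above; the function names, the second filter rule and the sample records are assumptions constructed for illustration.

```python
import re
from enum import Enum

class Status(Enum):
    DNS_OK = "ok"
    DNS_POLICY = "All records suppressed by policy filter"
    DNS_RETRY = "soft error, try again later"

# Constructed table in the style of smtp_dns_reply_filter.
# SOFT_IGNORE is the action proposed in the message, not an implemented one.
FILTER = [
    (re.compile(r"^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+", re.I), "IGNORE"),
    (re.compile(r"^\S+\.example\.net\.\s+\S+\s+\S+\s+MX\s+", re.I), "SOFT_IGNORE"),
]

SAMPLE = [  # constructed records: (name, ttl, type, rdata)
    ("aspmx.l.google.com", 300, "AAAA", "2001:db8::1a"),
    ("aspmx.l.google.com", 300, "A", "192.0.2.26"),
]

def render(name, ttl, rtype, rdata):
    """Render a record in dig(1) style; the domain name ends in '.'."""
    return f"{name.rstrip('.')}. {ttl} IN {rtype} {rdata}"

def apply_filter(records, table=FILTER):
    """Drop records matched by a rule; return (status, kept_records)."""
    kept, soft = [], False
    for rec in records:
        text = render(*rec)
        action = next((a for rx, a in table if rx.search(text)), None)
        if action is None:
            kept.append(rec)
        elif action == "SOFT_IGNORE":
            soft = True
    # The status changes only when the filter emptied a non-empty reply.
    if kept or not records:
        return Status.DNS_OK, kept
    return (Status.DNS_RETRY if soft else Status.DNS_POLICY), []

def caller_view(status, qtype):
    """The caller, not the filter, decides what 'empty by policy' means."""
    if status is Status.DNS_POLICY:
        return "service unavailable" if qtype == "MX" else "record not found"
    return "retry later" if status is Status.DNS_RETRY else "use records"
```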
