> -----Original Message-----
> From: [email protected] [mailto:dkim-ops-
> [email protected]] On Behalf Of John Levine
> Sent: Wednesday, August 26, 2009 11:10 AM
> To: [email protected]
> Subject: Re: [dkim-ops] Yahoo/BellSouth configuration
>
> But it's also a bug at your end, since the DKIM spec is quite clear
> that a signature that can't be verified is equivalent to no signature.
> Your fix was the correct one, turn off the buggy code that rejects
> mail on a DKIM DNS lookup failure.

I don't agree that this is the right action in all cases, nor that "can't be verified" includes transient DNS errors. I took "can't be verified" in RFC4871 to mean only "the crypto didn't add up". If the DNS times out, I think that's inconclusive, and I'd prefer to temp-fail in that case.

_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
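
The two positions in this exchange, side by side, as an added example (not code from either poster or from any DKIM implementation): one policy handles every unverifiable signature as unsigned mail, the other defers with a 4xx when the key lookup was inconclusive, and neither rejects on a lookup failure. The `KeyLookup` outcomes, the function names and the choice to treat SERVFAIL like a timeout are assumptions made for the illustration.

```python
from enum import Enum


class KeyLookup(Enum):
    """Outcome of the DNS query for the signer's public key (constructed model)."""
    FOUND = "found"          # key record returned
    NO_RECORD = "no_record"  # definitive answer: no key published
    TIMEOUT = "timeout"      # no answer at all: inconclusive
    SERVFAIL = "servfail"    # resolver error: treated as inconclusive (assumption)


class State(Enum):
    """Verifier result names used by RFC 4871."""
    SUCCESS = "SUCCESS"
    PERMFAIL = "PERMFAIL"
    TEMPFAIL = "TEMPFAIL"


def verify_state(lookup, crypto_ok=False):
    """Classify one signature; crypto_ok only matters when the key was fetched."""
    if lookup in (KeyLookup.TIMEOUT, KeyLookup.SERVFAIL):
        return State.TEMPFAIL            # could not even attempt the check
    if lookup is KeyLookup.NO_RECORD:
        return State.PERMFAIL            # retrying will not change the answer
    return State.SUCCESS if crypto_ok else State.PERMFAIL


def smtp_disposition(state, defer_on_tempfail):
    """Return (smtp_code, counts_as_signed) as far as DKIM alone is concerned."""
    if state is State.SUCCESS:
        return 250, True
    if state is State.TEMPFAIL and defer_on_tempfail:
        return 451, False                # ask the sender to retry later
    return 250, False                    # handle as if no signature were present


def compare_policies():
    """Rows of (lookup, crypto_ok, state, code_if_unsigned, code_if_deferring)."""
    cases = [(KeyLookup.FOUND, True), (KeyLookup.FOUND, False),
             (KeyLookup.NO_RECORD, False), (KeyLookup.TIMEOUT, False),
             (KeyLookup.SERVFAIL, False)]
    rows = []
    for lookup, ok in cases:
        state = verify_state(lookup, ok)
        rows.append((lookup.value, ok, state.value,
                     smtp_disposition(state, False)[0],
                     smtp_disposition(state, True)[0]))
    return rows


if __name__ == "__main__":
    for row in compare_policies():
        print(row)
```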
