-----Original Message-----
From: dkim-ops-bounces(_at_)mipassoc(_dot_)org [mailto:dkim-ops-bounces(_at_)mipassoc(_dot_)org] On Behalf Of John Levine
Sent: Wednesday, August 26, 2009 11:10 AM
To: dkim-ops(_at_)mipassoc(_dot_)org
Subject: Re: [dkim-ops] Yahoo/BellSouth configuration

> But it's also a bug at your end, since the DKIM spec is quite clear
> that a signature that can't be verified is equivalent to no signature.
> Your fix was the correct one, turn off the buggy code that rejects
> mail on a DKIM DNS lookup failure.

I don't agree that this is the right action in all cases, nor that "can't be
verified" includes transient DNS errors. I took "can't be verified" in RFC4871
to mean only "the crypto didn't add up".
If the DNS times out, I think that's inconclusive, and I'd prefer to temp-fail
in that case.
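
The two handling policies argued in this thread, side by side, as an added example that is not part of the original messages or of any DKIM implementation. The outcome labels, the function name and the `max_deferrals` cap are assumptions of this sketch; the 451/4.7.5 reply is the one RFC 4871 section 6.1.2 permits when the key query gets no response.

```python
from enum import Enum

class Sig(Enum):
    """Outcome of checking one DKIM-Signature header (labels are this example's own)."""
    PASS = 1           # key fetched and the crypto verified
    CRYPTO_FAIL = 2    # key fetched, but body hash or signature did not match
    NO_KEY = 3         # DNS answered definitively: no key record exists
    DNS_TRANSIENT = 4  # timeout or SERVFAIL: no answer either way

def disposition(sigs, defer_on_transient, prior_deferrals=0, max_deferrals=3):
    """Return (action, dkim_view) for a message with the given signature outcomes.

    defer_on_transient=False: any signature that does not verify is ignored.
    defer_on_transient=True:  a DNS timeout is treated as inconclusive, so the
                              sending MTA is asked to retry (451 4.7.5).
    max_deferrals is an assumed cap so that a permanently broken zone cannot
    keep mail in the sender's queue until it expires.
    """
    if Sig.PASS in sigs:
        # One verified signature is enough; failures on the others are ignored.
        return ("continue", "signed")
    inconclusive = Sig.DNS_TRANSIENT in sigs
    if inconclusive and defer_on_transient and prior_deferrals < max_deferrals:
        return ("defer", "unknown")
    # Definitive failures, or transient ones no longer worth waiting on:
    # hand the message on as if it carried no signature. Neither policy
    # produces a 5xx rejection from a lookup failure alone.
    return ("continue", "unsigned")

if __name__ == "__main__":
    # Constructed cases: a lone timeout, a crypto failure, a timeout beside a pass.
    cases = [[Sig.DNS_TRANSIENT], [Sig.CRYPTO_FAIL], [Sig.DNS_TRANSIENT, Sig.PASS]]
    for sigs in cases:
        names = [s.name for s in sigs]
        print(names, "ignore:", disposition(sigs, False), "defer:", disposition(sigs, True))
```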