> I don't agree that this is the right action in all cases, nor that
> "can't be verified" includes transient DNS errors.
But this isn't a transient DNS error. The authoritative answer from
bellsouth.net is that there's no such key, because they forgot to install
it. I tried sending myself a message from my BT Internet account, which
is also handled by Yahoo. Its key is s1024._domainkey.btinternet.com,
which does exist.
> I took "can't be verified" in RFC4871 to mean only "the crypto didn't
> add up". If the DNS times out, I think that's inconclusive, and I'd
> prefer to temp-fail in that case.
I agree that it's reasonable to return 4XX on a soft DNS failure since the
chances are pretty good that you'll get a better answer if you try later.
But that's not what happened here; it's a hard failure, and I don't see
any reasonable reading of the DKIM spec that allows you to turn that into
a hard failure.
Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
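The distinction the thread turns on (an authoritative "no such key" versus a DNS timeout or SERVFAIL) is easy to get wrong in a verifier, so here is an added example that is not part of the dkim-ops post above or of any project discussed in it. It parses a DKIM-Signature header far enough to build the key query name (`s._domainkey.d`, the form of the btinternet.com key mentioned above), then maps a DNS outcome for that name onto a DKIM result and the action RFC 4871 gives for it: a missing key record is a permanent failure and the message is treated as unsigned, a transient lookup failure is inconclusive and may be temp-failed with a 4xx. The DKIM-Signature header, the DNS outcome labels and the TXT records are all constructed for the example; nothing touches the network.

```python
"""Classify DKIM key-lookup outcomes: hard (permanent) vs soft (temporary).

Added example, not from the dkim-ops post. The header, DNS outcome labels
and TXT records below are constructed; no DNS queries are made.
"""
import re
from dataclasses import dataclass
from typing import Optional

# DNS outcomes as a resolver would report them (constructed labels).
NXDOMAIN = "NXDOMAIN"    # authoritative: the name does not exist
NODATA = "NODATA"        # authoritative: name exists but has no TXT record
SERVFAIL = "SERVFAIL"    # the server could not answer
TIMEOUT = "TIMEOUT"      # no answer at all
ANSWER = "ANSWER"        # one or more TXT records returned

# Constructed DKIM-Signature header, folded across two lines. The bh= and b=
# values are placeholders, not a real signature.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;\r\n"
              "\ts=s1024; h=from:to:subject:date; bh=QUJDREVG; b=WFla")


def parse_tags(tag_list: str) -> dict:
    """Parse an RFC 4871 tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for field in tag_list.split(";"):
        field = field.strip()
        if not field:
            continue
        name, _, value = field.partition("=")   # base64 '=' padding stays in value
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_query_name(dkim_signature: str) -> str:
    """Return the DNS name holding the signing key: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    if "d" not in tags or "s" not in tags:
        raise ValueError("DKIM-Signature lacks d= or s=")
    return f"{tags['s']}._domainkey.{tags['d']}"


@dataclass(frozen=True)
class Verdict:
    result: str   # "permfail", "tempfail" or "keyfound"
    action: str   # what the receiving MTA should do with the message
    reason: str


def classify_key_lookup(outcome: str, txt_records: Optional[list] = None) -> Verdict:
    """Map the DNS outcome for the key name to a DKIM verdict.

    A key that is authoritatively absent will not appear on retry, so that is
    a permanent failure; RFC 4871 says an unverifiable signature is treated as
    if the message were unsigned, not as grounds for rejection. SERVFAIL and
    timeouts are inconclusive, so a 4xx temp-fail and a later retry is the
    sensible choice.
    """
    if outcome in (NXDOMAIN, NODATA):
        return Verdict("permfail", "treat-as-unsigned",
                       "authoritative answer: no key record for this selector")
    if outcome in (SERVFAIL, TIMEOUT):
        return Verdict("tempfail", "4xx-retry-later",
                       "key lookup failed transiently; a retry may succeed")
    if outcome == ANSWER:
        records = [parse_tags(r) for r in (txt_records or [])]
        # v= defaults to DKIM1; a record with another version is not usable.
        keys = [r for r in records if r.get("v", "DKIM1") == "DKIM1" and "p" in r]
        if not keys:
            return Verdict("permfail", "treat-as-unsigned",
                           "TXT present but no usable DKIM1 key record")
        if keys[0]["p"] == "":
            return Verdict("permfail", "treat-as-unsigned", "key revoked (empty p=)")
        return Verdict("keyfound", "verify-signature",
                       "key record found; proceed to the signature check")
    raise ValueError(f"unknown DNS outcome {outcome!r}")


def walk_scenarios() -> dict:
    """Run the constructed scenarios from the thread and return the verdicts."""
    return {
        "missing-key": classify_key_lookup(NXDOMAIN),          # key never installed
        "dns-timeout": classify_key_lookup(TIMEOUT),           # inconclusive lookup
        "key-present": classify_key_lookup(ANSWER, ["v=DKIM1; k=rsa; p=MIGfMA0G"]),
        "key-revoked": classify_key_lookup(ANSWER, ["v=DKIM1; p="]),
    }


if __name__ == "__main__":
    print("query name:", key_query_name(SAMPLE_SIG))
    for name, verdict in walk_scenarios().items():
        print(f"{name:12} {verdict.result:9} {verdict.action:18} {verdict.reason}")
```

The point of keeping `result` and `action` separate is that the DKIM verifier only reports pass/permfail/tempfail; whether a tempfail becomes a 4xx at SMTP time, and the fact that a permfail does not become a 5xx, are policy decisions in the MTA, which is where the disagreement in the thread actually sits.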