Tony Finch wrote:
> On Wed, 30 Apr 2008, Arvel Hathcock wrote:
>> Enter the NXDOMAIN check. If, as part of the ADSP algorithm, an
>> NXDOMAIN check is performed, the algorithm can quickly detect that the
>> domain doesn't exist and that _this_ might be the reason there is no
>> ADSP record. This added insight closes the hole and can be used by
>> filtering agents.
>
> NXDOMAIN is the wrong check. A domain is not a valid mail domain if it has
> neither MX nor A nor AAAA records. If it has a TXT record then a lookup
> will not return NXDOMAIN even though it is not a valid mail domain.

That's true, which is one of the reasons I wasn't crazy about allowing
AAAA records to define valid mail domains, in addition to the fact that
the use of A records is really for legacy reasons. It adds one more
thing to check, both here and when sending mail.

NXDOMAIN does what might be considered a "sloppy" check since some
domains that aren't valid mail domains might look OK. I don't have a
sense for how many such domains there are; probably not many at the
registrar level but perhaps quite a few domains that are intended for
internal use and not for mail routing.

This is one of the reasons the ADSP specification needs to define how
this is done: just saying "don't use it on non-existent domains" isn't
precise enough.

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
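
The two checks discussed in the message above, compared side by side in an added Python example (not part of the original post or of any ADSP draft). The zone contents and the example.test names are constructed, and query() is a stand-in for a resolver; the empty non-terminal case goes slightly beyond the TXT-only case the thread names.

```python
# Constructed zone data (hypothetical names under example.test), standing in
# for live DNS so the comparison runs offline.
ZONE = {
    "mail.example.test": {"MX": ["10 mx.example.test"]},
    "legacy.example.test": {"A": ["192.0.2.10"]},
    "v6only.example.test": {"AAAA": ["2001:db8::10"]},
    "txtonly.example.test": {"TXT": ["constructed TXT value"]},
    # Only a policy record beneath the name; the name itself holds nothing.
    "_adsp._domainkey.parked.example.test": {"TXT": ["constructed TXT value"]},
}

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"
MAIL_RRTYPES = ("MX", "A", "AAAA")


def query(name, rrtype, zone=ZONE):
    """Return (rcode, answers) the way an authoritative server would."""
    name = name.lower().rstrip(".")
    if name in zone:
        # Name exists; an empty answer list here is NOERROR/NODATA.
        return NOERROR, list(zone[name].get(rrtype, []))
    # A name with no records of its own still exists when something lives
    # beneath it (empty non-terminal): NOERROR with an empty answer.
    if any(owner.endswith("." + name) for owner in zone):
        return NOERROR, []
    return NXDOMAIN, []


def passes_nxdomain_check(name):
    """The 'sloppy' check: anything that is not NXDOMAIN looks OK."""
    rcode, _ = query(name, "MX")
    return rcode != NXDOMAIN


def is_valid_mail_domain(name):
    """The stricter check: at least one MX, A or AAAA record at the name."""
    return any(query(name, rrtype)[1] for rrtype in MAIL_RRTYPES)


def compare(names):
    """Map each name to (passes NXDOMAIN check, is valid mail domain)."""
    return {n: (passes_nxdomain_check(n), is_valid_mail_domain(n)) for n in names}


if __name__ == "__main__":
    for name in list(ZONE)[:4] + ["parked.example.test", "missing.example.test"]:
        print(name, compare([name])[name])
```

Names where the two results differ are the domains that "might look OK" to an NXDOMAIN-only test while having no way to receive or send mail.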