#168 "reply was unresolved CNAME" should not be a temperror

2.8.2
closed-fixed
None
6
2014-08-25
2013-06-08
No

There was a question about it on the maillist back in 2010:
http://lists.opendkim.org/archive/opendkim/users/2010/01/0081.html

When the sending domain has a CNAME for '_adsp._domainkey.example.com', but this CNAME does not eventually resolve into a DKIM record, this is, in my understanding, a perfectly legit situation, strictly equivalent to "the domain does not have the _adsp DKIM record". However, it is treated by opendkim as temperror:

Authentication-Results: dehost; dkim=fail
    reason="verification failed; unprotected key"
    header.d=yahoo.com header.i=@yahoo.com header.b=z9etjPv7;
    dkim-adsp=temperror reason="'_adsp._domainkey.yahoo.com' reply was unresolved CNAME" (unprotected policy);
    dkim-atps=neutral

In this particular case the CNAME is of course a wildcard. I believe that such configuration should resolve to definite "record not present" rather then temperror.

Discussion

  • Murray S. Kucherawy

    Expect something for this in 2.9.0.

     
  • Murray S. Kucherawy

    • assigned_to: Murray S. Kucherawy
    • Priority: 5 --> 6
     
  • Murray S. Kucherawy

    Done for 2.9.0.

     
  • Murray S. Kucherawy

    v2.9.0 released.

     
  • Murray S. Kucherawy

    • status: open --> closed-fixed
     

Log in to post a comment.