Doug Barton wrote:
Max Tulyev wrote:
We (NetAssist, Kiev, Ukraine) did it a year ago (RIPE backresolve, .se, .ru, .net, .com as well as ISC's DLV checking).
I think this is a great move. Have you had any feedback from your users?
Common users didn't notify any differences. But some of experienced ones notified slightly increased time of resolve. I notified significant decrease of spam.
How is the information about whether the RRsets are signed and/or validated, or not, getting back to the clients? IOW, if I'm a piece of anti-spam software, how do I know that the answer I received is signed and validated?
If you are just resolver client and someone trying to cheat backresolve tests - you'll get this IP is just not resolved. And of course, you can use libraries such as http://www.net-dns.org/ For me, failed DNSSEC validation of DNS resolve (including DNS BL tests) is the enough argument to drop that mail as the spam or fraud. By the way, is there any tools and/or log analyzers to gather and analyze some statistics about DNSSEC working on my servers? -- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)