This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] DNSSEC breaks qmail
- Previous message (by thread): [dns-wg] Announcement DNS Training Course
- Next message (by thread): [dns-wg] DNSSEC breaks qmail
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Lutz Donnerhacke
lutz at iks-jena.de
Fri Feb 17 12:11:00 CET 2006
Qmail can't deliver to DNSSEC protected domains. (Repost from edri.org-ML)
Reason:
- qmail send an "ANY IN edri.org" query in order to deliver mail.
* Due to DNSSEC, there are a some signatures catched by ANY so the
response packet size is 605 bytes.
- qmail does not support EDNS extensions for larger UDP packets.
* The response is truncated to 512 bytes and marked "truncated".
- qmail does not support the very old TCP fallback requirement for DNS.
- qmail refuses to deliver the mail
and logs "CNAME_lookup_failed_temporarily."
Overview of packet sizes
question | answer size
-----------------------|--------------
ANY edri.org | 605 byte
MX edri.org | 237 byte
A edri.org | 213 byte
-----------------------|--------------
ANY edri.org +dnssec | 1331 byte
MX edri.org +dnssec | 923 byte
A edri.org +dnssec | 731 byte
- Previous message (by thread): [dns-wg] Announcement DNS Training Course
- Next message (by thread): [dns-wg] DNSSEC breaks qmail
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]