[dns-wg] DNSSEC breaks qmail

On Feb 17, 2006, at 11:11, Lutz Donnerhacke wrote:

> Qmail can't deliver to DNSSEC protected domains. (Repost from  
> edri.org-ML)
>
> Reason:
>   - qmail send an "ANY IN edri.org" query in order to deliver mail.
>   * Due to DNSSEC, there are a some signatures catched by ANY so the
>     response packet size is 605 bytes.
>   - qmail does not support EDNS extensions for larger UDP packets.
>   * The response is truncated to 512 bytes and marked "truncated".
>   - qmail does not support the very old TCP fallback requirement  
> for DNS.
>   - qmail refuses to deliver the mail
>     and logs "CNAME_lookup_failed_temporarily."

Hmmm. Even though DJB's enthusiasm for DNSSEC is well known, I'm not  
sure it's fair to be blaming qmail. Well this time at least... This  
looks to be a local name server misconfiguration. Or perhaps a bug.

qmail won't be asking for DNSSEC RR types. That's for sure. And it  
won't be setting the DO bit either because DJB is no fan of EDNS0. So  
qmail's lookups should not be getting RRSIGs and suchlike, which  
would hopefully mean it won't get truncated responses. RFC3225 says  
don't send DNSSEC RRtypes unless the client has set the DO bit to  
indicate they understand DNSSEC. So your local name server shouldn't  
be handing out these RRtypes to qmail's ANY QTYPE queries unless  
qmail set the D0 bit.

Or have I missed something?