This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC breaks qmail
Jim Reid
jim at rfc1035.com
Fri Feb 17 12:40:20 CET 2006
On Feb 17, 2006, at 11:11, Lutz Donnerhacke wrote:

> Qmail can't deliver to DNSSEC protected domains. (Repost from
> edri.org-ML)
>
> Reason:
> - qmail sends an "ANY IN edri.org" query in order to deliver mail.
>   * Due to DNSSEC, there are some signatures caught by ANY, so the
>     response packet size is 605 bytes.
> - qmail does not support EDNS extensions for larger UDP packets.
>   * The response is truncated to 512 bytes and marked "truncated".
> - qmail does not support the very old TCP fallback requirement
>   for DNS.
> - qmail refuses to deliver the mail
>   and logs "CNAME_lookup_failed_temporarily."

Hmmm. Even though DJB's enthusiasm for DNSSEC is well known, I'm not sure it's fair to be blaming qmail. Well, this time at least...

This looks to be a local name server misconfiguration. Or perhaps a bug. qmail won't be asking for DNSSEC RR types. That's for sure. And it won't be setting the DO bit either because DJB is no fan of EDNS0. So qmail's lookups should not be getting RRSIGs and suchlike, which would hopefully mean it won't get truncated responses.

RFC 3225 says don't send DNSSEC RR types unless the client has set the DO bit to indicate they understand DNSSEC. So your local name server shouldn't be handing out these RR types to qmail's ANY QTYPE queries unless qmail set the DO bit. Or have I missed something?
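The exchange described in this thread, modelled in wire format as an added example; this is not code from the thread, from qmail, or from any name server. It builds a classic 512-byte-limited ANY query with no OPT RR (what qmail sends) and an EDNS0 query with a 4096-byte buffer and the DO bit, then answers both from a constructed record set for edri.org (invented records, zero-filled placeholder RRSIG signatures, not the real zone). The server side applies the RFC 3225 rule Jim cites, withholding RRSIG/NSEC/DNSKEY unless DO is set; the `honor_rfc3225=False` switch is an assumption that models the misbehaving server he suspects, and truncation here drops individual RRs for brevity where a real server drops whole RRsets.

```python
import struct

# RR type codes (IANA DNS parameters registry)
TYPE_A, TYPE_NS, TYPE_MX, TYPE_TXT, TYPE_OPT, TYPE_ANY = 1, 2, 15, 16, 41, 255
TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY = 46, 47, 48
DNSSEC_TYPES = {TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY}   # withheld unless DO is set (RFC 3225)
CLASS_IN = 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_TC = 0x8000, 0x0100, 0x0080, 0x0200
EDNS_DO = 0x8000           # DO bit: high bit of the flags half of the OPT RR's 32-bit "TTL"
CLASSIC_UDP_MAX = 512      # RFC 1035 ceiling when the query carries no OPT RR


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels, no compression."""
    out = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(pkt, off):
    """Return the offset just past the name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def build_query(name, qtype, txid=0x1234, udp_size=None, do=False):
    """udp_size=None gives a classic RFC 1035 query with no EDNS0, as qmail sends."""
    arcount = 0 if udp_size is None else 1
    pkt = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if udp_size is not None:
        # OPT RR (RFC 6891): root name, type 41, CLASS = advertised UDP payload
        # size, TTL = ext-RCODE/version/flags with DO in the top flag bit, empty RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return pkt


def parse_query_edns(pkt):
    """Return (advertised UDP size, DO bit) from the OPT RR, or None if there is none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    for _ in range(an + ns):
        off = skip_name(pkt, off)
        off += 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
    for _ in range(ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return None


def encode_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(query, rrs, honor_rfc3225=True):
    """Answer `query` from `rrs` (every record at the name, as an ANY query collects).

    honor_rfc3225=True drops DNSSEC RR types for clients that did not set DO;
    honor_rfc3225=False (assumed here) models a server that leaks RRSIGs regardless.
    What survives is cut to the client's UDP limit with TC set on overflow.
    """
    txid = struct.unpack("!H", query[:2])[0]
    edns = parse_query_edns(query)
    udp_size, do = edns if edns else (CLASSIC_UDP_MAX, False)
    if honor_rfc3225 and not do:
        rrs = [rr for rr in rrs if rr[1] not in DNSSEC_TYPES]
    question = query[12:skip_name(query, 12) + 4]
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
           if edns else b"")
    budget = udp_size - 12 - len(question) - len(opt)
    answers, used, flags = [], 0, FLAG_QR | FLAG_RD | FLAG_RA
    for rr in (encode_rr(*r) for r in rrs):
        if used + len(rr) > budget:
            flags |= FLAG_TC            # client is expected to retry over TCP
            break
        answers.append(rr)
        used += len(rr)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1 if edns else 0)
    return hdr + question + b"".join(answers) + opt


def is_truncated(resp):
    return bool(struct.unpack("!H", resp[2:4])[0] & FLAG_TC)


def answer_count(resp):
    return struct.unpack("!H", resp[6:8])[0]


def fake_rrsig(covered):
    """RRSIG RDATA layout (RFC 4034) with a zero-filled placeholder signature."""
    return (struct.pack("!HBBIIIH", covered, 8, 2, 3600, 1140000000, 1138000000, 12345)
            + encode_name("edri.org") + b"\x00" * 128)


# Constructed sample data; not edri.org's real records.
ZONE = [
    ("edri.org", TYPE_A, 3600, bytes([192, 0, 2, 10])),
    ("edri.org", TYPE_MX, 3600, struct.pack("!H", 10) + encode_name("mail.edri.org")),
    ("edri.org", TYPE_TXT, 3600, b"\x0ev=spf1 mx -all"),
    ("edri.org", TYPE_NS, 3600, encode_name("ns1.edri.org")),
    ("edri.org", TYPE_NS, 3600, encode_name("ns2.edri.org")),
] + [("edri.org", TYPE_RRSIG, 3600, fake_rrsig(t)) for t in (TYPE_A, TYPE_MX, TYPE_TXT, TYPE_NS)]

if __name__ == "__main__":
    q = build_query("edri.org", TYPE_ANY)                 # qmail-style: no OPT, no DO
    q_do = build_query("edri.org", TYPE_ANY, udp_size=4096, do=True)
    for label, resp in [("RFC 3225 honoured", build_response(q, ZONE)),
                        ("RRSIGs leaked    ", build_response(q, ZONE, honor_rfc3225=False)),
                        ("EDNS0 4096 + DO  ", build_response(q_do, ZONE))]:
        print(f"{label}: {len(resp):4d} bytes, {answer_count(resp)} RRs, TC={is_truncated(resp)}")
```

Run as a script, the first case is the behaviour Jim expects: the DO-less ANY query gets only the five plain records, well under 512 bytes, and no TC bit. The second case reproduces Lutz's symptom: the same query answered by a server that ignores RFC 3225 overflows the 512-byte limit, is cut short, and comes back with TC set, which a resolver without TCP fallback can do nothing with. The third case shows that a client advertising a 4096-byte buffer and DO receives the full signed set in one datagram.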