[dns-wg] DNSSEC breaks qmail
Peter Koch
pk at DENIC.DE
Fri Feb 17 12:48:19 CET 2006
On Fri, Feb 17, 2006 at 11:11:00AM +0000, Lutz Donnerhacke wrote:

> - qmail sends an "ANY IN edri.org" query in order to deliver mail.

MX has been around for quite a while.

> * Due to DNSSEC, there are some signatures caught by ANY so the
>   response packet size is 605 bytes.

Qmail has already had problems in the past with domain names where an ANY response exceeds 512 octets. It happens with large NS RRsets, RFC1101 PTRs or large TXT RR(Set)s which seem not so uncommon these days (although that's a mistake). There was a patch at <http://www.ckdhr.com/ckd/qmail-103.patch>, but I have no idea whether that can be applied today.

> - qmail does not support EDNS extensions for larger UDP packets.

That's probably not the application's problem, but the resolver's.

> * The response is truncated to 512 bytes and marked "truncated".
> - qmail does not support the very old TCP fallback requirement for DNS.

If that's the case, see above.

> MX edri.org | 237 byte
> A edri.org | 213 byte

These are fine.

> ANY edri.org +dnssec | 1331 byte
> MX edri.org +dnssec | 923 byte
> A edri.org +dnssec | 731 byte

These are also fine, since per RFC 3226 the resolver asking for DNSSEC must support at least 1220 octets payload.

The interesting question here is whether there are other applications that issue ANY queries (most likely for the zone apex) and their resolvers _do_ fall back to TCP.

-Peter
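The size limit, truncation flag and TCP fallback discussed in this message can be traced at the wire level. The following is an added example, not part of the original message and not qmail or resolver code: it builds queries with and without an EDNS0 OPT record and shows what a resolver has to do with the reply. The function names and the server model in `simulate_reply` are assumptions made for illustration; the response sizes are the figures quoted in the thread.

```python
import struct

QTYPE = {"A": 1, "MX": 15, "ANY": 255}
TC = 0x0200  # "truncated" bit in the header flags word

def build_query(name, qtype, edns_payload=None, do=False, qid=0x1234):
    """Encode a query; if edns_payload is set, append an EDNS0 OPT record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if edns_payload else 0)
    msg += qname + struct.pack("!2H", QTYPE[qtype], 1)
    if edns_payload:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode | version | flags (DO is 0x8000), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0x8000 if do else 0, 0)
    return msg

def udp_limit(query):
    """Largest UDP response the sender of this query said it accepts."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos]:              # walk the uncompressed QNAME labels
        pos += query[pos] + 1
    pos += 1 + 4                   # root label, QTYPE, QCLASS
    if arcount and query[pos] == 0 and query[pos + 1:pos + 3] == b"\x00\x29":
        return max(512, struct.unpack("!H", query[pos + 3:pos + 5])[0])
    return 512                     # RFC 1035 limit when no OPT is present

def simulate_reply(query, full_size):
    """Constructed server model: cut the reply to the limit and set TC if it is too big."""
    limit = udp_limit(query)
    flags = 0x8180 | (TC if full_size > limit else 0)
    body = b"\x00" * (min(full_size, limit) - 12)   # stand-in for the record data
    return query[:2] + struct.pack("!5H", flags, 0, 0, 0, 0) + body

def next_step(response):
    """A resolver that sees TC must repeat the query over TCP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return "retry-over-tcp" if flags & TC else "use-answer"

if __name__ == "__main__":
    cases = [("ANY, no EDNS, 605 bytes", build_query("edri.org", "ANY"), 605),
             ("MX, no EDNS, 237 bytes", build_query("edri.org", "MX"), 237),
             ("MX, EDNS 1220 + DO, 923 bytes", build_query("edri.org", "MX", 1220, True), 923)]
    for label, query, size in cases:
        print(label, "->", next_step(simulate_reply(query, size)))
```

A client that ignores the `retry-over-tcp` outcome is left with only the truncated 512-byte reply, which is the failure described for the 605-byte ANY response.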