This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC breaks qmail
- Previous message (by thread): [dns-wg] DNSSEC breaks qmail
- Next message (by thread): [dns-wg] DNSSEC breaks qmail
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Peter Koch
pk at DENIC.DE
Fri Feb 17 12:48:19 CET 2006
On Fri, Feb 17, 2006 at 11:11:00AM +0000, Lutz Donnerhacke wrote: > - qmail send an "ANY IN edri.org" query in order to deliver mail. MX has been around for quite a while. > * Due to DNSSEC, there are a some signatures catched by ANY so the > response packet size is 605 bytes. Qmail has already had problems in the past with domain names where an ANY response exceeds 512 octets. It happens with large NS RRsets, RFC1101 PTRs or large TXT RR(Set)s which seem not so uncommon these days (although that's a mistake). There was a patch at <http://www.ckdhr.com/ckd/qmail-103.patch>, but i have no idea whether that can be applied today. > - qmail does not support EDNS extensions for larger UDP packets. That's probably not the application's problem, but the resolver's. > * The response is truncated to 512 bytes and marked "truncated". > - qmail does not support the very old TCP fallback requirement for DNS. If that's the case, see above. > MX edri.org | 237 byte > A edri.org | 213 byte These are fine. > ANY edri.org +dnssec | 1331 byte > MX edri.org +dnssec | 923 byte > A edri.org +dnssec | 731 byte These are also fine, since per RFC 3226 the resolver asking for DNSSEC must support at least 1220 octets payload. The interesting question here is whether there are other applications that issue ANY queries (most likely for the zone apex) and their resolvers _do_ fall back to TCP. -Peter
- Previous message (by thread): [dns-wg] DNSSEC breaks qmail
- Next message (by thread): [dns-wg] DNSSEC breaks qmail
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]