[dns-wg] DNSSEC breaks qmail
Bruce Campbell
list-ripe-dns-wg at vicious.dropbear.id.au
Fri Feb 17 14:48:36 CET 2006
On Fri, 17 Feb 2006, Roy Arends wrote:

>> Qmail can't deliver to DNSSEC protected domains. (Repost from edri.org-ML)
>>
>> Reason:
>> - qmail does not support the very old TCP fallback requirement for DNS.
>> - qmail refuses to deliver the mail
>>   and logs "CNAME_lookup_failed_temporarily."
>
> I can think of non-dnssec responses that are larger than 512 octets, so
> the subject of this message does not cover its content.

> I am not sure what CNAME has to do with this.

The logic leading to that log message is 'I did not receive a valid A or MX record result, so I must have been looking up a CNAME and the remote DNS server failed to give a response'. Qmail should (according to qmail FAQ 2.5) retry the message later, however it will most probably get the same result as the remote zone will not have changed.

On Fri, 17 Feb 2006, Peter Koch wrote:

> Qmail has already had problems in the past with domain names where an ANY
> response exceeds 512 octets. It happens with large NS RRsets, RFC1101 PTRs
> or large TXT RR(Set)s which seem not so uncommon these days (although that's
> a mistake). There was a patch at <http://www.ckdhr.com/ckd/qmail-103.patch>,
> but I have no idea whether that can be applied today.

No new releases of qmail by the author have been made since that patch was created; it should still apply.

>> - qmail does not support EDNS extensions for larger UDP packets.
>
> That's probably not the application's problem, but the resolver's.

Qmail runs its own resolver, which is where the problem arises.

-- 
Bruce Campbell
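
Added example (not part of the original message, and not qmail code or the patch it mentions): the two remedies discussed in the thread, retrying over TCP when a UDP response has the truncation bit set, and advertising a larger UDP payload with an EDNS0 OPT record. The function names and the sample response bytes are constructed for illustration.

```python
import struct

QR, TC = 0x8000, 0x0200      # header flag bits: response, truncated
OPT = 41                     # EDNS0 pseudo-record type

def build_query(name, qtype, qid, edns_size=None, dnssec_ok=False):
    """Build a DNS query; with edns_size set, append an EDNS0 OPT record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + qname + struct.pack("!HH", qtype, 1)   # class IN
    if edns_size:
        # OPT: root owner name, CLASS carries the UDP payload size we accept,
        # TTL carries ext-rcode/version/flags (DO bit = 0x8000), empty RDATA.
        ttl = 0x8000 if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_size, ttl, 0)
    return msg

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a two-octet length."""
    return struct.pack("!H", len(msg)) + msg

def next_step(query, response):
    """Classify a UDP response: 'discard', 'retry-over-tcp' or 'use-answer'."""
    if len(response) < 12:
        return "discard"                      # shorter than a DNS header
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "discard"                      # wrong ID or not a response
    if flags & TC:
        return "retry-over-tcp"               # answer did not fit in the UDP limit
    return "use-answer"                       # complete; caller still checks RCODE

def constructed_response(query, flags):
    """Constructed sample: a response header echoing the query's question."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("example.org", 15, 0x1234)            # MX, classic 512-octet UDP
    print(next_step(q, constructed_response(q, 0x8380)))  # TC set
    print(next_step(q, constructed_response(q, 0x8180)))  # TC clear
    print(len(tcp_frame(q)), "octets to resend over TCP")
    q_edns = build_query("example.org", 15, 0x1235, edns_size=4096, dnssec_ok=True)
    print(len(q_edns), "octets with OPT record")
```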