[dns-operations] DNSSEC and qmail
George Barwood
george.barwood at blueyonder.co.uk
Thu Oct 8 11:28:54 UTC 2009
Tony,
This is one of my hobby-horses.
I think the DNSSEC spec is ill-advised on this point; see point 7 of
http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/NotesOnDNS_Standard.htm
Operators should at the very least be warned about this nasty side-effect of signing their zones,
and maybe given an option to disable this behavior.
It's the first confirmation of this long-predicted inter-operability problem I have seen;
up to now it has (AFAIK) been theoretical.
George
----- Original Message -----
From: "Tony Finch" <dot at dotat.at>
To: <dns-operations at mail.dns-oarc.net>
Sent: Thursday, October 08, 2009 11:54 AM
Subject: [dns-operations] DNSSEC and qmail
> We've just had a report of qmail being unable to deliver mail to our site.
> The cam.ac.uk zone has been signed for a few months, and it seems that
> some of our DNS responses blow out qmail's 512 byte response buffer. Its
> error message is "CNAME lookup failed temporarily" but in fact qmail
> actually performs a T_ANY lookup which produces a 1.3KB reply (DO=0).
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
> MODERATE OR GOOD.
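The size problem described in this thread, as an added example that is not part of either message: a Python sketch that walks a DNS response, totals answer bytes per record type, and checks the message against a 512-byte buffer. The zone `example.test`, the record sizes and the zero-filled RDATA are constructed assumptions, not data from cam.ac.uk.

```python
import struct

LEGACY_BUF = 512  # the response buffer size named in the thread
TYPES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}

def skip_name(msg, off):
    """Return the offset just past an (optionally compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def size_by_type(msg):
    """Return ({rr type: bytes used in the answer section}, total message size)."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    sizes = {}
    for _ in range(an):
        start = off
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        name = TYPES.get(rtype, str(rtype))
        sizes[name] = sizes.get(name, 0) + off - start
    return sizes, len(msg)

def fits_legacy_buffer(msg):
    return len(msg) <= LEGACY_BUF

def build_sample(signed):
    """Constructed ANY response for example.test (filler RDATA, assumed sizes)."""
    qname = b"\x07example\x04test\x00"
    rrs = [(6, 40), (2, 20), (2, 20), (15, 12), (1, 4)]  # SOA, NS, NS, MX, A
    if signed:
        # Assumed: one 160-byte RRSIG per RRset (6 RRsets), two DNSKEYs, one NSEC.
        rrs += [(46, 160)] * 6 + [(48, 136), (48, 264), (47, 30)]
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, n) + bytes(n)
                    for t, n in rrs)
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(rrs), 0, 0)
    return header + qname + struct.pack("!HH", 255, 1) + body  # QTYPE 255 = ANY

if __name__ == "__main__":
    for signed in (False, True):
        sizes, total = size_by_type(build_sample(signed))
        print("signed" if signed else "unsigned", total, fits_legacy_buffer(build_sample(signed)), sizes)
```

Feeding it a response captured from your own zone shows which record types push an ANY answer past 512 bytes.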