[dns-operations] DNSSEC and qmail

George Barwood george.barwood at blueyonder.co.uk
Thu Oct 8 12:48:57 UTC 2009


----- Original Message ----- 
From: "Tony Finch" <dot at dotat.at>
To: "George Barwood" <george.barwood at blueyonder.co.uk>
Cc: <dns-operations at mail.dns-oarc.net>
Sent: Thursday, October 08, 2009 12:39 PM
Subject: Re: [dns-operations] DNSSEC and qmail


> On Thu, 8 Oct 2009, George Barwood wrote:
>>
>> I think the DNSSEC spec is ill-advised on this point, see point 7 of
>>
>> http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/NotesOnDNS_Standard.htm
> 
> The bug in qmail will be triggered by any zone that has a lot of data at
> its apex, whether because of DNSSEC or otherwise.

That's true, but any zone that has a lot of data at its apex may encounter
major inter-operability problems. Operators may not be very aware of
this, because if you operate sensibly it's quite unlikely it will happen.

For example if you have too many A records, your website will be unreachable
by many implementations (they are buggy - but the standards process is all about
bugs - documenting them, and where possible devising solutions that work in any
case, especially where it costs nothing).

Either the authors of RFC 3225 knew about the issue and did not document it in the security section
(which would be reprehensible), or more likely did not consider it - I have not found any discussion of the
issue at the time. So it goes.

To some extent RFC 3225 contradicts itself, and the list of types does not appear in RFC 4035
which updates it, so I think implementations are justified in erring on the side of inter-operability,
but that's just my opinion.

George

> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
> MODERATE OR GOOD.
>
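As an added illustration, not part of the thread, the script below estimates the UDP wire size of an ANY response for a zone apex (the query type qmail's CNAME lookup issues) and compares it with the 512-byte payload limit that pre-EDNS resolvers accept under RFC 1035. The apex record set, key sizes and names are constructed; NSEC and other apex types are omitted from the model.

```python
# Added example (not from the thread): estimate the UDP wire size of an ANY
# response for a zone apex and compare it with the 512-byte payload limit that
# pre-EDNS resolvers (RFC 1035) accept. The apex record set is constructed.

HEADER_LEN = 12          # DNS message header
RR_FIXED = 10            # TYPE, CLASS, TTL, RDLENGTH
OWNER_PTR = 2            # apex owner name compressed to a pointer at the QNAME
CLASSIC_UDP_LIMIT = 512  # maximum UDP payload without EDNS0


def name_len(name):
    """Uncompressed wire length of a domain name: a length byte per label plus the root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1


# RDATA lengths for the record types commonly found at an apex
def a_rdlen():                      return 4
def soa_rdlen(mname, rname):        return name_len(mname) + name_len(rname) + 20  # five 32-bit fields
def ns_rdlen(host):                 return name_len(host)
def mx_rdlen(host):                 return 2 + name_len(host)                # preference + exchange
def txt_rdlen(strings):             return sum(len(s) + 1 for s in strings)  # length byte per string
def dnskey_rdlen(key_bytes):        return 4 + key_bytes                     # flags, protocol, algorithm
def rrsig_rdlen(signer, sig_bytes): return 18 + name_len(signer) + sig_bytes  # fixed fields + signer + sig


def apex_any_response_len(zone, rdlens):
    """Header + question section + one RR (compressed owner) per RDATA length."""
    question = name_len(zone) + 4  # QNAME, QTYPE, QCLASS
    return HEADER_LEN + question + sum(OWNER_PTR + RR_FIXED + r for r in rdlens)


def check_apex(zone, rdlens, limit=CLASSIC_UDP_LIMIT):
    """Return (size, fits) so an operator can see how much headroom the apex has."""
    size = apex_any_response_len(zone, rdlens)
    return size, size <= limit


# Constructed apex: SOA, 4 A, 2 NS, 2 MX and an SPF TXT ...
UNSIGNED = ([soa_rdlen("ns1.example.com.", "hostmaster.example.com.")]
            + [a_rdlen()] * 4
            + [ns_rdlen("ns1.example.com."), ns_rdlen("ns2.example.com.")]
            + [mx_rdlen("mx1.example.com."), mx_rdlen("mx2.example.com.")]
            + [txt_rdlen(["v=spf1 mx -all"])])
# ... plus a 2048-bit RSA KSK and a 1024-bit ZSK (4-byte exponent field + modulus),
# a ZSK RRSIG over each of the six RRsets and a KSK RRSIG over the DNSKEY set.
SIGNED = (UNSIGNED + [dnskey_rdlen(4 + 256), dnskey_rdlen(4 + 128)]
          + [rrsig_rdlen("example.com.", 128)] * 6 + [rrsig_rdlen("example.com.", 256)])

if __name__ == "__main__":
    for label, rrs in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        size, fits = check_apex("example.com.", rrs)
        print(f"{label} apex ANY response: {size} bytes, {'fits in' if fits else 'EXCEEDS'} {CLASSIC_UDP_LIMIT}")
```

The unsigned apex stays well inside the classic limit, while signing the same small zone pushes the ANY response far past it even though the DO bit is never set, which is why a resolver that only accepts 512-byte replies fails on such zones.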