[dns-operations] DNSSEC and qmail

Shumon Huque shuque at isc.upenn.edu
Thu Oct 8 13:39:52 UTC 2009


On Thu, Oct 08, 2009 at 12:36:40PM +0100, Tony Finch wrote:
> On Thu, 8 Oct 2009, Roy Arends wrote:
> >
> > This is odd.
> >
> > What cname?
> 
> It's asking for cam.ac.uk. IN ANY when trying to canonicalize the
> recipient domain.
> 
> > Second, I'd expect qmail to talk to resolver. resolvers generally trim the
> > response to stubs to fit a 512 udp message.
> 
> They do?
> 
> Looking at the code I think what is happening is that the stub resolver is
> getting a truncated UDP response, and retrying with TCP. The stub resolver
> truncates responses that don't fit in the caller's buffer by just chopping
> off the end (much less gracefully than a recursive server truncates a UDP
> response) and when qmail tries to parse the chopped packet it fails with a
> temporary error.
> 
> Tony.

We had a similar problem right after UPENN.EDU was signed 3 months
ago. An internal department reported that they could no longer
send mail to Penn mail servers. The problem was the same but involved
an older version of sendmail and a firewall. This sendmail 
(sendmail AIX4.3/8.9.3) was making type=ANY, DO=0 queries, getting 
a truncated response (RRSIG and NSEC records were tipping the response
over 512 bytes), retrying the query over TCP through a firewall that
wasn't allowing 25/tcp (groan).

I think they ended up fixing their firewall rules and upgrading to
a newer sendmail version that did MX followed by A queries.

--Shumon.
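As an added illustration (not part of this thread, nor code from qmail, sendmail or any resolver it mentions), the Python below builds a DNSSEC-sized ANY reply and contrasts the two truncation behaviours Tony describes: a recursive server drops whole RRs and sets TC=1, while a stub that chops the packet at its 512-byte buffer leaves a record cut in half that no parser can make sense of. The zone names, record contents and the 170-byte RRSIG placeholders are constructed sample data.

```python
import struct
def encode_name(name):
    # Uncompressed wire-format name: length-prefixed labels plus a zero terminator.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
def build_response(qname, rrs, tc=False):
    # Minimal reply to "<qname> IN ANY"; rrs is a list of (rrtype, rdata) tuples, no name compression.
    flags = 0x8180 | (0x0200 if tc else 0)  # QR, RD, RA and optionally TC
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 255, 1)  # QTYPE=ANY, QCLASS=IN
    for rtype, rdata in rrs:
        msg += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg
def truncate_like_recursor(qname, rrs, limit=512):
    # A recursive server drops whole RRs until the reply fits, then sets TC=1.
    kept = list(rrs)
    while len(build_response(qname, kept, tc=True)) > limit:
        kept.pop()
    return build_response(qname, kept, tc=True)
def truncate_like_stub(msg, limit=512):
    # The failure mode from the thread: the stub chops the bytes at the caller's buffer size.
    return msg[:limit]
def parse_response(msg):
    # Returns (tc_bit, [(rrtype, rdata), ...]); raises ValueError if a record is cut short.
    def take(pos, n):
        if pos + n > len(msg):
            raise ValueError("packet ends inside a record at offset %d" % pos)
        return msg[pos:pos + n], pos + n
    def skip_name(pos):
        length, pos = take(pos, 1)
        while length[0]:
            _, pos = take(pos, length[0])
            length, pos = take(pos, 1)
        return pos
    flags, ancount = struct.unpack("!2xH2xH4x", take(0, 12)[0])
    pos = skip_name(12)
    _, pos = take(pos, 4)  # QTYPE/QCLASS of the single question
    answers = []
    for _ in range(ancount):
        pos = skip_name(pos)
        fixed, pos = take(pos, 10)
        rtype, _, _, rdlen = struct.unpack("!HHIH", fixed)
        rdata, pos = take(pos, rdlen)
        answers.append((rtype, rdata))
    return bool(flags & 0x0200), answers

# Constructed sample RRset: MX, A, NSEC and three placeholder RRSIGs (type 46) push the reply past 512 bytes.
QNAME = "mail.example.test"
SAMPLE_RRS = [(15, b"\x00\x0a" + encode_name("mx1.example.test")), (1, bytes([192, 0, 2, 10])),
              (47, encode_name("next.example.test") + b"\x00\x06\x40\x01\x00\x00\x00\x03")]
SAMPLE_RRS += [(46, b"\x00" * 170)] * 3
```

With the sample data the full reply is 770 bytes; the recursor-style reply keeps four whole records under TC=1, whereas the 512-byte chop ends inside the fifth record's RDATA and the parser rejects it, which is the "temporary error" the mailers in the thread hit before falling back to TCP.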
