[dns-operations] DNSSEC and qmail

Mark Andrews marka at isc.org
Thu Oct 8 13:55:37 UTC 2009


In message <20091008133952.GA16569 at isc.upenn.edu>, Shumon Huque writes:
> On Thu, Oct 08, 2009 at 12:36:40PM +0100, Tony Finch wrote:
> > On Thu, 8 Oct 2009, Roy Arends wrote:
> > >
> > > This is odd.
> > >
> > > What cname?
> > 
> > It's asking for cam.ac.uk. IN ANY when trying to canonicalize the
> > recipient domain.
> > 
> > > Second, I'd expect qmail to talk to resolver. resolvers generally trip the
> > > response to stubs to fit a 512 udp message.
> > 
> > They do?
> > 
> > Looking at the code I think what is happening is that the stub resolver is
> > getting a truncated UDP response, and retrying with TCP. The stub resolver
> > truncates responses that don't fit in the caller's buffer by just chopping
> > off the end (much less gracefully than a recursive server truncates a UDP
> > response) and when qmail tries to parse the chopped packet it fails with a
> > temporary error.
> > 
> > Tony.
> 
> We had a similar problem right after UPENN.EDU was signed 3 months
> ago. An internal department reported that they could no longer
> send mail to Penn mail servers. The problem was the same but involved
> an older version of sendmail and a firewall. This sendmail 
> (sendmail AIX4.3/8.9.3) was making type=ANY, DO=0 queries, getting 
> a truncated response (RRSIG and NSEC records were tipping the response
> over 512 bytes), retrying the query over TCP through a firewall that
> wasn't allowing 25/tcp (groan).

People will do silly things with firewalls.

> I think they ended up fixing their firewall rules and upgrading to
> a newer sendmail version that did MX followed by A queries.
> 
> --Shumon.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
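
The two kinds of truncation discussed in this thread can be told apart on the wire. The sketch below is an added example, not part of the original messages and not code from qmail or any resolver library: it walks a DNS message and reports whether it is complete, was truncated by the sender with the TC bit set, or was chopped so that the header counts promise more records than the buffer holds. The sample packets, the function names and the 150-byte filler RDATA are constructed for illustration.

```python
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of buffer")
        n = msg[off]
        if n & 0xC0 == 0xC0:              # compression pointer, 2 bytes
            return off + 2                # length is checked by the caller
        if n & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + n                      # length byte plus label
        if n == 0:                        # root label ends the name
            return off

def classify(msg):
    """'complete', 'tc-set' (sender flagged truncation) or 'chopped'."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            # A short slice here raises struct.error: the RR header was cut.
            off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
        if off > len(msg):
            raise ValueError("record data cut off")
    except (ValueError, struct.error):
        return "chopped"
    return "tc-set" if flags & TC_BIT else "complete"

# Constructed sample data: an ANY response for cam.ac.uk with filler RDATA.
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def rr(rtype, rdata):                     # owner = pointer to the question name
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def build(flags, answers):
    q = name("cam.ac.uk") + struct.pack("!HH", 255, 1)   # ANY, IN
    return struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0) + q + b"".join(answers)

FULL = build(0x8180, [rr(1, bytes(4))] + [rr(46, bytes(150))] * 4)
CHOPPED = FULL[:512]                      # what a 512-byte caller buffer keeps
TC_REPLY = build(0x8180 | TC_BIT, [])     # whole records dropped, TC flagged
```

`classify(CHOPPED)` returns `"chopped"` because the header still announces five answer records while the buffer ends inside the fourth, which is the condition a parser has to treat as an error rather than read past.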