[dns-operations] DNSSEC and qmail
David Conrad
drc at virtualized.org
Thu Oct 8 20:58:04 UTC 2009
George,
On Oct 8, 2009, at 11:37 AM, George Barwood wrote:
>>> To some extent RFC 3225 contradicts itself,
>> In what way?
> When I saw the ANY type listed, I initially thought oops,
> it was maybe a clerical error, and thought that's inconsistent
> with the whole purpose of the document.
The interpretation I made was that ANY means ANY. The alternative
interpretation, that ANY doesn't really mean ANY unless a flag was set
would have implied that the questions "does ANY apply to this and if
so, how do you signal that" would need to be asked for any future
RRs. That seemed like a bad idea to me. I don't recall being aware
that this would break any software as I always viewed ANY as a
diagnostic tool, not something that any sane software would rely on.
> I can understand that it's surprising that an application
> would use ANY, so it probably wouldn't seem of much
> consequence without that knowledge, but in fact it now
> makes it impossible for me to deploy DNSSEC without
> risking bouncing email, which is quite unfortunate.
As several folks have pointed out already, this isn't a DNSSEC-
specific thing, it is a large response thing. The fact that qmail is
not only broken but also not maintained means that the folks who use
it are already screwed, they just don't know it because there aren't
that many large responses. Since DNSSEC results in larger responses,
this screwage will simply become more apparent (and as a result will
hopefully get fixed).
> Even if qmail (and other applications using ANY) did handle
> truncated responses perfectly, it would still seem odd and unfair
> to penalize them with extra overhead for no good reason, when
> other applications are protected.
Barring ancient versions of Sendmail, is there any other application
that uses ANY?
Regards,
-drc
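The thread's point is that the failure is about large responses, not DNSSEC as such: a client that asks for ANY (or anything else) and then ignores the TC bit gets nothing useful once the answer outgrows a UDP datagram. The following is an added example, not code from the post or from qmail, showing the two things a correct client does about that: advertise an EDNS0 buffer with the DO bit (RFC 3225 / RFC 6891), and fall back to TCP when the UDP answer still comes back truncated. The "server" is a constructed stand-in that applies the classic 512-byte UDP limit unless the query advertises a larger buffer; the 40 A records for example.com are made-up sample data, and the function names are my own.

```python
"""Added example: DNS wire-format helpers showing why large (DNSSEC-sized)
answers break clients that ignore truncation, and what a correct client does:
advertise an EDNS0 buffer, and if the TC bit still comes back over UDP, retry
the same query over TCP. The "server" is a constructed stand-in that mimics a
resolver's size limit; nothing here touches the network."""
import struct

QTYPE = {"A": 1, "MX": 15, "TXT": 16, "ANY": 255}
OPT_TYPE = 41      # EDNS0 pseudo-RR (RFC 6891)
DO_BIT = 0x8000    # "DNSSEC OK" bit in the OPT TTL field (RFC 3225)
QR_FLAG, RD_FLAG, RA_FLAG, TC_FLAG = 0x8000, 0x0100, 0x0080, 0x0200
UDP_LEGACY_MAX = 512  # RFC 1035 UDP limit when no EDNS0 buffer is advertised


def encode_name(name):
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, udp_payload=None, do=False):
    """Wire-format query; udp_payload adds an EDNS0 OPT RR (DO bit optional)."""
    arcount = 1 if udp_payload else 0
    msg = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    if udp_payload:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended flags (DO is the top bit), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload,
                                      DO_BIT if do else 0, 0)
    return msg


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "arcount": ar}


def question_end(msg):
    """Offset just past the (uncompressed) question section."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def advertised_udp_size(query):
    """UDP payload size from the client's OPT RR, or None if no EDNS0."""
    i = question_end(query)
    if parse_header(query)["arcount"] and query[i] == 0:
        rrtype, size = struct.unpack("!HH", query[i + 1:i + 5])
        if rrtype == OPT_TYPE:
            return size
    return None


def make_response(query, rdatas, limit=None):
    """Constructed responder: answers with A RRs; if the full message would
    exceed `limit` bytes, it sends no answers and sets TC instead."""
    hdr = parse_header(query)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(r)) + r
                    for r in rdatas)
    question = query[12:question_end(query)]
    truncated = limit is not None and 12 + len(question) + len(body) > limit
    flags = QR_FLAG | RD_FLAG | RA_FLAG | (TC_FLAG if truncated else 0)
    ancount = 0 if truncated else len(rdatas)
    return (struct.pack("!HHHHHH", hdr["id"], flags, 1, ancount, 0, 0)
            + question + (b"" if truncated else body))


def resolve(query, send_udp, send_tcp):
    """Send over UDP; if TC is set, repeat the query over TCP (RFC 1035).
    Returns (response, header, transport_used)."""
    resp = send_udp(query)
    hdr = parse_header(resp)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    if not hdr["tc"]:
        return resp, hdr, "udp"
    resp = send_tcp(query)          # a truncated answer must not be used as-is
    hdr = parse_header(resp)
    if hdr["tc"]:
        raise ValueError("answer still truncated over TCP")
    return resp, hdr, "tcp"


# Constructed sample: 40 A records, enough to push the reply past 512 bytes.
SAMPLE_RRS = [bytes([192, 0, 2, n]) for n in range(1, 41)]

def fake_udp(query):
    limit = advertised_udp_size(query) or UDP_LEGACY_MAX
    return make_response(query, SAMPLE_RRS, limit=limit)

def fake_tcp(query):
    return make_response(query, SAMPLE_RRS)   # TCP: no size limit


def lookup(name, qtype, edns_size=None, do=False):
    """Return (answer count, transport used) for one query."""
    _, hdr, via = resolve(build_query(name, qtype, udp_payload=edns_size,
                                      do=do), fake_udp, fake_tcp)
    return hdr["ancount"], via


if __name__ == "__main__":
    print(lookup("example.com", "ANY"))                           # (40, 'tcp')
    print(lookup("example.com", "ANY", edns_size=4096, do=True))  # (40, 'udp')
```

Run as-is, the plain query is answered with TC set and zero answer records over UDP, which is exactly the reply a client that never looks at TC would try to use; `resolve` instead repeats it over TCP and gets all 40 records. Advertising a 4096-byte EDNS0 buffer makes the same answer fit in one datagram. Note that the example's responder is deliberately simple (no name compression in the question, A records only, no signature records), so it illustrates the size and truncation behaviour the thread is about rather than a full resolver.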