[dns-operations] DNSSEC and qmail

Olafur Gudmundsson ogud at ogud.com
Fri Oct 9 13:43:18 UTC 2009

At 16:58 08/10/2009, David Conrad wrote:
>On Oct 8, 2009, at 11:37 AM, George Barwood wrote:
>>>>To some extent RFC 3225 contradicts itself,
>>>In what way?
>>When I saw the ANY type listed, I initially thought oops,
>>it was maybe a clerical error, and thought that's inconsistent
>>with the whole purpose of the document.
>The interpretation I made was that ANY means ANY.  The alternative
>interpretation, that ANY doesn't really mean ANY unless a flag was set
>would have implied that the questions "does ANY apply to this and if
>so, how do you signal that" would need to be asked for any future
>RRs.  That seemed like a bad idea to me.  I don't recall being aware
>that this would break any software as I always viewed ANY as a
>diagnostic tool, not something that any sane software would rely on.
>>I can understand that it's surprising that an application
>>would use ANY, so it probably wouldn't seem of much
>>consequence without that knowledge, but in fact it now
>>makes it impossible for me to deploy DNSSEC without
>>risking bouncing email, which is quite unfortunate.
>As several folks have pointed out already, this isn't a DNSSEC-specific
>thing, it is a large response thing.  The fact that qmail is
>not only broken but also not maintained means that the folks who use
>it are already screwed, they just don't know it because there aren't
>that many large responses. Since DNSSEC results in larger responses,
>this screwage will simply become more apparent (and as a result will
>hopefully get fixed).
>>Even if qmail (and other applications using ANY) did handle
>>truncated responses perfectly, it would still seem odd and unfair
>>to penalize them with extra overhead for no good reason, when
>>other applications are protected.
>Barring ancient versions of Sendmail, is there any other application
>that uses ANY?

You asked and I looked into my log files:

I see two kinds of ANY queries:
#1 For the names of DNS servers for the zones I serve.
#2 For signed domains' apexes.

The first one looks like some kind of optimization for A + AAAA lookup,
the second one is by some kind of a DNSSEC monitoring tool.

But I did not see a single ANY query for my mail servers.
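As an added example (not code from this thread or from any of its participants), here is a script for the kind of query-log triage described above: it picks the ANY queries out of BIND-style query-log lines, classifies each query name as a nameserver name, a signed or unsigned zone apex, a mail-server (MX target) name, or other, and separately counts ANY queries that arrived without EDNS, which are the ones whose answer has to be truncated at the 512-byte UDP limit if it is large. The log lines, zone list, nameserver and MX names and addresses are all constructed for the example; the regex assumes BIND 9's "client <addr>#<port>: query: <name> IN <type> <flags>" log shape, where an "E" in the flags means the query carried an EDNS OPT record.

```python
"""Triage ANY queries in BIND-style query logs.

Added example, not from the original thread.  All zone data, names,
addresses and log lines are constructed.  The parser follows the BIND 9
query-log shape "client <addr>#<port>: query: <qname> IN <qtype> <flags>"
and tolerates the "@0x..." client handle and "(qname)" field newer
versions print, plus an optional "view <name>:" field.
"""
import re
from collections import Counter

QUERY_RE = re.compile(
    r"client\s+(?:@0x[0-9a-fA-F]+\s+)?(?P<client>[0-9a-fA-F.:]+)#\d+"
    r"(?:\s+\([^)]*\))?:\s+(?:view\s+\S+:\s+)?query:\s+"
    r"(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)\s+(?P<flags>\S+)"
)

# Constructed stand-in for "the zones I serve": apex, NS names, MX targets,
# and whether the zone is DNSSEC-signed.
ZONES = {
    "example.com.": {
        "ns": {"ns1.example.com.", "ns2.example.com."},
        "mx": {"mail.example.com."},
        "signed": True,
    },
    "example.net.": {
        "ns": {"ns1.example.com.", "ns2.example.com."},
        "mx": {"mx.example.net."},
        "signed": False,
    },
}


def norm(name):
    """Lower-case and make fully qualified so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def classify(qname):
    """Bucket an ANY query name the way the post above did by hand."""
    q = norm(qname)
    for apex, data in ZONES.items():
        if q == apex:
            return "signed-apex" if data["signed"] else "unsigned-apex"
        if q in data["ns"]:
            return "nameserver"
        if q in data["mx"]:
            return "mail-server"
    return "other"


def parse_line(line):
    """Return (client, qname, qtype, flags) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return (m.group("client"), m.group("qname"),
            m.group("qtype").upper(), m.group("flags"))


def tally_any(lines):
    """Count ANY queries per category and those sent without EDNS.

    A query without EDNS ("E" absent from the flags) gets at most a
    512-byte UDP answer, so a large ANY response to it will be truncated.
    """
    by_category = Counter()
    any_total = 0
    any_without_edns = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _client, qname, qtype, flags = parsed
        if qtype != "ANY":
            continue
        any_total += 1
        by_category[classify(qname)] += 1
        if "E" not in flags:
            any_without_edns += 1
    return {
        "by_category": by_category,
        "any_total": any_total,
        "any_without_edns": any_without_edns,
    }


# Constructed log lines; the addresses are documentation ranges.
LOG_LINES = [
    "09-Oct-2009 13:40:01.101 client 198.51.100.7#53: query: ns1.example.com IN ANY + (192.0.2.1)",
    "09-Oct-2009 13:40:01.102 client 198.51.100.7#53: query: ns2.example.com IN ANY +E (192.0.2.1)",
    "09-Oct-2009 13:40:02.200 client 203.0.113.9#4321: query: example.com IN ANY +ED (192.0.2.1)",
    "09-Oct-2009 13:40:02.201 client 203.0.113.9#4321: query: example.net IN ANY +E (192.0.2.1)",
    "09-Oct-2009 13:40:03.300 client 198.51.100.20#2222: query: www.example.com IN A + (192.0.2.1)",
    "09-Oct-2009 13:40:03.301 client 198.51.100.20#2222: query: mail.example.com IN MX + (192.0.2.1)",
    "09-Oct-2009 13:40:04.000 zone transfer of 'example.com/IN' from 198.51.100.7#53 started",
]

if __name__ == "__main__":
    result = tally_any(LOG_LINES)
    for category, n in sorted(result["by_category"].items()):
        print(f"{category:14s} {n}")
    print(f"ANY queries total: {result['any_total']}, "
          f"without EDNS: {result['any_without_edns']}")
```

Run it against a real named query log (with the ZONES table filled in from the zones the server actually hosts) and the "mail-server" bucket is the count the thread is asking about; the "without EDNS" count is the subset of ANY askers that cannot receive an answer larger than 512 bytes over UDP at all.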
