[dns-operations] DNSSEC misconfiguration

Tony Finch dot at dotat.at
Tue Aug 3 23:56:42 UTC 2010

On 2 Aug 2010, at 18:03, Michael Sinatra <michael at rancid.berkeley.edu> wrote:
> On 07/31/10 00:21, George Barwood wrote:
>> "Tony Finch"<dot at dotat.at> wrote:
>>> What has caused problems that users notice is qmail's DNS resolution bugs which make it unable to cope with our signed zone.
>> This is due to the unfortunate standards decision to make ANY insensitive to the DO flag.
> Actually, it's caused by the hideously broken behavior of qmail, where it rejects a DNS response longer than 512 bytes, regardless of whether TCP was used.

It should also not be making ANY queries.

> The consequences of this behavior came up long before DNSSEC, with email domains with large numbers of MX records (e.g. AOL several years ago).

Or long SPF records etc.

>> Can you give more details on the scale of the qmail problem?

> In 8 months of signing, I have received exactly 3 complaints about it.  There are probably more issues out there (especially if they can't email me about it!), but this is not a problem that demands a standards response (and keep in mind this is coming from an ops guy).

Our complaint rates are about the same. I agree that no changes need to be made to the DNS to support buggy 12-year-old code.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
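As an added example, not code from anyone in this thread, here is a small Python check of how quickly an MX RRset outgrows the 512-byte limit that the thread says qmail enforces even over TCP; the zone and MX host names are constructed placeholders, and the response is built without name compression, so the size is an upper bound on what a real server would send.

```python
import struct

# Added example: build a minimal MX response in wire format and measure it,
# so an operator can see when a zone's MX set exceeds the classic 512-byte
# UDP limit that a 512-byte-only client (the thread's qmail case) rejects.

def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    labels = name.strip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"

def build_mx_response(zone: str, mx_hosts, txid: int = 0x1234) -> bytes:
    """Build an uncompressed MX response (header + question + answer section).
    Real servers compress names, so this is an upper bound on the wire size."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, len(mx_hosts), 0, 0)
    question = encode_name(zone) + struct.pack("!HH", 15, 1)  # QTYPE=MX, QCLASS=IN
    answers = b""
    for preference, host in mx_hosts:
        rdata = struct.pack("!H", preference) + encode_name(host)
        # NAME, TYPE=MX, CLASS=IN, TTL=3600, RDLENGTH, RDATA
        answers += encode_name(zone) + struct.pack("!HHIH", 15, 1, 3600, len(rdata)) + rdata
    return header + question + answers

def classify(raw: bytes) -> dict:
    """Summarise the properties a 512-byte-only client cares about."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", raw[:12])
    return {
        "size": len(raw),
        "tc": bool(flags & 0x0200),     # TC bit: the server truncated a UDP reply
        "exceeds_512": len(raw) > 512,  # rejected outright by a 512-byte-only client
        "answers": ancount,
    }

def max_mx_under_512(zone: str, host_template: str = "mx{}.example.net.") -> int:
    """Largest MX count whose uncompressed response still fits in 512 bytes.
    Host names follow the constructed template mx0, mx1, ... (placeholders)."""
    n = 0
    while True:
        hosts = [(10, host_template.format(i)) for i in range(n + 1)]
        if len(build_mx_response(zone, hosts)) > 512:
            return n
        n += 1

if __name__ == "__main__":
    print(classify(build_mx_response("example.net.", [(10, "mx0.example.net.")])))
    print("MX records that fit in 512 bytes:", max_mx_under_512("example.net."))
```

With the placeholder names the limit is reached after only eleven MX records, which is why the large MX sets mentioned in the thread (and later DNSSEC signatures) trip such clients.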

