[dns-operations] DNSSEC misconfiguration
dot at dotat.at
Tue Aug 3 23:56:42 UTC 2010
On 2 Aug 2010, at 18:03, Michael Sinatra <michael at rancid.berkeley.edu> wrote:
> On 07/31/10 00:21, George Barwood wrote:
>> "Tony Finch"<dot at dotat.at> wrote:
>>> What has caused problems that users notice is qmail's DNS resolution bugs which make it unable to cope with our signed zone.
>> This is due to the unfortunate standards decision to make ANY insensitive to the DO flag.
> Actually, it's caused by the hideously broken behavior of qmail, where it rejects a DNS response longer than 512 bytes, regardless of whether TCP was used.
It should also not be making ANY queries.
> The consequences of this behavior came up long before DNSSEC, with email domains with large numbers of MX records (e.g. AOL several years ago).
Or long SPF records etc.
>> Can you give more details on the scale of the qmail problem?
> In 8 months of signing, I have received exactly 3 complaints about it. There are probably more issues out there (especially if they can't email me about it!), but this is not a problem that demands a standards response (and keep in mind this is coming from an ops guy).
Our complaint rates are about the same. I agree that no changes need to be made to the DNS to support buggy 12-year-old code.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
More information about the dns-operations