[dns-operations] DNSSEC misconfiguration

George Barwood george.barwood at blueyonder.co.uk
Sat Jul 31 07:21:23 UTC 2010


----- Original Message ----- 
From: "Tony Finch" <dot at dotat.at>
To: "Carlos Vicente" <cvicente at network-services.uoregon.edu>
Cc: <dns-operations at dns-oarc.net>
Sent: Friday, July 30, 2010 11:34 PM
Subject: Re: [dns-operations] DNSSEC misconfiguration


> What has caused problems that users notice is qmail's DNS resolution bugs which make it unable to cope with our signed zone.

This is due to the unfortunate standards decision to make ANY insensitive to the DO flag.

Can you give more details on the scale of the qmail problem? Currently it's hard to know
how serious the problem is likely to be. Maybe the major qmail users have now applied the relevant patch.

I am using my own software (GbDns) which doesn't send DNSSEC records in response to
an ANY query unless DO=1 (not standards compliant, but this doesn't cause any problems).

Maybe other suppliers of DNSSEC software could also support this to allow DNSSEC to be deployed
in corporate environments (where chasing up email that cannot be delivered is not a realistic option).

George
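
The DO-gated ANY behaviour described in the message above, as an added example (not part of the original post and not GbDns code): it reads the DO bit from a query's EDNS OPT record and leaves DNSSEC records out of an ANY answer when DO is clear. The `DNSSEC_TYPES` set, the function names and the sample data are assumptions constructed for illustration.

```python
import struct
# Assumption: the post does not list which types count as "DNSSEC records".
DNSSEC_TYPES = {46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3", 51: "NSEC3PARAM"}
TYPE_ANY, TYPE_OPT, DO_BIT = 255, 41, 0x8000

def skip_name(msg, off):
    """Return the offset just past a domain name (labels or compression pointer)."""
    while off < len(msg):
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
    raise ValueError("truncated name")

def parse_query(msg):
    """Return (qtype, do_flag); truncated input raises struct.error or ValueError."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    off = skip_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!2H", msg, off)
    off, do = off + 4, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == TYPE_OPT:       # OPT TTL carries the EDNS flags; DO is 0x8000
            do = bool(ttl & DO_BIT)
        off += 10 + rdlen
    return qtype, do

def select_records(query, rrset):
    """rrset: [(type_code, rdata_text)]. ANY without DO=1 gets no DNSSEC records."""
    qtype, do = parse_query(query)
    if qtype != TYPE_ANY:
        return [rr for rr in rrset if rr[0] == qtype]
    return [rr for rr in rrset if do or rr[0] not in DNSSEC_TYPES]

def build_query(name, qtype, do=None):
    """Constructed sample query; do=None means no EDNS OPT record at all."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, int(do is not None))
    opt = b"" if do is None else b"\0" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT if do else 0, 0)
    return hdr + qname + struct.pack("!2H", qtype, 1) + opt

# Constructed sample RRset for one name (placeholder rdata, not real zone data).
ZONE = [(1, "192.0.2.1"), (15, "10 mail.example."), (46, "RRSIG A ..."),
        (46, "RRSIG MX ..."), (47, "NSEC ..."), (48, "DNSKEY 257 ...")]
```

A resolver that sends ANY without EDNS, as in the first test case, receives only the A and MX records here, which keeps the answer small.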

