[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Tony Finch
dot at dotat.at
Fri Jun 24 11:11:56 UTC 2011
On 22 Jun 2011, at 10:31, "Marco Davids (SIDN)" <marco.davids at sidn.nl> wrote:
>
> Unless I am missing something here, it should be safe to return a
> REFUSED for them (I was told that Postfix is using them for some obscure
> reason, so maybe I am talking rubbish here).
Qmail (not Postfix) uses ANY queries to canonicalize the envelope domains in outgoing SMTP transactions. This is a bug: it should use MX queries for this purpose. It causes amusing interactions with qmail's buggy 512 byte DNS packet buffer and signed zones.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
More information about the dns-operations
mailing list