[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Tony Finch dot at dotat.at
Fri Jun 24 11:11:56 UTC 2011

On 22 Jun 2011, at 10:31, "Marco Davids (SIDN)" <marco.davids at sidn.nl> wrote:
> Unless I am missing something here, it should be safe to return a
> REFUSED for them (I was told that Postfix is using them for some obscure
> reason, so maybe I am talking rubbish here).

Qmail (not Postfix) uses ANY queries to canonicalize the envelope domains in outgoing SMTP transactions. This is a bug: it should use MX queries for this purpose. It causes amusing interactions with qmail's buggy 512 byte DNS packet buffer and signed zones.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/

More information about the dns-operations mailing list