On Feb 17, 2006, at 11:11, Lutz Donnerhacke wrote:
Qmail can't deliver to DNSSEC protected domains. (Repost from edri.org-ML)
Reason:
- qmail sends an "ANY IN edri.org" query in order to deliver mail.
  * Due to DNSSEC, there are some signatures caught by ANY, so the response packet size is 605 bytes.
- qmail does not support EDNS extensions for larger UDP packets.
  * The response is truncated to 512 bytes and marked "truncated".
- qmail does not support the very old TCP fallback requirement for DNS.
- qmail refuses to deliver the mail and logs "CNAME_lookup_failed_temporarily".
Hmmm. Even though DJB's enthusiasm for DNSSEC is well known, I'm not sure it's fair to be blaming qmail. Well, this time at least... This looks to be a local name server misconfiguration. Or perhaps a bug. qmail won't be asking for DNSSEC RR types. That's for sure. And it won't be setting the DO bit either, because DJB is no fan of EDNS0. So qmail's lookups should not be getting RRSIGs and suchlike, which would hopefully mean it won't get truncated responses. RFC 3225 says don't send DNSSEC RR types unless the client has set the DO bit to indicate they understand DNSSEC. So your local name server shouldn't be handing out these RR types to qmail's ANY QTYPE queries unless qmail set the DO bit. Or have I missed something?
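The failure mode the two messages above argue about, shown as an added example that is not part of either post and not qmail's code: a resolver sends a plain "ANY IN edri.org" query, the answer is larger than 512 bytes, the server cuts it and sets the TC bit, and the resolver either retries over TCP (RFC 1035 behaviour), asks for a bigger UDP payload via an EDNS0 OPT record, or, like the resolver the thread describes, treats the truncated reply as a failure. The "server" is an in-memory mock, the 605-byte reply is constructed (its RRSIG rdata is zero filler, not a signature), and all function names are my own.

```python
import struct

QTYPE_ANY, QTYPE_RRSIG, QTYPE_OPT, QCLASS_IN = 255, 46, 41, 1
TC_FLAG = 0x0200          # "truncated" bit in the DNS header flags
MAX_PLAIN_UDP = 512       # RFC 1035 limit without EDNS0


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a root byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def parse_header(pkt):
    """Decode the 12-byte DNS header into the fields we care about."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": qid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "arcount": ar}


def build_query(name, qid=0x1234, edns_udp_size=None, do_bit=False):
    """ANY/IN query; with edns_udp_size an OPT pseudo-RR advertises a larger UDP buffer."""
    arcount = 1 if edns_udp_size else 0
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)   # RD set
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    opt = b""
    if edns_udp_size:
        # OPT: root name, type 41, CLASS field carries the UDP payload size,
        # TTL field carries ext-rcode/version/flags; DO is the top flag bit.
        ttl = 0x8000 if do_bit else 0
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, ttl, 0)
    return hdr + question + opt


def build_constructed_response(name, qid=0x1234, total=605):
    """Constructed 605-byte reply: question plus one RRSIG whose rdata is filler."""
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    rdlen = total - (12 + len(question) + 12)   # header + question + RR fixed part
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_RRSIG, QCLASS_IN, 3600, rdlen) + bytes(rdlen)
    hdr = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)         # QR, RD, RA
    return hdr + question + rr


def make_mock_server(full_response):
    """Return (udp_send, tcp_send) closures imitating a name server (constructed, offline)."""
    def udp_send(query):
        limit = MAX_PLAIN_UDP
        if parse_header(query)["arcount"] == 1:          # assume the one ARR is an OPT
            limit = max(MAX_PLAIN_UDP, struct.unpack("!H", query[-8:-6])[0])
        if len(full_response) <= limit:
            return full_response
        # Real servers drop whole RRs; this mock cuts bytewise, which is enough
        # to show the TC bit. The header flags get TC set on the cut copy.
        cut = full_response[:limit]
        flags = struct.unpack("!H", cut[2:4])[0] | TC_FLAG
        return cut[:2] + struct.pack("!H", flags) + cut[4:]

    def tcp_send(framed_query):
        # TCP carries DNS messages with a two-byte length prefix; no 512-byte limit.
        return struct.pack("!H", len(full_response)) + full_response

    return udp_send, tcp_send


def resolve(name, udp_send, tcp_send, use_edns=False):
    """RFC 1035 style resolver: UDP first, retry over TCP when TC is set."""
    query = build_query(name, edns_udp_size=4096 if use_edns else None)
    reply = udp_send(query)
    if not parse_header(reply)["tc"]:
        return reply, "udp"
    framed = struct.pack("!H", len(query)) + query
    resp = tcp_send(framed)
    (length,) = struct.unpack("!H", resp[:2])
    return resp[2:2 + length], "tcp"


def resolve_no_tcp_fallback(name, udp_send):
    """Resolver without TCP fallback or EDNS0: a truncated answer is a hard failure."""
    reply = udp_send(build_query(name))
    if parse_header(reply)["tc"]:
        raise RuntimeError("truncated UDP answer and no TCP fallback: lookup fails")
    return reply


if __name__ == "__main__":
    udp, tcp = make_mock_server(build_constructed_response("edri.org"))
    for edns in (False, True):
        answer, transport = resolve("edri.org", udp, tcp, use_edns=edns)
        print(f"edns={edns}: {len(answer)} bytes via {transport}")
    try:
        resolve_no_tcp_fallback("edri.org", udp)
    except RuntimeError as e:
        print("no-fallback resolver:", e)
```

Run as-is it prints that the plain query succeeds only via the TCP retry, the EDNS0 query gets the full 605 bytes over UDP, and the no-fallback resolver errors out on the truncated reply. Note that `do_bit` stays off in both successful paths: a larger UDP buffer and TCP fallback are independent of whether the client asks for DNSSEC records, which is the distinction the reply above draws.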