[dns-wg] DNSSEC breaks qmail
Lutz Donnerhacke lutz at iks-jena.de
Fri Feb 17 13:11:39 CET 2006
* Jim Reid wrote:
> qmail won't be asking for DNSSEC RR types. That's for sure. And it
> won't be setting the DO bit either because DJB is no fan of EDNS0.

Qmail asks for "ANY" and this includes "NSEC" and "RRSIG", too. Qmail does not support EDNS and therefore gets a truncated response as RFC 1035 requires. Qmail does not support the TCP fallback requirement and got stuck.

> So qmail's lookups should not be getting RRSIGs

If qmail would ask for "MX" and "A", there would be no problem at all. But qmail asks for "ANY".

> So your local name server shouldn't be handing out these RRtypes to
> qmail's ANY QTYPE queries unless qmail set the DO bit.

"NSEC" and "RRSIG" are covered by "ANY".
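
The failure described in this message, as an added example that is not part of the original post and is not qmail's code: a non-EDNS "ANY" query, a server cutting an answer that exceeds 512 bytes and setting TC, and the TCP retry the message says qmail lacks. The function names, the name example.org and the filler payload standing in for RRSIG/NSEC records are constructed for illustration.

```python
import struct

QTYPE_ANY = 255      # "ANY" covers every RR type at the name, RRSIG and NSEC included
UDP_LIMIT = 512      # largest UDP answer a client without EDNS0 can be sent
TC_FLAG = 0x0200     # truncation bit in the header flags word

def build_query(name, qtype, txid=0x1234):
    """Plain RFC 1035 query: no OPT record, so no EDNS0 and no DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # class IN

def parse_header(msg):
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "tc": bool(flags & TC_FLAG), "ancount": ancount}

def sample_response(query, payload_len, ancount=5):
    """Constructed answer: real header and question, opaque filler for the RRs."""
    txid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    return header + query[12:] + b"\x00" * payload_len

def truncate_for_udp(response, question_len):
    """Server side, modeled simply: an oversized answer loses its records and gets TC."""
    if len(response) <= UDP_LIMIT:
        return response
    txid, flags = struct.unpack("!HH", response[:4])
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, 1, 0, 0, 0)
    return header + response[12:12 + question_len]

def next_step(query, response):
    """Client side: what to do with a UDP response."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "discard"           # not an answer to this query
    if r["tc"]:
        return "retry-over-tcp"    # answer is incomplete; ask again over TCP
    return "use-answer"

if __name__ == "__main__":
    q = build_query("example.org", QTYPE_ANY)
    signed = truncate_for_udp(sample_response(q, 700), len(q) - 12)
    unsigned = truncate_for_udp(sample_response(q, 100), len(q) - 12)
    print(next_step(q, signed), next_step(q, unsigned))
```

A client that treats the "retry-over-tcp" case as a usable answer, or has no TCP path at all, fails on exactly the zones whose "ANY" answer grew past 512 bytes once signatures were added.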