Maybe they should test their DNS servers using:
https://www.dns-oarc.net/oarc/services/replysizetest

or set up the EDNS UDP size to 1400 instead of the default 4096 if they don't
want to allow fragmented packets in:
http://www.zytrax.com/books/dns/ch7/hkpng.html#edns-udp-size

This is also likely to affect SPF results when the zone is overloaded with
TXT records at the root, and even more when you enable DNSSEC verification...

On Tue, Jun 7, 2016 at 10:41 AM, Steve Atkins <st...@blighty.com> wrote:

>
> > On Jun 7, 2016, at 10:31 AM, Simon <s...@4lists.simonliebold.de> wrote:
> >
> > On 07.06.2016 at 18:27, Steve Atkins wrote:
> >> The 2048 bit key plus the CNAME gives a reply packet big enough that
> >> the UDP reply to a non-edns query is truncated. Retrying over TCP
> >> works, but a DNS resolver that doesn't do TCP would just error out.
> >> That's probably why the DKIM temperror. If you make your reply small
> >> enough that a UDP reply works (either by not using the CNAME in the
> >> same zone, or by using a slightly smaller key) I expect it'd go away.
> >
> > Yes, at some point it will start to work when sending to hotmail.com,
> > outlook.com. Interestingly Google, Yahoo, AOL & Co don't seem to mind
> > switching protocols during key retrieval.
> >
> > That explains why those ESPs that want you to set a CNAME from your zone
> > pointing to a pubkey in their zone don't use 2048 bit keys yet.
>
> A CNAME in a different zone would likely not have the issue. But 1536 bit keys
> might be the sweet spot anyway, I guess. DNS is a little fragile when you push
> its historical limits.
>
> Cheers,
>   Steve
>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
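To put numbers on the truncation discussed in this thread, here is an added example (my code, not from any poster) that estimates the UDP reply sizes a resolver sees for a DKIM key lookup with 1024, 1536 and 2048 bit keys, direct or via a same-zone or other-zone CNAME. It assumes RSA keys with e = 65537, a constructed selector name and CNAME target under example.com, and counts only the header, question and answer sections, so real replies (authority/additional records, DNSSEC signatures) are larger still.

```python
import math
UDP_LIMIT_NO_EDNS = 512   # RFC 1035 payload limit for a resolver that sends no EDNS OPT record

def _der_hdr(n):   # bytes taken by a DER tag plus length octets for n content bytes (n < 65536)
    return 2 if n < 128 else 3 if n < 256 else 4

def rsa_spki_der_len(bits):
    """DER length of the SubjectPublicKeyInfo for an RSA key with e = 65537 (the DKIM p= value)."""
    n_len = bits // 8 + 1                          # modulus carries a leading 0x00 (high bit set)
    n_int = _der_hdr(n_len) + n_len
    rsa_pub = _der_hdr(n_int + 5) + n_int + 5      # SEQUENCE { INTEGER n, INTEGER e (5 bytes) }
    bitstr = _der_hdr(rsa_pub + 1) + rsa_pub + 1   # BIT STRING with one unused-bits byte
    return _der_hdr(15 + bitstr) + 15 + bitstr     # SEQUENCE { rsaEncryption AlgId (15 bytes), BIT STRING }

def dkim_txt_rdata(bits):
    """TXT RDATA of 'v=DKIM1; k=rsa; p=<base64 SPKI>' split into <=255-byte character-strings."""
    b64_len = 4 * math.ceil(rsa_spki_der_len(bits) / 3)
    text = ("v=DKIM1; k=rsa; p=" + "A" * b64_len).encode()   # constructed stand-in; only the length matters
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def wire_name(name):   # uncompressed wire form of a domain name
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def rr(rtype, rdata):
    """One answer RR: 2-byte compression pointer as owner (as servers emit), type, IN, TTL, RDLENGTH, RDATA."""
    return b"\xc0\x0c" + rtype.to_bytes(2, "big") + b"\x00\x01\x00\x00\x0e\x10" + len(rdata).to_bytes(2, "big") + rdata

def reply_size(qname, answers):
    """Header + question + answers only; authority/additional data make a real reply larger still."""
    return 12 + len(wire_name(qname)) + 4 + sum(len(a) for a in answers)

def dkim_lookup_replies(bits, qname, cname_target=None, same_zone=True):
    """Reply sizes a resolver sees: a same-zone CNAME is answered with CNAME + TXT in one reply,
    an other-zone CNAME yields the CNAME alone and then the TXT from the other zone's server."""
    txt = rr(16, dkim_txt_rdata(bits))
    if cname_target is None:
        return [reply_size(qname, [txt])]
    cname = rr(5, wire_name(cname_target))
    if same_zone:
        return [reply_size(qname, [cname, txt])]
    return [reply_size(qname, [cname]), reply_size(cname_target, [txt])]

def truncated(sizes, udp_limit=UDP_LIMIT_NO_EDNS):   # any reply over the limit comes back TC=1 -> TCP retry
    return any(s > udp_limit for s in sizes)

if __name__ == "__main__":   # constructed selector name and same-zone CNAME target, not real records
    q, t = "s2016._domainkey.mail.example.com", "s2016._domainkey.esp-keys.example.com"
    for bits in (1024, 1536, 2048):
        for label, sizes in (("direct", dkim_lookup_replies(bits, q)), ("same-zone CNAME", dkim_lookup_replies(bits, q, t))):
            print(f"{bits}-bit {label}: {sizes} bytes -> {'TRUNCATED' if truncated(sizes) else 'fits in 512'}")
```

With these constructed names the 2048 bit key fits directly (475 bytes) but not behind a same-zone CNAME (526 bytes), while 1536 bits behind the same CNAME stays at 438 bytes; pass udp_limit=1400 to truncated() to see the EDNS case.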
