https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6862
Priority: P2
Bug ID: 6862
Assignee: [email protected]
Summary: Allow a DNS resolver to use EDNS - UDP packets larger than 512 bytes (configurable)
Severity: enhancement
Classification: Unclassified
OS: All
Reporter: [email protected]
Hardware: All
Status: NEW
Version: 3.4 SVN branch
Component: Libraries
Product: Spamassassin
Now that google.com went overboard with switching to DKIM
signatures signed with a 2048-bit key, a DNS query for a public
key comes close to the old DNS/UDP limit of 512 bytes. Depending
on the recursive DNS server in use, Google's public key comes
back either just below the 512-byte limit (when there are no
additional answer sections, like with an 'unbound' resolver),
or somewhat above this limit (with 'bind'), in which case
Net::DNS::Resolver, on seeing a truncated response,
retries the query using TCP.
The issue could be avoided if Net::DNS::Resolver were allowed
to form an extended query (EDNS0, RFC 2671, RFC 2671bis draft),
which can signal that a client is willing to accept UDP packets
larger than the ancient 512-byte limit.
Here is an example:
perl -MNet::DNS -le '$r = Net::DNS::Resolver->new;
  $r->udppacketsize(4096);   # advertise an EDNS0 UDP payload size of 4096 bytes
  $p = $r->send("20120113._domainkey.google.com", "TXT") or die $r->errorstring;
  $p->print'   # dump the reply; with EDNS0 it arrives over UDP without a TCP retry
(the above text is from my enhancement request to Mail::DKIM,
https://rt.cpan.org/Public/Bug/Display.html?id=80425)
There should be a configurable way for SpamAssassin to enable
the EDNS option in Net::DNS::Resolver. The attached patch adds an
option 'EDNS' to the dns_options configuration setting.
It also passes the resolver object to the DKIM plugin for the
benefit of the Mail::DKIM module, so that it can use the same
settings as the rest of SpamAssassin (just like the SPF plugin).
As some of the DNS resolver settings are now configurable,
I had to postpone the call to DnsResolver::load_resolver
in SpamAssassin.pm until after the config is read.
This is from the new documentation:
=item dns_options opts (default: empty)
Provides a (whitespace- or comma-separated) list of options applying
to DNS resolving. Available options are 'rotate', 'dns0x20' and 'edns'
(without quotes). An option name may be negated by prepending 'no' (e.g.
'norotate', 'noEDNS') to counteract a previously enabled option. Option
names are not case-sensitive.
The last setting in the configuration files prevails. By default the options
'rotate', 'dns0x20' and 'edns' are disabled.
Option 'edns' may take a value which specifies the requestor's UDP payload
size according to the EDNS0 specification (RFC 2671bis draft), e.g. edns=4096.
When the option is enabled but a value is not provided, a conservative default
of 1280 bytes is implied. It is recommended to enable 'edns' when using a
local recursive DNS server which supports EDNS0 (as most modern DNS servers
do). This may avoid the need for a DNS query to fail over to a TCP query when
a DNS UDP answer packet would exceed 512 bytes. The option should remain
disabled when the recursive DNS resolver is only reachable through some
old-fashioned firewall which cannot cope with DNS UDP packets longer than
512 bytes or which discards IP fragments.
[...]
--
You are receiving this mail because:
You are the assignee for the bug.
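As an added example (not code from this bug report, from SpamAssassin or from Net::DNS), the following Python script shows the two things the request above turns on: the dns_options parsing rules the new documentation describes ('edns', 'edns=4096', 'noedns', last setting wins, 1280-byte default when no size is given) and the EDNS0 OPT pseudo-record (RFC 2671 / RFC 6891) that a resolver adds to a query to advertise a larger UDP payload. It then inspects two constructed replies for the google.com DKIM name: one that carries the full TXT record over 512 bytes with the TC bit clear, and the kind a 512-byte-only path gives back, with TC set, which is what forces the TCP retry the report describes. The packets, the transaction ID and the DKIM key text are constructed for the example and are not Google's real record; the function names are the example's own.

```python
"""Added example (not SpamAssassin or Net::DNS code): the dns_options 'edns'
semantics from the patch's documentation, and the EDNS0 OPT pseudo-RR that
such an option makes a resolver add to its queries.  Standard library only;
the DNS packets below are constructed inline, so nothing goes on the wire."""
import struct

CLASSIC_UDP_LIMIT = 512      # pre-EDNS0 maximum DNS/UDP message size
DEFAULT_EDNS_PAYLOAD = 1280  # conservative default named in the dns_options doc
OPT_TYPE, TXT_TYPE = 41, 16


def parse_dns_options(text):
    """'rotate', 'dns0x20', 'edns[=size]': whitespace/comma separated,
    case-insensitive, a 'no' prefix negates, the last setting wins."""
    opts = {"rotate": False, "dns0x20": False, "edns": None}
    for tok in text.replace(",", " ").split():
        name, _, value = tok.lower().partition("=")
        negate = name.startswith("no")
        key = name[2:] if negate else name
        if key not in opts:
            raise ValueError("unknown dns_options entry: " + tok)
        if key == "edns":
            opts[key] = None if negate else (int(value) if value else DEFAULT_EDNS_PAYLOAD)
        else:
            opts[key] = not negate
    return opts


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_rr(payload_size):
    # OPT pseudo-RR: root owner name, TYPE 41; the CLASS field carries the
    # requestor's UDP payload size, TTL carries ext-RCODE/version/flags (0 here).
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload_size, 0, 0)


def build_query(name, qtype, txid, edns_payload=None):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_payload else 0)
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    return pkt + opt_rr(edns_payload) if edns_payload else pkt


def build_response(name, strings, txid, truncated=False, edns_payload=None):
    """Constructed server reply: one TXT answer, or, when 'truncated', the
    TC-bit reply a 512-byte-only path gives (question only, answer dropped)."""
    flags = 0x8180 | (0x0200 if truncated else 0)          # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else 1,
                         0, 1 if edns_payload else 0)
    pkt = header + encode_name(name) + struct.pack("!HH", TXT_TYPE, 1)
    if not truncated:
        rdata = b"".join(bytes([len(s)]) + s for s in strings)
        # owner name as a compression pointer to the question name at offset 12
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, 1, 300, len(rdata)) + rdata
    return pkt + opt_rr(edns_payload) if edns_payload else pkt


def skip_name(buf, off):
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:            # compression pointer ends the name
            return off + 2
        off += 1 + n


def inspect_response(buf):
    """What a client learns before deciding on a TCP retry: the TC bit, the
    size relative to the classic limit, and the server's advertised payload."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4
    server_payload = None
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            server_payload = rclass
    return {"id": txid, "truncated": bool(flags & 0x0200), "size": len(buf),
            "over_512": len(buf) > CLASSIC_UDP_LIMIT, "server_udp_payload": server_payload}


def txt_strings(text):
    # TXT RDATA is a run of <len><chars> strings of at most 255 bytes each
    raw = text.encode("ascii")
    return [raw[i:i + 255] for i in range(0, len(raw), 255)]


NAME = "20120113._domainkey.google.com"
DKIM_TXT = "v=DKIM1; k=rsa; p=" + "A" * 480   # constructed stand-in, not Google's key


def demo():
    edns = parse_dns_options("edns=4096")["edns"]
    query = build_query(NAME, TXT_TYPE, 0xBEEF, edns_payload=edns)
    full = inspect_response(build_response(NAME, txt_strings(DKIM_TXT), 0xBEEF, edns_payload=4096))
    tc = inspect_response(build_response(NAME, txt_strings(DKIM_TXT), 0xBEEF, truncated=True))
    return len(query), full, tc


if __name__ == "__main__":
    qlen, full, tc = demo()
    print("query bytes:", qlen)
    print("EDNS reply:", full)    # over 512 bytes, TC clear: no TCP retry needed
    print("classic reply:", tc)   # TC set: the client must retry over TCP
```

The constructed record is deliberately sized so the answer lands well past 512 bytes; with the OPT record advertising 4096 the whole TXT arrives in one UDP datagram, while the classic path returns only the question with TC set, which is the retry-over-TCP case the report wants to avoid. A payload size above 1280 is only safe when the path to the recursive server passes fragments, which is why the documentation keeps 1280 as the default.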