> On Jun 7, 2016, at 10:31 AM, Simon <s...@4lists.simonliebold.de> wrote:
>
> On 07.06.2016 at 18:27, Steve Atkins wrote:
>> The 2048 bit key plus the CNAME gives a reply packet big enough that
>> the UDP reply to a non-edns query is truncated. Retrying over TCP
>> works, but a DNS resolver that doesn't do TCP would just error out.
>> That's probably why the DKIM temperror. If you make your reply small
>> enough that a UDP reply works (either by not using the CNAME in the
>> same zone, or by using a slightly smaller key) I expect it'd go away.
>
> Yes, at some point it will start to work when sending to hotmail.com,
> outlook.com. Interestingly Google, Yahoo, AOL & Co don't seem to mind
> switching protocols during key retrieval.
>
> That explains why those ESPs that want you to set a CNAME from your zone
> pointing to a pubkey in their zone don't use 2048 bit keys yet.
A CNAME in a different zone would likely not have the issue. But 1536 bit keys might be the sweet spot anyway, I guess. DNS is a little fragile when you push its historical limits.

Cheers,
  Steve

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
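To put numbers on the size problem discussed in this thread, here is an added estimator (not from the thread or any of its participants) that builds a DKIM TXT value around a constructed, all-ones RSA modulus of a chosen size, then sums the wire size of a non-EDNS answer with and without the same-zone CNAME hop against the 512-byte UDP limit. The names `selector._domainkey.example.com` and `selector._domainkey.mailer.example` are assumed placeholders; owner names in answer RRs are assumed to be fully compressed (2-byte pointers).

```python
"""Estimate whether a DKIM TXT reply fits in a 512-byte non-EDNS UDP datagram."""
import base64
import math
from typing import Optional

def der_len(n: int) -> bytes:
    """DER length field: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value: bytes) -> bytes:
    """Positive INTEGER: a leading 0x00 is required when the high bit is set."""
    if value[0] & 0x80:
        value = b"\x00" + value
    return der_tlv(0x02, value)

def dkim_txt_value(modulus_bits: int) -> str:
    """DKIM 'p=' record for a constructed all-ones modulus; only its length matters."""
    modulus = b"\xff" * (modulus_bits // 8)                   # constructed, not a real key
    rsa_pub = der_tlv(0x30, der_int(modulus) + der_int(b"\x01\x00\x01"))  # e = 65537
    alg_id = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name (length-prefixed labels + root)."""
    return sum(len(label) + 1 for label in name.strip(".").split(".")) + 1

def txt_rdata_len(value: str) -> int:
    """TXT rdata is a series of <len><chars> strings, each at most 255 bytes."""
    return len(value) + math.ceil(len(value) / 255)

def udp_response_size(query_name: str, txt_value: str,
                      cname_target: Optional[str] = None) -> int:
    """Header + question + (optional CNAME RR) + TXT RR; RR owners are compressed."""
    size = 12 + wire_name_len(query_name) + 4
    if cname_target:
        size += 2 + 10 + wire_name_len(cname_target)
    size += 2 + 10 + txt_rdata_len(txt_value)
    return size

def fits_in_udp(size: int) -> bool:
    """True if a resolver without EDNS would get the whole answer without TC=1."""
    return size <= 512

if __name__ == "__main__":
    q, esp = "selector._domainkey.example.com", "selector._domainkey.mailer.example"
    for bits, cname in ((2048, esp), (2048, None), (1536, esp)):
        n = udp_response_size(q, dkim_txt_value(bits), cname)
        print(f"{bits}-bit, cname={'yes' if cname else 'no'}: {n} bytes, fits={fits_in_udp(n)}")
```

With these placeholder names the 2048-bit key behind a CNAME comes out at 521 bytes (truncated), while dropping the CNAME or moving to 1536 bits lands well under 512, which matches both fixes suggested above.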