Viktor Dukhovni:

> On Tue, May 04, 2021 at 10:02:49AM +0200, Bjoern Franke wrote:
>
> > Do I miss something why postfix has the trouble with the reply?
> >
> > $ dig +dnssec -t TLSA _25._tcp.smtp-relay-in-s1.neusta.de
>
> You're testing with "dig", which is *not* the same as the C library stub
> DNS resolver.
>
> > ;; Truncated, retrying in TCP mode.
>
> The response is too large for UDP, given a conservative EDNS buffer
> size...
>
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 1232
>
> Which "dig" uses, but the C library likely sets the historical default
> of "4096" bytes, expecting that to work. I am not aware of any way to
> configure the EDNS buffer size in the C library stub resolver, short of
> recompiling the C library.
Another data point: by default, Postfix uses a 4096-byte buffer when it
calls the C library stub resolver, but it will repeat the call with a
larger buffer if the response has the 'truncated' flag raised, leaving
it up to the library to switch to TCP as needed. This has been
sufficient at least with 'main stream' libc implementations for the
past 21+ years.

However, I recall that some stub resolvers (libc-musl?) don't support
queries over TCP. Could that be the problem?

	Wietse
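The two mechanisms the thread hinges on are the EDNS UDP payload size a client advertises (dig's 1232 versus the historical 4096 default) and the TC flag a server raises when the DNSSEC-signed TLSA answer does not fit, which is what a stub resolver checks before retrying over TCP. The following standalone script, added here as an illustration and not code from the thread, from Postfix or from any libc, builds a TLSA query with a chosen EDNS buffer size, reads the advertised size back out of the OPT record, detects TC in a reply, and (optionally, with network access) performs the UDP-then-TCP retry that the resolver is expected to do. The function names, the `truncated_response` sample reply and the `resolve` helper are my own constructions; the queried name is the one from the thread and the resolver address is a parameter you supply.

```python
import socket
import struct
from typing import Optional

TYPE_TLSA = 52
TYPE_OPT = 41
CLASS_IN = 1
FLAG_QR = 0x8000   # response bit
FLAG_TC = 0x0200   # truncation bit: answer did not fit in the UDP size the client advertised
FLAG_RD = 0x0100   # recursion desired
EDNS_DO = 0x8000   # DNSSEC OK, carried in the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name: str, qtype: int, udp_size: int, txid: int = 0x1234) -> bytes:
    """Query with an EDNS0 OPT record: the UDP payload size rides in the OPT CLASS field."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)  # root name, no options
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; 'tc' is what a stub resolver checks before switching to TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(msg: bytes) -> Optional[int]:
    """Find the OPT record and return the UDP buffer size it advertises (None if no EDNS)."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4                      # skip QTYPE + QCLASS
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None


def truncated_response(query: bytes) -> bytes:
    """Constructed sample reply (not captured traffic): QR and TC set, question and OPT
    copied from the query, no answer data, as a server replies when the signed TLSA
    answer exceeds the advertised size."""
    txid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_TC, qd, 0, 0, ar) + query[12:]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS server closed the TCP stream early")
        buf += chunk
    return buf


def resolve(name: str, qtype: int, server: str, udp_size: int = 4096, timeout: float = 3.0):
    """Live lookup (needs network): UDP first, then TCP if the reply carries TC.
    Returns (response_bytes, transport_used)."""
    query = build_query(name, qtype, udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(max(udp_size, 512))
    if not parse_header(reply)["tc"]:
        return reply, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:   # RFC 1035 length framing
        tcp.sendall(struct.pack("!H", len(query)) + query)
        length, = struct.unpack("!H", recv_exact(tcp, 2))
        return recv_exact(tcp, length), "tcp"


if __name__ == "__main__":
    name = "_25._tcp.smtp-relay-in-s1.neusta.de"          # the name from the thread
    for size in (1232, 4096):                              # dig's default vs. the historical libc default
        q = build_query(name, TYPE_TLSA, size)
        print(f"query advertises udp size {advertised_udp_size(q)}")
    r = truncated_response(build_query(name, TYPE_TLSA, 1232))
    print("constructed reply: tc =", parse_header(r)["tc"], "-> a stub resolver would retry over TCP")
```

Running the script offline shows only the message-level mechanics; calling `resolve(name, TYPE_TLSA, "<your resolver IP>", udp_size=1232)` against a real resolver reports whether the answer arrived over UDP or needed the TCP retry, which is a quick way to see whether a resolver on the path honours the TC fallback that a TCP-less stub resolver would miss.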