Wietse Venema:
> Viktor Dukhovni:
> > On Tue, May 04, 2021 at 10:02:49AM +0200, Bjoern Franke wrote:
> >
> > > Do I miss something why postfix has the trouble with the reply?
> > >
> > > $ dig +dnssec -t TLSA _25._tcp.smtp-relay-in-s1.neusta.de
> >
> > You're testing with "dig", which is *not* the same as the C library stub
> > DNS resolver.
> >
> > > ;; Truncated, retrying in TCP mode.
> >
> > The response is too large for UDP, given a conservative EDNS buffer
> > size...
> >
> > > ;; OPT PSEUDOSECTION:
> > > ; EDNS: version: 0, flags: do; udp: 1232
> >
> > Which "dig" uses, but the C library likely sets the historical default
> > of "4096" bytes, expecting that to work. I am not aware of any way to
> > configure the EDNS buffer size in the C library stub resolver, short of
> > recompiling the C library.
>
> Another data point: by default, Postfix uses a 4096-byte buffer
> when it calls the C library stub resolver, but it will repeat the
> call with a larger buffer if the response has the 'truncated' flag
> raised, and leaving it up to the library to switch to TCP as needed.
> This has been sufficient at least with 'main stream' libc implementations
> for the past 21+ years.
>
> However, I recall that some stub resolvers (libc-musl?) don't support
> queries over TCP. Could that be the problem?
Indeed, libc-musl does not support DNS queries over TCP.
https://www.linkedin.com/pulse/musl-libc-alpines-greatest-weakness-rogan-lynch/?trackingId=FsMR%2BhJfQqyOH9e1MIN0jw%3D%3D, which also has a link for the resolver author's rationale.

Wietse
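As an added example (not Postfix or libc code), the following Python models the behaviour discussed in the thread: a query that advertises an EDNS UDP buffer size, a check of the TC ("truncated") flag in the reply, and the escalation from a 4096-byte buffer to a larger one and then to TCP, which has nowhere to go on a stub resolver without TCP support. The 65535-byte second buffer size, the message layouts and the sample replies are constructed assumptions.

```python
import struct

QTYPE_TLSA = 52
OPT_TYPE = 41
FLAG_TC = 0x0200   # "truncated" bit in the DNS header flags word
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT record's extended-flags field


def build_edns_query(qname, qtype, udp_size, txid=0x1234):
    """Query with an EDNS0 OPT record advertising udp_size (the reply size the
    stub is prepared to receive over UDP) and the DO bit set, as 'dig +dnssec' does."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, EDNS_DO, 0)
    return header + question + opt


def advertised_udp_size(query):
    """Read the UDP payload size back from the trailing OPT record (512 if absent)."""
    opt_type, size = struct.unpack("!HH", query[-10:-6])
    return size if opt_type == OPT_TYPE else 512


def is_truncated(reply):
    """True when the server set TC: the answer did not fit the advertised size."""
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & FLAG_TC)


def next_attempt(reply, udp_size, tcp_supported=True):
    """Escalation the thread describes: accept a complete UDP reply, otherwise
    retry once with a larger buffer (assumed 65535 here), then fall back to TCP.
    Returns ("accept", size), ("retry_udp", size), ("tcp", None) or ("fail", None)."""
    if not is_truncated(reply):
        return ("accept", udp_size)
    if udp_size < 65535:
        return ("retry_udp", 65535)
    if tcp_supported:
        return ("tcp", None)
    return ("fail", None)  # stub without TCP fallback (the musl case) cannot recover


# Constructed sample replies: a header alone is enough to carry the TC bit.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR RD RA TC
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)   # QR RD RA

if __name__ == "__main__":
    query = build_edns_query("_25._tcp.smtp-relay-in-s1.neusta.de", QTYPE_TLSA, 4096)
    print("advertised UDP size:", advertised_udp_size(query))
    for size, tcp in ((4096, True), (65535, True), (65535, False)):
        print(size, "TCP" if tcp else "no TCP", "->", next_attempt(TRUNCATED_REPLY, size, tcp))
```

Passing 1232 as udp_size reproduces the OPT record dig sent in the thread; a large DNSSEC-signed TLSA answer that does not fit that size comes back with TC set and only completes over TCP.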