Wágner Ferenc authored
Especially DNSSEC employs big payloads. The original EDNS buffer size of 4096 isn't recommended anymore; modern clients advertise 1232 bytes instead (the glibc stub resolver uses the even more conservative 1200 bytes), and servers similarly truncate their responses to avoid having them fragmented. This initiates TCP fallback, which, if not allowed, leads to "DANE error: tlsa lookup DEFER" failure messages from the Exim remote_smtp transport (after a long connect timeout).

https://labs.apnic.net/?p=1390
https://dnsflagday.net/2020/
f1c7ad8a
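
The fallback the commit message describes, sketched at the DNS message level as an added example (not code from this commit or from Exim): a TLSA query advertising a 1232-byte EDNS buffer, the TC-bit check on the UDP reply, and the length-prefixed retry that has to be allowed out over TCP. The function names, the transaction ID and the host `mail.example.org` are constructed for illustration.

```python
import struct

EDNS_UDP_SIZE = 1232   # buffer size the commit message says modern clients advertise
TYPE_TLSA, TYPE_OPT, CLASS_IN = 52, 41, 1
FLAG_TC = 0x0200       # "truncated" bit in the DNS header flags word

def build_query(qname, txid=0x1234, udp_size=EDNS_UDP_SIZE):
    """TLSA query with an EDNS0 OPT record advertising udp_size and DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    # OPT RR: root owner name, CLASS carries the UDP size, TTL carries the DO flag (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x00008000, 0)
    return header + question + opt

def is_truncated(response):
    """True when the server set TC, i.e. the answer did not fit the UDP buffer."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & FLAG_TC)

def tcp_frame(message):
    """DNS over TCP prefixes each message with its 2-byte length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def next_step(query, response):
    """Decide what a resolver does with a UDP reply to `query`."""
    if response[:2] != query[:2]:
        return ("drop", b"")                      # transaction ID mismatch
    if is_truncated(response):
        return ("retry-tcp", tcp_frame(query))    # same question, sent to TCP port 53
    return ("use-udp-answer", response)

# Constructed sample data: the query, and a reply with QR|TC|RD|RA set and no answers.
QUERY = build_query("_25._tcp.mail.example.org")
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:-11]

if __name__ == "__main__":
    action, payload = next_step(QUERY, TRUNCATED)
    print(action, len(payload), "bytes to send over TCP")
```
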