It occurs to me that this issue hasn't yet been mentioned on this mailing
list, and that it might be as well to alert people here to it.

qmail, as abandoned [completed?] by its author, has a bug which shows
up if a DNS query with type ANY for a mail domain name gives a response
of more than 512 bytes. Although that can happen for various reasons,
it is quite inevitable if the mail domain name is the apex of a signed
zone.

The effect is that unpatched qmail systems are unable to route e-mail
for such mail domains, or at least have severe reliability problems
doing so (it can depend on which DNS records are presented in the first
512 bytes of the response, and that itself depends on all sorts of
other details).

One moderately recent thread about this, which I think covers the
essential points, can be found starting at
https://lists.dns-oarc.net/pipermail/dns-operations/2009-October/004530.html

So:

1. If you decide to sign your DNS zones, you should be aware that
some qmail systems may be unable to deliver e-mail to your mail
domains.

2. If you are using qmail as an MTA, make sure that you apply one of
the various patches that increase the size of its 512-byte buffer
(they are easy enough to find via Google). Or, of course, switch
to some other MTA (qmail is unique in using these type ANY queries).
--
Chris Thompson
Email: [log in to unmask]
Phone: +44 1223 334715
University of Cambridge Computing Service,
New Museums Site, Cambridge CB2 3QH,
United Kingdom.
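The failure mode described in the message above, modelled in Python as an added example (this is not qmail's code and not part of the original post). It constructs a fake wire-format DNS response to a type ANY query for a made-up zone "example.org": two MX records plus several large filler records carrying the RRSIG type code with invented signature bytes, so the whole answer is well over 512 bytes, as it would be for a signed zone apex. A small parser then looks for MX records, once over the full message and once after the message has been cut to a 512-byte buffer. Whether any MX host survives the cut depends only on the order in which the server emitted the records, which is exactly the "depends on which DNS records are presented in the first 512 bytes" effect the message mentions. Names are written uncompressed to keep the parser short; the record order, sizes and zone name are all constructed for the example.

```python
import struct

TYPE_MX, TYPE_RRSIG, TYPE_ANY = 15, 46, 255
UDP_LIMIT = 512  # the classic DNS-over-UDP payload size without EDNS


def encode_name(name):
    """Encode a domain name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def rr(name, rtype, rdata, ttl=3600):
    """One resource record: NAME, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def mx_rdata(preference, host):
    return struct.pack("!H", preference) + encode_name(host)


def build_any_response(name, records):
    """Build a complete DNS response to an ANY query.
    records is a list of (rtype, rdata) in the order the server emits them."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_ANY, 1)
    answers = b"".join(rr(name, t, d) for t, d in records)
    return header + question + answers


def decode_name(buf, off):
    """Decode an uncompressed name at offset off; raise if the buffer ends early."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of buffer")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[off:off + n].decode())
        off += n
    return ".".join(labels), off


def mx_hosts_from_response(buf, max_bytes=None):
    """Return the MX exchange hosts found in the answer section.

    If max_bytes is given, only that many bytes of the response are kept,
    modelling a resolver that stores the reply in a fixed-size buffer and
    silently drops whatever lies beyond it. Parsing stops at the first
    record that no longer fits, so records after the cut are never seen."""
    if max_bytes is not None:
        buf = buf[:max_bytes]
    if len(buf) < 12:
        raise ValueError("truncated header")
    _, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(buf, off)
        off += 4  # QTYPE + QCLASS
    hosts = []
    for _ in range(ancount):
        try:
            _, off = decode_name(buf, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        except (ValueError, struct.error):
            break  # record header cut off by the buffer edge
        off += 10
        rdata = buf[off:off + rdlen]
        if len(rdata) < rdlen:
            break  # RDATA cut off by the buffer edge
        off += rdlen
        if rtype == TYPE_MX:
            host, _ = decode_name(rdata, 2)  # skip the 2-byte preference
            hosts.append(host)
    return hosts


def exceeds_udp_limit(buf):
    """True if the response would not fit a 512-byte UDP reply without EDNS."""
    return len(buf) > UDP_LIMIT


# Constructed sample data: two MX records and four 200-byte filler records
# tagged with the RRSIG type code (the bytes are not real signatures).
MX_RECORDS = [(TYPE_MX, mx_rdata(10, "mail1.example.org")),
              (TYPE_MX, mx_rdata(20, "mail2.example.org"))]
RRSIG_RECORDS = [(TYPE_RRSIG, bytes([0x41 + i]) * 200) for i in range(4)]

RESPONSE_MX_FIRST = build_any_response("example.org", MX_RECORDS + RRSIG_RECORDS)
RESPONSE_RRSIG_FIRST = build_any_response("example.org", RRSIG_RECORDS + MX_RECORDS)

if __name__ == "__main__":
    for label, resp in (("MX first", RESPONSE_MX_FIRST), ("RRSIG first", RESPONSE_RRSIG_FIRST)):
        print(label, len(resp), "bytes, over 512:", exceeds_udp_limit(resp))
        print("  full parse   :", mx_hosts_from_response(resp))
        print("  512-byte cut :", mx_hosts_from_response(resp, UDP_LIMIT))
```

Both responses are 1009 bytes. Parsed in full, each yields both MX hosts; cut to 512 bytes, the "MX first" ordering still yields both hosts while the "RRSIG first" ordering yields none, because the third filler record straddles the buffer edge and the MX records lie entirely beyond it. Checking `exceeds_udp_limit` on real responses (or, in practice, the TC bit and a retry over TCP or with EDNS) is the check a resolver needs; a fixed 512-byte buffer with no such check is what the message warns about.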