lcarico5_53817
Jan 29, 2013

GTM DNSSEC fails during ZSK publish period

Where I work we were getting DNSSEC failures occurring during the zone signing key rollover period for our mail records. Other entities who also are validating DNSSEC couldn't do email transactions with us during this time frame. Once the publish period was over everything would clear up. No other DNSSEC enabled entities we did transactions with seemed to share this problem. It only affected the MX records too, nothing else. A nice little mystery to solve.

What happens first during this rollover period is that a new ZSK is generated, so we then have two keys running simultaneously until the old key expires, then we're back to one key. We started examining this and saw the records grew substantially in size during the publish period because of having two keys. The largest of the files was the MX record too. But why weren't others similarly impacted? Examining their ZSK keys showed they were using 1024-bit encryption while we use 2048. We also run a large number of MX records, so that could have also impacted the record size. Our investigation led us to explore the hypothesis of why a size difference might break things. DNS most days runs on UDP, and UDP is not meant for larger file size transfers. So it appears the larger size transaction is escalated to a TCP request instead.

We enabled the TCP listener for DNS and problem solved. Hope this helps!
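To make the size argument in the post concrete, here is an added example (not the poster's code or F5's) that models the wire size of a signed MX answer as a function of key size and the number of active ZSKs, and decodes the TC bit a server sets when it has to truncate a UDP reply. The record count, name lengths and header bytes are constructed sample values; the model assumes owner and signer names compress to 2-byte pointers and that RSA signatures are as long as the modulus.

```python
"""Why a second ZSK during the publish period can push a signed MX answer past a UDP buffer.

Wire-size model after RFC 1035 (MX, name compression) and RFC 4034 (RRSIG).
Record counts and name lengths are constructed sample values, not a real zone.
"""
import struct

HEADER_LEN = 12          # DNS message header
NAME_PTR_LEN = 2         # compressed owner/signer name pointing back at the question (assumption)
RR_FIXED_LEN = 10        # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
RRSIG_FIXED_LEN = 18     # type covered(2) alg(1) labels(1) orig TTL(4) exp(4) inc(4) key tag(2)
TC_BIT = 0x0200          # truncation flag in the header flags word


def rrsig_len(key_bits: int) -> int:
    """One RRSIG over the MX RRset; an RSA signature is as long as the modulus."""
    return NAME_PTR_LEN + RR_FIXED_LEN + RRSIG_FIXED_LEN + NAME_PTR_LEN + key_bits // 8


def signed_mx_answer_len(qname_len: int, num_mx: int, exchange_len: int,
                         key_bits: int, active_zsks: int) -> int:
    """Approximate size of a DNSSEC MX response signed by `active_zsks` keys."""
    question = qname_len + 4                                            # QNAME + QTYPE + QCLASS
    mx_rrs = num_mx * (NAME_PTR_LEN + RR_FIXED_LEN + 2 + exchange_len)  # 2 = MX preference
    sigs = active_zsks * rrsig_len(key_bits)                            # one RRSIG per active ZSK
    return HEADER_LEN + question + mx_rrs + sigs


def fits_in_udp(size: int, bufsize: int) -> bool:
    """True if the answer fits the buffer the resolver advertised (512 without EDNS0)."""
    return size <= bufsize


def is_truncated(response: bytes) -> bool:
    """Detect the TC bit; a resolver that sees it must retry over TCP, which needs a TCP listener."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_BIT)


if __name__ == "__main__":
    # Constructed case: 20 MX records, 2048-bit RSA ZSKs, resolver advertising a 1024-byte buffer.
    for zsks in (1, 2):
        size = signed_mx_answer_len(13, 20, 8, 2048, zsks)
        print(f"{zsks} ZSK(s): ~{size} bytes, fits 1024-byte UDP buffer: {fits_in_udp(size, 1024)}")
    truncated_hdr = b"\x12\x34\x83\x80" + b"\x00" * 8   # constructed header with QR, TC, RD, RA set
    print("TC bit set:", is_truncated(truncated_hdr))
```

Against a live server the same check is `dig +dnssec +bufsize=512 MX <zone>` (look for `tc` in the flags line) followed by `dig +tcp +dnssec MX <zone>` to confirm the TCP listener answers.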