291613 Re: Running namecache service on postfix server?

  • Robert Moskowitz
    Feb 26, 2013
      On 02/26/2013 08:57 PM, btb@... wrote:
      > On Feb 26, 2013, at 11.51, Viktor Dukhovni <postfix-users@...> wrote:
      >> On Tue, Feb 26, 2013 at 09:58:54AM -0500, Robert Moskowitz wrote:
      >>> I have recently updated my DNS server and am observing the traffic
      >>> from my mail server to constantly query for names. Some of these
      >>> names are frequent requests, for example: zen.spamhaus.org. So I
      >>> was thinking that I could benefit from running a namecaching setup
      >>> on my mail server platform. This would cut down on traffic and time
      >>> on my mail server.
      >>> Is this a practice that is common? Are there any downsides to doing this?
      >> When Postfix support for DANE (RFC 6698) is introduced, there will
      >> be a requirement to operate a local nameserver that is DNSSEC aware
      >> on any machine that wants to take advantage of peer certificate details
      >> published via DNSSEC to scalably deliver verified TLS email to many
      >> sites without the overhead of local per-site configuration.
      > why must the nameserver be local? i gather the point is to be able to trust the dns responses, which of course goes without saying - but there are methods for accomplishing this in scenarios with a non local nameserver, aren't there? i think rfc 6698 speaks to this briefly?

      I don't think there is a MUST there in the IETF tradition. More of a
      SHOULD; I think it is a matter of performance, and perhaps security (I
      would have to net it out; definitely less 'room' for a MITM). I suspect
      people with experience in this area (mine is elsewhere in the IETF and
      IEEE 802) can well list the advantages of 'co-location'.