291637 Re: Running namecache service on postfix server?

  • Viktor Dukhovni
    Feb 27, 2013
      On Wed, Feb 27, 2013 at 10:20:50AM -0500, Wietse Venema wrote:

      > > > I think it would be entirely reasonable to share a DNS cache among
      > > > multiple systems within the same trusted perimeter. One DNS server
      > > > per host in a farm of mail servers may not be practical.
      > >
      > > A local cache on each, forwarding to two or three resolvers that are
      > > nearby? Local for DNSSEC verification, nearby cache for performance
      > > reasons? Am I missing something that would make that impractical?
      >
      > I think it would be helpful to give examples of how "secure DNS"
      > caches can be shared, instead of outright banning this. On non-trivial
      > deployments, DNS and MAIL are managed by different people.

      This was the intent of my original example; I guess I did not draw
      sufficient attention to the:

          forward-zone:
              name: "."
              forward-addr: 192.0.2.1

      stanza at the bottom of the unbound.conf example. We'll need to
      provide a similar configuration example for BIND, and explain the
      rationale for both, so other local nameservers could also be
      supported by an MTA administrator who understands the requirements.

      --
      Viktor.
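
The arrangement discussed in this message (a validating cache on each mail server, forwarding to shared resolvers nearby), written out as a full unbound.conf. This is an added example, not the unbound.conf from the original post or from the Postfix documentation; the trust-anchor path and the second forwarder address 192.0.2.2 are assumptions.

```conf
# unbound.conf for the local cache on each mail server (added example).
server:
    # Listen on loopback only. The MTA's stub resolver trusts the AD bit
    # it receives, so that bit must never travel over the network.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse

    # DNSSEC validation happens here, on the mail server itself.
    # Assumed path; the file is normally created by unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"

    # If a forwarder strips signatures from a signed zone, treat the
    # answer as bogus instead of silently downgrading to insecure.
    harden-dnssec-stripped: yes
    val-permissive-mode: no

# Shared caches, possibly run by a different team. They are used for
# performance only; their answers are re-validated by the server above.
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
    # Constructed second forwarder address for redundancy.
    forward-addr: 192.0.2.2
    # Never bypass the forwarders and recurse directly.
    forward-first: no
```

With this in place, /etc/resolv.conf on the mail server lists only `nameserver 127.0.0.1`. The forwarders must be DNSSEC-aware (they must return RRSIG records when asked), otherwise lookups in signed zones fail validation.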