  • Robert Moskowitz
    Feb 27, 2013
      On 02/27/2013 10:20 AM, Wietse Venema wrote:
      > DTNX Postmaster:
      >> On Feb 27, 2013, at 12:58, Wietse Venema <wietse@...> wrote:
      >>> Viktor Dukhovni:
      >>>> Perhaps "postfix check" could generate a warning if DANE is enabled
      >>>> and non-local nameservers are found in /etc/resolv.conf (and/or
      >>>> its chroot-jail version).
      >>> I think it would be entirely reasonable to share a DNS cache among
      >>> multiple systems within the same trusted perimeter. One DNS server
      >>> per host in a farm of mail servers may not be practical.
      >> A local cache on each, forwarding to two or three resolvers that are
      >> nearby? Local for DNSSEC verification, nearby cache for performance
      >> reasons? Am I missing something that would make that impractical?
      > I think it would be helpful to give examples of how "secure DNS"
      > caches can be shared, instead of outright banning this. On non-trivial
      > deployments, DNS and MAIL are managed by different people.

      True, but we are talking about a namecaching server here, not your
      standard fare for DNS support people. Or rather they are old hands at
      deploying caching servers where appropriate and could well supply
      standard templates for them.

      RHEL/CentOS bind installs as a caching server, requiring very little in
      edits, though as I pointed out in an earlier message I need to add
      chroot since I have selinux off on the mail server (I don't think it was
      postfix, but rather dovecot that forced this). Also I think if I change
      my DNS address in ifcfg-eth0 to and ::1 I can stop bind
      listening on the local addresses so even less added to named.conf.

      But to share a single DNS among a number of mail servers, say in a mail
      farm that probably has lots of other types of servers running with
      questionable content, I would want secure tunnels from the mail server
      to the DNS server and that no longer is a non-trivial exercise. Now you
      can always use my HIP protocol instead of IKEv2 for keying ESP, but
      people doing this may want distro provided tunneling.

      How many resources does a local caching server demand? I would think it
      is mostly memory for the cache. You may have to throw a couple more Gb
      at a loaded server.
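
The warning Viktor sketches at the top of the thread, written out as a stand-alone check. This is an added example, not Postfix code and not something any poster supplied: it treats every `nameserver` in a resolv.conf that is not a loopback address as a finding when `smtp_tls_security_level` is `dane` or `dane-only`, because under DANE Postfix trusts the AD bit returned by its resolver, and a resolver on another host moves that trust onto the network path. The file names and the constructed resolv.conf lines are assumptions; `postconf -h` and `queue_directory` are real Postfix commands and settings, and the chroot copy is assumed to live under `queue_directory/etc/`.

```shell
#!/bin/sh
# Added example, not part of Postfix or of this thread: flag off-host
# nameservers when DANE is in use. Postfix trusts the AD bit from its
# resolver, so a nameserver that is not on loopback means DNSSEC
# validation happens on another machine across an unprotected path.

# resolv_nonlocal FILE
#   Print each "nameserver" entry in FILE that is not a loopback address.
#   Returns 0 when every nameserver is loopback, 1 when at least one is not.
resolv_nonlocal() {
    found=0
    # "|| [ -n "$key" ]" still processes a last line lacking a newline.
    while read -r key val rest || [ -n "$key" ]; do
        [ "$key" = nameserver ] || continue     # skip search/options/comments
        case "$val" in
            127.*|::1) ;;                       # loopback: resolver on this host
            *) echo "$val"; found=1 ;;
        esac
    done < "$1"
    return "$found"
}

# dane_resolver_check LEVEL FILE...
#   LEVEL is the smtp_tls_security_level value; FILE... are the resolv.conf
#   copies to inspect (system copy and the one inside the Postfix chroot).
#   Warns on stderr for each off-host nameserver when DANE is enabled and
#   returns 1 if any was found; returns 0 otherwise.
dane_resolver_check() {
    level=$1; shift
    case "$level" in
        dane|dane-only) ;;
        *) return 0 ;;   # DANE off: resolver placement is not a DNSSEC trust issue
    esac
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue                 # e.g. no chroot copy installed
        ns=$(resolv_nonlocal "$f") || {
            rc=1
            for n in $ns; do
                echo "warning: $f: nameserver $n is not loopback;" \
                     "DANE TLSA lookups would trust an off-host validator" >&2
            done
        }
    done
    return "$rc"
}

# Live use on a Postfix host (assumed chroot layout under queue_directory):
#   dane_resolver_check "$(postconf -h smtp_tls_security_level)" \
#       /etc/resolv.conf "$(postconf -h queue_directory)/etc/resolv.conf"
```

Run it from a cron job or a deploy hook and treat a non-zero exit as a configuration error; a `127.*` match also covers stub resolvers such as 127.0.0.53, so the check only says the resolver is on this host, not that it validates DNSSEC. That second property still has to be confirmed on the resolver itself.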
