Re: Running namecache service on postfix server?

  • Viktor Dukhovni
    Feb 27, 2013
      On Wed, Feb 27, 2013 at 10:53:58AM -0500, Robert Moskowitz wrote:

      > But to share a single DNS among a number of mail servers, say in a
      > mail farm that probably has lots of other types of servers running
      > with questionable content, I would want secure tunnels from the mail
      > server to the DNS server and that no longer is a non-trivial
      > exercise.

      Nothing of the sort, just enable validation of outside domains and
      exempt local domains if unsigned. TSIG configuration is much more
      complex and is both beyond our reasonable ability to document with
      specificity (too many variants between GSSAPI, and other security
      mechanisms) and the ability of most administrators to configure.

      The same goes for IPSEC, ...

      > How much resources does a local caching server demand? I would think
      > it is mostly memory for the cache. You may have to throw a couple
      > more Gb at a loaded server.

      GB is the wrong order of magnitude. A megabyte of RAM should be
      more than enough for local cache on most mail servers. Just need
      room in the cache for the MX, A, TLSA and RRSIG of the 10 highest
      volume destination domains and the A and PTR records of the 10
      highest volume clients.

      The purpose of the local cache (before DANE support) is to reduce
      latency for the highest volume requests and to give the MTA
      administrator the flexibility to craft custom local MX RRsets in
      suitable local zones:

      example.net.localhost. IN MX 0 internal-mx1.example.net.
      example.net.localhost. IN MX 0 internal-mx2.example.net.

      example.com.localhost. IN MX 0 gw1.localhost.
      example.com.localhost. IN MX 0 gw2.localhost.

      gw1.localhost. IN A
      gw2.localhost. IN A

      Then one can add transport table entries:

      example.net smtp:example.net.localhost
      example.com smtp:example.com.localhost

      These won't break DNSSEC zone validation since "localhost" would
      be a local unsigned zone. With DANE + DNSSEC the local cache also
      makes it possible to trust the AD-bit without jumping through hoops
      with TSIG or implementing DNSSEC validation in Postfix.

      I think we've beaten this thread to death; I'm done for now.

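A concrete realisation of the setup described in the message above, as an added example that is not part of Viktor's post or of the Postfix project's own documentation: an unbound.conf for a loopback-only validating cache that serves the unsigned "localhost" zone with the custom MX RRsets, followed (in comments) by the resolver, transport and main.cf settings that make Postfix use it. The gateway addresses 192.0.2.x, the file paths and the internal-mx host names are constructed placeholders.

```conf
# /etc/unbound/unbound.conf  (added example; paths and addresses are placeholders)
server:
    # Listen on loopback only: this cache serves one MTA, not the whole farm,
    # so no TSIG or IPsec tunnel is needed before its answers can be trusted.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Validate from the root down; answers that verify are returned with AD set.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # A few MB is ample for the MX/A/TLSA/RRSIG sets of the busiest peers.
    msg-cache-size: 4m
    rrset-cache-size: 8m

    # "localhost." is an unsigned, locally served zone, so names under it are
    # answered from local-data and never interfere with validation of real zones.
    local-zone: "localhost." static
    local-data: "example.net.localhost. IN MX 0 internal-mx1.example.net."
    local-data: "example.net.localhost. IN MX 0 internal-mx2.example.net."
    local-data: "example.com.localhost. IN MX 0 gw1.localhost."
    local-data: "example.com.localhost. IN MX 0 gw2.localhost."
    # Placeholder gateway addresses from the RFC 5737 documentation range.
    local-data: "gw1.localhost. IN A 192.0.2.10"
    local-data: "gw2.localhost. IN A 192.0.2.11"

# /etc/resolv.conf on the MTA: only the local cache, so the AD bit is never
# carried over an untrusted network path between Postfix and its resolver.
#   nameserver 127.0.0.1
#
# /etc/postfix/transport (then run "postmap /etc/postfix/transport"):
#   example.net    smtp:example.net.localhost
#   example.com    smtp:example.com.localhost
#
# /etc/postfix/main.cf (the DANE-related parameters exist in Postfix 2.11+):
#   transport_maps          = hash:/etc/postfix/transport
#   smtp_dns_support_level  = dnssec   # request DNSSEC and trust the AD bit
#   smtp_tls_security_level = dane     # use TLSA records where they validate
#
# Check: a signed zone must answer with "flags: ... ad"; the local zone must not.
#   dig +dnssec @127.0.0.1 example.net MX           | grep -i 'flags:'
#   dig +dnssec @127.0.0.1 example.net.localhost MX | grep -i 'flags:'
```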