
Re: Running namecache service on postfix server?

  • Robert Moskowitz
    Feb 27, 2013
      On 02/27/2013 10:43 AM, Viktor Dukhovni wrote:
      > On Wed, Feb 27, 2013 at 10:20:50AM -0500, Wietse Venema wrote:
      >>>> I think it would be entirely reasonable to share a DNS cache among
      >>>> multiple systems within the same trusted perimeter. One DNS server
      >>>> per host in a farm of mail servers may not be practical.
      >>> A local cache on each, forwarding to two or three resolvers that are
      >>> nearby? Local for DNSSEC verification, nearby cache for performance
      >>> reasons? Am I missing something that would make that impractical?
      >> I think it would be helpful to give examples of how "secure DNS"
      >> caches can be shared, instead of outright banning this. On non-trivial
      >> deployments, DNS and MAIL are managed by different people.
      > This was the intent of my original example, I guess I did not draw
      > sufficient attention to the:
      > forward-zone:
      > name: "."
      > forward-addr:
      > stanza at the bottom of the unbound.conf example. We'll need to
      > provide a similar configuration example for BIND, and explain the
      > rationale for both, so other local nameservers could also be
      > supported by an MTA administrator who understands the requirements.

      On CentOS 6.3 (bind 9.8.2 with security patches) I did:

      yum install bind bind-chroot

      In /etc/sysconfig/network-scripts/ifcfg-eth0 set:


      ifdown eth0; ifup eth0

      Add to /var/named/chroot/etc/named.conf options section:

      forward only;
      forwarders {
          // replace the quoted placeholders with literal IP addresses (no quotes)
          'IPv4 addr of forwarded server';
          'IPv6 addr of forwarded server';
      };

      # the init script installed by the bind package on CentOS 6 is called named, not bind
      service named start
      chkconfig named on

      You CAN use 'forward first' and then if your forward server is
      unreachable, your caching server will go out on the net to the '.'
      servers and walk down from there. Look at 'first' as opportunistic local
      forwarding and 'only' as forced local forwarding.
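      A small check to go with the setup above, added here and not part of the thread: it queries the local caching resolver with dig and reports whether the answer carries the AD (authenticated data) flag, which is the whole reason for keeping the validator on the MTA host rather than trusting a remote cache. It assumes named is listening on 127.0.0.1 with dnssec-validation enabled and that dig is installed; the two sample dig headers embedded below are constructed for an offline self-check of the parser.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the local
# forwarding cache validates DNSSEC by looking for the AD flag in dig output.

# Parse the ";; flags:" header line of dig output.
# Returns 0 if the AD flag is present, 1 otherwise.
has_ad_flag() {
    # $1: complete dig output as text
    printf '%s\n' "$1" | awk '
        /^;; flags:/ {
            sub(/.*flags:/, "")      # keep only the flag list ...
            sub(/;.*/, "")           # ... up to the first semicolon
            for (i = 1; i <= NF; i++) if ($i == "ad") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Ask the local resolver (127.0.0.1 unless overridden) for a name with
# +dnssec and return 0 only if the answer was validated (AD set).
# Returns 2 if dig itself failed (resolver down, no such tool, ...).
check_validation() {
    name=$1
    resolver=${2:-127.0.0.1}
    out=$(dig @"$resolver" +dnssec "$name" A 2>/dev/null) || return 2
    has_ad_flag "$out"
}

# Constructed sample dig headers for an offline self-check:
# one validated answer (has "ad") and one unvalidated answer (no "ad").
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Usage on the mail host (hypothetical signed zone name as argument):
#   check_validation example.org && echo "validated" || echo "NOT validated"
```

      If the AD flag never appears for a zone you know is signed, the local named is answering from a forwarder without validating, and the forwarders alone do not give the MTA the assurance this setup is meant to provide.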