On Feb 26, 2013, at 17:51, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Tue, Feb 26, 2013 at 09:58:54AM -0500, Robert Moskowitz wrote:
> 
>> I have recently updated my DNS server and am observing the traffic
>> from my mail server to constantly query for names.  Some of these
>> names are frequent requests, for example: zen.spamhaus.org.  So I
>> was thinking that I could benefit from running a namecaching setup
>> on my mail server platform.  This would cut down on traffic and time
>> on my mail server.
>> 
>> Is this a practice that is common?  Are there any downsides to doing this?
> 
> When Postfix support for DANE (RFC 6698) is introduced, there will
> be a requirement to operate a local nameserver that is DNSSEC aware
> on any machine that wants to take advantage of peer certificate details
> published via DNSSEC to scalably deliver verified TLS email to many
> sites without the overhead of local per-site configuration.
> 
> Consider not only deploying a local cache, but also making sure
> that it is DNSSEC aware. I recommend "unbound" from nlnetlabs.nl.
> Of course you don't have to use DANE and TLS, but you still benefit
> from a local cache regardless.

Another advantage of a local cache is that you can intercept or 
redirect DNS queries. We have a dedicated zone for our own DNS 
blacklist, for example, that redirects to rbldnsd on a different port. 
Postfix (and postscreen) query this local blacklist via DNS, just like
they would with Spamhaus blacklists, the BRBL etc.

We currently use BIND, but would recommend Unbound as well; that's what 
we'll be moving towards for DNSSEC support.

HTH,
Jona
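The setup Viktor and Jona describe (a local, DNSSEC-validating Unbound cache that also hands a private DNSBL zone off to rbldnsd on a non-standard port, with Postfix pointed at it) looks roughly like the following. This is an added illustration, not configuration from either poster; the zone name `dnsbl.example.internal`, the rbldnsd port 1053 and the Spamhaus weight are assumed values.

```conf
# /etc/unbound/unbound.conf  (illustrative; zone name and port are assumed)
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Validate DNSSEC for everything that is signed; RFC 5011 managed anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # The private DNSBL zone is unsigned and does not exist in the public
    # tree, so tell the validator not to expect a chain of trust for it.
    domain-insecure: "dnsbl.example.internal"
    # Unbound refuses to forward to loopback unless told otherwise;
    # rbldnsd listens on 127.0.0.1:1053 in this example.
    do-not-query-localhost: no

# Hand every query under the private zone to rbldnsd on its own port.
stub-zone:
    name: "dnsbl.example.internal"
    stub-addr: 127.0.0.1@1053

# /etc/resolv.conf on the mail host: use only the local cache.
# nameserver 127.0.0.1
# (Copy it into the chroot too if smtpd runs chrooted, e.g.
#  /var/spool/postfix/etc/resolv.conf.)

# /etc/postfix/main.cf: the private list is queried like any public DNSBL.
# postscreen_dnsbl_sites = zen.spamhaus.org*3, dnsbl.example.internal*3
# postscreen_dnsbl_threshold = 3
# smtpd_recipient_restrictions =
#     permit_mynetworks,
#     reject_unauth_destination,
#     reject_rbl_client dnsbl.example.internal,
#     reject_rbl_client zen.spamhaus.org
```

A quick check after reloading is `unbound-host -v -t A 2.0.0.127.dnsbl.example.internal` (the test entry rbldnsd serves), which should answer from port 1053 without a validation error, while `unbound-host -v example.org` should report `(secure)`.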
