On 02/26/2013 08:57 PM, b...@bitrate.net wrote:
> On Feb 26, 2013, at 11.51, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Tue, Feb 26, 2013 at 09:58:54AM -0500, Robert Moskowitz wrote:
>>
>>> I have recently updated my DNS server and am observing the traffic
>>> from my mail server to constantly query for names.  Some of these
>>> names are frequent requests, for example: zen.spamhaus.org.  So I
>>> was thinking that I could benefit from running a namecaching setup
>>> on my mail server platform.  This would cut down on traffic and time
>>> on my mail server.
>>>
>>> Is this a practice that is common?  Are there any downsides to doing this?
>>
>> When Postfix support for DANE (RFC 6698) is introduced, there will
>> be a requirement to operate a local nameserver that is DNSSEC aware
>> on any machine that wants to take advantage of peer certificate details
>> published via DNSSEC to scalably deliver verified TLS email to many
>> sites without the overhead of local per-site configuration.
>
> why must the nameserver be local?  i gather the point is to be able to trust
> the dns responses, which of course goes without saying - but there are methods
> for accomplishing this in scenarios with a non local nameserver, aren't there?
> i think rfc 6698 speaks to this briefly?

I don't think there is a MUST there in the IETF tradition. More of a SHOULD; I think it is a matter of performance, and perhaps security (I would have to net it out; definitely less 'room' for a MITM). I suspect people with experience in this area (mine is elsewhere in the IETF and IEEE 802) can well list the advantages of 'co-location'.
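The "room for a MITM" point above comes down to one header bit. A DNSSEC-validating resolver reports success by setting the AD (Authenticated Data) flag in the plain DNS response header; nothing on the wire protects that flag, so a client can only believe it when the resolver is on the same host (or reached over an authenticated channel). The following Python is an added illustration, not code from the thread or from Postfix: it parses the 12-byte DNS header, reads the AD bit, and accepts it only when the answering resolver is a loopback address. The sample headers are constructed inline, not captured traffic, and the helper names are my own.

```python
import ipaddress
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: resolver asserts DNSSEC validation succeeded
FLAG_CD = 0x0010  # Checking Disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def validated_locally(msg: bytes, resolver_ip: str) -> bool:
    """True only if the response is a clean answer with AD set AND it came from
    a loopback resolver.  The AD bit is carried in clear text, so an answer
    relayed from a remote resolver could have had it set or cleared on the path;
    treating it as proof of DNSSEC validation is only sound for a local
    (or otherwise authenticated) resolver.  This mirrors the reason the
    thread gives for DANE needing a local DNSSEC-aware nameserver."""
    hdr = parse_header(msg)
    if not hdr["qr"] or hdr["rcode"] != 0 or not hdr["ad"]:
        return False
    return ipaddress.ip_address(resolver_ip).is_loopback


def build_header(ident: int, flags: int, qdcount: int = 1, ancount: int = 1) -> bytes:
    """Construct a header for the examples below (sample data, not real traffic)."""
    return HEADER.pack(ident, flags, qdcount, ancount, 0, 0)


# Constructed sample responses: one validated (AD set), one unvalidated.
AD_RESPONSE = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
PLAIN_RESPONSE = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)

if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range address standing in for a remote resolver.
    for label, msg, ip in [
        ("AD from loopback", AD_RESPONSE, "127.0.0.1"),
        ("AD from remote", AD_RESPONSE, "192.0.2.53"),
        ("no AD from loopback", PLAIN_RESPONSE, "127.0.0.1"),
    ]:
        print(f"{label:22s} -> trusted: {validated_locally(msg, ip)}")
```

The same logic is what makes "just point resolv.conf at a remote validating resolver" insufficient for DANE: the bit that says "validated" arrives unprotected, so the trust decision has to be tied to where the answer came from.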
