On Feb 27, 2013, at 12:58, Wietse Venema <wie...@porcupine.org> wrote:
> Viktor Dukhovni:
>> Perhaps "postfix check" could generate a warning if DANE is enabled
>> and non-local nameservers are found in /etc/resolv.conf (or and/or
>> its chroot-jail version).
>
> I think it would be entirely reasonable to share a DNS cache among
> multiple systems within the same trusted perimeter. One DNS server
> per host in a farm of mail servers may not be practical.

A local cache on each, forwarding to two or three resolvers that are nearby? Local for DNSSEC verification, nearby cache for performance reasons? Am I missing something that would make that impractical?

Cya,
Jona
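
The check proposed in the quoted text, sketched as an added example that is not Postfix code and not part of this thread: it warns when DANE is on and a resolv.conf lists a nameserver that is not a loopback address. It assumes DANE is enabled through `smtp_tls_security_level` in `postconf -n` style text, that "local" means loopback only, and that the caller supplies the text of /etc/resolv.conf and of its chroot copy; the function names and sample inputs are hypothetical.

```python
import ipaddress

# Constructed inputs for illustration; not taken from any real host.
SAMPLE_POSTCONF = "smtp_dns_support_level = dnssec\nsmtp_tls_security_level = dane\n"
SAMPLE_RESOLV = """\
# constructed sample
search example.com
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver ::1
"""

def dane_enabled(postconf_text):
    """True if 'postconf -n' style text sets smtp_tls_security_level to dane or dane-only."""
    for line in postconf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == "smtp_tls_security_level":
            return value.strip() in ("dane", "dane-only")
    return False

def nonlocal_nameservers(resolv_text):
    """Return the nameserver entries that are not loopback addresses."""
    flagged = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        addr = fields[1]
        try:
            # Drop an IPv6 zone id ("%eth0") before parsing.
            if not ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback:
                flagged.append(addr)
        except ValueError:
            flagged.append(addr)  # unparseable: report rather than trust
    return flagged

def check(postconf_text, resolv_files):
    """resolv_files maps a path label to file text; returns warning strings."""
    if not dane_enabled(postconf_text):
        return []
    return [
        f"warning: DANE enabled but {path} lists non-local nameserver {ns}"
        for path, text in resolv_files.items()
        for ns in nonlocal_nameservers(text)
    ]
```

A file with no `nameserver` lines produces no warning, since the resolver then defaults to the name server on the local machine. The layout suggested in the reply, a validating cache on each host that forwards to nearby resolvers, passes this check because resolv.conf then lists only the loopback address.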