On 02/27/2013 06:58 AM, Wietse Venema wrote:
> Viktor Dukhovni:
>> Perhaps "postfix check" could generate a warning if DANE is enabled
>> and non-local nameservers are found in /etc/resolv.conf (and/or
>> its chroot-jail version).
>
> I think it would be entirely reasonable to share a DNS cache among
> multiple systems within the same trusted perimeter. One DNS server
> per host in a farm of mail servers may not be practical.

In such a case I would run IPsec between them with a policy for only DNS
traffic through the tunnel. ESP encapsulation is rather cheap and
assures you the traffic is going where you want it.
Or if you have very good VLAN control, you could run 802.1AE, but the
app space cannot tell (typically) if MACsec is working.
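As an added example (not Postfix code, and not written by anyone in this thread), here is the "postfix check" warning Viktor proposes, as a stand-alone Python script. It assumes that DANE counts as enabled when main.cf sets smtp_tls_security_level to dane or dane-only (per-destination smtp_tls_policy_maps are ignored), that the chroot copy of resolv.conf lives at /var/spool/postfix/etc/resolv.conf, and it runs on constructed sample texts unless given --live.

```python
"""Added example, not Postfix code: the "postfix check" warning proposed in the
thread, as a stand-alone script. Assumptions: DANE is treated as enabled when
main.cf sets smtp_tls_security_level to dane or dane-only (per-destination
smtp_tls_policy_maps are ignored); the chroot copy of resolv.conf is assumed
at /var/spool/postfix/etc/resolv.conf; the sample texts are constructed."""
import ipaddress
import sys
from typing import Dict, List

# A nameserver on a loopback address is on this host, so the hop from the stub
# resolver to the validating cache never leaves the box.
LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"))

# Files a live run reads; the second path is the chroot copy (assumed location).
RESOLV_PATHS = ["/etc/resolv.conf", "/var/spool/postfix/etc/resolv.conf"]

# Constructed sample inputs so the script runs offline.
SAMPLE_MAIN_CF = ("smtpd_banner = $myhostname ESMTP\n"
                  "smtp_tls_security_level = dane\n")
SAMPLE_RESOLV_CONF = ("# constructed for the example\n"
                      "search example.net\n"
                      "nameserver 127.0.0.1\n"
                      "nameserver 192.0.2.53   ; shared cache on another box\n"
                      "options edns0\n")


def parse_nameservers(text: str) -> List[str]:
    """Nameserver addresses from resolv.conf text, in file order.
    Lines starting with '#' or ';' are comments (resolv.conf(5)); trailing
    comment text after the address is dropped here as well."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def is_local_resolver(addr: str) -> bool:
    """True if addr is an IPv4 or IPv6 loopback address (scope id stripped)."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])
    except ValueError:
        return False
    return any(ip in net for net in LOOPBACK_NETS)


def dane_enabled(main_cf: str) -> bool:
    """True if main.cf sets smtp_tls_security_level to dane or dane-only.
    main.cf comments are whole lines starting with '#', and the last
    assignment of a parameter wins; continuation lines are not handled."""
    level = ""
    for raw in main_cf.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "smtp_tls_security_level":
            level = value
    return level in ("dane", "dane-only")


def check_resolv_conf(text: str, path: str) -> List[str]:
    """One warning per nameserver in text that is not on this host."""
    return [f"{path}: nameserver {addr} is not local; DANE needs a trusted "
            f"validating resolver reachable without leaving the host"
            for addr in parse_nameservers(text) if not is_local_resolver(addr)]


def run_check(main_cf: str, resolv_files: Dict[str, str]) -> List[str]:
    """All warnings for the given main.cf text and {path: resolv.conf text};
    empty when DANE is off or every nameserver is local."""
    if not dane_enabled(main_cf):
        return []
    warnings = []
    for path, text in resolv_files.items():
        warnings.extend(check_resolv_conf(text, path))
    return warnings


def load_files(paths: List[str]) -> Dict[str, str]:
    """Read whichever of paths exist (a missing chroot copy is not an error)."""
    found = {}
    for path in paths:
        try:
            with open(path) as fh:
                found[path] = fh.read()
        except OSError:
            pass
    return found


def main(live: bool = False) -> int:
    """Run on the constructed sample, or with --live on this host's files.
    Exit status 1 when any warning was printed, like a failing check."""
    if live:
        main_cf = load_files(["/etc/postfix/main.cf"]).get("/etc/postfix/main.cf", "")
        files = load_files(RESOLV_PATHS)
    else:
        main_cf, files = SAMPLE_MAIN_CF, {"/etc/resolv.conf": SAMPLE_RESOLV_CONF}
    warnings = run_check(main_cf, files)
    for warning in warnings:
        print("warning:", warning, file=sys.stderr)
    return 1 if warnings else 0


if __name__ == "__main__":
    sys.exit(main(live="--live" in sys.argv[1:]))
```

On the sample input the script flags 192.0.2.53 and exits 1; with a main.cf that sets the level to may or encrypt it stays silent, since a non-local cache is only a DANE problem.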
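The DNS-only IPsec policy the reply describes, written out as an added setkey(8) SPD fragment; it is not from the thread's author or from Postfix. Addresses are documentation-range placeholders: 192.0.2.10 is the mail host and 192.0.2.53 the shared cache. Key exchange (racoon or another IKE daemon, or manual SA entries) is assumed to be set up separately.

```setkey
# Transport-mode ESP between the mail host (192.0.2.10) and the shared DNS
# cache (192.0.2.53), required in both directions, for UDP and TCP port 53
# only. Traffic not matching these selectors is left alone.
spdflush;

spdadd 192.0.2.10 192.0.2.53[53] udp -P out ipsec esp/transport//require;
spdadd 192.0.2.53[53] 192.0.2.10 udp -P in  ipsec esp/transport//require;
spdadd 192.0.2.10 192.0.2.53[53] tcp -P out ipsec esp/transport//require;
spdadd 192.0.2.53[53] 192.0.2.10 tcp -P in  ipsec esp/transport//require;
```

The `require` level is what gives the assurance the reply mentions: a port-53 packet with no matching SA is dropped (or triggers an IKE acquire) instead of being sent in the clear, so a misconfigured or torn-down tunnel fails closed rather than silently exposing the queries. IPsec only protects the path, though; the mail host's stub resolver still relies on the cache having validated the answers, so the cache itself has to sit inside the trusted perimeter Wietse describes.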