On Wed, Feb 27, 2013 at 03:25:41PM +0100, DTNX Postmaster wrote:

> > I think it would be entirely reasonable to share a DNS cache among
> > multiple systems within the same trusted perimeter. One DNS server
> > per host in a farm of mail servers may not be practical.
>
> A local cache on each, forwarding to two or three resolvers that are
> nearby? Local for DNSSEC verification, nearby cache for performance
> reasons? Am I missing something that would make that impractical?
No, and that's pretty much what my original post suggests:

On Tue, Feb 26, 2013 at 04:51:22PM +0000, Viktor Dukhovni wrote:
> On Tue, Feb 26, 2013 at 09:58:54AM -0500, Robert Moskowitz wrote:
>
> Setting up DNSSEC on a local unbound cache that forwards all queries
> to an upstream server boils down to:
>
>     /etc/unbound/unbound.conf
>     server:
>         ...
>         trust-anchor: ". IN DS 19036 8 2
>         49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
>
>     # Forward all requests to upstream server at 192.0.2.1
>     forward-zone:
>         name: "."
>         forward-addr: "192.0.2.1"

As you say, one would typically add a couple of additional upstream
caches:

        forward-addr: "192.0.2.2"
        forward-addr: "192.0.2.3"

-- 
	Viktor.
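As an added example (not code from this thread or from the unbound project), a small Python linter for the validating-forwarder layout described above: it parses a flat unbound.conf, checks that the root trust-anchor DS record is well formed, and checks that the forward-zone for "." lists at least two upstream caches. The sample config, the parser and the function names are constructed for this illustration.

```python
# Constructed sample (not from the post): the forwarder from the thread plus two extra caches.
SAMPLE_CONF = """\
server:
    trust-anchor: ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
forward-zone:
    name: "."
    forward-addr: "192.0.2.1"  # primary upstream cache
    forward-addr: "192.0.2.2"
    forward-addr: "192.0.2.3"
"""
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # hex digest length for SHA-1, SHA-256, SHA-384

def parse_unbound(text):
    """Flat unbound.conf -> {clause: [[(option, value), ...], ...]}, one list per clause instance."""
    clauses, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()                  # drop comments (none inside quotes here)
        if line and not line[0].isspace() and line.endswith(":"):  # clause header, e.g. server:
            current = line[:-1]
            clauses.setdefault(current, []).append([])
        elif line.strip():                                     # 'option: value' under current clause
            key, _, value = line.strip().partition(":")
            clauses[current][-1].append((key.strip(), value.strip().strip('"')))
    return clauses

def check_trust_anchor(ds_text):
    """Return problems with a trust-anchor: DS record in RFC 4034 presentation format."""
    p = ds_text.split()
    if len(p) != 7 or p[1:3] != ["IN", "DS"] or not all(x.isdigit() for x in p[3:6]):
        return [f"unexpected DS format: {ds_text!r}"]
    problems = [] if p[0] == "." else [f"trust anchor is for {p[0]!r}, not the root"]
    want = DS_DIGEST_HEX_LEN.get(int(p[5]))
    if want is None or len(p[6]) != want or not set(p[6]) <= set("0123456789abcdefABCDEF"):
        problems.append(f"bad DS digest: type {p[5]}, {len(p[6])} chars")
    return problems

def check_forwarder_config(text, min_forwarders=2):
    """Lint: a well-formed root anchor in server:, and forward-zone '.' with enough upstreams."""
    conf = parse_unbound(text)
    anchors = [v for inst in conf.get("server", []) for k, v in inst if k == "trust-anchor"]
    problems = [] if anchors else ["no trust-anchor: in server: (nothing to validate against)"]
    problems += [q for a in anchors for q in check_trust_anchor(a)]
    root_zones = [z for z in conf.get("forward-zone", []) if ("name", ".") in z]
    if not root_zones:
        problems.append("no forward-zone: with name: '.'")
    for zone in root_zones:
        n = sum(1 for k, _ in zone if k == "forward-addr")
        if n < min_forwarders:
            problems.append(f"forward-zone '.' has {n} forward-addr, want >= {min_forwarders}")
    return problems
```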