On Wed, Feb 27, 2013 at 03:25:41PM +0100, DTNX Postmaster wrote:

> > I think it would be entirely reasonable to share a DNS cache among
> > multiple systems within the same trusted perimeter. One DNS server
> > per host in a farm of mail servers may not be practical.
> 
> A local cache on each, forwarding to two or three resolvers that are 
> nearby? Local for DNSSEC verification, nearby cache for performance 
> reasons? Am I missing something that would make that impractical?

No, and that's pretty much what my original post suggests:

On Tue, Feb 26, 2013 at 04:51:22PM +0000, Viktor Dukhovni wrote:

> On Tue, Feb 26, 2013 at 09:58:54AM -0500, Robert Moskowitz wrote:
> 
> Setting up DNSSEC on a local unbound cache that forwards all queries
> to an upstream server boils down to:
> 
>     /etc/unbound/unbound.conf
>       server:
>           ...
>           trust-anchor: ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
> 
>       # Forward all requests to upstream server at 192.0.2.1
>       forward-zone:
>           name: "."
>           forward-addr: "192.0.2.1"

As you say, one would typically add a couple of additional upstream caches:

            forward-addr: "192.0.2.2"
            forward-addr: "192.0.2.3"

-- 
        Viktor.
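Added example (not code from the post above or from the unbound project): it renders the server:/forward-zone: stanza the thread describes from a trust-anchor DS record and a list of upstream caches, and first checks that the DS record is well formed. The DS quoted in the thread is the 2010 root KSK; a statically configured trust-anchor has to be updated by hand whenever the root KSK is rolled, and the check below catches the other common failure, a digest that was truncated or line-wrapped when pasted, by comparing its length against the DS digest type. The function names, the DIGEST_HEX_LEN table (from RFC 4034, 4509, 5933 and 6605) and the sample upstream addresses are my own assumptions.

```python
"""Render and sanity-check the unbound forwarder stanza described in the thread.

Added example, not code from the original post or from unbound itself.
"""
import ipaddress
import re
from typing import Dict, List

# Root KSK DS record as quoted in the thread (key tag 19036, algorithm 8, digest type 2).
ROOT_DS_2010 = (
    ". IN DS 19036 8 2 "
    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
)

# Digest length in hex characters per DS digest type (assumed table, from the RFCs):
# 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 3 = GOST R 34.11-94 (RFC 5933),
# 4 = SHA-384 (RFC 6605).
DIGEST_HEX_LEN = {1: 40, 2: 64, 3: 64, 4: 96}

# Presentation format: <owner> IN DS <key tag> <algorithm> <digest type> <hex digest>
# RFC 4034 allows whitespace inside the hex digest, so the last group admits it.
_DS_RE = re.compile(
    r"^(?P<owner>\S+)\s+IN\s+DS\s+(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+"
    r"(?P<digest>[0-9A-Fa-f\s]+)$"
)


def parse_ds(record: str) -> Dict[str, object]:
    """Parse a DS record, rejecting one whose digest length does not fit its type.

    A wrong-length digest is the usual symptom of a trust anchor that was
    truncated or cut at a line wrap when copied from a mail or a web page.
    """
    m = _DS_RE.match(record.strip())
    if not m:
        raise ValueError(f"not a DS record in presentation format: {record!r}")
    tag, alg, dtype = (int(m.group(g)) for g in ("tag", "alg", "dtype"))
    digest = re.sub(r"\s+", "", m.group("digest")).upper()
    if not 0 <= tag <= 65535:
        raise ValueError(f"key tag {tag} out of range")
    if not 1 <= alg <= 255:
        raise ValueError(f"algorithm {alg} out of range")
    if dtype not in DIGEST_HEX_LEN:
        raise ValueError(f"unknown digest type {dtype}")
    if len(digest) != DIGEST_HEX_LEN[dtype]:
        raise ValueError(
            f"digest type {dtype} needs {DIGEST_HEX_LEN[dtype]} hex chars, got {len(digest)}"
        )
    return {"owner": m.group("owner"), "key_tag": tag, "algorithm": alg,
            "digest_type": dtype, "digest": digest}


def is_valid_ds(record: str) -> bool:
    """Boolean wrapper around parse_ds for quick checks."""
    try:
        parse_ds(record)
    except ValueError:
        return False
    return True


def render_unbound_conf(trust_anchor: str, upstreams: List[str]) -> str:
    """Build the server:/forward-zone: fragment from the thread.

    forward-addr takes literal IP addresses, so every upstream is parsed as
    one; a hostname here would also create a bootstrap dependency on DNS.
    """
    ds = parse_ds(trust_anchor)
    anchor = (f'{ds["owner"]} IN DS {ds["key_tag"]} {ds["algorithm"]} '
              f'{ds["digest_type"]} {ds["digest"]}')
    addrs = [str(ipaddress.ip_address(a)) for a in upstreams]  # raises on a non-address
    if not addrs:
        raise ValueError("at least one forward-addr is required")
    lines = [
        "server:",
        f'    trust-anchor: "{anchor}"',
        "",
        "# Forward all requests to the upstream caches",
        "forward-zone:",
        '    name: "."',
    ]
    lines += [f'    forward-addr: "{a}"' for a in addrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed upstream addresses from the RFC 5737 documentation range used in the thread.
    print(render_unbound_conf(ROOT_DS_2010, ["192.0.2.1", "192.0.2.2", "192.0.2.3"]))
```

Running the module prints a fragment that can be pasted into /etc/unbound/unbound.conf; a DS record with a 28-character digest, or one whose digest type is not in the table, is refused before anything is written.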
