DTNX Postmaster:
> On Feb 27, 2013, at 12:58, Wietse Venema <wie...@porcupine.org> wrote:
>
> > Viktor Dukhovni:
> >> Perhaps "postfix check" could generate a warning if DANE is enabled
> >> and non-local nameservers are found in /etc/resolv.conf (and/or
> >> its chroot-jail version).
> >
> > I think it would be entirely reasonable to share a DNS cache among
> > multiple systems within the same trusted perimeter. One DNS server
> > per host in a farm of mail servers may not be practical.
>
> A local cache on each, forwarding to two or three resolvers that are
> nearby? Local for DNSSEC verification, nearby cache for performance
> reasons? Am I missing something that would make that impractical?
I think it would be helpful to give examples of how "secure DNS"
caches can be shared, instead of outright banning this. On non-trivial
deployments, DNS and MAIL are managed by different people.

	Wietse
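The "postfix check" warning Viktor floats above, as an added example written for this page (not Postfix code): it parses resolv.conf text, flags nameservers that are neither loopback nor inside an operator-supplied list of trusted networks (the "trusted perimeter" Wietse describes), and returns a warning string. The sample resolv.conf, the `trusted_networks` argument and the `dane_enabled` flag are constructed assumptions.

```python
import ipaddress
import sys

# Constructed sample resolv.conf contents for this example (not from any real host).
SAMPLE_RESOLV_CONF = """\
# local validating resolver first, then a shared cache on the LAN
nameserver 127.0.0.1
nameserver ::1
nameserver 10.0.0.53   ; shared cache
options edns0
search example.net
"""

def parse_nameservers(text):
    """Extract nameserver addresses from resolv.conf text ('#' and ';' start comments)."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # the stub resolver ignores unparsable entries; so do we
    return servers

def untrusted_nameservers(text, trusted_networks=()):
    """Nameservers that are neither loopback nor inside a trusted network (assumed operator input)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    return [str(a) for a in parse_nameservers(text)
            if not a.is_loopback and not any(a in n for n in nets)]

def dane_resolver_warning(text, dane_enabled=True, trusted_networks=()):
    """The warning 'postfix check' could emit, or None when there is nothing to report."""
    if not dane_enabled:
        return None
    remote = untrusted_nameservers(text, trusted_networks)
    if not remote:
        return None
    return ("warning: DANE is enabled but resolv.conf lists nameserver(s) outside the "
            "trusted perimeter: " + ", ".join(remote)
            + " (the AD bit from a resolver reached over an untrusted path is not trustworthy)")

if __name__ == "__main__":
    # Usage: check a real file (/etc/resolv.conf or the chroot copy) with optional trusted CIDRs.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as fh:
        msg = dane_resolver_warning(fh.read(), trusted_networks=sys.argv[2:])
    print(msg or "ok: all nameservers local or within trusted networks")
```

Listing a network in `trusted_networks` only suppresses the warning; it is the operator's statement that the path to that cache is inside the perimeter, which the check cannot verify on its own.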