On Wed, Feb 27, 2013 at 10:20:50AM -0500, Wietse Venema wrote:

> > > I think it would be entirely reasonable to share a DNS cache among
> > > multiple systems within the same trusted perimeter. One DNS server
> > > per host in a farm of mail servers may not be practical.
> > 
> > A local cache on each, forwarding to two or three resolvers that are 
> > nearby? Local for DNSSEC verification, nearby cache for performance 
> > reasons? Am I missing something that would make that impractical?
> 
> I think it would be helpful to give examples of how "secure DNS"
> caches can be shared, instead of outright banning this. On non-trivial
> deployments, DNS and MAIL are managed by different people.

This was the intent of my original example; I guess I did not draw
sufficient attention to the:

        forward-zone:
                name: "."
                forward-addr: 192.0.2.1

stanza at the bottom of the unbound.conf example. We'll need to
provide a similar configuration example for BIND, and explain the
rationale for both, so other local nameservers could also be
supported by an MTA administrator who understands the requirements.

-- 
        Viktor.

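The arrangement discussed above, a per-host validating resolver that forwards everything to shared caches, as a fuller unbound.conf. This is an added example, not the configuration from the original message or from the Postfix project; the two forwarder addresses are documentation addresses standing in for the site's caches, and the trust-anchor path follows common packaging but should be checked against the local install.

```conf
# Added example (not from the thread): per-host unbound that validates
# DNSSEC locally and forwards all queries to nearby shared caches.
# 192.0.2.1 / 192.0.2.2 stand in for the site's resolvers (assumption).
server:
    # The MTA on this host is the only client, so listen on loopback only.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Validation happens here. The root trust anchor is kept and rolled
    # (RFC 5011) by this instance, so the answers the MTA sees are checked
    # locally no matter what the upstream caches do.
    # Path is an assumption; use the one your package ships.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"
    val-permissive-mode: no

    # If a forwarder strips RRSIGs from a signed zone, treat the data as
    # bogus rather than quietly downgrading it to "insecure".
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Small local cache; the shared caches carry the bulk of the load.
    msg-cache-size: 4m
    rrset-cache-size: 8m

# Send every query to the shared caches instead of recursing from root.
# forward-first stays at its default (no) so a failing forwarder does not
# silently turn this host into a full resolver.
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
    forward-addr: 192.0.2.2
```

The shared caches do not have to validate, but they must be DNSSEC-aware: they have to honour the DO bit and return RRSIG records, otherwise the local validator sees stripped answers and, with `harden-dnssec-stripped` set, returns SERVFAIL for every signed zone. The same split in BIND 9 is `dnssec-validation auto;` together with `forward only; forwarders { 192.0.2.1; 192.0.2.2; };` in the `options` block.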