On Wed, Feb 27, 2013 at 10:20:50AM -0500, Wietse Venema wrote:
> > > I think it would be entirely reasonable to share a DNS cache among
> > > multiple systems within the same trusted perimeter. One DNS server
> > > per host in a farm of mail servers may not be practical.
> >
> > A local cache on each, forwarding to two or three resolvers that are
> > nearby? Local for DNSSEC verification, nearby cache for performance
> > reasons? Am I missing something that would make that impractical?
>
> I think it would be helpful to give examples of how "secure DNS"
> caches can be shared, instead of outright banning this. On non-trivial
> deployments, DNS and MAIL are managed by different people.
This was the intent of my original example; I guess I did not draw
sufficient attention to the:

    forward-zone:
        name: "."
        forward-addr: 192.0.2.1

stanza at the bottom of the unbound.conf example. We'll need to provide
a similar configuration example for BIND, and explain the rationale for
both, so other local nameservers could also be supported by an MTA
administrator who understands the requirements.

-- 
	Viktor.
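A fuller unbound.conf fragment for the split described above (DNSSEC validation on the mail host itself, queries forwarded to shared nearby caches), added here as an illustration and not the original example from the thread. The trust-anchor path, the loopback listener and the second forwarder address 192.0.2.2 are assumptions.

```conf
# Added example unbound.conf: validate DNSSEC locally, forward to shared caches.
server:
    # Only the MTA on this host uses this resolver (assumed layout).
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Validation happens on this host, so the AD bit the MTA relies on is
    # set by a resolver under the MTA administrator's own control.
    module-config: "validator iterator"
    # RFC 5011 managed root trust anchor; the path is an assumption,
    # distributions place it differently.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Treat answers from which a forwarder has stripped DNSSEC records as
    # bogus rather than silently downgrading them to insecure (default).
    harden-dnssec-stripped: yes

# All queries go to the nearby shared caches. unbound still asks for and
# checks RRSIGs itself, so the caches only have to relay DNSSEC data
# unmodified; they do not need to validate. 192.0.2.2 is a constructed
# second address for redundancy.
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
    forward-addr: 192.0.2.2
```

The BIND analogue of this split is `dnssec-validation auto;` together with `forwarders { 192.0.2.1; }; forward only;` in the `options` block, with the same requirement that the shared caches pass DNSSEC records through untouched.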