On 02/27/2013 10:20 AM, Wietse Venema wrote:
> DTNX Postmaster:
>> On Feb 27, 2013, at 12:58, Wietse Venema <wie...@porcupine.org> wrote:
>>> Viktor Dukhovni:
>>>> Perhaps "postfix check" could generate a warning if DANE is enabled
>>>> and non-local nameservers are found in /etc/resolv.conf (and/or
>>>> its chroot-jail version).
>>>
>>> I think it would be entirely reasonable to share a DNS cache among
>>> multiple systems within the same trusted perimeter. One DNS server
>>> per host in a farm of mail servers may not be practical.
>>
>> A local cache on each, forwarding to two or three resolvers that are
>> nearby? Local for DNSSEC verification, nearby cache for performance
>> reasons? Am I missing something that would make that impractical?
>
> I think it would be helpful to give examples of how "secure DNS"
> caches can be shared, instead of outright banning this. On non-trivial
> deployments, DNS and MAIL are managed by different people.
True, but we are talking about a name-caching server here, not your
standard fare for DNS support people. Or rather, they are old hands at
deploying caching servers where appropriate and could well supply
standard templates for them.

RHEL/CentOS bind installs as a caching server, requiring very little in
edits, though as I pointed out in an earlier message I need to add
chroot since I have SELinux off on the mail server (I don't think it was
postfix, but rather dovecot, that forced this). Also I think if I change
my DNS address in ifcfg-eth0 to 127.0.0.1 and ::1 I can stop bind
listening on the local addresses, so even less added to named.conf.

But to share a single DNS among a number of mail servers, say in a mail
farm that probably has lots of other types of servers running with
questionable content, I would want secure tunnels from the mail server
to the DNS server, and that no longer is a non-trivial exercise. Now you
can always use my HIP protocol instead of IKEv2 for keying ESP, but
people doing this may want distro-provided tunneling.

How much in resources does a local caching server demand? I would think it
is mostly memory for the cache. You may have to throw a couple more GB
at a loaded server.
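As an added illustration of the "postfix check" warning suggested earlier in this thread (example code written for this page, not from the thread, from Postfix or from any distro), a small Python check that parses resolv.conf-style text and reports nameservers not on a loopback address; the chroot path assumes Postfix's default queue directory.

```python
import ipaddress
from pathlib import Path

# Files a Postfix host would inspect: the system resolv.conf and the copy
# inside the chroot jail (path assumed for a default queue_directory).
RESOLV_PATHS = ("/etc/resolv.conf", "/var/spool/postfix/etc/resolv.conf")

# Constructed sample, not taken from any real host.
SAMPLE_RESOLV_CONF = """\
# constructed example
search example.net
nameserver 127.0.0.1
nameserver ::1
nameserver 192.0.2.53   ; shared cache on another host
"""


def nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        # resolv.conf treats '#' and ';' as comment introducers
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def nonlocal_nameservers(text):
    """Nameservers whose answers (and AD bit) reach the host over a network
    path rather than from a validating resolver on the local machine."""
    flagged = []
    for server in nameservers(text):
        addr = server.split("%", 1)[0]  # drop an IPv6 zone id such as ::1%lo
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append(server)  # unparsable entry: report, do not trust
            continue
        if not ip.is_loopback:
            flagged.append(server)
    return flagged


def dane_resolver_warnings(paths=RESOLV_PATHS):
    """Warning lines in the spirit of a 'postfix check' diagnostic."""
    warnings = []
    for path in paths:
        p = Path(path)
        if p.is_file():
            for server in nonlocal_nameservers(p.read_text()):
                warnings.append(f"warning: {path}: non-local nameserver "
                                f"{server}; DANE needs a local validating resolver")
    return warnings
```

Run on the constructed sample, only 192.0.2.53 is flagged; the two loopback entries pass.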