On Wed, Feb 27, 2013 at 10:53:58AM -0500, Robert Moskowitz wrote:

> But to share a single DNS among a number of mail servers, say in a
> mail farm that probably has lots of other types of servers running
> with questionable content, I would want secure tunnels from the mail
> server to the DNS server and that no longer is a non-trivial
> exercise.

Nothing of the sort, just enable validation of outside domains and
exempt local domains if unsigned. TSIG configuration is much more
complex and is both beyond our reasonable ability to document with
specificity (too many variants between GSSAPI, and other security
mechanisms) and the ability of most administrators to configure.

The same goes for IPSEC, ...

> How much resources does a local caching server demand? I would think
> it is mostly memory for the cache. You may have to throw a couple
> more Gb at loaded server.

GB is the wrong order of magnitude. A megabyte of RAM should be
more than enough for local cache on most mail servers. Just need
room in the cache for the MX, A, TLSA and RRSIG of the 10 highest
volume destination domains and the A and PTR records of the 10
highest volume clients.

The purpose of the local cache (before DANE support) is to reduce
latency for the highest volume requests and to give the MTA
administrator the flexibility to craft custom local MX RRsets in
suitable local zones:

        example.net.localhost.  IN MX 0 internal-mx1.example.net.
        example.net.localhost.  IN MX 0 internal-mx2.example.net.

        example.com.localhost.  IN MX 0 gw1.localhost.
        example.com.localhost.  IN MX 0 gw2.localhost.

        gw1.localhost.  IN A 192.0.2.1
        gw2.localhost.  IN A 192.0.2.2

Then one can add transport table entries:

        example.net     smtp:example.net.localhost
        example.com     smtp:example.com.localhost

These won't break DNSSEC zone validation since "localhost" would
be a local unsigned zone. With DANE + DNSSEC the local cache also
makes it possible to trust the AD-bit without jumping through hoops
with TSIG or implementing DNSSEC validation in Postfix.

I think we've beaten this thread to death, I'm done for now.

-- 
        Viktor.

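The setup Viktor describes above, written out as an added example (not code from the thread or from the Postfix project): a loopback-only caching resolver that validates outside domains, serves the unsigned local "localhost." zone with the custom MX RRsets from the message, and a Postfix transport map pointing at those names. The message names no particular resolver; using Unbound and its local-zone/local-data/domain-insecure directives is this example's assumption, as is the trust-anchor path. The domain names and 192.0.2.x addresses are the ones used in the message.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an Unbound config
# fragment and a Postfix transport map for a per-MTA local cache with custom
# MX RRsets in an unsigned local zone. Unbound is an assumption: the message
# does not say which resolver to use.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write the unbound.conf fragment to the path given as $1.
gen_unbound_conf() {
    out="$1"
    cat > "$out" <<'EOF'
server:
    # Loopback only: the MTA on this host is the sole client, so the AD bit
    # never crosses a network segment that would need TSIG or IPsec.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Validate outside domains against the root trust anchor
    # (path is an assumption; adjust for the local install).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # "localhost." is deliberately unsigned: mark it insecure so validation
    # does not treat it as bogus. Answers from it carry no AD bit.
    domain-insecure: "localhost."
    local-zone: "localhost." static
    # Custom MX RRsets for high-volume destinations (names from the message).
    local-data: "example.net.localhost. IN MX 0 internal-mx1.example.net."
    local-data: "example.net.localhost. IN MX 0 internal-mx2.example.net."
    local-data: "example.com.localhost. IN MX 0 gw1.localhost."
    local-data: "example.com.localhost. IN MX 0 gw2.localhost."
    local-data: "gw1.localhost. IN A 192.0.2.1"
    local-data: "gw2.localhost. IN A 192.0.2.2"
EOF
}

# Write the Postfix transport map to $1 and compile it if postmap exists.
gen_transport_map() {
    out="$1"
    cat > "$out" <<'EOF'
example.net     smtp:example.net.localhost
example.com     smtp:example.com.localhost
EOF
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$out"
    fi
}

# Look up the transport for domain $2 in the flat map $1. A stand-in for
# Postfix's own lookup so the map can be checked without a running MTA.
transport_for() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Count the MX local-data records for owner name $2 in unbound config $1.
mx_count() {
    grep -cF "\"$2 IN MX" "$1"
}

gen_unbound_conf "$WORK/unbound.conf"
gen_transport_map "$WORK/transport"
# Syntax-check the fragment when Unbound is installed; skip quietly otherwise.
if command -v unbound-checkconf >/dev/null 2>&1; then
    unbound-checkconf "$WORK/unbound.conf" || true
fi
echo "generated: $WORK/unbound.conf $WORK/transport"
```

Point Postfix at the map with `transport_maps = hash:/etc/postfix/transport` and at the cache with `127.0.0.1` in resolv.conf. The outside zones are validated as usual, while lookups under "localhost." simply come back unsigned rather than bogus, which is what keeps the custom MX entries from tripping validation.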