On Wed, Feb 27, 2013 at 10:53:58AM -0500, Robert Moskowitz wrote:

> But to share a single DNS among a number of mail servers, say in a
> mail farm that probably has lots of other types of servers running
> with questionable content, I would want secure tunnels from the mail
> server to the DNS server and that no longer is a non-trivial
> exercise.

Nothing of the sort, just enable validation of outside domains and
exempt local domains if unsigned. TSIG configuration is much more
complex and is both beyond our reasonable ability to document with
specificity (too many variants between GSSAPI, and other security
mechanisms) and the ability of most administrators to configure. The
same goes for IPSEC, ...

> How much resources does a local caching server demand? I would think
> it is mostly memory for the cache. You may have to throw a couple
> more Gb at loaded server.

GB is the wrong order of magnitude. A megabyte of RAM should be more
than enough for local cache on most mail servers. Just need room in the
cache for the MX, A, TLSA and RRSIG of the 10 highest volume
destination domains and the A and PTR records of the 10 highest volume
clients.

The purpose of the local cache (before DANE support) is to reduce
latency for the highest volume requests and to give the MTA
administrator the flexibility to craft custom local MX RRsets in
suitable local zones:

    example.net.localhost. IN MX 0 internal-mx1.example.net.
    example.net.localhost. IN MX 0 internal-mx2.example.net.
    example.com.localhost. IN MX 0 gw1.localhost.
    example.com.localhost. IN MX 0 gw2.localhost.
    gw1.localhost.         IN A 192.0.2.1
    gw2.localhost.         IN A 192.0.2.2

Then one can add transport table entries:

    example.net smtp:example.net.localhost
    example.com smtp:example.com.localhost

these won't break DNSSEC zone validation since "localhost" would be a
local unsigned zone.

With DANE + DNSSEC the local cache also makes it possible to trust the
AD-bit without jumping through hoops with TSIG or implementing DNSSEC
validation in Postfix.

I think we've beaten this thread to death, I'm done for now.

-- 
	Viktor.
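The custom-MX-in-a-local-unsigned-zone pattern above has one consistency requirement that is easy to get wrong by hand: every transport nexthop must live under the unsigned local zone (an unsigned answer for a name inside a real signed zone would fail validation), and every MX target that is itself local needs an A record in that zone. The script below is an added example and not code from the thread; it parses the zone-style records and transport entries quoted in the post (embedded here as constructed input), runs those two checks, and renders the records as unbound(8) local-data. The choice of unbound as the local cache, and the `domain-insecure:` / `local-zone:` / `local-data:` directives used to express "exempt local domains if unsigned", are assumptions not stated in the post.

```python
"""Consistency check for custom local MX RRsets + Postfix transport
entries, then render them as an unbound.conf fragment.

Added example, not code from the original thread.  Assumes the
"localhost." zone is served unsigned by the local cache (unbound here,
an assumption), so records under it do not break DNSSEC validation.
"""
import ipaddress

LOCAL_ZONE = "localhost."  # the unsigned local zone named in the post

# Zone-style lines quoted in the post (constructed sample input).
LOCAL_RECORDS = """\
example.net.localhost. IN MX 0 internal-mx1.example.net.
example.net.localhost. IN MX 0 internal-mx2.example.net.
example.com.localhost. IN MX 0 gw1.localhost.
example.com.localhost. IN MX 0 gw2.localhost.
gw1.localhost.         IN A  192.0.2.1
gw2.localhost.         IN A  192.0.2.2
"""

# Postfix transport(5) entries quoted in the post (constructed sample input).
TRANSPORT_TABLE = """\
example.net smtp:example.net.localhost
example.com smtp:example.com.localhost
"""


def parse_records(text):
    """Return [(owner, rrtype, rdata_tokens)] from simple one-line records."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, klass, rrtype, *rdata = line.split()
        if klass != "IN":
            raise ValueError(f"unsupported class in: {line}")
        records.append((owner.lower(), rrtype.upper(), rdata))
    return records


def parse_transport(text):
    """Return {domain: nexthop_fqdn} from 'domain smtp:nexthop' lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        domain, transport = line.split()
        method, _, nexthop = transport.partition(":")
        if method != "smtp":
            raise ValueError(f"only smtp: transports are handled: {line}")
        table[domain.lower()] = nexthop.lower().rstrip(".") + "."
    return table


def in_zone(name, zone=LOCAL_ZONE):
    """True if name is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def check(records, transport):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    mx_by_owner = {}
    a_owners = set()
    for owner, rrtype, rdata in records:
        if not in_zone(owner):
            problems.append(f"{owner} is outside {LOCAL_ZONE}: an unsigned "
                            "answer for a signed domain fails validation")
        if rrtype == "MX":
            mx_by_owner.setdefault(owner, []).append(rdata[1].lower())
        elif rrtype == "A":
            ipaddress.IPv4Address(rdata[0])  # raises on a malformed address
            a_owners.add(owner)
    for domain, nexthop in transport.items():
        if not in_zone(nexthop):
            problems.append(f"transport for {domain} points at {nexthop}, "
                            f"not under {LOCAL_ZONE}")
        elif nexthop not in mx_by_owner:
            problems.append(f"no MX RRset for nexthop {nexthop} ({domain})")
        else:
            for target in mx_by_owner[nexthop]:
                if in_zone(target) and target not in a_owners:
                    problems.append(f"MX target {target} for {nexthop} "
                                    "has no local A record")
    return problems


def unbound_snippet(records, zone=LOCAL_ZONE):
    """Render the records as unbound local-data, with the zone marked insecure."""
    lines = [f'domain-insecure: "{zone}"', f'local-zone: "{zone}" static']
    for owner, rrtype, rdata in records:
        lines.append(f'local-data: "{owner} IN {rrtype} {" ".join(rdata)}"')
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_records(LOCAL_RECORDS)
    tbl = parse_transport(TRANSPORT_TABLE)
    print("\n".join(check(recs, tbl)) or "OK: records and transport table agree")
    print(unbound_snippet(recs))
```

The external MX targets (`internal-mx1.example.net.` and friends) are deliberately left alone: their A records come from the real, validated `example.net` zone, which is exactly why the local data only needs to carry the MX RRset and the gateway A records.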