On 02/27/2013 10:43 AM, Viktor Dukhovni wrote:
On Wed, Feb 27, 2013 at 10:20:50AM -0500, Wietse Venema wrote:

I think it would be entirely reasonable to share a DNS cache among
multiple systems within the same trusted perimeter. One DNS server
per host in a farm of mail servers may not be practical.
A local cache on each, forwarding to two or three resolvers that are
nearby? Local for DNSSEC verification, nearby cache for performance
reasons? Am I missing something that would make that impractical?
I think it would be helpful to give examples of how "secure DNS"
caches can be shared, instead of outright banning this. On non-trivial
deployments, DNS and MAIL are managed by different people.
This was the intent of my original example; I guess I did not draw
sufficient attention to the:

        forward-zone:
                name: "."
                forward-addr: 192.0.2.1

stanza at the bottom of the unbound.conf example. We'll need to
provide a similar configuration example for BIND, and explain the
rationale for both, so other local nameservers could also be
supported by an MTA administrator who understands the requirements.

On Centos 6.3 (bind 9.8.2 with security patches) I did:

yum install bind bind-chroot

In /etc/sysconfig/network-scripts/ifcfg-eth0 set:

DNS1=127.0.0.1
DNS2=::1

ifdown eth0; ifup eth0

Add to /var/named/chroot/etc/named.conf options section:

        forward only;
        forwarders {
                192.0.2.1;      // IPv4 address of the upstream resolver (documentation address as placeholder)
                2001:db8::1;    // IPv6 address of the upstream resolver (documentation address as placeholder)
                // further resolvers, one per line
        };

service named start     # the CentOS 6 bind package installs its init script as "named"
chkconfig named on

You CAN use 'forward first' and then if your forward server is unreachable, your caching server will go out on the net to the '.' servers and walk down from there. Look at 'first' as opportunistic local forwarding and 'only' as forced local forwarding.
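As an added example (not from the thread, and not BIND's own tooling), a small Python check of the point Viktor makes about keeping DNSSEC validation local while forwarding to nearby caches: it reads the options block of a named.conf, reports the forward policy and forwarders, and flags a configuration that forwards without enabling dnssec-validation. The sample named.conf is constructed, and the documentation addresses stand in for real resolvers.

```python
import re

# Constructed sample modelled on the options snippet in the post; the addresses are documentation addresses.
SAMPLE_NAMED_CONF = """
options {
        dnssec-validation auto;   // validate here, not on the upstream cache
        forward only;
        forwarders {
                192.0.2.1;
                2001:db8::1;
        };
};
"""

def strip_comments(conf):
    """Drop named.conf comments: /* ... */, // ... and # ... to end of line."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def options_block(conf):
    """Return the body of the first 'options { ... }' block, or None."""
    start = re.search(r"\boptions\s*\{", conf)
    if not start:
        return None
    depth = 0
    for i in range(start.end() - 1, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start.end():i]
    return None

def check_forwarding(conf):
    """Return (policy, forwarders, findings) for the options block; an absent
    dnssec-validation statement is reported rather than assumed to default on."""
    opts = options_block(strip_comments(conf)) or ""
    pol = re.search(r"\bforward\s+(only|first)\s*;", opts)
    policy = pol.group(1) if pol else None
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", opts)
    forwarders = [a.strip() for a in fwd.group(1).split(";") if a.strip()] if fwd else []
    val = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", opts)
    findings = []
    if policy is None:
        findings.append("no 'forward' statement: named recurses from the root itself")
    elif not forwarders:
        findings.append("'forward %s' with an empty forwarders list" % policy)
    if not (val and val.group(1) in ("yes", "auto")):
        findings.append("dnssec-validation not enabled: the AD bit would come from upstream")
    return policy, forwarders, findings
```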

