On 26.02.2014 00:46, DTNX Postmaster wrote:
> On 26 Feb 2014, at 00:29, li...@rhsoft.net wrote:
>> On 25.02.2014 17:41, Dirk Stöcker wrote:
>>> On Tue, 25 Feb 2014, Viktor Dukhovni wrote:
>>>>> smtp_dns_support_level = dnssec
>>>>>
>>>>> was enough to fix this. I'll see how many servers will have a
>>>>> "Verified" connection in the future.
>>>>
>>>> I hope you read the note about the importance of having 127.0.0.1
>>>> and/or ::1 as the only nameservers listed in /etc/resolv.conf, and
>>>
>>> No, did not read it, but this was obvious :-)
>>
>> why and how should this work for real networks where
>> you have two DNS servers for failover in the LAN and
>> typically no one on the mailserver?
>>
>> if 192.168.196.1 and 192.168.196.2 support DNSSEC it
>> has to work if both of them are in resolv.conf, otherwise
>> DANE will not happen in the real world
>
> The local resolver can have the resolvers on the LAN configured as
> forwarders, but you need the local stub resolver. No reason not to have
> one, really, especially on a busy mail server
Yes, you normally have a local resolver on the mailserver, but you hardly trust that one alone, and in case it crashes you typically have another one on the LAN.

Mailserver's /etc/resolv.conf:

127.0.0.1
192.168.196.1
192.168.192.2
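The point at issue in the thread is that Postfix with smtp_dns_support_level = dnssec trusts the AD bit in DNS answers, and that bit is only trustworthy when it is set by a validating resolver reached over loopback; a LAN resolver listed as a "failover" entry means the stub resolver can, on a timeout, send the same queries across the network, where the AD bit can be stripped or forged and DANE verification silently downgrades. The following added example (not from the mailing-list thread, nor part of Postfix or Unbound) checks a resolv.conf for exactly this condition, rewrites it to keep only loopback nameservers, and turns the removed LAN resolvers into an Unbound forward-zone stanza so they still provide upstream redundancy behind the local validating resolver, which is the layout DTNX Postmaster describes. The sample resolv.conf is constructed to match the one in the reply; the unbound.conf directives used (forward-zone, name, forward-addr) are documented in unbound.conf(5).

```python
"""Check /etc/resolv.conf on a DANE-enabled mail server.

Added example, not code from the thread. Postfix's DNSSEC/DANE support
relies on the AD bit, which is only meaningful from a validating
resolver on loopback; any non-loopback nameserver is a downgrade path.
"""
import ipaddress

# Constructed sample mirroring the resolv.conf quoted in the reply.
SAMPLE_RESOLV_CONF = """\
# mail server resolv.conf (constructed sample)
search example.net
nameserver 127.0.0.1
nameserver 192.168.196.1   # LAN failover
nameserver 192.168.192.2
options timeout:2 attempts:2
"""


def _nameserver_of(raw):
    """Return the address object from a 'nameserver X' line, else None."""
    line = raw.strip()
    if not line or line[0] in "#;":  # whole-line comment per resolv.conf(5)
        return None
    parts = line.split()
    if len(parts) < 2 or parts[0] != "nameserver":
        return None
    try:
        # Only the second token counts; drop an IPv6 scope id (fe80::1%eth0).
        return ipaddress.ip_address(parts[1].split("%", 1)[0])
    except ValueError:
        return None  # unparsable entries are ignored, as the libc resolver does


def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf order, as strings."""
    return [str(a) for a in map(_nameserver_of, text.splitlines()) if a]


def non_loopback_nameservers(text):
    """Nameservers outside 127.0.0.0/8 and ::1, i.e. reachable over the LAN."""
    return [str(a) for a in map(_nameserver_of, text.splitlines())
            if a and not a.is_loopback]


def is_dane_safe(text):
    """True only if at least one nameserver is listed and all are loopback."""
    return bool(parse_nameservers(text)) and not non_loopback_nameservers(text)


def hardened_resolv_conf(text):
    """Rewrite resolv.conf, commenting out every non-loopback nameserver.

    Other directives (search, options) and loopback entries are kept as-is.
    """
    kept = []
    for raw in text.splitlines():
        addr = _nameserver_of(raw)
        if addr is not None and not addr.is_loopback:
            kept.append("# removed for DANE safety: " + raw)
        else:
            kept.append(raw)
    return "\n".join(kept) + "\n"


def unbound_forward_zone(text):
    """Emit an Unbound forward-zone that forwards to the removed LAN resolvers.

    Returns an empty string when there is nothing to forward to.
    """
    lan = non_loopback_nameservers(text)
    if not lan:
        return ""
    lines = ["forward-zone:", '    name: "."']
    lines += ["    forward-addr: " + ns for ns in lan]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("LAN nameservers:", non_loopback_nameservers(SAMPLE_RESOLV_CONF))
    print("DANE-safe:", is_dane_safe(SAMPLE_RESOLV_CONF))
    print(hardened_resolv_conf(SAMPLE_RESOLV_CONF))
    print(unbound_forward_zone(SAMPLE_RESOLV_CONF))
```

Two caveats when applying this: the LAN resolvers used as forwarders must themselves pass DNSSEC records through (RRSIG, DS, NSEC), otherwise the local Unbound cannot validate and nothing is gained; and with only loopback in resolv.conf the "failover" the reply asks for now has to be provided by keeping the local daemon running (supervision, restart on failure), because a second stub entry on the LAN is precisely what reintroduces the unauthenticated path. A quick way to confirm the local resolver is validating is dig +dnssec @127.0.0.1 against a signed zone and checking for the ad flag in the response header.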