On 26.02.2014 02:25, DTNX Postmaster wrote:
> On 26 Feb 2014, at 00:54, li...@rhsoft.net wrote:
>> On 26.02.2014 00:46, DTNX Postmaster wrote:
>>> On 26 Feb 2014, at 00:29, li...@rhsoft.net wrote:
>>>> On 25.02.2014 17:41, Dirk Stöcker wrote:
>>>>> On Tue, 25 Feb 2014, Viktor Dukhovni wrote:
>>>>>>> smtp_dns_support_level = dnssec
>>>>>>>
>>>>>>> was enough to fix this. I'll see how many servers will have a
>>>>>>> "Verified" connection in the future.
>>>>>>
>>>>>> I hope you read the note about the importance of having 127.0.0.1
>>>>>> and/or ::1 as the only nameservers listed in /etc/resolv.conf, and
>>>>>
>>>>> No, did not read it, but this was obvious :-)
>>>>
>>>> why and how should this work for real networks where
>>>> you have two DNS servers for failover in the LAN and
>>>> typically no one on the mailserver?
>>>>
>>>> if 192.168.196.1 and 192.168.196.2 support DNSSEC it
>>>> has to work if both of them are in resolv.conf, otherwise
>>>> DANE will not happen in the real world
>>>
>>> The local resolver can have the resolvers on the LAN configured as
>>> forwarders, but you need the local stub resolver. No reason not to have
>>> one, really, especially on a busy mail server
>>
>> yes, you normally have a local resolver on the mailserver
>> but you hardly trust that one alone and in case it crashes
>> you typically have another one on the LAN
>>
>> mailserver's /etc/resolv.conf:
>> 127.0.0.1
>> 192.168.196.1
>> 192.168.192.2
>
> If you cannot trust a local resolver by itself

redundancy has nothing to do with trust, as well as RAID is not a backup

> as the only resolver configured at the system level, you have a
> different problem that has nothing to do with DANE, or Postfix

see above

> For DANE to work properly and reliably, local only is a requirement

if you can not trust your resolvers in your own network you have a problem
and if your localhost resolver does nothing else than ask these resolvers
you gain nothing

in case you have a postfix relay on any machine and if you start to implement
DANE network wide it is nonsense to run on 20, 30, 100 machines on top of the
same virtualization host a local resolver asking another VM on the same host
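The two prerequisites argued about in this thread (only loopback nameservers in /etc/resolv.conf, and smtp_dns_support_level = dnssec in Postfix) as an added configuration check; this is not code from the thread or from Postfix, and the resolv.conf and postconf samples are constructed, the first one mirroring the layout proposed above.

```python
import ipaddress

# Constructed samples, not taken from the thread: the resolv.conf layout
# proposed in the discussion, a loopback-only one, and a minimal `postconf -n`.
RESOLV_CONF_LAN_FALLBACK = """\
nameserver 127.0.0.1
nameserver 192.168.196.1
nameserver 192.168.192.2
"""
RESOLV_CONF_LOCAL_ONLY = "nameserver 127.0.0.1\nnameserver ::1\n"
POSTCONF_SAMPLE = "smtp_dns_support_level = dnssec\n"

def nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf text."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out

def non_loopback_nameservers(resolv_conf: str) -> list:
    """Nameservers that are not loopback. Postfix trusts the AD bit only from
    a validating resolver on the same host, so any entry here breaks DANE."""
    def is_loopback(addr: str) -> bool:
        try:
            return ipaddress.ip_address(addr).is_loopback
        except ValueError:
            return False  # unparsable entry: treat as untrusted
    return [a for a in nameservers(resolv_conf) if not is_loopback(a)]

def postconf_value(postconf_text: str, name: str) -> str:
    """Look up one parameter in `postconf -n` style output."""
    for line in postconf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return ""

def dane_problems(resolv_conf: str, postconf_text: str) -> list:
    """Return the DANE prerequisites that fail; an empty list means OK."""
    problems = [f"non-loopback nameserver {a}"
                for a in non_loopback_nameservers(resolv_conf)]
    if not nameservers(resolv_conf):
        problems.append("no nameserver entries in resolv.conf")
    if postconf_value(postconf_text, "smtp_dns_support_level") != "dnssec":
        problems.append("smtp_dns_support_level is not dnssec")
    return problems
```

On a real host, feed it the contents of /etc/resolv.conf and the output of `postconf -n`; a LAN fallback entry is reported even when 127.0.0.1 comes first, since the resolver library will use it whenever the local one fails.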