On Tue, Nov 19, 2019 at 09:21:23AM -0500, Bill Cole wrote:

> Generally, a mail server should have a caching recursive resolver
> running locally: either on the same machine or the same truly local
> network.

+1, especially for running on the MTA host itself, on the loopback
interface, with only 127.0.0.1 listed in /etc/resolv.conf. Make that a
DNSSEC validating resolver, and enable DANE outbound:

    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane

If you want to share cache hits with other nearby MTAs, the loopback
resolver can forward queries to a shared nearby forwarder.

> Between some distributions adopting Unbound and others changing their
> standard BIND configs to be simple caching resolvers, the excuses for
> not running a local caching recursive resolver on a mail server have
> become quite weak.

Indeed.

-- 
Viktor.
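The following script is an added example, not part of the thread above, that checks the three pieces of the setup the reply describes on a given host: a loopback-only /etc/resolv.conf, the two Postfix main.cf settings, and whether a saved `dig +dnssec` answer carries the AD flag (the resolver actually validated). File paths are assumed to be passed as arguments; the sample inputs at the bottom are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original thread. Three checks for the
# setup the reply recommends: a loopback-only resolv.conf, the two Postfix
# settings, and proof that the local resolver validates DNSSEC (AD flag).

# 0 if every "nameserver" line is 127.0.0.1 and at least one exists, else 1.
resolv_conf_is_loopback_only() {
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad++ }
         END { if (n > 0 && bad == 0) exit 0; exit 1 }' "$1"
}

# 0 if main.cf sets smtp_dns_support_level = dnssec and
# smtp_tls_security_level = dane (comments skipped, last assignment wins).
main_cf_has_dane_outbound() {
    awk '/^[ \t]*#/ { next }
         /^[ \t]*smtp_dns_support_level[ \t]*=/ {
             split($0, a, "="); gsub(/[ \t]/, "", a[2]); dns = a[2] }
         /^[ \t]*smtp_tls_security_level[ \t]*=/ {
             split($0, a, "="); gsub(/[ \t]/, "", a[2]); tls = a[2] }
         END { if (dns == "dnssec" && tls == "dane") exit 0; exit 1 }' "$1"
}

# 0 if saved "dig +dnssec" output carries the AD flag, i.e. the resolver
# validated the answer. Without AD, Postfix cannot trust TLSA records and
# the "dane" level falls back to opportunistic TLS for that destination.
dig_output_is_validated() {
    grep -q '^;; flags:.* ad[ ;]' "$1"
}

# Constructed sample inputs so the checks run offline.
WORK=$(mktemp -d)
GOOD_RESOLV="$WORK/resolv.good"; BAD_RESOLV="$WORK/resolv.bad"
GOOD_MAINCF="$WORK/main.good";   BAD_MAINCF="$WORK/main.bad"
VALIDATED_DIG="$WORK/dig.ad";    UNVALIDATED_DIG="$WORK/dig.noad"
printf 'nameserver 127.0.0.1\noptions edns0\n' > "$GOOD_RESOLV"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$BAD_RESOLV"
printf '# main.cf\nsmtp_dns_support_level = dnssec\nsmtp_tls_security_level = dane\n' > "$GOOD_MAINCF"
printf 'smtp_dns_support_level = enabled\nsmtp_tls_security_level = may\n' > "$BAD_MAINCF"
printf ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 1\n' > "$VALIDATED_DIG"
printf ';; flags: qr rd ra; QUERY: 1, ANSWER: 1\n' > "$UNVALIDATED_DIG"

# Demonstration run; replace the sample paths with the real files on a host.
report() { if "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fi; }
report resolv_conf_is_loopback_only "$GOOD_RESOLV"
report resolv_conf_is_loopback_only "$BAD_RESOLV"
report main_cf_has_dane_outbound "$GOOD_MAINCF"
report dig_output_is_validated "$UNVALIDATED_DIG"
```

On a live host the third check is fed by something like `dig +dnssec @127.0.0.1 example.com. > /tmp/dig.out`; a missing AD flag there means the loopback resolver is not validating, whatever main.cf says.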