Warren (mailing lists) wrote:
Eric "Shubes" wrote:
I think we need Nick to chime in here with the definitive answer.
That being said, here's my (mis?)understanding.
Yes, you need a *caching* nameserver with the new version that supports
domain keys. This is so that the mail server isn't querying the
nameserver(s) (listed in /etc/resolv.conf) for the domain key info for
each email processed. That would be quite inefficient.
Since it's a caching nameserver, it can't possibly answer requests by
non-local machines. It *might* be used as a nameserver for other local
machines, but that's not necessarily advisable as it could open up
network security holes. Safest route to go would be to have another
caching nameserver that is used strictly by the local network (e.g. on a
local file server). Having a local caching server is a good thing.
In order to implement DK, your authoritative server needs to have the
TXT record containing the appropriate information. (Note, while
unrelated to DK, it should probably have a TXT SPF record too). If you
run your own nameserver, that's where it should go. If you use a DNS
service (such as mydns or dyndns), the TXT records (like the MX record)
need to go in the DNS server of your provider, *not* your caching
nameserver. That way, the TXT records are available to the outside world.
Is that about right? Someone *please* correct me if I'm wrong.
This should probably be clarified in the installation notes.
But then if what you are saying is true, then a caching name server is
not *needed* but is a good thing to have to stop inefficiencies. Again,
I say this because I have setups that only have an authoritative name
server on them and the caching name server is the machine immediately
below it in the rack.
That is my understanding (guess).
I guess the questions are: Does qmail specifically query a name server
on the current machine or does it just do a normal DNS query?
I'm guessing that it just does a normal DNS query, according to
whatever's in /etc/resolv.conf. I can't imagine why it would do it any
other way.
If it specifically does a request to the local machine does it do it on
localhost so that a caching DNS can be put on localhost and the
authoritative one on the external IP?
Now you've got *me* wondering. I hope we can get Nick to chime in here.
Maybe you can just test it out, Warren. Since your authoritative DNS
server is local, try shutting down the caching service on the qmail box
(# service named stop) and see what happens. (Assuming you have the TXT
DK records on the authoritative server).
Sincerely,
Warren
--
-Eric 'shubes'
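Since the thread leaves open both where the DK TXT record has to live and which server qmail actually asks, here is an added example of the checks an operator would run before the `service named stop` experiment suggested above. It is my code, not from the thread or from QmailToaster. Everything in it is constructed or assumed: the domain example.com, the selector "mail", the authoritative server 192.0.2.1, the sample /etc/resolv.conf, and the TXT strings (the p= value is a tiny hand-built DER SEQUENCE, not a real RSA key). It parses resolv.conf the way the libc resolver reads it (that is what qmail uses), checks a DomainKeys selector record and an SPF record for the defects that make verifiers ignore them, and prints the dig commands that compare the outside world's view (authoritative server) with what the mail host's own resolvers return.

```python
"""Added example (not from the thread or QmailToaster): offline checks for
the DNS side of DomainKeys on a qmail host.

Assumed/constructed: domain example.com, selector "mail", authoritative
server 192.0.2.1, and the sample resolv.conf and TXT strings below.
"""
import base64
import binascii

# Constructed sample /etc/resolv.conf: a caching server on localhost first,
# a second LAN resolver as fallback.
SAMPLE_RESOLV_CONF = """\
# generated for the mail host
search example.com
nameserver 127.0.0.1
nameserver 192.0.2.53   ; LAN fallback
options timeout:2
"""

# Constructed DomainKeys selector record. The p= value is a tiny DER
# SEQUENCE built for this example, not a real RSA key.
SAMPLE_DK_TXT = "k=rsa; t=y; p=MAYCAQUCAQc="
SAMPLE_SPF_TXT = "v=spf1 mx -all"


def parse_resolv_conf(text):
    """Nameserver addresses in the order the libc resolver tries them.

    qmail uses the system resolver, so these (not the authoritative server
    on the next machine in the rack) are what answer its TXT lookups.
    """
    servers = []
    for line in text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        for mark in ("#", ";"):
            line = line.split(mark, 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers[:3]  # glibc honours at most three nameserver lines


def dk_selector_name(selector, domain):
    """Owner name of the DomainKeys selector TXT record."""
    return f"{selector}._domainkey.{domain}"


def parse_dk_txt(txt):
    """Parse 'tag=value; tag=value' and list anything that would make the
    key unusable to a verifying MTA. Returns (tags, problems)."""
    tags, problems = {}, []
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            problems.append(f"malformed field {field!r}")
            continue
        k, v = field.split("=", 1)
        tags[k.strip()] = v.strip()
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={tags['k']}")
    p = tags.get("p")
    if p is None:
        problems.append("no p= tag: record is not a key")
    elif p == "":
        problems.append("empty p=: key has been revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except binascii.Error:
            der = b""
            problems.append("p= is not valid base64")
        # A SubjectPublicKeyInfo is a DER SEQUENCE, whose tag byte is 0x30
        if der and der[0] != 0x30:
            problems.append("p= does not decode to a DER SEQUENCE")
    return tags, problems


def is_spf_record(txt):
    """True for a TXT record that SPF verifiers will actually evaluate."""
    return txt.split(" ", 1)[0] == "v=spf1"


def dig_commands(selector, domain, authoritative_ns, resolv_conf_text):
    """Commands to compare the outside world's view (ask the authoritative
    server directly) with what the mail host's own resolvers return."""
    name = dk_selector_name(selector, domain)
    targets = [authoritative_ns] + parse_resolv_conf(resolv_conf_text)
    return [f"dig @{ns} +short TXT {name}" for ns in targets]


if __name__ == "__main__":
    tags, problems = parse_dk_txt(SAMPLE_DK_TXT)
    print("selector record:", dk_selector_name("mail", "example.com"))
    print("tags:", tags, "problems:", problems or "none")
    print("SPF ok:", is_spf_record(SAMPLE_SPF_TXT))
    for cmd in dig_commands("mail", "example.com", "192.0.2.1",
                            SAMPLE_RESOLV_CONF):
        print(cmd)
```

If the first dig (against the authoritative server) returns the record and the ones against the resolv.conf servers do not, the caching server is the problem, not the zone; if none of them return it, the TXT record is simply not published where the outside world looks, and no local caching server will fix that.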
---------------------------------------------------------------------
QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------