On Tue, Feb 11, 2025 at 11:20:54AM +0100, Danjel Jungersen via Postfix-users wrote:
> On 11-02-2025 10:31, Viktor Dukhovni via Postfix-users wrote:
> > Use a validating resolver on the local machine as a cache that forwards
> > to that upstream. You SHOULD NOT trust the AD bit from a resolver
> > running on another machine, the DNS protocol (DoH aside, when you
> > fully trust the upstream) is not immune to MiTM attacks.
>
> Would setting up a secondary bind, on my local postfix box, solve this?
> Or should I set one up completely on its own?

A secondary is not needed, but if you want a secondary, you can do that.
Keep in mind that when a resolver hosts authoritative zones, its responses
set the AA flag rather than the AD flag, and Postfix does not currently
consider the AA flag as an indication that the response is trustworthy.
So if you want to have usable TLSA records in a zone, you should not be a
primary or secondary for that zone.

> Would love to not have duplicate zone setups

You don't need to.

> I'm no expert to say the least, so this may be a stupid question:
> If setting up a completely separate bind is preferred, could I make an
> "empty" setup and use my primary as forwarder?

Yes, that's the idea. With "unbound" it is quite typical to not be
authoritative for any zones; unlike BIND, it is not also designed to be a
fully-featured authoritative server.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
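Added example, not part of the thread above and not from the Postfix or Unbound projects: the "empty" forwarding setup Viktor describes, written out as an Unbound configuration that hosts no zones and forwards to the upstream, the Postfix main.cf settings that make DANE depend on the AD bit, and a small check that inspects `dig +dnssec` output for the AD flag so you can see the AA-versus-AD difference before trusting TLSA lookups. The upstream address 192.0.2.53, the trust-anchor path and the sample `dig` flag lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): local validating Unbound
# forwarding to an upstream, plus a check for the AD flag on TLSA answers.

# Unbound config: validating cache on 127.0.0.1 that serves NO authoritative
# zones and forwards everything to the upstream. Upstream address and
# trust-anchor path are assumptions; adjust for your site.
unbound_conf() {
cat <<'EOF'
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # managed root trust anchor (RFC 5011); path is an assumption
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # no local-zone / auth-zone here: an authoritative (AA) answer never
    # carries the AD bit, so Postfix would not treat its TLSA data as usable
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
EOF
}

# Postfix settings that enable DANE. Postfix only honours the AD bit, so the
# system resolver (resolv.conf) must point at the local validating cache.
postfix_main_cf() {
cat <<'EOF'
# /etc/resolv.conf must contain: nameserver 127.0.0.1
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
EOF
}

# Read `dig +dnssec` output on stdin; succeed only if the header flags line
# contains the "ad" (authenticated data) flag. "aa" (authoritative answer)
# is deliberately not accepted, matching Postfix's behaviour.
dig_answer_is_validated() {
    grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# Constructed sample flag lines (not captured from a real server):
# a validating recursive resolver sets "ad"; an authoritative server sets "aa".
SAMPLE_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AUTHORITATIVE=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live usage against the local cache (needs network and a DNSSEC-signed zone):
#   dig +dnssec TLSA _25._tcp.mx.example.com @127.0.0.1 | dig_answer_is_validated \
#       && echo "AD set: Postfix will use these TLSA records" \
#       || echo "no AD bit: check resolver, trust anchor or zone signing"
```

The check mirrors the point in the reply: a zone you host yourself answers with AA, and nothing in the AD check above will accept that, so keep the validating cache free of the zones whose TLSA records it must validate.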