On Tue, Feb 26, 2013 at 09:58:54AM -0500, Robert Moskowitz wrote:

> I have recently updated my DNS server and am observing the traffic
> from my mail server to constantly query for names.  Some of these
> names are frequent requests, for example: zen.spamhaus.org.  So I
> was thinking that I could benefit from running a namecaching setup
> on my mail server platform.  This would cut down on traffic and time
> on my mail server.
> 
> Is this a practice that is common?  Are there any downsides to doing this?

When Postfix support for DANE (RFC 6698) is introduced, there will
be a requirement to operate a local nameserver that is DNSSEC aware
on any machine that wants to take advantage of peer certificate details
published via DNSSEC to scalably deliver verified TLS email to many
sites without the overhead of local per-site configuration.

Consider not only deploying a local cache, but also making sure
that it is DNSSEC aware. I recommend "unbound" from nlnetlabs.nl.
Of course you don't have to use DANE and TLS, but you still benefit
from a local cache regardless.

Setting up DNSSEC on a local unbound cache that forwards all queries
to an upstream server boils down to:

    /etc/unbound/unbound.conf
        server:
            ... other server settings ...
            #
            # Local (non-public) cache listens only on the loopback interface.
            #
            interface: 127.0.0.1
            interface: ::1
            access-control: 127.0.0.1 allow
            access-control: ::1 allow
            #
            # Enable internal non-DNSSEC RFC 1918 nets.
            #
            local-zone: "10.in-addr.arpa." nodefault
            domain-insecure: "10.in-addr.arpa."
            #
            local-zone: "16.172.in-addr.arpa." nodefault
            domain-insecure: "16.172.in-addr.arpa."
            #
            local-zone: "17.172.in-addr.arpa." nodefault
            domain-insecure: "17.172.in-addr.arpa."
            ...
            #
            local-zone: "30.172.in-addr.arpa." nodefault
            domain-insecure: "30.172.in-addr.arpa."
            #
            local-zone: "31.172.in-addr.arpa." nodefault
            domain-insecure: "31.172.in-addr.arpa."
            #
            local-zone: "168.192.in-addr.arpa." nodefault
            domain-insecure: "168.192.in-addr.arpa."
            #
            # Internal domains may map to private addresses,
            # and may not be DNSSEC signed.
            #
            private-domain: "example.com."
            domain-insecure: "example.com."

            #
            # root zone key fingerprint, get your copy from a trusted source.
            # AND update it from time to time if and when the root zone key is
            # updated.
            #
            trust-anchor: ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"

        # Forward all requests to upstream server at 192.0.2.1
        # This server must not forward queries for internal
        # names (forward or reverse) to the public internet.
        #
        forward-zone:
            name: "."
            forward-addr: "192.0.2.1"

-- 
        Viktor.
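
As an added example (not part of Viktor's message or of the unbound project), the following Python script generalizes two parts of the configuration above: it enumerates every RFC 1918 reverse zone that needs a `local-zone ... nodefault` / `domain-insecure` pair (the message elides the 172.17 through 172.30 entries with "..."), renders those lines together with the `private-domain` entries for internal forward domains, and sanity-checks a `trust-anchor:` line so that a line-wrapped or truncated root DS record is caught before unbound is started. The DS value used in the check is the one quoted in the message; the function names and the `example.com` domain are assumptions made for this example.

```python
import ipaddress
import re

# RFC 1918 private networks; the reverse zones for these are the ones the
# message marks nodefault/domain-insecure so internal PTR lookups stay local.
RFC1918_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(cidr):
    """Return the in-addr.arpa zones covering a private network, one per
    octet-aligned block (a /12 expands to sixteen /16 reverse zones)."""
    net = ipaddress.ip_network(cidr)
    # Round the prefix length up to the next octet boundary, then enumerate.
    aligned = -(-net.prefixlen // 8) * 8
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa.")
    return zones


def render_insecure_zones(private_domains=()):
    """Render the server: fragment for every RFC 1918 reverse zone, plus a
    private-domain/domain-insecure pair for each internal forward domain."""
    lines = []
    for cidr in RFC1918_NETS:
        for zone in reverse_zones(cidr):
            lines.append(f'    local-zone: "{zone}" nodefault')
            lines.append(f'    domain-insecure: "{zone}"')
    for dom in private_domains:
        dom = dom.rstrip(".") + "."          # unbound wants the trailing dot
        lines.append(f'    private-domain: "{dom}"')
        lines.append(f'    domain-insecure: "{dom}"')
    return "\n".join(lines) + "\n"


# DS digest types and the hex length of their digests (RFC 4509 / RFC 6605).
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def check_trust_anchor(line):
    """Sanity-check a trust-anchor line: it must be a single quoted DS record
    for the root whose digest length matches its digest type.
    Returns (ok, reason); a line wrapped across two lines fails here."""
    pattern = (
        r'[ \t]*trust-anchor:[ \t]*"\.[ \t]+IN[ \t]+DS[ \t]+'
        r'(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+([0-9A-Fa-f]+)"[ \t]*\n?'
    )
    m = re.fullmatch(pattern, line)
    if not m:
        return False, "not a single-line root DS trust anchor"
    keytag, alg, dtype, digest = int(m[1]), int(m[2]), int(m[3]), m[4]
    expected = DS_DIGEST_HEX_LEN.get(dtype)
    if expected is None:
        return False, f"unknown DS digest type {dtype}"
    if len(digest) != expected:
        return False, (f"digest type {dtype} expects {expected} hex chars, "
                       f"got {len(digest)}")
    return True, f"key tag {keytag}, algorithm {alg}, digest type {dtype}"


if __name__ == "__main__":
    # Constructed sample: the root DS quoted in the message, on one line.
    anchor = ('trust-anchor: ". IN DS 19036 8 2 '
              '49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"')
    print(render_insecure_zones(["example.com"]))
    print(check_trust_anchor(anchor))
```

Paste the rendered lines into the `server:` clause; the trust anchor itself should still come from a trusted source (or be managed with unbound's `auto-trust-anchor-file`, which keeps it current under RFC 5011 rollover) rather than copied from a mailing-list post.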
