On Feb 26, 2013, at 11.51, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Tue, Feb 26, 2013 at 09:58:54AM -0500, Robert Moskowitz wrote:
>
>> I have recently updated my DNS server and am observing the traffic
>> from my mail server to constantly query for names. Some of these
>> names are frequent requests, for example: zen.spamhaus.org. So I
>> was thinking that I could benefit from running a namecaching setup
>> on my mail server platform. This would cut down on traffic and time
>> on my mail server.
>>
>> Is this a practice that is common? Are there any downsides to doing this?
>
> When Postfix support for DANE (RFC 6698) is introduced, there will
> be a requirement to operate a local nameserver that is DNSSEC aware
> on any machine that wants to take advantage of peer certificate details
> published via DNSSEC to scalably deliver verified TLS email to many
> sites without the overhead of local per-site configuration.

Why must the nameserver be local? I gather the point is to be able to
trust the DNS responses, which of course goes without saying, but there
are methods for accomplishing this in scenarios with a non-local
nameserver, aren't there? I think RFC 6698 speaks to this briefly?

-ben
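Added example, not part of the thread above and not Postfix code: it shows the two pieces a DANE client actually depends on from its resolver, the AD ("Authentic Data") flag in the DNS response header, which is the only thing that tells the client the RRset was DNSSEC-validated, and the TLSA RDATA layout from RFC 6698 (usage, selector, matching type, certificate association data). The AD bit is set by the validating resolver and is not itself signed, which is why it is only meaningful when the path to that resolver cannot be tampered with (a resolver on localhost being the simplest such case). The DNS header and TLSA record below are constructed inline; the "certificate" is a placeholder byte string rather than real DER, and the selector is applied to whatever bytes are handed in (a real implementation would extract the SubjectPublicKeyInfo for selector 1).

```python
import hashlib
import struct

# --- DNS header (RFC 1035 s4.1.1, AD/CD bits from RFC 4035 s3.2.3) ---
# Flags word, MSB first: QR | Opcode(4) | AA | TC | RD | RA | Z | AD | CD | RCODE(4)
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; returns the flag bits a DANE client cares about."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),   # resolver asserts DNSSEC validation succeeded
        "cd": bool(flags & FLAG_CD),   # checking disabled: validation was skipped
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def usable_for_dane(hdr: dict) -> bool:
    """A TLSA answer may drive certificate verification only if it is a
    NOERROR response with AD set and CD clear. Note the AD bit is an unsigned
    claim by the resolver: trusting it presumes an untamperable path to that
    resolver, e.g. one running on the same host."""
    return hdr["qr"] and hdr["rcode"] == 0 and hdr["ad"] and not hdr["cd"]


# --- TLSA RDATA (RFC 6698 s2.1) ---
def build_tlsa_rdata(usage: int, selector: int, mtype: int, cert: bytes) -> bytes:
    """Construct TLSA RDATA for a certificate (matching type 0 = full, 1 = SHA-256, 2 = SHA-512)."""
    assoc = {0: lambda c: c,
             1: lambda c: hashlib.sha256(c).digest(),
             2: lambda c: hashlib.sha512(c).digest()}[mtype](cert)
    return bytes([usage, selector, mtype]) + assoc


def parse_tlsa_rdata(rdata: bytes) -> dict:
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than 3 bytes")
    return {"usage": rdata[0], "selector": rdata[1],
            "matching_type": rdata[2], "cert_assoc": rdata[3:]}


def tlsa_matches(tlsa: dict, cert: bytes) -> bool:
    """Compare a peer certificate (or SPKI for selector 1; the caller supplies the
    already-selected bytes here) against the association data in the TLSA record."""
    mtype = tlsa["matching_type"]
    if mtype == 0:
        candidate = cert
    elif mtype == 1:
        candidate = hashlib.sha256(cert).digest()
    elif mtype == 2:
        candidate = hashlib.sha512(cert).digest()
    else:
        return False   # unknown matching type: unusable record
    return candidate == tlsa["cert_assoc"]


# --- constructed samples (not real DNS traffic or a real certificate) ---
SAMPLE_CERT = b"constructed-placeholder-cert-bytes-not-real-DER"
SAMPLE_RDATA = build_tlsa_rdata(usage=3, selector=1, mtype=1, cert=SAMPLE_CERT)
# Response header: QR|RD|RA|AD, NOERROR, one question, one answer.
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234,
                                 FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
# Same answer but from a non-validating path: AD clear.
UNVALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234,
                                   FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)


def verify_peer(response: bytes, rdata: bytes, cert: bytes) -> bool:
    """Full decision: only a validated TLSA answer whose association data matches
    the presented certificate authenticates the peer."""
    hdr = parse_header(response)
    if not usable_for_dane(hdr):
        return False
    return tlsa_matches(parse_tlsa_rdata(rdata), cert)


if __name__ == "__main__":
    print("validated path  :", verify_peer(VALIDATED_RESPONSE, SAMPLE_RDATA, SAMPLE_CERT))
    print("unvalidated path:", verify_peer(UNVALIDATED_RESPONSE, SAMPLE_RDATA, SAMPLE_CERT))
    print("wrong cert      :", verify_peer(VALIDATED_RESPONSE, SAMPLE_RDATA, b"other"))
```

The `UNVALIDATED_RESPONSE` case is the one a forwarding or non-DNSSEC-aware resolver produces: the TLSA data is byte-for-byte identical, but without AD the client has no basis for using it, and with a remote resolver an on-path attacker could equally strip or set that bit.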