On Thu, Jan 16, 2014 at 06:40:49AM -0700, LuKreme wrote:

> On 15 Jan 2014, at 22:52 , Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> > IMPORTANT DISCLAIMER:  If you want to try DANE security in the
> > Postfix SMTP client, you MUST ensure that /etc/resolv.conf contains
> > only "127.0.0.1" and/or "::1" as nameserver entries.
> 
> Is this normal? I was told, back in the previous millennium, that
> slave DNS should have the primary in /etc/resolv.conf and that the
> primary should have (if possible) the slave DNS servers in its
> /etc/resolv.conf. I've always done that, but I've also never questioned
> it as it was something that sort of seemed to make sense.

Postfix delegates all DNSSEC cryptography to the recursive resolver,
and requires that the communication path to that resolver (or set
of resolvers) be a secure channel.  Using 127.0.0.1:53 qualifies.
If your resolver library supports TSIG and you can configure
appropriate channel security mechanisms in /etc/resolv.conf, you
can use remote nameservers where a secure channel is established via
TSIG; otherwise, the "IMPORTANT DISCLAIMER" applies.

I should point out that the concepts of "primary" and "slave" apply
to authoritative servers, not caching recursive resolvers.

I am well aware that historically, the "bind" DNS software has
combined authoritative and recursive servers in a single daemon
process.  This design has led to a number of problems over the
years, but they've been worked-around in various ways, and the
design persists...

If at all possible, you should not use your authoritative (primary
or slave) servers as recursive caches; this increases the attack
surface for cache poisoning attacks and related bugs.

A more advanced architecture uses separate daemon processes that
are recursive caches listening on TCP/UDP port:address combinations
distinct from those used by authoritative servers for your domain.

> Of course, 127.0.0.1 is first...

On a Postfix MTA with DANE security, list *only* 127.0.0.1 in
/etc/resolv.conf, and operate a recursive cache listening on
127.0.0.1:53. If that cache happens to also be an authoritative
"bind-like" server, so be it.

-- 
        Viktor.
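As an added example (not from the thread or from Postfix itself), a small checker for the resolv.conf requirement discussed above: it parses the nameserver entries and flags any that are not exactly 127.0.0.1 or ::1, which is the condition under which Postfix can trust the resolver's DNSSEC validation over a local channel. The sample resolv.conf contents and the 192.0.2.53 address are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Addresses accepted as DNSSEC-trusted resolvers, per the "IMPORTANT
# DISCLAIMER" in the thread: strict match, not "any loopback address".
TRUSTED_RESOLVERS = {"127.0.0.1", "::1"}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses in resolv.conf text, in listed order.
    Comments (# or ;) and other keywords (search, options, ...) are skipped."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def check_dane_resolvers(resolv_conf: str) -> Tuple[bool, List[str]]:
    """Return (ok, offending). ok is True only when at least one nameserver
    entry exists and every entry normalizes to 127.0.0.1 or ::1.
    Unparseable addresses are reported as offending rather than ignored."""
    servers = parse_nameservers(resolv_conf)
    offending = []
    for addr in servers:
        try:
            normalized = str(ipaddress.ip_address(addr))  # e.g. 0:0:0:0:0:0:0:1 -> ::1
        except ValueError:
            offending.append(addr)
            continue
        if normalized not in TRUSTED_RESOLVERS:
            offending.append(addr)
    return (bool(servers) and not offending, offending)


# Constructed sample files (not real hosts): one that meets the requirement,
# one configured the "slave lists the primary" way the question describes.
GOOD_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver ::1\n"
BAD_RESOLV_CONF = (
    "# secondary pointing at the primary, pre-DANE style\n"
    "nameserver 127.0.0.1\n"
    "nameserver 192.0.2.53  # primary, no secure channel\n"
    "search example.com\n"
)

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:  # run on the Postfix host itself
        ok, bad = check_dane_resolvers(fh.read())
    print("DANE-safe resolver config" if ok else f"NOT DANE-safe, offending: {bad}")
```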
