On 26 Feb 2014, at 00:29, li...@rhsoft.net wrote:

> On 25.02.2014 17:41, Dirk Stöcker wrote:
>> On Tue, 25 Feb 2014, Viktor Dukhovni wrote:
>>>> smtp_dns_support_level = dnssec
>>>> 
>>>> was enough to fix this. I'll see how many servers will have a
>>>> "Verified" connection in the future.
>>> 
>>> I hope you read the note about the importance of having 127.0.0.1
>>> and/or ::1 as the only nameservers listed in /etc/resolv.conf, and
>> 
>> No, did not read it, but this was obvious :-)
> 
> why and how should this work for real networks where
> you have two DNS servers for failover in the LAN and
> typically no one on the mailserver?
> 
> if 192.168.196.1 and 192.168.196.2 support DNSSEC it
> has to work if both of them are in resolv.conf, otherwise
> DANE will not happen in the real world

The local resolver can have the resolvers on the LAN configured as 
forwarders, but you need the local stub resolver. No reason not to have 
one, really, especially on a busy mail server.

Kind regards,
Joni
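
A check for the resolv.conf condition discussed in this thread (only 127.0.0.1 and/or ::1 listed as nameservers), as an added example that is not part of the original messages. The function name and both sample files are constructed for illustration; the LAN addresses are the ones quoted above.

```python
import ipaddress
import sys

def non_loopback_nameservers(resolv_conf_text):
    """Return the nameserver entries that are not loopback addresses."""
    offenders = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        # resolv.conf comments start with '#' or ';'
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] != "nameserver" or len(fields) < 2:
            continue
        # Drop an IPv6 zone id such as fe80::1%eth0 before parsing
        addr = fields[1].split("%", 1)[0]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            offenders.append(fields[1])  # unparsable entry, report it
            continue
        if not ip.is_loopback:
            offenders.append(fields[1])
    # No nameserver lines at all: the libc resolver falls back to the
    # local machine, so an empty result is correct in that case too.
    return offenders

# Constructed sample: LAN resolvers listed directly, as in the question
SAMPLE_LAN = """\
search example.com
nameserver 192.168.196.1
nameserver 192.168.196.2
"""

# Constructed sample: only the local resolver is listed
SAMPLE_LOCAL = """\
# local validating resolver, forwarding to the LAN resolvers
nameserver 127.0.0.1
nameserver ::1
options edns0
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as fh:
        bad = non_loopback_nameservers(fh.read())
    for entry in bad:
        print(f"{path}: non-loopback nameserver {entry}")
    sys.exit(1 if bad else 0)
```

The script exits non-zero when any listed nameserver is off-host, so it can run as a pre-flight check before `smtp_dns_support_level = dnssec` is enabled.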
