On 26 Feb 2014, at 00:54, li...@rhsoft.net wrote:

> On 26.02.2014 00:46, DTNX Postmaster wrote:
>> On 26 Feb 2014, at 00:29, li...@rhsoft.net wrote:
>>> On 25.02.2014 17:41, Dirk Stöcker wrote:
>>>> On Tue, 25 Feb 2014, Viktor Dukhovni wrote:
>>>>>> smtp_dns_support_level = dnssec
>>>>>>
>>>>>> was enough to fix this. I'll see how many servers will have a
>>>>>> "Verified" connection in the future.
>>>>>
>>>>> I hope you read the note about the importance of having 127.0.0.1
>>>>> and/or ::1 as the only nameservers listed in /etc/resolv.conf, and
>>>>
>>>> No, did not read it, but this was obvious :-)
>>>
>>> Why and how should this work for real networks where
>>> you have two DNS servers for failover in the LAN and
>>> typically no one on the mailserver?
>>>
>>> If 192.168.196.1 and 192.168.196.2 support DNSSEC it
>>> has to work if both of them are in resolv.conf, otherwise
>>> DANE will not happen in the real world.
>>
>> The local resolver can have the resolvers on the LAN configured as
>> forwarders, but you need the local stub resolver. No reason not to have
>> one, really, especially on a busy mail server.
>
> Yes, you normally have a local resolver on the mailserver,
> but you hardly trust that one alone, and in case it crashes
> you typically have another one on the LAN.
>
> mailserver's /etc/resolv.conf:
> 127.0.0.1
> 192.168.196.1
> 192.168.192.2
If you cannot trust a local resolver by itself, as the only resolver configured at the system level, you have a different problem that has nothing to do with DANE, or Postfix. For DANE to work properly and reliably, local only is a requirement.

Mvg,
Joni
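As an added example that is not part of the thread, the following audit script checks the point made above: with `smtp_dns_support_level = dnssec`, every `nameserver` in /etc/resolv.conf must be a loopback address (127.0.0.1 or ::1), so the resolv.conf from the quoted mail would be flagged. The function names and the embedded sample files are constructed for this example.

```python
"""Audit resolv.conf for Postfix DANE: the "dnssec" support level relies on
DNSSEC validation being done by a trusted resolver on the host itself, so
only loopback nameservers may be listed.  (Constructed example, not Postfix code.)"""
import ipaddress

# Constructed sample: the resolv.conf posted in the thread (mixed local + LAN).
THREAD_RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 192.168.196.1
nameserver 192.168.192.2
"""

# Constructed sample: what the reply asks for (local validating resolver only).
LOCAL_ONLY_RESOLV_CONF = """\
# local unbound/bind forwarding to the LAN resolvers
nameserver 127.0.0.1
nameserver ::1
"""


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf text, in file order.
    Lines starting with '#' or ';' are comments; malformed entries are skipped."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # not an IP literal; the stub resolver would ignore it too
    return servers


def non_loopback_nameservers(resolv_conf_text):
    """Return (as strings) every listed nameserver that is not 127.0.0.0/8 or ::1."""
    return [str(ns) for ns in parse_nameservers(resolv_conf_text) if not ns.is_loopback]


def dane_resolver_ok(resolv_conf_text, smtp_dns_support_level):
    """True when the resolver setup is safe for the given Postfix setting.
    Only 'dnssec' depends on a trustworthy validating resolver; an empty
    nameserver list is treated as unsafe because nothing local is validating."""
    if smtp_dns_support_level.strip().lower() != "dnssec":
        return True
    servers = parse_nameservers(resolv_conf_text)
    return bool(servers) and all(ns.is_loopback for ns in servers)


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        text = fh.read()
    print("offending nameservers:", non_loopback_nameservers(text))
```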