Viktor Dukhovni wrote:
> There are two prerequisites for DANE verification to happen:
> 1. Your DNS resolver in /etc/resolv.conf needs to be a *validating*
> DNS resolver and for any meaningful security must be either on
> the loopback interface or reachable via a securely keyed IPsec
> tunnel or similar.
I'm curious how necessary this really is in the case of "many" servers
all talking to a local cache on the same switch. Do I really have to
set up IPsec tunnels for DANE-friendly DNS resolution on those machines?
Setting up a cache on each machine would be simpler, but then you lose
the benefit of merging cached results from multiple requesting systems -
you end up either forwarding to another local cache anyway, or
multiplying your external DNS lookup traffic by the number of servers in
the cluster.
-kgd
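Two checks that follow from the prerequisite quoted above, as an added example that is not part of this thread and not code from Viktor or the poster: whether every nameserver in a resolv.conf is on the loopback interface, and whether a DNS response header carries the AD (Authenticated Data) bit that a validating resolver sets. The resolv.conf texts and the DNS header bytes are constructed samples; the function names are my own. The AD bit only means something if the path to the resolver cannot be tampered with, which is exactly why the quoted text wants the resolver on loopback or behind IPsec: a cache reached over a shared switch returns the same bit, but an on-path host could forge it.

```python
import ipaddress
import struct

# Constructed sample: the "many servers, one cache on the switch" layout.
RESOLV_CONF_SWITCH = """# constructed example, cache on the LAN
nameserver 10.0.0.53
search example.invalid
"""

# Constructed sample: a validating resolver on the host itself.
RESOLV_CONF_LOOPBACK = """nameserver 127.0.0.1
nameserver ::1
options edns0 trust-ad
"""


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolver_on_loopback(text):
    """True only if every configured nameserver is a loopback address.

    A resolver on the LAN (even on the same switch) fails this check, which
    is the situation the quoted prerequisite says needs IPsec or similar.
    """
    servers = parse_nameservers(text)
    if not servers:
        return False
    return all(ipaddress.ip_address(s).is_loopback for s in servers)


# DNS header flags word (RFC 1035 / RFC 4035): QR Opcode(4) AA TC RD RA Z AD CD RCODE(4)
AD_FLAG = 0x0020


def response_is_authenticated(packet):
    """Return True if the AD bit is set in the 12-byte DNS response header."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    _qid, flags = struct.unpack("!HH", packet[:4])
    return bool(flags & AD_FLAG)


def build_header(flags, qid=0x1234):
    """Constructed DNS header: id, flags, qdcount=1, ancount=1, nscount=0, arcount=0."""
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)


# Constructed responses: QR+RD+RA with and without AD.
VALIDATED_RESPONSE = build_header(0x81A0)
UNVALIDATED_RESPONSE = build_header(0x8180)


def dane_lookup_trustworthy(resolv_text, packet):
    """Both conditions together: validated answer AND a resolver path we can trust."""
    return resolver_on_loopback(resolv_text) and response_is_authenticated(packet)


if __name__ == "__main__":
    for name, conf in (("switch", RESOLV_CONF_SWITCH), ("loopback", RESOLV_CONF_LOOPBACK)):
        print(name, "loopback resolver:", resolver_on_loopback(conf))
    print("AD set on validated sample:", response_is_authenticated(VALIDATED_RESPONSE))
    print("trustworthy (switch):", dane_lookup_trustworthy(RESOLV_CONF_SWITCH, VALIDATED_RESPONSE))
    print("trustworthy (loopback):", dane_lookup_trustworthy(RESOLV_CONF_LOOPBACK, VALIDATED_RESPONSE))
```

Running it shows the distinction the thread is about: the LAN cache sample returns an AD-flagged answer just like the loopback one, so the flag alone cannot tell you whether the result is safe to act on; only the loopback configuration passes `dane_lookup_trustworthy`.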