On Fri, 8 Jun 2012, Benny Pedersen wrote:
> On 2012-06-08 20:29, Kevin A. McGrail wrote:
>> I think we can agree that local caching name server is the correct
>> solution in 99.9% of the cases, yes?
> is 0.1% the geek people on SpamAssassin ? :=)
> I'm just trying to find where forwards are useful when dig +trace example.org is
> not using forwards
The 0.1% is for people who manage a site that runs multiple smtp-MX servers.
In that case you set up one "big beefy bind" server with no forwarders
(goes directly to roots and any local data-feed provided DNS sources,
such as a purchased feed of spamhaus).
Then on each smtp-MX server you set up a bind that forwards to your
big-beefy-bind(tm).
That way when a spam run tries multiple MXs for your domain, the first
hit goes MX->BBB-> remote-RBL-or-other-source
then when they hit your next MX server, the RBL queries for that message
are answered by BBB cache so no additional off-site RBL queries.
Hopefully by the time you get to the need for this kind of complexity
you have the knowledge & skill-set to handle it. ;)
Bottom line, if you need trustworthy DNS service don't forward to DNS
servers you don't trust. (kinda like setting your trusted networks in SA).
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
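
The two-tier layout described in the message above, sketched as BIND configuration. This is an added example, not configuration from the original post; the addresses (192.0.2.53 for the central resolver, 192.0.2.10-12 for the MX hosts) and the /var/named directory are constructed placeholders.

```conf
// ---- named.conf on the central resolver ("big beefy bind") ----
// Assumed addresses: 192.0.2.53 = this resolver, 192.0.2.10-12 = MX hosts.
acl mx-hosts { 192.0.2.10; 192.0.2.11; 192.0.2.12; };

options {
    directory "/var/named";          // assumed path, varies by distribution
    listen-on { 127.0.0.1; 192.0.2.53; };
    recursion yes;
    // No "forwarders" statement here: this server resolves iteratively
    // from the roots, so no third-party resolver sits in the answer path.
    // Only the MX hosts may query it or read its cache.
    allow-query       { localhost; mx-hosts; };
    allow-recursion   { localhost; mx-hosts; };
    allow-query-cache { localhost; mx-hosts; };
};

// ---- named.conf on each smtp-MX host ----
// /etc/resolv.conf on the MX host points at 127.0.0.1.
options {
    directory "/var/named";          // assumed path
    listen-on { 127.0.0.1; };        // serves the local mail stack only
    recursion yes;
    allow-query     { localhost; };
    allow-recursion { localhost; };
    // Send every cache miss to the central resolver. When a second MX
    // sees the same spam run, its RBL lookups are answered from the
    // central cache instead of going off-site again.
    forwarders { 192.0.2.53; };
    // "forward only" never falls back to resolving from the roots
    // itself; "forward first" would fall back if the forwarder fails.
    forward only;
};
```

The only forwarder listed is a server the site operates itself, which is the trust point the message closes on.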