1. MTAs should run their own caching resolvers, even if they forward
to another caching resolver upstream (e.g. 8.8.8.8).
I used to run a local caching server, but ran into a problem when I
first started using DNSSEC. To make life a little easier while sorting
out the DNSSEC problems I got rid of it.
Reinstated as of today.
Using posttls-finger now produces expected results.
2. If you are doing any RBL lookups, you must not make them via an
upstream forwarder (avoid looking up RBLs via 8.8.8.8 and friends).
A little thought and this is obvious.
3. If you want any security from DANE when sending outbound
email to remote domains, you MUST use a local 127.0.0.1
resolver that validates DNSSEC record signatures for itself.
Done, but why?
If you're not using 'smtp_tls_security_level = dane', then
the local resolver is not essential for security, but is still
a good idea.
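The three points above (loopback resolver so RBL and TLSA lookups never go through an upstream forwarder, a resolver that validates DNSSEC itself, and Postfix set to the dane level) can be checked mechanically. The script below is an added example and is not code from anyone in this thread or from the Postfix project; it works on captured text from `cat /etc/resolv.conf`, `dig +dnssec <zone> SOA` and `postconf -n`, so it runs offline. The function names are my own, and the sample outputs embedded at the bottom are constructed for illustration. The two Postfix parameters it looks for, `smtp_tls_security_level` and `smtp_dns_support_level`, are real Postfix settings.

```python
"""Resolver and DANE readiness checks for an outbound MTA (added example)."""
import ipaddress
import re


def resolver_is_loopback_only(resolv_conf: str) -> bool:
    """True if every 'nameserver' entry is a loopback address (127.0.0.1 / ::1).

    Point 1 and 2 of the thread: lookups (RBL, TLSA) must not leave the host
    via an upstream forwarder such as 8.8.8.8.
    """
    servers = []
    for line in resolv_conf.splitlines():
        # resolv.conf comments start with '#' or ';'
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    if not servers:
        return False  # no resolver at all is not "a local resolver"
    try:
        return all(ipaddress.ip_address(s).is_loopback for s in servers)
    except ValueError:
        return False  # unparseable address: treat as not trustworthy


def dig_answer_is_validated(dig_output: str) -> bool:
    """True if a dig answer for a signed zone carries status NOERROR and the AD flag.

    Point 3: the resolver must validate signatures itself. A non-validating
    resolver answers without AD; a validating resolver whose validation fails
    (bogus or stale signatures) typically answers SERVFAIL instead.
    """
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    if not status or not flags:
        return False
    return status.group(1) == "NOERROR" and "ad" in flags.group(1).split()


def postfix_dane_settings(postconf_output: str) -> dict:
    """Parse 'key = value' lines from `postconf -n` and report the two DANE settings."""
    settings = {}
    for line in postconf_output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return {
        "dane_level": settings.get("smtp_tls_security_level") == "dane",
        "dnssec_support": settings.get("smtp_dns_support_level") == "dnssec",
    }


def assess(resolv_conf: str, dig_output: str, postconf_output: str) -> dict:
    """Combine the three checks into one verdict with a list of problems."""
    problems = []
    if not resolver_is_loopback_only(resolv_conf):
        problems.append("resolv.conf does not point exclusively at a loopback resolver")
    if not dig_answer_is_validated(dig_output):
        problems.append("resolver returned no AD flag for a signed zone "
                        "(not validating, or validation is failing)")
    pf = postfix_dane_settings(postconf_output)
    if not pf["dane_level"]:
        problems.append("smtp_tls_security_level is not 'dane'")
    if not pf["dnssec_support"]:
        problems.append("smtp_dns_support_level is not 'dnssec'")
    return {"ok": not problems, "problems": problems}


# --- constructed sample inputs (not captured from a real host) ---
RESOLV_CONF_OK = "nameserver 127.0.0.1\nsearch example.invalid\n"
RESOLV_CONF_BAD = "# upstream forwarder, as the thread warns against\nnameserver 8.8.8.8\n"
DIG_OK = (
    "; <<>> DiG 9.18.0 <<>> +dnssec example.com SOA\n"
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345\n"
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
)
DIG_NO_AD = DIG_OK.replace("qr rd ra ad;", "qr rd ra;")
POSTCONF_OK = "smtp_dns_support_level = dnssec\nsmtp_tls_security_level = dane\n"
POSTCONF_BAD = "smtp_tls_security_level = may\n"

if __name__ == "__main__":
    print(assess(RESOLV_CONF_OK, DIG_OK, POSTCONF_OK))
    print(assess(RESOLV_CONF_BAD, DIG_NO_AD, POSTCONF_BAD))
```

On a live host the three strings would come from the actual commands; the dig check should be run against a zone you know is signed, and a SERVFAIL there with a loopback resolver is the symptom to investigate before trusting posttls-finger's verdict.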