I thought almost all cloud providers use anycast these days, eliminating the need to serve different IPs per region.

Joachim

-----Original Message-----
From: Viktor Dukhovni via Postfix-users <postfix-users@postfix.org>
Sent: Saturday, March 9, 2024 18:42
To: postfix-users@postfix.org
Subject: [pfx] Re: mta-sts and smtp_tls_security_level

On Sat, Mar 09, 2024 at 10:46:17AM +0100, Joachim Lindenberg via Postfix-users wrote:

> > Viktor Dukhovni:
> > not sufficient market pressure to make it a priority.
> Unfortunately yes, not yet.
> > various load balancers would need to do online DNSSEC signing
> Can you please elaborate why that should be required?

Some of the load balancing is DNS-based, directing users to "nearby" datacentre locations, that are currently up and not experiencing overload. So names like "www.google.com" have return addresses with short TTLs and different content for different queries.

Static DNSSEC signing is a poor fit for this, so signing needs to be on-the-fly. Cloudflare does this, so there is a proof of concept, but it is a non-trivial implementation requiring some engineering effort, well beyond just spinning up BIND or Knot for a statically signed zone.

--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org