I thought almost all cloud providers use anycast these days, eliminating the 
need to serve different IPs per region.
Joachim

-----Original Message-----
From: Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> 
Sent: Saturday, 9 March 2024 18:42
To: postfix-users@postfix.org
Subject: [pfx] Re: mta-sts and smtp_tls_security_level

On Sat, Mar 09, 2024 at 10:46:17AM +0100, Joachim Lindenberg via Postfix-users 
wrote:
> > Viktor Dukhovni:
> > not sufficient market pressure to make it a priority.
> Unfortunately yes, not yet.
> > various load balancers would need to do online DNSSEC signing
> Can you please elaborate why that should be required?

Some of the load balancing is DNS-based, directing users to "nearby"
datacentre locations, that are currently up and not experiencing overload.  So 
names like "www.google.com" have return addresses with short TTLs and different 
content for different queries.

Static DNSSEC signing is a poor fit for this, so signing needs to be 
on-the-fly.  Cloudflare does this, so there is a proof of concept, but it is a 
non-trivial implementation requiring some engineering effort, well beyond just 
spinning up BIND or Knot for a statically signed zone.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an 
email to postfix-users-le...@postfix.org
