On Wed, Feb 26, 2014 at 12:46:13AM CET, DTNX Postmaster <postmas...@dtnx.net> 
said:
> On 26 Feb 2014, at 00:29, li...@rhsoft.net wrote:
> 
> > Am 25.02.2014 17:41, schrieb Dirk Stöcker:
> >> On Tue, 25 Feb 2014, Viktor Dukhovni wrote:
> >>>> smtp_dns_support_level = dnssec
> >>>> 
> >>>> was enough to fix this. I'll see how many servers will have a
> >>>> "Verified" connection in the future.
> >>> 
> >>> I hope you read the note about the importance of having 127.0.0.1
> >>> and/or ::1 as the only nameservers listed in /etc/resolv.conf, and
> >> 
> >> No, did not read it, but this was obvious :-)
> > 
> > why and how should this work for real networks where
> > you have two DNS servers for failover in the LAN and
> > typically no one on the mailserver?
> > 
> > if 192.168.196.1 and 192.168.196.2 support DNSSEC it
> > has to work if both of them are in resolv.conf, otherwise
> > DANE will not happen in the real world
> 
> The local resolver can have the resolvers on the LAN configured as 
> forwarders, but you need the local stub resolver. No reason not to have 
> one, really, especially on a busy mail server.

However, your "local" resolver could be in another jail/zone/container
(depending on your OS) with another IP address and not the loopback.

You could also have an IPsec link to your resolver so that you can trust
that you use the right one. This 127.0.0.1 (or ::1) rule is, in my view,
too restrictive, but you do need a trusted link between your Postfix and
your resolver.
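A check for the resolv.conf requirement discussed in this thread, added here as an example and not taken from any message in it: a POSIX shell function that reports whether every `nameserver` entry points at a loopback address, plus a live `dig`-based check that the configured resolver sets the AD flag on signed answers (the flag Postfix relies on for DANE). The 192.168.196.x addresses are the ones from the thread; the sample resolv.conf contents and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the host only talks to a
# loopback resolver (as Viktor's note for DANE requires) and, optionally, that
# this resolver actually validates DNSSEC.

# resolv_only_loopback FILE
# Returns 0 when FILE has at least one "nameserver" line and every one of them
# is 127.0.0.0/8 or ::1; returns 1 otherwise and names the offending entries on
# stderr. No nameserver line at all also fails, because libc would then fall
# back to a default that is not the validating resolver.
resolv_only_loopback() {
    _file="$1"
    _count=0
    _bad=0
    while read -r _key _addr _rest; do
        [ "$_key" = "nameserver" ] || continue   # skip options, search, comments, blanks
        _count=$((_count + 1))
        case "$_addr" in
            127.*|::1) ;;
            *) _bad=$((_bad + 1)); echo "non-loopback nameserver: $_addr" >&2 ;;
        esac
    done < "$_file"
    [ "$_count" -gt 0 ] && [ "$_bad" -eq 0 ]
}

# resolver_validates NAMESERVER DOMAIN
# Live check (needs network and dig; not run automatically): a validating
# resolver sets the AD flag when asked for a signed name with +dnssec. Postfix
# trusts exactly this flag for DANE, so run it on the mail host itself, against
# the nameserver that resolv.conf lists.
resolver_validates() {
    dig +dnssec "@$1" "$2" A 2>/dev/null | grep -q '^;; flags:.* ad'
}

# Demonstration on two constructed resolv.conf files (not real hosts).
_tmp=$(mktemp -d)
printf 'nameserver 127.0.0.1\nnameserver ::1\noptions edns0\n' > "$_tmp/good.conf"
printf 'nameserver 192.168.196.1\nnameserver 192.168.196.2\n' > "$_tmp/lan.conf"
for _f in good.conf lan.conf; do
    if resolv_only_loopback "$_tmp/$_f"; then
        echo "$_f: OK, only loopback resolvers"
    else
        echo "$_f: NOT suitable for DANE as-is"
    fi
done
rm -rf "$_tmp"
```

The point of the loopback rule is that Postfix takes the AD bit at face value from whatever resolver resolv.conf names, so a validating resolver on the host (unbound or BIND, forwarding to 192.168.196.1 and .2 as DTNX suggests) keeps the trust decision local; if the resolver lives elsewhere, as in the jail/IPsec setups above, the path to it has to be trusted to the same degree, and `resolver_validates` is the quick way to confirm the AD flag actually arrives.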
