I thought almost all cloud providers use anycast these days, eliminating the
need to serve different IPs per region.
Joachim

-----Original Message-----
From: Viktor Dukhovni via Postfix-users <[email protected]> 
Sent: Saturday, 9 March 2024 18:42
To: [email protected]
Subject: [pfx] Re: mta-sts and smtp_tls_security_level

On Sat, Mar 09, 2024 at 10:46:17AM +0100, Joachim Lindenberg via Postfix-users 
wrote:
> > Viktor Dukhovni:
> > not sufficient market pressure to make it a priority.
> Unfortunately yes, not yet.
> > various load balancers would need to do online DNSSEC signing
> Can you please elaborate why that should be required?

Some of the load balancing is DNS-based, directing users to "nearby"
datacentre locations, that are currently up and not experiencing overload.  So 
names like "www.google.com" have return addresses with short TTLs and different 
content for different queries.

Static DNSSEC signing is a poor fit for this, so signing needs to be 
on-the-fly.  Cloudflare does this, so there's a proof of concept, but it is a 
non-trivial implementation requiring some engineering effort, well beyond just 
spinning up BIND or Knot for a statically signed zone.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- [email protected] To unsubscribe send an 
email to [email protected]
