Dave Taht <dave.taht@gmail.com> writes:

> Since most forwarders can't be trusted to return NXDOMAIN, an internal
> email box at several of my sites runs dns directly. A few dnsrbl
> providers offer ipv6 transport, so it's possible.

Ah, I see. I just run bind on cerowrt. Have to set an ntp server by IP
(or in /etc/hosts; I use an internal GPS-backed server) to bootstrap,
but otherwise it works well.

> One advantage of dnssec is we get NXDOMAIN working again, so a
> forwarder can be used...

Presumably only if the forwarder doesn't strip the dnssec stuff?

-Toke