--On Monday, May 07, 2012 10:05 PM +0000 "Murray S. Kucherawy"
<msk_at_cloudmark.com> wrote:
>> -----Original Message-----
>> From: Quanah Gibson-Mount [mailto:quanah_at_zimbra.com]
>> Sent: Monday, May 07, 2012 2:45 PM
>> To: Rolf E. Sonneveld; Murray S. Kucherawy
>> Cc: opendkim-users_at_lists.opendkim.org
>> Subject: Re: Broken opendkim caching of LDAP result
>>
>> AD's inability to be a real LDAP server doesn't make my point any less
>> valid. LDAP is designed for fast, scalable reads.
>
> AD might be why that optional caching layer was added, actually. (I
> can't remember exactly, and this head cold isn't helping!)
>
> Via a separate compile time option, OpenDKIM can also cache retrieved
> keys to keep the load on DNS down, rather than going to the resolver each
> time something signed is presented for verification.

I can see that the likelihood of data changing in DNS is probably fairly
low. ;) LDAP generally has a higher rate of change.

In any case, disabling the LDAP caching works well. I would put a strong
warning around the LDAP cache option that enabling it requires restarting
opendkim any time you make changes to the LDAP data that could affect
opendkim.

--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Received on Mon May 07 2012 - 22:23:23 PST