use of a DNS cache in front of samba4 internal DNS
David Mansfield
samba at dm.cobite.com
Wed Feb 13 09:58:55 MST 2013
Hi all:
I'd like to understand a little more about how samba4 as an AD uses DNS.
In every document, it stresses the point the DNS must be working
correctly (and resolving against the AD) to have a working domain, but
I'm not sure why.
The reason is that I'd like my mail server to authenticate users against
samba4, however to do this it must resolve DNS against it. But the mail
server gets multiple mails per second and resolves all remote IP
addresses and does other header checks etc. i.e. a ton of DNS traffic.
My current configuration is to have a dedicated DNS cache (djbdns
dnscache) which resolves for the mail server, and I'd like to keep this
configuration if possible.
djbdns dnscache can be configured to resolve different zones using
different servers, so it is possible to configure the cache to resolve
"samdom.example.com" against samba4 and other zones as usual.
So my question is, does samba4 properly use TTL etc. so that this
configuration will work correctly in general?
In particular I'd like postfix to auth. my users, and as I understand it
I have two options, one is to join the machine to the domain
(pam_winbind) and then postfix will authenticate that way (via pam), and
the other would be to use postfix with SASL and in turn have sasl use
kerberos5 or ldap.
In case anyone has read this far and has suggestions, I'd love to hear
them, and also w.r.t using sasl and kerberos5, how do I set up a keytab
and SPN using samba4? I've googled and googled and cannot seem to get
it straight.
Thanks in advance!
David Mansfield
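
The per-zone dnscache setup mentioned in the message, as an added example that is not part of the original post: dnscache reads `servers/<zone>` under its root directory at startup and sends queries for names under that zone to the addresses listed there. The function names, the `/etc/dnscache/root` and `/service/dnscache` paths (the usual dnscache-conf/daemontools locations) and the 192.0.2.10 address are assumptions for illustration.

```shell
#!/bin/sh
# Added example: write a per-zone server list for djbdns dnscache.
# File format: root/servers/<zone>, one dotted-decimal IPv4 address per line.

# Return 0 if $1 is a dotted-decimal IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1          # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# dnscache_delegate ROOT ZONE IP [IP...]
# ROOT is the dnscache root directory (assumed /etc/dnscache/root).
dnscache_delegate() {
    root=$1 zone=$2
    shift 2
    [ -d "$root/servers" ] || { echo "no servers dir under $root" >&2; return 1; }
    # Restrict the zone to hostname characters: this blocks path traversal
    # and refuses "@", the file that holds the root server list.
    case "$zone" in
        ''|*[!A-Za-z0-9.-]*|.*|*..*) echo "bad zone: $zone" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "need at least one server IP" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    # Write to a temporary file, then rename, so a partial list is never read.
    tmp="$root/.servers-$zone.$$"
    printf '%s\n' "$@" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$root/servers/$zone"
}

# Usage (as root; address is a constructed placeholder for the samba4 DC):
#   dnscache_delegate /etc/dnscache/root samdom.example.com 192.0.2.10
#   svc -t /service/dnscache    # restart so the new list is loaded
```

The `_msdcs`, `_tcp` and `_udp` names that AD clients look up sit under `samdom.example.com`, so the single zone file covers them.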