On Wed, Mar 04, 2009 at 11:20:30PM -0500, Paul Wouters wrote: > 1) Should we enable DNSSEC when a recursing nameserver is installed? > 2) If we do, should we enable DLV support? > (The only real DLV being http://dlv.isc.org/) > Both Adam and I think we are ready to enable DNSSEC per default for > those Fedora installs that install a recursive nameservers. > > The DLV has not been very active yet. Likely it contains many keys that > DNS administrators once submitted but then forgot about. Those people > would lose their domains when DLV is used, and could wrongly blame > Fedora for that. I would recommend leaving the DLV disabled for now. > > Though in the future, I would like to see all fedora installs use a > local DNSSEC nameserver using the DNS servers presented by Network > Manager as forwarders, I would not recommend doing that at this point. > > Please, let me know what you think. Feel free to ask any questions. I > would like to hear what people think, and then we can make a collective > decision on how to proceed. I'm not that knowledgeable with DNSSEC, so I defer to your best judgement, but it sounds like you've done a good job, covered all the bases, documented this well, and I think the world needs a push towards DNSSEC, so I say go for it! I agree that the exposure is limited right now since this will not be used as default local caching resolver. You've gotten me all excited now so I'll have to go test this feature right away. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
