Re: default local DNS caching name server

On Fri, Apr 11, 2014 at 16:59:05 -0400,
  Paul Wouters <paul@xxxxxxxxx> wrote:
On Fri, 11 Apr 2014, Bruno Wolff III wrote:

If you don't know there is an exception for a domain (eg at the other
end of a VPN) then you will get the public answers and might not get
where you need to go. Additionally, with DNSSEC there is the problem
that the public view cryptographically proves the internal view does not
exist (eg internal.fedoraproject.org)

With an iterative resolver that may not be true. If the route to the name server that has that information is over the VPN (so that you have the correct source address), you should get the right answer.

Indeed, with DNSSEC we can use them as cache, because we can validate
the answers. But those servers should never be "trusted".

That doesn't get you the right answers though, it only tells you that they are lying.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




