On Tue, 13 Jan 2015, Neal Becker wrote:
> How will this impact the following (common) situation? I carry my Linux laptop between home and work. When at work, I need to use my employer's DNS to look up names of (non-public) local machines.

When connecting to work, dnssec-trigger will probe the DHCP-obtained resolver and use it when it works (well enough to support DNSSEC).

If your work's public DNS view is unsigned, then your corporate DNS server can lie all it wants and we'll believe it.

If your work's public DNS view is signed, then your internal view better be signed with that key too, or else we'll mis-detect it as an attack.

If you connect via VPN to your work, the VPN client should receive the domain and nameservers via the VPN options, and configure a forward inside your resolver. (libreswan IPsec supports this and I use it daily when connecting to the RedHat VPN :)

NetworkManager should allow for a connection property based on network identification where you can configure overrides.

DNSSEC in general will make split view DNS much harder to maintain. We are not introducing this problem - we just have to try and cope with it.

Paul
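
As an added example (not part of the message above and not libreswan's own code), here is a VPN up/down hook that installs the scoped forward the reply describes, assuming the local validating resolver is unbound, as in a dnssec-trigger setup. The function names, the `UNBOUND_CONTROL` override and the rule that refuses the root or a single-label zone are this example's own choices.

```sh
#!/bin/sh
# Added example: scope VPN-pushed DNS servers to the VPN-pushed domain.
# Assumes the local validating resolver is unbound (as under dnssec-trigger).
# Override UNBOUND_CONTROL for a dry run, e.g. UNBOUND_CONTROL="echo unbound-control".
: "${UNBOUND_CONTROL:=unbound-control}"

# Accept only a multi-label name made of hostname characters. Rejecting "",
# "." and single labels keeps a VPN from redirecting the root or a whole TLD;
# rejecting "+" and a leading "-" keeps the value from being read as an option.
valid_domain() {
    case "$1" in
        ''|.*|-*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Coarse character filter for IPv4/IPv6 literals; unbound-control does the real parse.
valid_addr() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# usage: vpn_dns_up DOMAIN ADDR [ADDR...]
vpn_dns_up() {
    [ "$#" -ge 2 ] || { echo "usage: vpn_dns_up DOMAIN ADDR..." >&2; return 1; }
    domain=${1%.}
    shift
    valid_domain "$domain" || { echo "refusing domain '$domain'" >&2; return 1; }
    for addr in "$@"; do
        valid_addr "$addr" || { echo "refusing address '$addr'" >&2; return 1; }
    done
    $UNBOUND_CONTROL forward_add "$domain" "$@" || return 1
    # Drop answers cached from the public view so the internal view applies at once.
    $UNBOUND_CONTROL flush_zone "$domain"
    $UNBOUND_CONTROL flush_requestlist
}

# usage: vpn_dns_down DOMAIN
vpn_dns_down() {
    domain=${1%.}
    valid_domain "$domain" || return 1
    $UNBOUND_CONTROL forward_remove "$domain" || return 1
    # Drop internal-view answers so lookups go back to the normal path.
    $UNBOUND_CONTROL flush_zone "$domain"
    $UNBOUND_CONTROL flush_requestlist
}
```

Only names under the pushed domain go to the work nameservers; every other query keeps following the resolver's normal, validated path.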