Paul Wouters wrote:
> On Tue, 13 Jan 2015, Neal Becker wrote:
>
>> How will this impact the following (common) situation?
>>
>> I carry my Linux laptop between home and work. When at work, I need to use
>> my employer's DNS to look up names of (non-public) local machines.
>
> When connecting to work, dnssec-trigger will probe the DHCP-obtained
> resolver and use it when it works (well enough to support DNSSEC).
>
> If your work's public DNS view is unsigned, then your
> corporate DNS server can lie all it wants and we'll believe it.
>
> If your work's public DNS view is signed, then your internal view better
> be signed with that key too, or else we'll mis-detect it as an attack.
>
> If you connect via VPN to your work, the VPN client should receive the
> domain and nameservers via the VPN options, and configure a forward
> inside your resolver. (libreswan IPsec supports this and I use it daily
> when connecting to the RedHat VPN :)
>
> NetworkManager should allow for a connection property based on network
> identification where you can configure overrides.
>
> DNSSEC in general will make split view DNS much harder to maintain. We
> are not introducing this problem - we just have to try and cope with it.
>
> Paul

Just tried it on f21.

Did:

    sudo systemctl enable dnssec-triggerd.service
    sudo systemctl start dnssec-triggerd.service

    host slashdot.org
    [ works fine ]

Now a local machine:

    host nbecker7
    Host nbecker7 not found: 3(NXDOMAIN)

    [nbecker@nbecker1 ~]$ tail /var/log/messages
    Jan 13 10:32:55 nbecker1 dnssec-trigger-script: ok removed 0 rrsets, 0 messages and 0 key entries
    Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Global forwarders: 10.33.41.30
    Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
    Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
    Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
    Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
    Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
    Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not send queries for probe
    Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Connection provided zone 'hughes.com' (insecure): 10.33.41.30
    Jan 13 10:32:56 nbecker1 dnssec-triggerd: ok

OK, but if I unplug the Ethernet cable and replug it, it seems no longer to work for local hosts:

    host nbecker7.hughes.com
    Host nbecker7.hughes.com not found: 3(NXDOMAIN)

I'm guessing I need to manually configure /etc/unbound/unbound.conf? No clue why the behavior changed after unplugging/replugging the Ethernet cable. I did NOT try logout/login or reboot.

--
Those who don't understand recursion are doomed to repeat it
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
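Worked example, added here as an illustration and not part of the thread or of the dnssec-trigger or unbound projects. It parses the /var/log/messages excerpt quoted above (reproduced inline as a constructed sample) to recover what dnssec-trigger-script set up at runtime: the global forwarder, the connection-provided zone 'hughes.com' marked (insecure), and the probe errors. It then renders the static /etc/unbound/unbound.conf stanzas that express the same thing, which is the manual configuration the post guesses at: a forward-zone for the internal zone plus a domain-insecure entry, so that an unsigned internal view is forwarded without DNSSEC validation rather than being treated as bogus. Function names, the regular expressions and the output layout are this example's own.

```python
import re

# Constructed sample: the /var/log/messages excerpt quoted in the post above,
# embedded here as a string so the parser runs offline.
SAMPLE_LOG = """\
Jan 13 10:32:55 nbecker1 dnssec-trigger-script: ok removed 0 rrsets, 0 messages and 0 key entries
Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Global forwarders: 10.33.41.30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not send queries for probe
Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Connection provided zone 'hughes.com' (insecure): 10.33.41.30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: ok
"""

# Line shapes taken from the excerpt above (example's own regexes); lines the
# parser does not recognise are ignored rather than guessed at.
ZONE_RE = re.compile(
    r"dnssec-trigger-script: Connection provided zone '(?P<zone>[^']+)' "
    r"\((?P<state>[a-z]+)\): (?P<servers>.+)$")
GLOBAL_RE = re.compile(r"dnssec-trigger-script: Global forwarders: (?P<servers>.+)$")
ERROR_RE = re.compile(r"dnssec-triggerd: \[\d+\] error: (?P<msg>.+)$")


def parse_trigger_log(text):
    """Extract connection-provided zones, global forwarders and daemon errors
    from a dnssec-trigger log excerpt."""
    result = {"zones": [], "global_forwarders": [], "probe_errors": []}
    for line in text.splitlines():
        m = ZONE_RE.search(line)
        if m:
            result["zones"].append({
                "zone": m["zone"].rstrip("."),
                "insecure": m["state"] == "insecure",
                "servers": m["servers"].split(),
            })
            continue
        m = GLOBAL_RE.search(line)
        if m:
            result["global_forwarders"] = m["servers"].split()
            continue
        m = ERROR_RE.search(line)
        if m:
            result["probe_errors"].append(m["msg"])
    return result


def probe_failed(parsed):
    """True when dnssec-triggerd logged that it could not send its probe
    queries (the 'Network is unreachable' / 'could not UDP send' run above)."""
    return any("could not send queries for probe" in e for e in parsed["probe_errors"])


def unbound_forward_config(zones):
    """Render static unbound.conf stanzas equivalent to the runtime setup:
    one forward-zone per connection-provided zone, and a domain-insecure
    entry for every zone the log labelled (insecure), so answers from the
    unsigned internal view are accepted instead of failing validation."""
    insecure = [z["zone"] for z in zones if z["insecure"]]
    lines = []
    if insecure:
        lines.append("server:")
        lines.extend('    domain-insecure: "%s"' % name for name in insecure)
        lines.append("")
    for z in zones:
        lines.append("forward-zone:")
        lines.append('    name: "%s"' % z["zone"])
        lines.extend("    forward-addr: %s" % s for s in z["servers"])
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_trigger_log(SAMPLE_LOG)
    print("probe failed:", probe_failed(parsed))
    print("global forwarders:", parsed["global_forwarders"])
    print(unbound_forward_config(parsed["zones"]))
```

Running it prints a server: clause with domain-insecure: "hughes.com" followed by a forward-zone for hughes.com pointing at 10.33.41.30; `unbound-checkconf` will validate the result once it is placed in unbound.conf. Two things to keep in mind with the static form: domain-insecure turns DNSSEC validation off for that zone, so names under it are trusted exactly as far as the forwarder is, which is the trade-off Paul describes for an unsigned view; and a fixed forward in unbound.conf applies on every network the laptop joins, whereas the per-connection forward that dnssec-trigger-script installs is meant to exist only while the work connection is up.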