> To install a local DNS resolver trusted for the DNSSEC validation
> running on 127.0.0.1:53. This must be the only name server entry
> in /etc/resolv.conf.

.... snip ...

> People use Fedora on portable/mobile devices which are connected to
> diverse networks as and when required. The automatic DNS
> configurations provided by these networks are never trustworthy for
> DNSSEC validation. As currently there is no way to establish such
> trust.

I have a number of concerns about the "readiness" of the proposal.

Right now, enabling unbound and dnssec-trigger on a laptop is an extremely difficult experience. Since taking up this challenge I have found that "turn it off and on again" has become the default solution on my Linux install as a result of these problems. For example: crashes in unbound that are not caught in abrt, forwarders that do not get added (but they display in the list), queries that never get replies (but they work when you bypass unbound and go to your glibc forwarder), inability to flush the DNS cache without sudo, and DNS caches that are held over network boundaries, to name a few of my concerns.

As a result, at this time, enabling this on your system is actually more of a detriment than the "benefit" being touted. I would prefer working DNS over non-working "secure" DNS. (I guess it's secure because I can send any traffic out.)

> Apart from trust, these name servers are often known to be flaky and
> unreliable. Which only adds to the overall bad and at times even
> frustrating user experience. In such a situation, having a trusted
> local DNS resolver not only makes sense but is in fact badly needed.
> It has become a need of the hour. (See: [1], [2], [3])

Unbound creates more flakiness than it solves. Unbound caches "no answer" as a negative cache entry. If your wireless blips for an instant, that's it, the result vanishes.

I think that there should be a large amount of QA focus on this change.
Configurations involving split-view DNS should be involved in testing, along with testing the stability of unbound across suspend/resume or even NetworkManager restarts, and testing that queries resolve on esoteric networks (i.e. networks that capture and redirect DNS traffic). This is a change that currently has the potential to seriously damage the user experience of anyone using Fedora. I think that much more rigorous testing and thought should go into this before we just steam ahead. If you install unbound in its current state, you will begin to notice little issues quickly, especially on laptops. That is not a default we should aim for.

NOTE: I'm not just raging here; I have actually opened BZs for the issues that I have. I think that awareness of these issues is low, and that it should be brought to light. I hope that more thorough testing is carried out in a wider set of environments to eventually get this to a point where it's a seamless change to enable this service. However, at this time, that is not the case.
-- 
Sincerely,

William Brown
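The quoted proposal requires that 127.0.0.1 be the only name server entry in /etc/resolv.conf, and the reply describes queries that "work when you bypass unbound" to the upstream forwarder. The following check, added here as an illustration and not code from the poster or from the Fedora change proposal, parses resolv.conf-style text and reports any entry that would let glibc silently fall back to an unvalidated upstream resolver. The sample file contents are constructed; the check generalises the proposal's wording slightly by accepting any loopback address rather than only the literal 127.0.0.1.

```python
import ipaddress
from typing import Dict, List

# Constructed sample resolv.conf contents (assumed; not taken from any real host).
GOOD = """# Generated by dnssec-trigger
nameserver 127.0.0.1
options edns0
"""

BAD = """# Generated by NetworkManager
search example.test
nameserver 127.0.0.1
nameserver 192.0.2.53
"""


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Parse resolv.conf-style text into a keyword -> arguments map.

    Comments introduced by '#' or ';' and blank lines are ignored. Each
    keyword (nameserver, search, domain, options, ...) accumulates the
    arguments of every line that uses it, in file order.
    """
    result: Dict[str, List[str]] = {
        "nameserver": [], "search": [], "domain": [], "options": []
    }
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key, args = parts[0], parts[1:]
        result.setdefault(key, []).extend(args)
    return result


def local_resolver_only(text: str) -> List[str]:
    """Return findings for a resolv.conf body; an empty list means the file
    satisfies the requirement that a loopback resolver is the only entry.

    glibc tries nameservers in order and moves on to the next one when the
    first times out, so any additional non-loopback entry would let queries
    quietly bypass the validating resolver whenever it is unresponsive.
    """
    findings: List[str] = []
    ns = parse_resolv_conf(text)["nameserver"]
    if not ns:
        findings.append("no nameserver entries: nothing will resolve")
    for addr in ns:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"unparsable nameserver {addr!r}")
            continue
        if not ip.is_loopback:
            findings.append(
                f"non-local nameserver {addr}: DNSSEC validation would "
                "depend on an untrusted upstream"
            )
    if len(ns) > 1:
        findings.append(
            f"{len(ns)} nameserver entries: glibc can fall back past the "
            "local resolver; expected exactly one"
        )
    return findings


if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, local_resolver_only(body) or "ok")
```

Run it against the contents of a real /etc/resolv.conf (for example by reading the file into `text`) to see which of the two cases a given network configuration has produced.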