On 01/19/2015 06:16 PM, Pete Zaitcev wrote:
> Can you tell why you're trying that? Everyone I talk to always goes unbound, unbound, unbound... WHY? Unbound is plain broken and does not work, especially with DNSSEC.

Can you explain exactly what does not work? Some of the largest ISPs in the US are using unbound for all their customers.

> But I use plain dnsmasq with NM, and everything works perfectly

Perfectly insecure without DNSSEC I assume.

The problem is not that unbound is bad, the problem is that people depend on DNS lies, and using DNSSEC along with those lies is a complicated matter.

So yes, the hotspot use case is tricky. dnssec-trigger plus unbound is not ideal. The ideal situation is NM integrating the required dnssec-trigger support, with additional DNS configuration properties per-connection and a SELinux sandbox hotspot login dealing with HTTP and DNS lies.

Just give me a few engineers for a few months :P

Paul