Re: F23 System Wide Change: Default Local DNS Resolver

On 06/01/2015 03:32 PM, Matthew Miller wrote:
> On Mon, Jun 01, 2015 at 08:03:27AM -0400, Jan Kurik wrote:
>> People use Fedora on portable/mobile devices which are connected to
>> diverse networks as and when required. The automatic DNS
>> configurations provided by these networks are never trustworthy for
>> DNSSEC validation. As currently there is no way to establish such
>> trust.
> Is this proposal meant to apply to Cloud and Server as well? With
> Cloud, it's at least conventional to assume that the network
> infrastructure provided by the provider is trustworthy (see
> cloud-init). And Server presumably will not be running on
> portable/mobile devices connecting to arbitrary networks. For Server,
> there may be other advantages, but do we also want these for Cloud?
As you can read in the Change proposal, this is part of the scope:
"discuss with WGs in which products the change makes sense and
what are the expectations of WGs for different Fedora products"

Yes, we think the change makes sense for Server. It is still
beneficial from the security point of view to do the DNSSEC
validation on Server. Even though the configuration on Server
will be static, dnssec-trigger + unbound can be used for this.
Otherwise it would require manual configuration from the
administrator to enable DNSSEC validation.

As for the Cloud, we are not sure. Maybe it makes sense on
the Atomic Host, but we want to discuss this with people
involved in the Cloud product(s).
> I'm also concerned about going forward with this without having a solid
> answer to the container problem.
>
This is also one of the scopes:
"resolve interoperability issues for Docker and other containers use-cases"

PJP is looking at this.

This is work in progress. We will not enable the change in products
and environments in which it will turn out that it does not make sense.

Tomas
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




