On 06/01/2015 10:37 AM, Tomas Hozza wrote: > On 06/01/2015 03:32 PM, Matthew Miller wrote: >> On Mon, Jun 01, 2015 at 08:03:27AM -0400, Jan Kurik wrote: >>> People use Fedora on portable/mobile devices which are connected to >>> diverse networks as and when required. The automatic DNS >>> configurations provided by these networks are never trustworthy for >>> DNSSEC validation. As currently there is no way to establish such >>> trust. >> Is this proposal meant to apply to Cloud and Server as well? With >> Cloud, it's at least conventional to assume that the network >> infrastructure provided by the provider is trustworthy (see >> cloud-init). And Server presumably will not be running on >> portable/mobile devices connecting to arbitrary networks. For Server, >> there may be other advantages, but do we also want these for Cloud? > As you can read in the Change proposal, this is part of the scope: > "discuss with WGs in which products the change makes sense and > what are the expectations of WGs for different Fedora products" > > Yes, we think the change makes sense for Server. It is still > beneficial from the security point of view to do the DNSSEC > validation on Server. Even though the configuration on Server > will be static, dnssec-trigger + unbound can be used for this. > Otherwise it would require manual configuration from the > administrator, to enable DNSSEC validation. I disagree; for server & cloud deployments it doesn't make sense to duplicate a DNS server on *every* host, and if you care about DNSSEC you likely already run a trusted resolver. The trust and management models for Server are fundamentally different from those of Workstation, since servers don't usually get tossed in a backpack and put on potentially-hostile coffee shop wi-fi. They also generally try to run fewer services than a workstation. The datacenter network is generally trusted, and a shared DNSSEC resolver makes way more sense. It may be "beneficial" from a security PoV to have DNSSEC resolution, but it isn't beneficial to have to patch 1 million copies of unbound if a vuln is discovered instead of just a few shared resolvers for the whole DC. > ...[snip]... -- Ryan Brown / Software Engineer, Openstack / Red Hat, Inc. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct