Re: F23 System Wide Change: Default Local DNS Resolver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 06/12/2015 12:53 PM, Dan Williams wrote:
>> b) Broken networks:
>> Some networks are so broken that even without captive portal they are not able
>> to deliver DNSSEC data to the clients.
>>
>> In that case will try tunnel to other DNS servers on the Internet (Fedora
>> Infra or public DNS root) and use them. Naturally, local/internal domains need
>> to be available.
> 
> While I don't actually care, this might well be a sticking point for
> many people since their DNS information is going to an untrusted (to
> them) DNS server.  Yeah, I tend to trust Fedora, but not everyone will.
> Can the tunnel be turned off, or the broken servers whitelisted, or is
> the answer here to just "dnf remove dnssec-trigger"?

The fallbacks are configured in /etc/dnssec-trigger/dnssec-triggerd.conf

# Provided by fedoraproject.org, #fedora-admin
# It is provided on a best effort basis, with no service guarantee.
ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80:  140.211.169.201
ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80:  66.35.62.163
ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80:  152.19.134.150
ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64
:AA:87:E6:F2
tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9

>> Can we integrate on one place (e.g. by calling into dnssec-trigger) instead
>> overwriting /etc/resolv.conf independently?
> 
> This is the real issue.  It sounds like What you're proposing is to make
> dnssec-trigger into the "DNS broker".  The previous solutions
> (resolvconf, NetworkManager, etc) have all failed for various reasons.
> Touching/changing something so fundamental to the system, as you've
> probably discovered, can be hard...

But it must be done for security reasons.

> systemd-resolved might have a chance here, since it's small and pretty
> simple, but they don't have an external API and don't seem interested in
> creating one any time soon which severely limits it's usefulness.

And last I looked it did not support DNSSEC. I'm also weary about systemd-resolved basically marshalling DNS via DBUS.

> If this is indeed what you're proposing, then lets have a discussion
> about dnssec-trigger+unbound in that context, I do have some thoughts to
> contribute here.

I believe we selected dnssec-trigger because it was the UI/daemon that worked. A better native integration into either
NM or Gnome would be preferred.

Paul
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux