On Tue, 2015-06-30 at 14:23 +0200, Tomas Hozza wrote: > Except that this is exactly what we DON'T want to do. DNSSEC is an > extension of DNS and it can be used even without the need for the > whole > Internet to be signed. We want to use it even if the network-provided > DNS resolvers don't support DNSSEC. I'm confused on one point: why would the user ever want to turn off DNSSEC validation (except to get past a for captive portal)? It sounds like you have no shortage of safeguards in place to make sure this always works: for it to break the user would have to be on a network that doesn't support DNSSEC, that blocks VPN, with the Fedora infrastructure down, right? I think it's OK to fail connections in that case (provided we have a story for captive portals). What we basically do not want is to give the user an option for turning a security feature off. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
