Michael Catanzaro wrote:
> I'm confused on one point: why would the user ever want to turn off
> DNSSEC validation (except to get past a captive portal)? It sounds
> like you have no shortage of safeguards in place to make sure this
> always works: for it to break the user would have to be on a network
> that doesn't support DNSSEC, that blocks VPN, with the Fedora
> infrastructure down, right? I think it's OK to fail connections in
> that case (provided we have a story for captive portals).

I have been in situations where I had to switch to hotspot sign-on mode and keep it that way for an extended time. For example, a few months ago when I did some work in a customer's office I found that I couldn't look up their internal servers. They had an internal DNS view, but their DNS servers were in rather bad shape and my Fedora was bypassing them. DNS administration wasn't what I was there to do, and starting by expanding my job seemed like a bad idea. I needed to get my job done, so my workaround was to use the hotspot sign-on mode the whole time I was there.

But I'm a programmer who knows a lot about Internet protocols. I agree that the users that Gnome 3 targets won't be able to make informed decisions about DNSsec. For them the solution is to complain until the sysadmins fix the broken DNS servers. (When it turns out that they can access everything except the internal servers, then that will hopefully be a hint that there is a problem with the local domain.)

If Gnome 3 has no option to disable validation, but the current DNSsec-trigger applet remains available and discoverable to people like me, then that's fine with me.

Björn Persson
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct