On Tue, 01.12.15 11:15, Tomas Hozza (thozza@xxxxxxxxxx) wrote:

> You are not mistaken.
>
> This is the third time, because previously we rather moved the change to the
> next Fedora to bring better user experience. Every time there was something
> enhanced, since we learned a lot about user use-cases, so this is definitely
> not the same change as before, only the root idea is the same. The Change Wiki
> is up-to-date and contains the current information.
>
> Also with many projects involved - Gnome Shell, NetworkManager, Unbound,
> dnssec-trigger, SELinux (always a pleasure:), Docker... it is not the easiest
> thing to agree on changes and coordinate everything on time.

So, here's a question: in Germany "Fritzbox" wifi routers are very
popular. Their configuration page is reachable under the "fritz.box"
pseudo-domain from inside their wifi network, and all other systems on
the network are also reachable below this domain under their
DHCP-configured hostnames. It implements a DNS proxy otherwise, only
synthesizing A/AAAA RRs for *.box.

Now, one can certainly argue that this is borked, since the
manufacturer doesn't own the ".box" domain, but discussing this is
pretty pointless, as the fact that this is what is deployed in
probably half of the homes in Germany... Also I am pretty sure other
routers from other manufacturers do the same thing.

Now, if we default to DNSSEC validation soon, does this mean people
won't be able to configure their wifi routers anymore, or reach other
systems on their home networks anymore, because the NSEC/NSEC3 RRs in
the root domain claim .box does not exist?

What's your strategy there? Why do you think DNSSEC is worth breaking
pretty much everybody's network? Note that Fritzbox is not a random
crappy router, it's probably one of the better products you can find.

How do other popular desktop/consumer OSes deal with this? Windows,
MacOS, iOS, Android, ChromeOS? Does any of them do client-side DNSSEC
validation by default and how are they dealing with this issue?

Lennart

--
Lennart Poettering, Red Hat
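
The conflict the message describes can be modelled in a few lines. This is an added example, not part of the original post and not code from any of the projects named: it implements the RFC 4034 canonical name ordering and the NSEC "covers" test, then shows why an unsigned, router-synthesized answer for fritz.box collides with a signed denial from the root. The NSEC pairs and the function names are constructed for illustration and are not a copy of the real root zone.

```python
# Added illustration. ROOT_NSECS is constructed sample data, not real root-zone contents.

def canonical_key(name):
    """RFC 4034 section 6.1 ordering key: labels right to left, lowercased octets."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))

def nsec_covers(owner, next_name, qname):
    """True if the NSEC record (owner -> next_name) proves qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    # The last NSEC of a zone points back at the apex, so it covers everything after owner.
    return q > o

# Constructed (owner, next) pairs standing in for validated NSEC RRs from the root.
ROOT_NSECS = [("bo.", "br."), ("de.", "dk."), ("zw.", ".")]

def covering_nsec(qname, nsecs=ROOT_NSECS):
    """Return the NSEC pair denying qname's top-level label, or None."""
    tld = qname.lower().rstrip(".").split(".")[-1] + "."
    for owner, next_name in nsecs:
        if nsec_covers(owner, next_name, tld):
            return (owner, next_name)
    return None

def verdict_for_unsigned_answer(qname, nsecs=ROOT_NSECS):
    """Simplified validator outcome for a positive answer that carries no RRSIG.

    If a signed NSEC from the root proves the TLD does not exist, there can be
    no insecure delegation below it, so the unsigned answer is rejected.
    Otherwise the validator must keep walking the delegation chain.
    """
    if covering_nsec(qname, nsecs) is not None:
        return "bogus"
    return "undetermined"

if __name__ == "__main__":
    for name in ("fritz.box.", "laptop.fritz.box.", "fedoraproject.org."):
        print(name, verdict_for_unsigned_answer(name), covering_nsec(name))
```
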