On Mon, 07.12.15 17:23, Tomas Hozza (thozza@xxxxxxxxxx) wrote:

> > Can you elaborate a bit? Is the intent that, if .box were private, then
> > .box would be forwarded to DHCP-provided resolvers regardless of whether
> > those resolvers were functional when asking for DNSSEC signature data?
> >
> > If so, what cases does this not cover? It fails in the split-horizon
> > DNSSEC-enabled case where the domain owner hasn't set it up right, but
> > I'd argue that that's a good thing.
>
> I think that an explicit list of domains would cover pretty much any
> use-case. We were thinking about configuring the mixed-mode module
> with local resolvers only in case these are not DNSSEC-capable. In
> such situation everything would work fine. However if the local
> resolvers are DNSSEC-capable, then we would not configure the mixed
> mode module with them and in such case the validation would simply
> fail for any faked TLD. So we would have to configure mixed-mode
> module with local resolvers in any case. I guess it would be fine,
> but I would have to think about it a little bit more.

Hmm? If I work for a company "Foo Corp" that defined .foocorp as its
private TLD, then I won't be able to access servers in that local network
until I add .foocorp to a local whitelist, is that what you are saying? Or
do you want to ship your package with all those domains pre-configured? How
would you know .foocorp in advance? I am pretty sure these things need to
work out-of-the-box, and that means a whitelist cannot really work.

Lennart

--
Lennart Poettering, Red Hat
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
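The failure mode the two of them are arguing about, as an added, constructed model that is not code from this thread, from systemd-resolved, or from the dnssec-trigger/unbound "mixed-mode" module. It assumes a made-up private TLD .foocorp with one host (intranet.foocorp at 10.0.0.5), a made-up public record for www.example.com, and a simplified reading of the mixed-mode list: a listed domain is forwarded to the DHCP-provided resolver and accepted without validation (a negative trust anchor), while everything else is validated against the signed root, which can prove that a non-public TLD does not exist.

```python
"""Constructed model of split-horizon DNS behind a validating stub resolver.

Added example, not code from the Fedora thread or any project. Three
parties: the public, DNSSEC-signed tree under the root; a DHCP-provided
corporate resolver that also serves an unsigned private TLD; and the
host's validating stub with an optional per-domain forwarding list (the
"whitelist" / mixed-mode list the thread argues about). All names and
addresses below are made up.
"""
from dataclasses import dataclass

# Constructed public tree. The root is signed, so a validator can PROVE
# that a TLD missing from this set does not exist (signed denial).
PUBLIC_TLDS = {"com", "org", "net"}
PUBLIC_RECORDS = {"www.example.com": "93.184.216.34"}  # assumed sample data


@dataclass
class LocalResolver:
    """DHCP-provided resolver: knows the public tree plus private names."""
    private_records: dict         # names only it can answer (unsigned)
    dnssec_capable: bool = False  # passes RRSIG/NSEC data for public names

    def query(self, name):
        """Answer as the corporate resolver would; it validates nothing."""
        if name in self.private_records:
            return self.private_records[name]
        return PUBLIC_RECORDS.get(name, "NXDOMAIN")


def tld_of(name):
    return name.rstrip(".").rsplit(".", 1)[-1]


def validate_against_root(name, answer):
    """Validator's verdict for an answer that must chain to the root anchor.

    A private TLD cannot chain to the root; worse, the signed root proves
    it does not exist, so a positive answer for it is bogus and only
    NXDOMAIN is consistent with the proof.
    """
    if tld_of(name) not in PUBLIC_TLDS:
        return "secure" if answer == "NXDOMAIN" else "bogus"
    expected = PUBLIC_RECORDS.get(name, "NXDOMAIN")
    return "secure" if answer == expected else "bogus"


def stub_resolve(name, local, forward_domains=frozenset()):
    """Host-side policy. Returns (answer, security_status).

    forward_domains: private TLDs sent to the local resolver and accepted
    WITHOUT validation (assumed mixed-mode semantics). Everything else is
    validated against the signed root, whichever upstream carried it:
    a DNSSEC-capable local resolver is used as forwarder, a non-capable
    one is bypassed and the public tree is asked directly.
    """
    if tld_of(name) in forward_domains:
        return local.query(name), "insecure"
    if local.dnssec_capable:
        answer = local.query(name)
    else:
        answer = PUBLIC_RECORDS.get(name, "NXDOMAIN")
    verdict = validate_against_root(name, answer)
    if verdict == "bogus":
        return "SERVFAIL", "bogus"  # validating stubs withhold bogus data
    return answer, verdict


if __name__ == "__main__":
    corp = {"intranet.foocorp": "10.0.0.5"}
    for capable in (False, True):
        local = LocalResolver(corp, dnssec_capable=capable)
        for wl in (frozenset(), frozenset({"foocorp"})):
            print(capable, sorted(wl), stub_resolve("intranet.foocorp", local, wl))
```

Run either way, intranet.foocorp is unreachable until "foocorp" is on the forwarding list: with a non-capable local resolver the stub goes direct and the root proves the name does not exist, with a capable one the forwarded answer is rejected as bogus. Public names validate in both configurations, which is why the list cannot be derived from the DHCP-provided resolvers alone.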