On Mon, Dec 7, 2015 at 11:31 AM, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote: > On Mon, 07.12.15 17:23, Tomas Hozza (thozza@xxxxxxxxxx) wrote: > >> > Can you elaborate a bit? Is the intent that, if .box were private, then .box would be forwarded to DHCP-provided revolvers regardless of whether those resolvers were functional when asking for DNSSEC signature data? >> > >> > If so, what cases does this not cover? It fails in the split-horizon DNSSEC-enabled case where the domain owner hasn't set it up right, but I'd argue that that's a good thing. >> >> I think that explicit list of domains would cover pretty much any >> use-case. We were thinking about configuring the mixed-mode module >> with local resolvers only in case these are not DNSSEC-capable. In >> such situation everything would work fine. However if the local >> resolvers are DNSSEC-capable, then we would not configure the mixed >> mode module with them and I such case the validation would simply >> fail for any faked TLD. So we would have to configure mixed-mode >> module with local resolvers in any case. I guess it would be fine, >> but I would have to think about it little bit more. > > Hmm? If I work for a company "Foo Corp" that defined .foocorp as its > private TLD, then I won't be able to access servers in that local > network until I added .foocorp to a local whitelist, is that what you > are saying? Or do you want to ship your package with all those domains > pre-configured? How would you know .foocorp in advance? > > I am pretty sure these things need to work out-of-the-box, and that > means a whitelist cannot really work. > If you work for foocorp, and they use .foocorp as a private TLD, then shouldn't do some combination of: (a) tell their employees to set whatever config they need specifically for their connection to the foo corp network (b) actually use foocorp.private.foocorp.com or some such and have employees set it up in the search path so they are actually protected by DNSSEC (c) make sure that .foocorp isn't about to become a public TLD I honestly don't think that Fedora should consider supporting broken setups like the one you're describing without requiring setting changes to be an absolute requirement. Also, I've connected to public networks with unusable DNS twice in the last week. I would *love* for my laptop to have automatically fallen back to something other than the DHCP-provided non-working servers. --Andy -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
