On Mon, 7 Dec 2015, Matthew Miller wrote:
I read your whole post. Those possibilities seem pretty limited, from the point of view of serious regressions in Fedora usability. It isn't that I "like" Fedora being less than technically correct (especially around security-related features), but I don't think we can discount the prevalence of "broken" schemes in the real world.
But you gain nothing with waiting. There is no "fix" to wait for. Those stolen domains are broken and they will start to fail. The only difference could be that fedora won't be the first where this breaks on, but I thought "First" was one of our motto's ?
I don't really care about that. I care that we pick the solutions that are best for our users.
Supporting DNSSEC per default is best for the user. Not enabling DNSSEC is not a serious option. We delayed this feature a few times to ensure we would get better integration with gnome and VPNs so that we could address the _real_ problems. People using stolen or made up domain names is not a use case that can be supported anymore with Secure DNS. Paul -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
