On Monday 07 December 2015 14:57:36 Paul Wouters wrote:
> But you gain nothing with waiting. There is no "fix" to wait for. Those
> stolen domains are broken and they will start to fail. The only difference
> could be that fedora won't be the first where this breaks on, but I
> thought "First" was one of our mottos?

Yes, as long as the "first" to fail use-case isn't too massive.

So I have a question about another very common use-case:
 * Many times, Linux users or groups are a small "island" inside a big
   traditional corporation.
 * Usually, it translates to MS products: lousy DHCP server + lousy DNS
   server, managed via Active Directory (TM).
 * I think we should test this kind of setup and have very clear policy
   and instructions how to deal with it.
 * Remember, in most of these places the Linux team hardly knows who
   manages all the Windows stuff, let alone affect corporate internal
   policies (e.g: internal domain names and DHCP setup).
 * Failing in this kind of environment is shooting both Fedora and DNSSEC
   adoption in the foot.

IMO, when introducing DNSSEC as default it should not be *enforcing*:
 * There's a lesson to be learned by what happened to SELinux in Fedora-2
   (I personally do have SELinux "enforcing" on all my systems, but many
   would never try it again).
 * It's far better to accept "broken" DNS servers *at first* and just warn.
   (I know warning end-users isn't effective, but it's important as a
   stop-gap until we know how such a feature affects millions of users in
   the real world.)
 * E.g: "WARNING: the yellow icon is a reminder that your local network
   uses non-secure technology <link-to-further-explanation>"
   (someone may have an idea how to warn server people [/etc/issue?])
 * BTW: hits on the above link would give us *some* measurement about
   people having problems/investigating this.

Bye,

-- 
Oron Peled                                 Voice: +972-4-8228492
oron@xxxxxxxxxxxx                  http://users.actcom.co.il/~oron
"A standard for copy protection is as premature as a standard for
teleportation."
    --- Noted computer security expert and Princeton University
        Professor Edward Felten.