On Mon, Dec 07, 2015 at 04:12:20PM +0100, Lennart Poettering wrote:
> On Mon, 07.12.15 13:25, Gerd Hoffmann (kraxel@xxxxxxxxxx) wrote:
>
> > > Quite frankly: a setup like this one isn't just very typical for home
> > > router networks, but also in many companies, where ".lan" or
> > > ".companyname" or something like that is frequently established in the
> > > internal network. And you will make Fedora incompatible with all these
> > > networks by default.
> >
> > Even if you don't grab some random name it still is a problem. /me runs
> > home.kraxel.org zone for my home network (and, yes, kraxel.org is mine).
> > That zone isn't visible outside my home network, if you try to resolve
> > that by walking down from the root zone you wouldn't find it, you have
> > to use the local dns server propagated by dhcp.
>
> This case should actually not be a problem normally, even with
> DNSSEC, since in such a case you wouldn't enable DNSSEC on
> kraxel.org.
>
> If you want to do such "split horizon" setups, then don't sign your
> zones. I think that's a completely fair requirement to make, and if
> you did sign your domains then this should really mean "don't allow
> anything below my domain except what I define here or delegated".

Why would you say that? Split horizon with DNSSEC works fine -- just
sign both external and internal views.

--
Scott Schmit