On 7.12.2015 20:35, Lennart Poettering wrote:
> On Mon, 07.12.15 15:31, Björn Persson (Bjorn@rombobjörn.se) wrote:
>
>> Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
>>> You *have* to use the local DNS servers by default, even if they are
>>> crap.
>>
>> I for one want my laptop to be suspicious of random DNS servers it
>> encounters in public places, and bypass them if they're found to be
>> lying.
>
> Well, if you are knowledgeable enough to understand the problem, then
> you should also be able to install/configure dnssec yourself. But I am
> pretty sure that the typical user is neither knowledgeable enough
> about this to make the decision, nor does he really care...
>
> As I understood the feature was posted to make something the default
> in Fedora, and I am just concerned about that new default.
>
>> It seems to me that the system needs to ask the user whether they are
>> in a public hotspot that they're using only as a way to access the
>> Internet, or whether they're visiting a friend and want to access
>> internal servers. I don't see a way to tell the difference reliably
>> without any user interaction.
>
> I think that would be pretty bad UI. You shouldn't ask users questions
> they likely won't grok. In fact, you better shouldn't ask users
> technical questions at all...

Lennart, you could find more information in the Fedora change page:
https://fedoraproject.org/wiki/Networking/NameResolution/DNSSEC/Design#Broken_networks

As you might see, we were thinking about this hard and actually attempted to make it interaction-less.

In short, public/fallback DNS servers will be used to detect if part of the DNS sub-tree (like home.lennart.me) is unsigned. If the sub-tree is unsigned, the query will be re-sent to local servers and returned to the client.

The assumption here is that if your domain is signed you have enough wisdom to use DNSSEC-enabled resolvers in your network. If the domain is not signed we will trust the crappy local servers.
--
Petr Spacek @ Red Hat
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
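The routing rule Petr describes (validating public resolvers decide whether a sub-tree is signed; only provably unsigned sub-trees are re-sent to the local servers), as an added Python model that is not part of this thread or of the Fedora implementation. The zone table is constructed, the `Status` names are my own, and treating an unsigned sub-tree as "signed parent proves no DS record" and routing BOGUS answers back to the public resolver are assumptions.

```python
"""Model of the query-routing rule described in the thread above.

Zone data is constructed for illustration (not real DNS): each zone
name maps to (has_ds, sigs_valid), i.e. whether the parent zone
publishes a DS record for it, and whether its own RRSIGs validate.
"""
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # chain of trust intact from the root down
    INSECURE = "insecure"  # a signed parent proves no DS exists (assumed mechanism)
    BOGUS = "bogus"        # signatures present but they fail to validate


# Constructed delegation data: zone -> (has_ds, sigs_valid). The root is
# implicit and trusted via the trust anchor.
ZONES = {
    "me.": (True, True),
    "lennart.me.": (True, True),
    "home.lennart.me.": (False, True),  # unsigned delegation, like the mail's example
    "org.": (True, True),
    "example.org.": (True, False),      # signed delegation with broken signatures
}


def ancestors(name):
    """Zone-cut candidates from the TLD down to the name itself."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(name, zones=ZONES):
    """Walk from the root down, as a validating resolver would: the first
    unsigned delegation makes the whole sub-tree INSECURE, the first bad
    signature makes it BOGUS; otherwise the name is SECURE."""
    for zone in ancestors(name):
        if zone not in zones:
            continue  # not a zone cut in this model; inherits the parent's status
        has_ds, sigs_valid = zones[zone]
        if not has_ds:
            return Status.INSECURE
        if not sigs_valid:
            return Status.BOGUS
    return Status.SECURE


def route_query(name, zones=ZONES):
    """Which resolver's answer is returned to the client: the local servers
    only for provably unsigned names, the validating public resolver otherwise
    (a BOGUS result is surfaced as a validation failure, not worked around)."""
    return "local" if validate(name, zones) is Status.INSECURE else "public"
```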