On Wednesday 09 December 2015 13:37:12 Paul Wouters wrote:
> On 12/09/2015 01:04 PM, Debarshi Ray wrote:
> > Since this is likely to break networking on a lot of client-side
> > systems, I would have expected you to do this research before
> > submitting it as a System Wide Change.
>
> We did. We are the first at undertaking this at an OS level. If the others
> proceed they will run into the exact same issue. The problem of broken and
> badly designed DNS setups is that they only go away when it finally
> breaks down.

OK, but currently it's hard to estimate the amount of real-world breakage.
E.g., if 90% of user setups will break -- the backlash would damage not only
Fedora, but also DNSSEC adoption.

Why don't we plan this feature in two stages:

* Fedora 24: turn it on by default, but *keep using results* from bad DNS
  servers, just issue a user-visible warning, possibly with a link to a page
  with a friendly explanation and suggestions for further action.

* Fedora 25: we would have a much better view of the amount and types of
  failures in the real world (from F24). This would enable us to improve/fine-tune
  the ways to handle problematic use-cases. So at that stage, we may ship
  DNSSEC as "fail-bad-DNS-servers-by-default".

Make sense?

--
Oron Peled                                 Voice: +972-4-8228492
oron@xxxxxxxxxxxx                  http://users.actcom.co.il/~oron
The most exciting phrase to hear in science, the one that heralds new
discoveries, is not "Eureka!" (I found it!) but "That's funny ..."
                -- Isaac Asimov