On 10.12.2015 00:02, Oron Peled wrote:
> On Wednesday 09 December 2015 13:37:12 Paul Wouters wrote:
>> On 12/09/2015 01:04 PM, Debarshi Ray wrote:
>>> Since this is likely to break networking on a lot of client-side systems,
>>> I would have expected you to do this research before submitting it as a
>>> System Wide Change.
>>
>> We did. We are the first at undertaking this at an OS level. If the others
>> proceed they will run into the exact same issue. The problem of broken and
>> badly designed DNS setups is that they only go away when it finally
>> breaks down.
>
> OK, but currently it's hard to estimate the amount of real-world breakage.
>
> E.g.: if 90% of user setups will break -- the backlash would damage not only Fedora,
> but also DNSSEC adoption.
>
> Why don't we plan this feature in two stages:
> * Fedora 24: turn it on by default, but *keep using results* from bad DNS servers,
>   just issue a user-visible warning, possibly with a link to a page with a friendly
>   explanation and suggestions for further action.
>
> * Fedora 25: we would have a much better view of the amount and types of failures
>   in the real world (from F24). This would enable us to improve/fine-tune the ways
>   to handle problematic use-cases.
>   So at that stage, we may ship DNSSEC as "fail-bad-DNS-servers-by-default".
>
> Make sense?

It certainly makes sense, and if you read
https://fedoraproject.org/w/index.php?title=Changes/Default_Local_DNS_Resolver
and pages linked from
https://fedoraproject.org/w/index.php?title=Changes/Default_Local_DNS_Resolver#Documentation
you will find for yourself that that is basically what we intended to do, with
a few tweaks.

--
Petr Spacek @ Red Hat