Paul Wouters píše v St 09. 12. 2015 v 13:37 -0500: > On 12/09/2015 01:04 PM, Debarshi Ray wrote: > > On Mon, Dec 07, 2015 at 10:48:55AM +0100, Tomas Hozza wrote: > > > On 04.12.2015 15:57, Lennart Poettering wrote: > > > > How do other popular desktop/consumer OSes deal with this? > > > > Windows, MacOS, iOS, Android, ChromeOS? Does any of them do > > > > client-side DNSSEC validation by > > > > default and how are they dealing with this issue? > > > > > > I'm not able to answer this question. > > > > That is troubling. :( > > > > Since this is likely to break networking on a lot of client-side > > systems, I would have expected you to do this research before > > submitting it as a System > > Wide Change. > > We did. We are the First at undertaking this at an OS level. If the > others > proceed they will run in the exact same issue. The problem of broken > and > badly designed DNS setups is, is that they only go away when it > finally > breaks down. I'm glad to see Fedora being a pioneer in network security among OSes, but I'm not sure if pioneering something that will bring a lot of disruption into lives of our users is something Fedora can afford. Yes, insecure local DNS servers is a problem, but it's the kind of problem only market leaders can effectively crack. If Windows or Android stopped working with those DNS servers there would be complains from users, but there would also be enough pressure to fix it. Fedora is not relevant enough to make such pressure, and I don't think we're relevant enough to motivate the "big guys" to jump on the wagon right after us. So my worry is that we would be an OS which is more secure than others, but doesn't work in many networks. You can bet what the users would decide for... Jiri
Attachment:
signature.asc
Description: This is a digitally signed message part
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
