On 07.12.2015 20:57, Paul Wouters wrote: > On Mon, 7 Dec 2015, Matthew Miller wrote: > >> I read your whole post. Those possibilities seem pretty limited, from >> the point of view of serious regressions in Fedora usability. It isn't >> that I "like" Fedora being less than technically correct (especially >> around security-related features), but I don't think we can discount >> the prevalence of "broken" schemes in the real world. > > But you gain nothing with waiting. There is no "fix" to wait for. Those > stolen domains are broken and they will start to fail. The only difference > could be that fedora won't be the first where this breaks on, but I > thought "First" was one of our motto's ? > >> I don't really care about that. I care that we pick the solutions that >> are best for our users. > > Supporting DNSSEC per default is best for the user. Not enabling DNSSEC > is not a serious option. We delayed this feature a few times to ensure > we would get better integration with gnome and VPNs so that we could > address the _real_ problems. > > People using stolen or made up domain names is not a use case that can > be supported anymore with Secure DNS. If it causes problems you have no time to fix, you will do "selinux=0 dnssec=0" -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
