On Mon, 4 Nov 2019 at 11:44, Michael Cronenworth <mike@xxxxxxxxxx> wrote:
>
> Hi,
>
> Is there any project or team involved with improving encrypted DNS support in
> Fedora? Any movement in Red Hat corporate?
>
> - Glibc team?
>   The /etc/resolv.conf file needs some love. AFAIK it still does not verify DNSSEC.
> - Bind team?
>   Using 'stunnel' is not a real option.
> - DHCP(d & c) team?
>   Some sort of standard for applying DoT/DoH options to resolv.conf
> - NetworkManager team?
>   Same as above.
>
> This last effort I know of was back in 2012[1] but it was limited to DNSSEC only.
> According to Arch's table[2] only two DNS applications have support for encrypted DNS.
>
> IMHO, this should be our number one priority over modules, new spins, or whatever
> paint color the bike shed needs to be today. I would like to see DNS over TLS (DoT)
> with DTLS at the very least.
>

It might be more important but unless you have people who are actually experts in DNS, encryption, TLS, and other items.. you will end up with something a lot worse than any of the things we are currently "bike shedding". The people who have worked on this have come and gone at different times with burnout from the usual 'why are you doing this versus working on this X' that comes from 400 different cats in a bag.

I believe we have been running unbound servers for nearly 10 years with some form of DNS over TLS since at least Fedora 13.

https://www.linode.com/docs/networking/dns/use-unbound-for-local-dns-resolution-on-fedora-13/
https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver

--
Stephen J Smoogen.