* Lennart Poettering:

> Long story short: if you experienced issues with DNSSEC on with
> resolved today, then be assured that with DNSSEC off things are much
> much better, and that's how we'd ship it in Fedora if it becomes the
> default.

Would you please clarify what switching DNSSEC off means? Just no
validation, or no DNSSEC support at all?

I'm worried that the following scenario will break: A Fedora system on a
uses a DNSSEC-capable resolver (validating or not) and performs its own
DNSSEC validation, using data obtained by contacting the name servers in
/etc/resolv.conf. (/etc/resolv.conf is managed by NetworkManager or
cloud-init in this scenario.)

Since /etc/resolv.conf is already managed, I expect that after the
upgrade, systemd-resolved will be active, with the same upstream
recursive resolvers as before. The new /etc/resolv.conf contents will
point to the local systemd-resolved DNS service, though. If
systemd-resolved is not DNSSEC-aware with DNSSEC=off on the DNS
interface, this will break DNSSEC validation in the application. It
requires an explicit configuration change to fix.

In the past, caching resolvers have dealt with this situation by having
separate caches for DO (DNSSEC answer OK) or CD (Checking Disabled)
queries. This allows non-DNSSEC operations to continue even if the
DNSSEC side is broken, so it is safe to enable it by default. It would
also ensure that the configuration sketched above would not break (at
least not for this reason).

Thanks,
Florian
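The cache separation Florian describes, as an added illustration that is not part of this thread or of systemd-resolved: a toy stub cache keyed on the question plus the DO bit (EDNS OPT record) and the CD header flag, so an answer cached for a plain query is never handed to a client that asked with DO/CD set and intends to validate DNSSEC itself. The helper names (build_query, cache_key, DnsCache) are invented here; the wire format follows RFC 1035/3225/4035.

```python
import struct

DO_FLAG = 0x8000   # "DNSSEC OK" bit in the OPT pseudo-RR's TTL field (RFC 3225)
CD_FLAG = 0x0010   # "Checking Disabled" bit in the DNS header flags (RFC 4035)
OPT_TYPE = 41      # EDNS(0) OPT pseudo-RR type

def build_query(name, qtype=1, do=False, cd=False, qid=0x1234):
    """Build a minimal DNS query; DO requires an OPT record in the additional section."""
    flags = 0x0100 | (CD_FLAG if cd else 0)          # RD set, optionally CD
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)    # root terminator, QTYPE, QCLASS=IN
    if do:
        # OPT: root name, type 41, class = UDP payload size, TTL carries DO, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG, 0)
    return msg

def parse_name(msg, off):
    """Read an uncompressed name; queries built above never use compression pointers."""
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            return ".".join(labels).lower() + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers not supported in this toy parser")
        labels.append(msg[off:off + n].decode("ascii")); off += n

def cache_key(msg):
    """Key = (qname, qtype, qclass, DO, CD): DNSSEC-aware queries get their own slot."""
    _, flags, _, _, _, arcount = struct.unpack("!HHHHHH", msg[:12])
    name, off = parse_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    do = False
    for _ in range(arcount):                          # walk additional RRs for OPT
        _, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & DO_FLAG:
            do = True
    return (name, qtype, qclass, do, bool(flags & CD_FLAG))

class DnsCache:
    """Toy cache: an answer stored for a plain query is invisible to a DO/CD query."""
    def __init__(self):
        self._store = {}
    def put(self, query, answer):
        self._store[cache_key(query)] = answer
    def get(self, query):
        return self._store.get(cache_key(query))
```

With this keying, a broken or stripped answer cached for ordinary clients does not poison the validating client's view; it simply misses the cache and is forwarded upstream with DO/CD intact.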