On Mon, Sep 28, 2020 at 12:44 am, Paul Wouters <paul@xxxxxxxxx> wrote:
My Fedora mail server uses DNSSEC based TLSA records to prevent MITM attacks on the STARTTLS layer, which is now completely broken. My IPsec VPN server uses dnssec validation using the specified nameservers in /etc/resolv.conf that now point to systemd-resolved that does not return DNSSEC records and is completely broken:
If you're running mail servers or VPN servers, you can probably configure the DNS to your liking, right? Either enable DNSSEC support in systemd-resolved, or disable systemd-resolved. I'm not too concerned about this....
Honestly, I don't have a strong opinion on whether systemd-resolved is used by default on servers. There you normally have just one DNS server that you want to use, or at most a fallback or two that should return the same results, and old-style nss-dns name resolution should be fine. On workstations, though, where we really *cannot* enable DNSSEC, where VPN users often expect split DNS, and where we cannot expect users to configure anything manually, systemd-resolved is solving a real problem that nss-dns will never be able to handle.
Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
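The failure Paul describes is a stub resolver that answers without the AD bit and without RRSIG records, which makes DANE/TLSA verification impossible. The following added example (not part of the thread, and not Fedora or systemd code) parses a raw DNS response and reports whether it carries what a TLSA client needs; the query name and record contents are constructed sample values.

```python
"""Check whether a DNS response carries the DNSSEC data a DANE/TLSA client needs."""
import struct

RRSIG, TLSA = 46, 52          # RR type codes (RFC 4034, RFC 6698)
AD_FLAG = 0x0020              # "Authenticated Data" bit in the DNS header flags

def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name, return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length

def dnssec_status(resp: bytes) -> dict:
    """Return the AD flag and the number of TLSA and RRSIG records in a response."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", resp[:12])
    off = 12
    for _ in range(qd):                    # question section: name + type + class
        off = _skip_name(resp, off) + 4
    counts: dict = {}
    for _ in range(an + ns + ar):          # every remaining RR: name + 10-byte fixed part + rdata
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        counts[rtype] = counts.get(rtype, 0) + 1
    return {"ad": bool(flags & AD_FLAG),
            "tlsa": counts.get(TLSA, 0),
            "rrsig": counts.get(RRSIG, 0)}

def dane_usable(resp: bytes) -> bool:
    """True only if the answer is validated (AD) and carries signed TLSA data."""
    s = dnssec_status(resp)
    return s["ad"] and s["tlsa"] > 0 and s["rrsig"] > 0

def _name(s: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"

def build_response(ad: bool, records) -> bytes:
    """Construct a sample response for _25._tcp.mail.example (a constructed name)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR + RD + RA (+ AD)
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(records), 0, 0)
    question = _name("_25._tcp.mail.example.") + struct.pack("!HH", TLSA, 1)
    body = b""
    for rtype, rdata in records:                      # name compressed to the question (offset 12)
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return hdr + question + body
```

A validating resolver produces the first shape below; a stub that strips DNSSEC data produces the second, and `dane_usable` rejects it.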