On Mon, Sep 28, 2020 at 11:57 AM Paul Wouters <paul@xxxxxxxxx> wrote: > > On Mon, 28 Sep 2020, Tom Hughes via devel wrote: > > > On 28/09/2020 15:57, Marius Schwarz wrote: > >> Am 28.09.20 um 13:47 schrieb Zbigniew Jędrzejewski-Szmek: > >>> DNSSEC support in resolved can be enabled through resolved.conf. > >> Why isn't that the default, if this resolver can do it? > > > > Because DNSSEC is a disaster area and if you try and use it > > on random networks you're going to get failed lookups on a > > reasonable number - it's fine if you're on a known network > > with decent upstream servers but once you start going out > > and using random WiFi hotspots and things it's a very > > different story. > > And that's why DNS-Over-TLS (DoT) and DNS-over-HTTPS (DoH) are now > being deployed. And why browsers are, contrary to Michael Catanzaro's > wrong claim, overriding the system DNS already. See Mozilla's TRR > program https://wiki.mozilla.org/Trusted_Recursive_Resolver and > Google's chrome https://www.chromium.org/developers/dns-over-https > Michael is not wrong. We are, in fact, forcing Firefox to respect system DNS settings in Fedora. But if you use Mozilla's builds, you will have this problem. Same goes for Chrome/Chromium. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx