Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

On Mon, Sep 28, 2020 at 12:14 pm, Paul Wouters <paul@xxxxxxxxx> wrote:
> There are use cases for and against routing all DNS over your VPN. If
> systemd wants to play system resolver, it needs to be able to be
> configured for either use case. You don't get to limit our use cases.

It *can* be configured for either case. It will do whatever you tell it to.

Our GUI network settings don't expose the ability to send DNS to a different network, but systemd-resolved itself does. So if you want to see your employees' DNS, go ahead and configure it! It's easy to do using resolvectl. We're just not going to make it easy for people to shoot themselves in the foot by providing a GUI setting for this. Almost nobody has a personal requirement to send non-employer DNS to their employer. Nobody woke up today and thought "oh no, I sure hope my employer knows how much time I spent today watching Kim Kardashian." The network configuration is complex enough already. Many users will have no clue what "use this connection only for resources on its network" means. Now we have to have separate GUI buttons to allow using the connection for DNS, but not for routing? That's just too complex, so relegating it to command line is appropriate.

> See my previous email with respect to RFC 8598. There is a standard
> for this. We supported this in libreswan with unbound before we even
> forked from openswan, 10 years ago. I had also patched openvpn when Red
> Hat switched VPN service type but it seems that patch got lost along
> the way.

I've never heard of IKEv2 or this RFC, but reading just the abstract, I guess it's a layer *above* systemd-resolved. You would probably want NetworkManager to implement this if it doesn't already, and then push appropriate configuration to systemd-resolved. I add some ??? question marks because I only read the abstract ???

Michael
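
The two DNS policies argued over in this message, written as resolvectl commands. This is an added example, not part of the original e-mail; the link name `tun0`, the server `10.8.0.53`, the domain `corp.example.com` and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the e-mail). Constructed values: tun0, 10.8.0.53,
# corp.example.com. The function names are hypothetical helpers.

# Print the resolvectl commands for one per-link DNS policy.
#   split: only names under DOMAIN are sent to the VPN's DNS server
#   all:   every lookup is sent to the VPN's DNS server
vpn_dns_plan() {
    mode=$1; link=$2; server=$3; domain=${4:-}
    if [ -z "$link" ] || [ -z "$server" ]; then
        echo "usage: vpn_dns_plan split|all LINK SERVER [DOMAIN]" >&2
        return 2
    fi
    case $mode in
        split)
            [ -n "$domain" ] || { echo "split mode needs a domain" >&2; return 2; }
            echo "resolvectl dns $link $server"
            # "~" marks a routing-only domain: it selects the link, it is not a search suffix
            echo "resolvectl domain $link ~$domain"
            # do not use this link for names that match no routing domain
            echo "resolvectl default-route $link false"
            ;;
        all)
            echo "resolvectl dns $link $server"
            # "~." matches every name, so all lookups prefer this link
            echo "resolvectl domain $link ~."
            echo "resolvectl default-route $link true"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
}

# Run the plan (needs privileges to change link settings). Lines are
# word-split on purpose; the arguments contain no glob characters.
vpn_dns_apply() {
    plan=$(vpn_dns_plan "$@") || return
    printf '%s\n' "$plan" | while read -r line; do
        $line || exit 1
    done
}

# Review before applying:   vpn_dns_plan split tun0 10.8.0.53 corp.example.com
# Check the result with:    resolvectl status tun0
```

Settings made this way are runtime state on the link, so a network manager that pushes its own DNS configuration to systemd-resolved can replace them.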
