On Mon, Sep 28, 2020 at 06:36:02PM +0200, Florian Weimer wrote: > * Andrew Lutomirski: > > > Paul may well have been mixing different things here, but I don't > > think you answered the one that seems like the most severe problem: > > systemd-resolved removed perfectly valid DNSSEC records that were > > supplied by the upstream server. One might reasonably debate whether > > Fedora's default DNS resolver configuration should validate DNSSEC, > > but I think it should honor the DO bit in client requests and return > > DNSSEC data. > > FWIW, this is <https://bugzilla.redhat.com/show_bug.cgi?id=1879028>. In an ideal world, we would just implement this missing functionality. It's definitely on the TODO list, and there has been some preparatory work done, but so far nobody found the time. If this is judged necessary, we'll raise the priority of that work. Nevertheless, I don't think it is such high priority — the number of people using DNSSEC is not too large, and they are generally power-users who understand how to specify a different server. So while definitely annoying, I didn't consider this a deal-breaker. Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
