On Mon, Sep 28, 2020 at 04:59:17PM +0000, Zbigniew Jędrzejewski-Szmek wrote: > On Mon, Sep 28, 2020 at 06:36:02PM +0200, Florian Weimer wrote: > > * Andrew Lutomirski: > > > > > Paul may well have been mixing different things here, but I don't > > > think you answered the one that seems like the most severe problem: > > > systemd-resolved removed perfectly valid DNSSEC records that were > > > supplied by the upstream server. One might reasonably debate whether > > > Fedora's default DNS resolver configuration should validate DNSSEC, > > > but I think it should honor the DO bit in client requests and return > > > DNSSEC data. > > > > FWIW, this is <https://bugzilla.redhat.com/show_bug.cgi?id=1879028>. > > In an ideal world, we would just implement this missing functionality. > It's definitely on the TODO list, and there has been some preparatory > work done, but so far nobody found the time. If this is judged necessary, > we'll raise the priority of that work. Nevertheless, I don't think it is > such high priority — the number of people using DNSSEC is not too large, > and they are generally power-users who understand how to specify a different > server. So while definitely annoying, I didn't consider this a deal-breaker. DNSSEC is not meant for power-users, and it doesn't require specifying "a different server". I thought Fedora was supposed to be First? How can it be if Fedora chooses to use/configure software by default that is missing critical DNSSEC functionality and breaks DNS standards? _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
