On Mon, Sep 28, 2020 at 1:20 pm, Chuck Anderson <cra@xxxxxxxxxxxx> wrote:
> I thought Fedora was supposed to be First? How can it be if Fedora
> chooses to use/configure software by default that is missing critical
> DNSSEC functionality and breaks DNS standards?

Well, let's amend that to "first when it's smart to be first." We can't
ever *require* DNSSEC validation, because Windows and macOS are not
going to do so. They have to be first. I could just as well counter
with "How can Fedora be first if it refuses to implement split DNS
behavior by default that breaks user expectations and leaks queries to
unexpected networks?"

As for just passing along records, see Zbigniew's responses; it's
possible to do by default, just not a priority. This is really only
interesting for specialized applications like mail servers that live on
controlled networks where you know that DNSSEC is not broken, i.e. not
relevant for 99% of users. If you're running such applications, it's a
one-line change in resolved.conf to enable DNSSEC, not really a big
deal. It's annoying to have to edit an extra config file, yes, and we
should do better, but I don't think that should derail this change.