On Mon, 28 Sep 2020, Michael Catanzaro wrote:
> Well, let's amend that to "first when it's smart to be first." We can't ever *require* DNSSEC validation, because Windows and macOS are not going to do so.
https://tools.ietf.org/id/draft-pauly-add-resolver-discovery-01.html

That draft has a Microsoft and Apple co-author on it. It states for example:

    There are several methods that can be used to discover and validate a
    resolver designation:

    * Discovery using SVCB DNS records (Section 3.1), and validation using DNSSEC

This document is precisely to discover DNSSEC (and DNS encryption) services reliably so that DNSSEC validation can be turned on by default. Can you cite the documentation for your statement that these two vendors are not working on enabling DNSSEC validation?
> They have to be first. I could just as well counter with "How can Fedora be first if it refuses to implement split DNS behavior by default that breaks user expectations and leaks queries to unexpected networks?"
How about systemd-resolved people join the IETF draft process, so that they can still influence the protocols while they are being designed, so that it can be made to work with systemd-resolved properly? There are dozens of long-time, seasoned DNS architects and programmers at the IETF working on this problem now. Join their effort.
> As for just passing along records, see Zbigniew's responses; it's possible to do by default, just not a priority. This is really only interesting for specialized applications like mail servers that live on controlled networks where you know that DNSSEC is not broken, i.e. not relevant for 99% of users.
Please stop filtering out the use cases you don't like. Besides that, what percentage of desktops / laptops use Linux versus what percentage of servers use Linux? I would strongly argue the case is quite the reverse. Linux desktop use is 0.000000% and Linux on servers is like 99.999999%.
> If you're running such applications, it's a one-line change in resolved.conf to enable DNSSEC, not really a big deal. It's annoying to have to edit an extra config file, yes, and we should do better, but I don't think that should derail this change.
If systemd-resolved was only installed on Linux desktops, you would have a much stronger argument. But right now it is part of the same package as /sbin/init.

Paul

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx