On Mo, 28.09.20 19:51, Fedora Development ML (devel@xxxxxxxxxxxxxxxxxxxxxxx) wrote:

> On 28.09.2020 18:11, Michael Catanzaro wrote:
> > Similarly, systemd-resolved will allow us to enable DNS over TLS (DoT)
> > systemwide for supported providers. That's not enabled in F33, but I
> > think we should flip the default for F34.
>
> Btw, Russian Federation is going to completely block DoT and DoH.
> Forcing these technologies to end users will disrupt Internet access for
> people from such countries.

I doubt we can force that even if we wanted, even in places that aren't
Russia. The vast majority of DNS servers you see in public wifi DHCP
leases or company DHCP leases can't do DoT. And then I am pretty sure we
should not bypass local DNS server info willy-nilly.

That said, the "opportunistic" mode we have might be something we want
to turn on by default: in that mode you get DoT if we can but if not
you don't. In Russia you thus typically wouldn't get DoT, but everyone
else would. Opportunistic mode means vulnerability to downgrade
attacks, but I guess that's still better than nothing, given that the
downgrade attack surface is probably mostly limited to local networks.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
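The two modes Lennart contrasts map directly onto the `DNSOverTLS=` setting in systemd-resolved's `resolved.conf`. The drop-in below is an added illustration, not part of the thread or of the systemd project: it shows the opportunistic setting he proposes as a default next to the strict setting that avoids the downgrade problem but only works with explicitly configured DoT-capable servers. The file path is a conventional drop-in location and the `192.0.2.53` address is a documentation placeholder (TEST-NET-1), not a real resolver.

```ini
# /etc/systemd/resolved.conf.d/dot.conf
# Added example configuration for systemd-resolved; not from the thread.
# The DNS= address below is a documentation placeholder (TEST-NET-1),
# not a real resolver; substitute a DoT-capable server you trust.

[Resolve]
# Opportunistic mode, as discussed above: resolved tries TLS on port 853
# against whatever server DHCP handed out and, if that server cannot
# speak DoT, silently falls back to plain DNS on port 53. Because the
# fallback is silent, an on-path attacker on the same local network can
# force it (the downgrade risk mentioned in the message); off the local
# network the exposure is much smaller.
DNSOverTLS=opportunistic

# Strict alternative: resolution fails rather than downgrading, so it is
# only viable when DNS= names servers known to support DoT. The name after
# '#' is the TLS server name used for SNI. On a typical public hotspot that
# only supplies non-DoT servers via DHCP, this setting breaks name
# resolution entirely, which is the trade-off the thread is weighing.
#DNS=192.0.2.53#dns.example
#DNSOverTLS=yes
```

After placing the drop-in, `systemctl restart systemd-resolved` applies it and `resolvectl status` shows the configured DNS over TLS setting per link. Because opportunistic mode can fall back without any error, treat it as best-effort transport privacy rather than as a guarantee: a resolver that answers over port 53 after a blocked or failed TLS attempt looks, from the client's point of view, exactly like a resolver that never supported DoT.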