On Mon, 2020-09-28 at 16:02 +0100, Tom Hughes via devel wrote:
> On 28/09/2020 15:57, Marius Schwarz wrote:
> > On 28.09.20 at 13:47, Zbigniew Jędrzejewski-Szmek wrote:
> > > DNSSEC support in resolved can be enabled through resolved.conf.
> > Why isn't that the default, if this resolver can do it?
>
> Because DNSSEC is a disaster area and if you try and use it
> on random networks you're going to get failed lookups on a
> reasonable number - it's fine if you're on a known network
> with decent upstream servers but once you start going out
> and using random WiFi hotspots and things it's a very
> different story.

Surely this is better solved by using DoH toward known good servers for
anything but the local resources?

I mean the whole point of systemd-resolved should be to make things
better including DNSSEC?

As it was already pointed out it is also reasonably simple to detect if
the local network has bad DNS servers ...

What am I missing?

Simo.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc