On Mo, 28.09.20 14:11, Paul Wouters (paul@xxxxxxxxx) wrote:

> On Mon, 28 Sep 2020, Michael Catanzaro wrote:
>
> > Well, let's amend that to "first when it's smart to be first." We can't
> > ever *require* DNSSEC validation, because Windows and macOS are not
> > going to do so.
>
> https://tools.ietf.org/id/draft-pauly-add-resolver-discovery-01.html
>
> That draft has a Microsoft and Apple co-author on it.
>
> It states for example:
>
> There are several methods that can be used to discover and validate a
> resolver designation:
> * Discovery using SVCB DNS records (Section 3.1), and validation using DNSSEC
>
> This document is precisely to discover DNSSEC (and DNS encryption)
> services reliably so that DNSSEC validation can be turned on by default.
>
> Can you cite the documentation for your statement that these two vendors
> are not working on enabling DNSSEC validation?

Let me emphasize that I primarily care about building something that
works IRL, i.e. plans for the future are absolutely secondary to the
work we try to do with resolved. I mean, let's not forget: DNSSEC was
the future 5 years ago already, and it was a dumpster fire back then
already.

So, lofty plans, great future specs and stuff, is all great, but we try
to match up with real implementations of the stuff that is out there,
that's our focus. RFCs become interesting if they are actually
deployed, i.e. DoT became interesting and something we started to
support the instant it was actually deployed on 8.8.8.8, for example.
Before that it really didn't matter, sorry.

And yes, client-side DNSSEC still hasn't happened, regardless of how
many specs have been written for it. We support it nonetheless, in an
opt-in kind of fashion. We'll revisit this and find ways to support it
better out-of-the-box, but a spec saying that you should do it doesn't
influence us at all on this: real life does, and what is deployed on
the real Internet.
Or to say this differently: resolved is *not* supposed to be a
*pioneer* of any of this, but just an implementation of what is used in
real life and has shown it works.

You come from a very different perspective, I totally understand
that. You intend to *design* DNS, and hence have the luxury to not care
as much about edge routers and how they actually implement DNS today.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
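The opt-in DNSSEC and DoT configuration the message refers to, as an added example that is not part of the thread or of the systemd project's own documentation: a resolved.conf drop-in that shows the downgrade-tolerant settings next to the strict ones. The choice of 8.8.8.8 (the resolver the mail cites) and its DoT name dns.google are assumptions about the reader's setup, and the `address#hostname` syntax for the TLS server name requires systemd 246 or newer.

```ini
# /etc/systemd/resolved.conf.d/10-dnssec.conf
# Added example, not from the thread. Assumes systemd >= 246 and that the
# reader is willing to send queries to Google's resolver.
[Resolve]
# The "#hostname" suffix sets the TLS server name the certificate is
# verified against; without it DoT cannot authenticate the upstream.
DNS=8.8.8.8#dns.google 8.8.4.4#dns.google

# Weak: opportunistic DoT silently falls back to plaintext UDP/TCP 53
# when the TLS handshake fails, so an on-path attacker can downgrade it.
#DNSOverTLS=opportunistic
# Strict: fail the lookup rather than fall back to plaintext.
DNSOverTLS=yes

# Weak: allow-downgrade validates only while the upstream appears
# DNSSEC-capable and turns validation off when it does not, which is
# what lets it survive the broken edge routers the mail describes.
#DNSSEC=allow-downgrade
# Strict (the opt-in mode): validate every answer and return SERVFAIL on
# bogus data. This breaks behind forwarders that strip RRSIG records.
DNSSEC=yes
```

After `systemctl restart systemd-resolved`, `resolvectl status` shows the DNSSEC and DNSOverTLS settings actually in effect, and `resolvectl query example.org` reports `-- Data is authenticated: yes` only when the chain of trust validated; with `DNSSEC=yes` a zone with a broken chain is refused instead of being answered unauthenticated.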