On Mo, 28.09.20 11:10, Andrew Lutomirski (luto@xxxxxxx) wrote: > > If the other big OSes would enable DNSSEC client-side by default > > things might change, but neither Windows nor MacOS or Android do. > > > > > The old unbound-resolveconf actually worked quite well when I played with > it. The only problem I had was that I couldn't load google.com from one > particular network. Upon a bit of investigation, I discovered that the ISP > was maliciously replacing the A records for google.com with its own servers > to inject JavaScript. So unbound-resolveconf's behavior was arguably > correct. A better solution might have been to pop up some kind of > notification like "your network is attempting to tamper with google.com. > You can use the tampered version of google.com at your own risk by > following these instructions, or you could try to access the real google.com > by doing this other thing". That's terrible UI. The thing is: this stuff should just work and not pester users with questions they couldn#t possibly understand or answer properly. I mean, let's face it. DNSSEC is great, but does it actually make your bank transfer safer? not really, SSL certs validate domains too in a way, so DNSSEC isn't strictly necessary because trusting a SSL CA isn't much different than trusting the DNSSEC root. hence: client-side DNSSEC is certainly something we should support if we can: but it's not deployable as default as it stands now, simply because it breaks more stuff than it helps. Lennart -- Lennart Poettering, Berlin _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
