Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 9/29/20 3:44 PM, Lennart Poettering wrote:
> On Di, 29.09.20 13:47, Björn Persson (Bjorn@rombobjörn.se) wrote:
> 
>> Lennart Poettering wrote:
>>> On Mo, 28.09.20 22:54, Björn Persson (Bjorn@rombobjörn.se) wrote:
>>>
>>>> It can work in company-scope if the company has competent network
>>>> admins. My local DNS server at home resolves local hostnames to private
>>>> IPv4 addresses in the 192.168/16 block. Clients on the Internet see
>>>> another view. Both views are DNSsec-signed, and validation works fine.
>>>> There's no reason why this setup wouldn't work on a corporate network.
>>>> The key is to use a domain that is actually registered to the company,
>>>> not some made-up TLD like "internal" or whatever the incompetent
>>>> network admins come up with.
>>>
>>> You never take your laptop outside to a cafe or so? You never
>>> connected it to something that is not your home or office network?
>>
>> A cafe is company-scope? I'm not sure whether that counts as moving the
>> goalposts or changing the subject, but neither is a constructive way to
>> discuss a technical topic.
> 
> I am just saying: Fedora cannot be focussed on just working for people
> who have a competent company admin and use their laptops in
> company networks only. We must have something that works well in
> company networks, as in home networks as in cafe wifis and suchlike.
> 
> Client-side DNSSEC only works in a subset of the "competent network
> admin" scenario, but not in the cafe wifi scenario or the home lan
> scenario.
Can you prove this claim somehow?

Is there list of cafe wifi scenarios and home lan scenarios, you are
referring to? With explanation how resolved fixes them if possible?

Anyway, we might forgive working dnssec validation. What we cannot
forgive is lack of DNSSEC information passtrough in 2020. For me, this
would be blocker to Fedora release. Default installation cannot be
supressing DNSSEC usability. It might not enforce it, but not disallow it.

If you want home lan to work, just accept local answers without
signature, which then prove non-existing under DNSSEC. But do not allow
changed addresses, other than localhost (for blocklist inclusion).

I am dnsmasq maintainer, which is found in most of cheap boxes you were
referring to. It can proxy DNSSEC, unlike resolved with turned off
support. Quite similar to resolved, it is not full-fledged DNS server,
it just forwards (and optionally caches) queries forward. It fixed
DNSSEC support some year back. Is your favourite café network broken so
much?

> 
> Lennart
> 
> --
> Lennart Poettering, Berlin

Thanks,

Petr
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@xxxxxxxxxx
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux