On 9/29/20 3:44 PM, Lennart Poettering wrote:
> On Di, 29.09.20 13:47, Björn Persson (Bjorn@rombobjörn.se) wrote:
>
>> Lennart Poettering wrote:
>>> On Mo, 28.09.20 22:54, Björn Persson (Bjorn@rombobjörn.se) wrote:
>>>
>>>> It can work in company-scope if the company has competent network
>>>> admins. My local DNS server at home resolves local hostnames to private
>>>> IPv4 addresses in the 192.168/16 block. Clients on the Internet see
>>>> another view. Both views are DNSsec-signed, and validation works fine.
>>>> There's no reason why this setup wouldn't work on a corporate network.
>>>> The key is to use a domain that is actually registered to the company,
>>>> not some made-up TLD like "internal" or whatever the incompetent
>>>> network admins come up with.
>>>
>>> You never take your laptop outside to a cafe or so? You never
>>> connected it to something that is not your home or office network?
>>
>> A cafe is company-scope? I'm not sure whether that counts as moving the
>> goalposts or changing the subject, but neither is a constructive way to
>> discuss a technical topic.
>
> I am just saying: Fedora cannot be focussed on just working for people
> who have a competent company admin and use their laptops in
> company networks only. We must have something that works well in
> company networks, as in home networks as in cafe wifis and suchlike.
>
> Client-side DNSSEC only works in a subset of the "competent network
> admin" scenario, but not in the cafe wifi scenario or the home lan
> scenario.

Can you prove this claim somehow? Is there a list of cafe wifi scenarios
and home lan scenarios you are referring to? With an explanation of how
resolved fixes them, if possible?

Anyway, we might forgive working dnssec validation. What we cannot
forgive is lack of DNSSEC information passthrough in 2020. For me, this
would be a blocker to Fedora release. Default installation cannot be
suppressing DNSSEC usability. It might not enforce it, but not disallow it.

If you want home lan to work, just accept local answers without a
signature, which then prove non-existent under DNSSEC. But do not allow
changed addresses, other than localhost (for blocklist inclusion).

I am the dnsmasq maintainer, which is found in most of the cheap boxes you
were referring to. It can proxy DNSSEC, unlike resolved with turned-off
support. Quite similar to resolved, it is not a full-fledged DNS server,
it just forwards (and optionally caches) queries. It fixed DNSSEC support
some years back. Is your favourite café network broken so much?

> Lennart
>
> --
> Lennart Poettering, Berlin

Thanks,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@xxxxxxxxxx
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
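Added here as an illustration, not code from this thread, from dnsmasq or from resolved: a small Python check of the kind a practitioner would run against a local forwarder to see whether it passes DNSSEC information through. It builds a query with the EDNS0 DO bit set and inspects a response for the three signals a stripping forwarder loses (the AD header flag, the DO bit in the OPT record and any RRSIG record); the responses are constructed inline (example.com, 192.0.2.1, a placeholder RRSIG payload) so it runs offline, and the same parser works on a real response captured from a stub resolver.

```python
import struct

TYPE_OPT, TYPE_RRSIG = 41, 46
FLAG_AD = 0x0020   # header flag: Authenticated Data (resolver validated the answer)
EDNS_DO = 0x8000   # OPT "TTL" field flag: DNSSEC OK (client wants RRSIGs)

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query for `name` with an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)  # root name, UDP 4096, DO, no rdata
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    """Offset just past a domain name, handling a compression pointer (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length >= 0xC0:          # pointer: two bytes, and it ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def dnssec_passthrough(msg):
    """Which DNSSEC signals survived in a response: AD flag, DO bit in OPT, any RRSIG record."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    seen = {"ad": bool(flags & FLAG_AD), "do": False, "rrsig": False}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            seen["rrsig"] = True
        elif rtype == TYPE_OPT and ttl & EDNS_DO:   # for OPT the TTL field holds the flags
            seen["do"] = True
    return seen

def sample_response(strip_dnssec=False):
    """Constructed answer for example.com; strip_dnssec=True mimics a forwarder that drops it all."""
    ptr = b"\xc0\x0c"                                    # pointer to the question name at offset 12
    flags = 0x8180 | (0 if strip_dnssec else FLAG_AD)    # QR, RD, RA, optionally AD
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig_rr = b"" if strip_dnssec else ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 8) + b"\x00" * 8  # placeholder RRSIG rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0 if strip_dnssec else EDNS_DO, 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if strip_dnssec else 2, 0, 1)
    return header + build_query("example.com.")[12:-11] + a_rr + sig_rr + opt
```

A forwarder that validates or proxies DNSSEC leaves all three signals in place; one that strips them returns the all-False result, which is what the stub on a client can observe without access to the upstream.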
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx