On 9/29/20 5:23 PM, Lennart Poettering wrote:
> On Di, 29.09.20 16:51, Petr Menšík (pemensik@xxxxxxxxxx) wrote:
>
>>> I am just saying: Fedora cannot be focussed on just working for people
>>> who have a competent company admin and use their laptops in
>>> company networks only. We must have something that works well in
>>> company networks, as in home networks as in cafe wifis and suchlike.
>>>
>>> Client-side DNSSEC only works in a subset of the "competent network
>>> admin" scenario, but not in the cafe wifi scenario or the home lan
>>> scenario.
>> Can you prove this claim somehow?
>>
>> Is there a list of cafe wifi scenarios and home lan scenarios you are
>> referring to?
>
> I can give you an address of a local Cafe here with a non-working
> DNSSEC. I am pretty sure where you live they have plenty of those
> cafes too.

Please define what non-working DNSSEC is. Does it use a few internal
names, which fail to validate? Does it refuse DNSSEC-enabled queries like
resolved does? Is there any link describing their connection which you
could share? dig answers, traffic dumps or similar stuff?

>
> Or German ICE trains public wifi doesn't allow DNSSEC.

What does that mean? Is there any bug/ticket related to it? What does it
reply to dig +dnssec?

I have worked a few times on Regiojet here in Czechia. Aside from a few
dropped connections, it worked just fine. I think only login web
dashboards are frequent reasons for dnssec failures. After they allow you
internet access, it usually works fine (for me). Could this also be your
case?

But I admit I connect most often just by smartphone, which does not have
dnssec enabled. I have it just on my laptop and I never noticed such a
problem on it. I will check a few myself.

>
>> With explanation how resolved fixes them if possible?
>
> Our fix: we do not do DNSSEC by default.

That is incorrect. You do NOT ALLOW DNSSEC by default. Which is a big
difference. It even refuses to ask with DNSSEC when I make a request for
it. It refuses to pass me an unmodified answer. It makes it the most
broken DNS resolver I know about.

Have you tried asking them to fix it?

Note: DNS flag day 2019[1] made guessing due to timeouts obsolete.
According to DNS people, it was quite a success; misbehaving servers are
quite minimal. It should be enough to resend the query with DNSSEC
disabled just on a FORMERR response.

>
> Lennart
>
> --
> Lennart Poettering, Berlin

1. https://dnsflagday.net/2019/#experts

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@xxxxxxxxxx
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
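
The fallback rule from the closing note of the message above (retry without DNSSEC only on a FORMERR response, never on a timeout), as an added example that is not part of the original message and is not systemd-resolved code. The names `build_query`, `resolve` and `fake_server`, the 1232-byte EDNS payload size and the in-process upstream are assumptions constructed for illustration.

```python
import struct

FORMERR = 1  # RCODE 1: the server could not interpret the query


def build_query(name, qtype=1, dnssec=True, qid=0x1234):
    """Encode a DNS query; with dnssec=True append an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if dnssec:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size (assumed 1232),
        # TTL field = ext-rcode/version/flags with DO (0x8000), RDLENGTH 0.
        msg += b"\0" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return msg


def rcode(response):
    """Return the 4-bit RCODE from a DNS message header."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def resolve(name, send):
    """Query with DNSSEC requested; downgrade only on an explicit FORMERR.

    send(query_bytes) returns response bytes or raises TimeoutError.
    A timeout is propagated unchanged: silence is not treated as a hint to
    drop DNSSEC. Returns (response, dnssec_requested) so the caller knows
    when the answer came from the downgraded, unvalidatable query.
    """
    response = send(build_query(name, dnssec=True))
    if rcode(response) == FORMERR:
        return send(build_query(name, dnssec=False)), False
    return response, True


def fake_server(accepts_edns):
    """Constructed stand-in for an upstream resolver (no network traffic)."""
    def send(query):
        qid, _, _, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
        code = FORMERR if (arcount and not accepts_edns) else 0
        return struct.pack("!HHHHHH", qid, 0x8180 | code, 0, 0, 0, 0)
    return send
```

The boolean returned by `resolve` lets a caller log or refuse answers obtained after the downgrade instead of silently treating them like DNSSEC-capable ones.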