Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 9/29/20 5:23 PM, Lennart Poettering wrote:
> On Di, 29.09.20 16:51, Petr Menšík (pemensik@xxxxxxxxxx) wrote:
> 
>>> I am just saying: Fedora cannot be focussed on just working for people
>>> who have a competent company admin and use their laptops in
>>> company networks only. We must have something that works well in
>>> company networks, as in home networks as in cafe wifis and suchlike.
>>>
>>> Client-side DNSSEC only works in a subset of the "competent network
>>> admin" scenario, but not in the cafe wifi scenario or the home lan
>>> scenario.
>> Can you prove this claim somehow?
>>
>> Is there list of cafe wifi scenarios and home lan scenarios, you are
>> referring to?
> 
> I can give you an address of a local Cafe here with a non-working
> DNSSEC. I am pretty sure where you live they have plenty of those
> cafes too.
Define please what is non-working DNSSEC. Does it use few internal
names, which fail to validate? Does it refuse DNSSEC enabled query like
resolved does? Is there any link describing their connection, which
could you share? dig answers, traffic dumps or similar stuff?
> 
> Or German ICE trains public wifi doesn't allow DNSSEC.

What does that mean? Is there any bug/ticket related to it?

What does it reply to dig +dnssec? I have worked few times on Regiojet
here in Czechia. Aside from few connections dropped, it worked just fine.

I think only login web dashboards are frequent reasons for dnssec
failures. After they allow you internet access, it usually works fine
(to me). Could this be also your case?

But I admit I connect most often just by smartphone, which does not have
dnssec enabled. I have it just on my laptop and I never noticed such
problem on it. I will check few myself.

> 
>> With explanation how resolved fixes them if possible?
> 
> Our fix: we do not do DNSSEC by default.
That is incorrect. You do NOT ALLOW DNSSEC by default. Which is big
difference. It even refuses to ask with DNSSEC when I make request for
it. It refuses to pass me unmodified answer. I makes it the most broken
DNS resolver I know about.

Have you tried asking them to fix it?

Note: DNS flag day 2019[1] made guessing due timeouts obsolete.
According to DNS people, it was quite success, misbehaving servers are
quite minimal. It should be enough to resend query with DNSSEC disabled
just on FORMERR response.


> 
> Lennart
> 
> --
> Lennart Poettering, Berlin

1. https://dnsflagday.net/2019/#experts

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@xxxxxxxxxx
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux