Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

Neal Gompa wrote:
> On Tue, Sep 29, 2020 at 7:48 AM Björn Persson <Bjorn@rombobjörn.se> wrote:
> >
> > Lennart Poettering wrote:  
> > > On Mo, 28.09.20 22:54, Björn Persson (Bjorn@rombobjörn.se) wrote:
> > >  
> > > > It can work in company-scope if the company has competent network
> > > > admins. My local DNS server at home resolves local hostnames to private
> > > > IPv4 addresses in the 192.168/16 block. Clients on the Internet see
> > > > another view. Both views are DNSsec-signed, and validation works fine.
> > > > There's no reason why this setup wouldn't work on a corporate network.
> > > > The key is to use a domain that is actually registered to the company,
> > > > not some made-up TLD like "internal" or whatever the incompetent
> > > > network admins come up with.  
> > >
> > > You never take your laptop outside to a cafe or so? You never
> > > connected it to something that is not your home or office network?  
> >
> > A cafe is company-scope? I'm not sure whether that counts as moving the
> > goalposts or changing the subject, but neither is a constructive way to
> > discuss a technical topic.
> 
> If you're a remote employee, it absolutely is. And especially in this
> pandemic, this kind of thing is now the *default* experience.

So we're assuming that we have successfully connected to the company
VPN, as the company-scope DNS isn't involved unless we have access to
the company network. The cafe's network may be crappy, but evidently not
so bad that our VPN can't work. Now, how exactly does the cafe prevent
us from sending queries with the DO bit set through the VPN tunnel to
the company-scope DNS server and receiving security records in the
response?

Lennart claimed that "propagating DO stuff as is cannot work for [...]
company-scope DNS". I'm saying that claim is false. If you can't use
the cafe scenario to prove me wrong, then the cafe is irrelevant. To
have a constructive technical discussion it is necessary to keep
separate issues separate.

Björn Persson
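
The DO ("DNSSEC OK") bit discussed in this message is carried in the EDNS0 OPT pseudo-record of a DNS query, and a DNSSEC-aware server answers such a query with RRSIG records. The following Python is an added example, not part of the original message: it builds a query with DO set and checks a reply for DO and RRSIG records. The host name, the 192.168.1.10 address and the reply bytes are constructed, and the RRSIG payload is a placeholder rather than a real signature.

```python
import struct

DO_FLAG = 0x8000  # "DNSSEC OK" bit in the EDNS0 flags field (RFC 3225)
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46

def encode_name(name):  # uncompressed labels: length byte + label, zero-terminated
    labels = [p.encode("ascii") for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"

def rr(owner, rtype, rclass, ttl, rdata=b""):  # owner is already wire-encoded
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def opt_rr(do, payload=1232):
    # EDNS0 OPT pseudo-record: CLASS holds the UDP size, TTL holds the flags.
    return rr(b"\x00", TYPE_OPT, payload, DO_FLAG if do else 0)

def build_query(name, do=True, qid=0x1234):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, 1) + opt_rr(do)

def sample_response(query):
    # Constructed reply, not captured traffic; the RRSIG RDATA is a placeholder.
    question, owner = query[12:-11], b"\xc0\x0c"  # compression pointer to the question name
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 2, 0, 1)
    return (header + question + rr(owner, TYPE_A, 1, 300, bytes([192, 168, 1, 10]))
            + rr(owner, TYPE_RRSIG, 1, 300, b"placeholder") + opt_rr(True))

def skip_name(msg, pos):  # offset just past the name at pos (may end in a pointer)
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + n
        if n == 0:
            return pos

def inspect(msg):
    # Does the message advertise DO, and how many RRSIG records does it carry?
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, do, rrsigs = 12, False, 0
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        do = do or (rtype == TYPE_OPT and bool(ttl & DO_FLAG))
        rrsigs += rtype == TYPE_RRSIG
    return {"do": do, "rrsigs": rrsigs}
```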
