On Sun, Apr 05, 2009 at 01:56:47PM -0400, Chuck Anderson wrote:
> On Sun, Apr 05, 2009 at 12:32:37PM -0400, Jonathan Kamens wrote:
> > On 04/05/2009 12:04 PM, Chuck Anderson wrote:
> >> Because DNSSEC is still in its infancy w.r.t. production deployment
> >> on the Internet. The powers that be still haven't signed the root
> >> zone, and most TLD zones aren't signed either. So we have to live
> >> with the hack known as DLV for now, and there isn't much robustness in
> >> that service yet.
> >>
> > Then Fedora shouldn't be shipping bind RPMs that turn DNSSEC validation
> > on, should it? Or perhaps dnssec-must-be-secure can be used in
> > named.conf to configure in such a way that named tries DNSSEC validation
> > but allows the query to proceed (with an error message logged) even if
> > it fails?
>
> Despite my initial enthusiasm for enabling DNSSEC by default in
> Fedora, I tend to agree with you now that we should probably keep it
> off by default for a while longer. It is dead simple to turn off/on
> though. See the "dnssec-configure" command, which works for both BIND
> and Unbound.

BTW, if anyone would like to follow this issue further, you can find
the discussion on the dns-operations list:

https://lists.dns-oarc.net/mailman/listinfo/dns-operations