On Mon, 07.12.15 13:25, Gerd Hoffmann (kraxel(a)redhat.com) wrote:
Hi,
> Quite frankly: a setup like this one isn't just very typical for home
> router networks, but also in many companies, where ".lan" or
> ".companyname" or something like that is frequently established in the
> internal network. And you will make Fedora incompatible with all these
> networks by default.
Even if you don't grab some random name it still is a problem. /me runs
home.kraxel.org zone for my home network (and, yes,
kraxel.org is mine).
That zone isn't visible outside my home network, if you try to resolve
that by walking down from the root zone you wouldn't find it, you have
to use the local DNS server propagated by DHCP.
This case should actually not be a problem normally, even with
DNSSEC, since in such a case you wouldn't enable DNSSEC on
kraxel.org.
If you want to do such "split horizon" setups, then don't sign your
zones. I think that's a completely fair requirement to make, and if
you did sign your domains then this should really mean "don't allow
anything below my domain except what I define here or delegated".
The problem is pretty much limited to top-level domains, where those
routers and company networks invented stuff.
Lennart
--
Lennart Poettering, Red Hat
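Added example, not part of the thread and not Lennart's or Gerd's code: a toy model of how a DNSSEC-validating resolver would judge a name such as home.kraxel.org that only an internal (split-horizon) DNS server knows about. It assumes a simplified parent zone (apex, existing owner names, delegations with or without a DS record) and implements the RFC 4034 canonical name ordering plus a single-NSEC proof of non-existence; the zone contents are constructed, and nothing here touches the network. It shows the three outcomes the reply describes: an unsigned parent leaves the local answer insecure but usable, a signed parent with no delegation proves the name cannot exist (bogus), and a delegation without DS keeps the internal subzone usable.

```python
"""Toy model of how a validating resolver treats a split-horizon name.
Example code written for this thread; zone data and resolver logic are
simplified assumptions, not real resolver behaviour in every detail."""

from dataclasses import dataclass, field


def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 canonical ordering: labels are compared
    right-to-left, case-insensitively.  A tuple of reversed labels sorts
    the way a signed zone's NSEC chain is ordered."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


@dataclass
class ParentZone:
    apex: str
    signed: bool
    names: list = field(default_factory=list)        # owner names present in the zone
    delegations: dict = field(default_factory=dict)  # child apex -> True if a DS is published

    def nsec_chain(self) -> list:
        """Every owner name that would carry an NSEC record, canonically ordered."""
        owners = {self.apex, *self.names, *self.delegations}
        return sorted(owners, key=canonical_key)


def covering_nsec(zone: ParentZone, qname: str):
    """Return the (owner, next_owner) NSEC interval proving qname does not
    exist in the signed zone, or None if qname is an existing owner name
    or lies outside the zone.  The last NSEC wraps around to the apex."""
    q = canonical_key(qname)
    apex = canonical_key(zone.apex)
    if q[: len(apex)] != apex:
        return None  # not below this zone's apex; the zone says nothing about it
    chain = zone.nsec_chain()
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        lo, hi = canonical_key(owner), canonical_key(nxt)
        if q == lo:
            return None
        if lo < q < hi or (hi <= lo and (q > lo or q < hi)):  # wrap-around interval
            return (owner, nxt)
    return None


def classify_local_answer(zone: ParentZone, qname: str) -> str:
    """Verdict on an answer for qname that only the internal server gives.
      'insecure' - no signed data contradicts it; the resolver uses it as-is
      'secure'   - the chain of trust covers it; the answer must carry valid signatures
      'bogus'    - the signed parent proves qname cannot exist; answer rejected"""
    if not zone.signed:
        return "insecure"
    q = qname.rstrip(".").lower()
    if q == zone.apex.lower() or q in {n.lower() for n in zone.names}:
        return "secure"
    for child, has_ds in zone.delegations.items():
        if q == child or q.endswith("." + child):
            # Delegation without DS is an insecure delegation: the child may
            # serve unsigned, purely internal data.  With DS it must be signed.
            return "secure" if has_ds else "insecure"
    return "bogus" if covering_nsec(zone, qname) else "secure"


if __name__ == "__main__":
    # Constructed zones illustrating the thread's scenarios.
    signed_no_delegation = ParentZone("kraxel.org", True, ["www.kraxel.org"])
    unsigned = ParentZone("kraxel.org", False, ["www.kraxel.org"])
    insecure_delegation = ParentZone("kraxel.org", True, ["www.kraxel.org"],
                                     {"home.kraxel.org": False})
    for label, zone in [("signed, no delegation", signed_no_delegation),
                        ("unsigned parent", unsigned),
                        ("signed, delegated without DS", insecure_delegation)]:
        print(f"{label:30} home.kraxel.org -> "
              f"{classify_local_answer(zone, 'home.kraxel.org')}")
```

The bogus case is the one to watch for: once kraxel.org is signed, the NSEC record between kraxel.org and www.kraxel.org is a signed statement that nothing exists in that gap, so a validating stub rejects whatever the home router's DNS returns for home.kraxel.org. Publishing an NS delegation for home.kraxel.org in the signed parent, with no DS record, is what turns that into an insecure delegation the resolver will accept.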