On Mon, 07.12.15 17:23, Tomas Hozza (thozza(a)redhat.com) wrote:
>> Can you elaborate a bit? Is the intent that, if .box were
>> private, then .box would be forwarded to DHCP-provided resolvers regardless of whether
>> those resolvers were functional when asking for DNSSEC signature data?
>>
>> If so, what cases does this not cover? It fails in the split-horizon DNSSEC-enabled
>> case where the domain owner hasn't set it up right, but I'd argue that that's
>> a good thing.
>
> I think that an explicit list of domains would cover pretty much any
> use-case. We were thinking about configuring the mixed-mode module
> with local resolvers only in case these are not DNSSEC-capable. In
> such a situation everything would work fine. However, if the local
> resolvers are DNSSEC-capable, then we would not configure the mixed-mode
> module with them, and in such a case the validation would simply
> fail for any faked TLD. So we would have to configure the mixed-mode
> module with local resolvers in any case. I guess it would be fine,
> but I would have to think about it a little bit more.
Hmm? If I work for a company "Foo Corp" that defined .foocorp as its
private TLD, then I won't be able to access servers in that local
network until I add .foocorp to a local whitelist, is that what you
are saying? Or do you want to ship your package with all those domains
pre-configured? How would you know .foocorp in advance?
I am pretty sure these things need to work out-of-the-box, and that
means a whitelist cannot really work.
Lennart
--
Lennart Poettering, Red Hat
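To make the two routing strategies under discussion concrete, here is a small, constructed model (added for illustration; it is not code from the thread, from systemd-resolved, or from any project). It assumes a single DHCP-provided "local" resolver that also answers for the private .foocorp TLD, a public validating path that only knows real signed TLDs (here just "com"), and fake addresses. `whitelist_lookup` is the explicit-domain-list design: only suffixes on the list go to the local resolver, so an unknown private TLD like .foocorp falls through to the public path and gets a secure NXDOMAIN out of the box. `mixed_mode_lookup` sends everything to the local resolver; with validation enabled, a name under a TLD the signed root proves absent cannot validate, which is the "validation would simply fail for any faked TLD" case. The resolver names, zone data and status strings are all assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolver:
    name: str
    zones: dict  # constructed: name -> address this resolver would answer


# Constructed data: the public, DNSSEC-validating path knows only real, signed TLDs.
SIGNED_TLDS = {"com"}
PUBLIC = Resolver("public-validating", {"www.example.com": "93.184.216.34"})
# The DHCP-provided corporate resolver additionally serves the private ".foocorp" TLD.
LOCAL = Resolver("dhcp-local", {"www.example.com": "93.184.216.34",
                                "intranet.foocorp": "10.0.0.5"})


def matches(name, suffix):
    """True when name is suffix itself or lies underneath it."""
    return name == suffix or name.endswith("." + suffix)


def whitelist_lookup(name, routing_domains, local=LOCAL, public=PUBLIC):
    """Explicit-list routing: only suffixes in routing_domains go to the DHCP resolver.
    Returns (resolver used, address or None, validation status)."""
    if any(matches(name, s) for s in routing_domains):
        addr = local.zones.get(name)
        # Private names are unsigned, so the best status they can reach is "insecure".
        return (local.name, addr, "insecure" if addr else "nxdomain")
    addr = public.zones.get(name)
    # A private TLD that is not whitelisted is provably absent from the signed root.
    return (public.name, addr, "secure" if addr else "secure-nxdomain")


def mixed_mode_lookup(name, local=LOCAL, public=PUBLIC, validate=True):
    """Mixed mode: every query goes to the DHCP resolver. With validate=True the
    stub checks the answer against the signed public tree; without it, the
    local answer is accepted as insecure."""
    addr = local.zones.get(name)
    if addr is None:
        return (local.name, None, "nxdomain")
    if not validate:
        return (local.name, addr, "insecure")
    tld = name.rsplit(".", 1)[-1]
    if tld in SIGNED_TLDS:
        # Simplified validation: the local answer must agree with the signed data.
        status = "secure" if public.zones.get(name) == addr else "bogus"
        return (local.name, addr, status)
    # The signed root proves this TLD does not exist, so the answer cannot validate.
    return (local.name, addr, "bogus")


if __name__ == "__main__":
    print(whitelist_lookup("intranet.foocorp", []))          # public path, secure-nxdomain
    print(whitelist_lookup("intranet.foocorp", ["foocorp"]))  # local, insecure
    print(mixed_mode_lookup("intranet.foocorp"))              # local, bogus
    print(mixed_mode_lookup("intranet.foocorp", validate=False))
```

The model shows the tension in the thread: the explicit list keeps the public path validating, but the private TLD is unreachable until someone adds "foocorp" to the list; mixed mode reaches it out of the box only when validation is switched off for that resolver.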