On 07.12.2015 20:57, Paul Wouters wrote:
On Mon, 7 Dec 2015, Matthew Miller wrote:
> I read your whole post. Those possibilities seem pretty limited, from
> the point of view of serious regressions in Fedora usability. It isn't
> that I "like" Fedora being less than technically correct (especially
> around security-related features), but I don't think we can discount
> the prevalence of "broken" schemes in the real world.
But you gain nothing with waiting. There is no "fix" to wait for. Those
stolen domains are broken and they will start to fail. The only difference
could be that Fedora won't be the first where this breaks, but I
thought "First" was one of our mottos?
> I don't really care about that. I care that we pick the solutions that
> are best for our users.
Supporting DNSSEC per default is best for the user. Not enabling DNSSEC
is not a serious option. We delayed this feature a few times to ensure
we would get better integration with GNOME and VPNs so that we could
address the _real_ problems.
People using stolen or made up domain names is not a use case that can
be supported anymore with Secure DNS.
If it causes problems you have no time to fix, you will do "selinux=0 dnssec=0"