On Mon, 2020-09-28 at 12:30 -0500, Michael Catanzaro wrote:
On Mon, Sep 28, 2020 at 1:20 pm, Chuck Anderson cra@alum.wpi.edu wrote:
I thought Fedora was supposed to be First? How can it be if Fedora chooses to use/configure software by default that is missing critical DNSSEC functionality and breaks DNS standards?
Well, let's amend that to "first when it's smart to be first." We can't ever *require* DNSSEC validation, because Windows and macOS are not going to do so. They have to be first. I could just as well counter with "How can Fedora be first if it refuses to implement split DNS behavior by default that breaks user expectations and leaks queries to unexpected networks?"
Requiring Validation, and *passing through* requests for DNSSEC records are *entirely* different things.
As for just passing along records, see Zbigniew's responses; it's possible to do by default, just not a priority. This is really only interesting for specialized applications like mail servers that live on controlled networks where you know that DNSSEC is not broken, i.e. not relevant for 99% of users. If you're running such applications, it's a one-line change in resolved.conf to enable DNSSEC, not really a big deal. It's annoying to have to edit an extra config file, yes, and we should do better, but I don't think that should derail this change.
It is breaking working systems for people, at the very least it should be very high on priority, not downplayed to irrelevance (as that is the route for never fixing it, and having people always disable resolved as a matter of fact)