On Mon, 2020-09-28 at 12:30 -0500, Michael Catanzaro wrote:
On Mon, Sep 28, 2020 at 1:20 pm, Chuck Anderson
<cra(a)alum.wpi.edu>
wrote:
> I thought Fedora was supposed to be First? How can it be if Fedora
> chooses to use/configure software by default that is missing critical
> DNSSEC functionality and breaks DNS standards?
Well, let's amend that to "first when it's smart to be first." We
can't
ever *require* DNSSEC validation, because Windows and macOS are not
going to do so. They have to be first. I could just as well counter
with "How can Fedora be first if it refuses to implement split DNS
behavior by default that breaks user expectations and leaks queries to
unexpected networks?"
Requiring Validation, and *passing through* requests for DNSSEC records
are *entirely* different things.
As for just passing along records, see Zbigniew's responses;
it's
possible to do by default, just not a priority. This is really only
interesting for specialized applications like mail servers that live on
controlled networks where you know that DNSSEC is not broken, i.e. not
relevant for 99% of users. If you're running such applications, it's a
one-line change in resolved.conf to enable DNSSEC, not really a big
deal. It's annoying to have to edit an extra config file, yes, and we
should do better, but I don't think that should derail this change.
It is breaking working systems for people, at the very least it should
be very high on priority, not downplayed to irrelevance (as that is the
route for never fixing it, and having people always disable resolved as
a matter of fact)
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc