dnssec-trigger + GNOME + NetworkManager integration

Björn Persson Bjorn at xn--rombobjrn-67a.se
Fri Jul 10 19:43:24 UTC 2015


Michael Catanzaro wrote:
> I'm confused on one point: why would the user ever want to turn off
> DNSSEC validation (except to get past a captive portal)? It sounds
> like you have no shortage of safeguards in place to make sure this
> always works: for it to break the user would have to be on a network
> that doesn't support DNSSEC, that blocks VPN, with the Fedora
> infrastructure down, right? I think it's OK to fail connections in
> that case (provided we have a story for captive portals).

I have been in situations where I had to switch to hotspot sign-on mode
and keep it that way for an extended time. For example, a few months ago
when I did some work in a customer's office I found that I couldn't look
up their internal servers. They had an internal DNS view, but their DNS
servers were in rather bad shape and my Fedora was bypassing them. DNS
administration wasn't what I was there to do, and starting by expanding
my job seemed like a bad idea. I needed to get my job done, so my
workaround was to use the hotspot sign-on mode the whole time I was
there.

But I'm a programmer who knows a lot about Internet protocols. I agree
that the users that Gnome 3 targets won't be able to make informed
decisions about DNSsec. For them the solution is to complain until the
sysadmins fix the broken DNS servers. (When it turns out that they can
access everything except the internal servers, then that will hopefully
be a hint that there is a problem with the local domain.) If Gnome 3 has
no option to disable validation, but the current DNSsec-trigger applet
remains available and discoverable to people like me, then that's fine
with me.

Björn Persson