dnssec-trigger + GNOME + NetworkManager integration

Stef Walter stefw at redhat.com
Tue Jun 30 20:43:35 UTC 2015


On 30.06.2015 16:50, Tomas Hozza wrote:
> 
> 
> On 30.06.2015 16:07, Michael Catanzaro wrote:
>> On Tue, 2015-06-30 at 14:23 +0200, Tomas Hozza wrote:
>>> Except that this is exactly what we DON'T want to do. DNSSEC is an
>>> extension of DNS and it can be used even without the need for the 
>>> whole
>>> Internet to be signed. We want to use it even if the network-provided
>>> DNS resolvers don't support DNSSEC.
>>
>> I'm confused on one point: why would the user ever want to turn off
>> DNSSEC validation (except to get past a for captive portal)? It sounds
>> like you have no shortage of safeguards in place to make sure this
>> always works: for it to break the user would have to be on a network
>> that doesn't support DNSSEC, that blocks VPN, with the Fedora
>> infrastructure down, right? I think it's OK to fail connections in that
>> case (provided we have a story for captive portals).
>>
>> What we basically do not want is to give the user an option for turning
>> a security feature off.

Right. The UI is what people are balking against.

> Thank you for explanation. In that case we don't need any UI integration
> for this. Even though we use dnssec-trigger daily on our machines, we
> wanted to give the user a way to disable the feature if needed without
> the root access. This is more of a precaution in case something is
> broken and we didn't know about it.

So this should then become a network setting and go into NetworkManager
then, as one of its many options, and sit next to other DNS settings?

Non-root users can perform limited network configuration (think wifi
passwords and friends), so this isn't such a stretch.

Stef



More information about the devel mailing list