* Tomas Mraz: > On Wed, 2020-04-15 at 10:02 -0500, Michael Catanzaro wrote: >> On Wed, Apr 15, 2020 at 1:38 pm, Florian Weimer <fwei...@redhat.com> >> wrote: >> > Not sure if that's compatible with the new split DNS model because >> > VPN1 >> > could simply start pushing longer names in the scope of VPN2, thus >> > hijacking internal traffic there (and this sort of hijacking is >> > exactly >> > what a DNS sinkhole against typosquatting would need). >> >> You deserve bonus points for thinking like an attacker and exploring >> the security model, but let's assume the configured VPNs are >> trusted. >> Otherwise the user is screwed no matter what. ;) > > Trusted for what? I would expect corporate VPNs doing such tricks to > monitor the user's internet traffic. Which does not mean the user is > fully screwed with such VPN if he for example uses hardcoded > configuration of a caching nameserver.
Yes, what I described was given as a motivation for this change. I find the response puzzling. I would definitely like to see greater robustness to hostile networks, but it is a lot of work. Really a lot. Lots of code to review, and quite a few shell scripts as well. Thanks, Florian _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
