On Fri, Apr 17, 2020 at 8:34 AM Chris Adams <li...@cmadams.net> wrote:
> Once upon a time, Lennart Poettering <mzerq...@0pointer.de> said:
> > The DNS servers in edge routers are awful at supporting
> > either. i.e. the DNS servers you usually get informed about in DHCP
> > leases are typically too crap at supporting either kind of DNSSEC (and
> > that for a reason actually, these devices generally define their own
> > private, local DNS names (e.g. "fritz.box"), which couldn't possibly
> > be validated with DNSSEC, because they are made up and local.)
>
> That might be true if you are just considering residential users with
> cheap gateways as your only use case (but even then, most of those run
> dnsmasq, which has gotten a lot better). However, there are lots of
> other use cases.
>
> > We
> > intend to implement the "AD" stuff however correctly for this, but
> > this isn't tested much since pretty much no one except for a few DNS
> > devs actually set this, hence there might be issues, which might be
> > what Florian found.
>
> Advertising yourself as a "nameserver" in /etc/resolv.conf means you get
> to handle all the requests, including the ones you didn't think about or
> want to just dismiss as only of interest "a few DNS devs". That's the
> only standard way for software to find DNS servers to use for any
> purpose. Returning errors to clients for things you don't care about is
> basically useless, because they have no other way to get that
> information when actual DNS servers aren't in /etc/resolv.conf.
>
> If systemd-resolved is not going to implement a standards-compliant DNS
> server (and not just "we return errors to things we don't care about",
> but actual current DNS standards), then it does not belong in
> /etc/resolv.conf. Listening on the system bus as an alternative, to
> implement gethostbyname/getaddrinfo/etc., is fine, but don't pretend to
> be an actual DNS server and go in /etc/resolv.conf.

I tend to agree. Right now, a client-side resolving validator works on Fedora. This change proposal breaks that.
Could resolved be extended to pass DNSSEC data through correctly so that client side validation will continue to work?
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
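The question in this thread, whether the resolver listed in /etc/resolv.conf passes DNSSEC data through so that a client-side validator can still work, comes down to what arrives on the wire: the response must echo the EDNS0 OPT record with the DO bit set and must carry the RRSIG records; the AD bit by itself only tells the client what the resolver believes, which a local validator cannot rely on. The following is an added example, not code from this thread, from systemd-resolved or from any Fedora project. It builds a DO query in wire format and inspects a constructed sample response (not a real capture); the function names, the 192.0.2.1 address and the RRSIG field values are my own.

```python
import struct

# DNS constants used below (RFC 1035 / RFC 4034 / RFC 6891)
QTYPE_A = 1
QTYPE_OPT = 41
QTYPE_RRSIG = 46
CLASS_IN = 1
EDNS_DO = 0x8000      # "DNSSEC OK" bit in the OPT record's TTL field
FLAG_AD = 0x0020      # "Authentic Data" bit in the header flags


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, dnssec_ok=True):
    """Build a query; with dnssec_ok an EDNS0 OPT record with DO=1 is
    appended, which is how a validating client asks for RRSIGs."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec_ok:
        # OPT pseudo-RR: root owner, type 41, class = UDP payload size,
        # TTL = ext-rcode/version/flags with DO set, empty rdata
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def inspect_response(msg):
    """Summarise the parts of a response a validating client cares about."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    rrsigs, do_bit = 0, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            do_bit = bool(ttl & EDNS_DO)
        elif rtype == QTYPE_RRSIG:
            rrsigs += 1
    return {"ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F,
            "rrsig_count": rrsigs, "do": do_bit}


def passes_dnssec_data(info):
    """A client-side validator needs DO echoed and the RRSIGs present.
    AD alone is the resolver's own verdict and proves nothing locally."""
    return info["do"] and info["rrsig_count"] > 0


def build_sample_response(name="example.com", passthrough=True, txid=0x1234):
    """Constructed sample response (not a real capture).
    passthrough=True: the upstream returns the RRSIG next to the A record,
    echoes the OPT record and sets AD.  passthrough=False: a forwarder
    that strips the RRSIG and the OPT record and clears AD."""
    flags = 0x8180 | (FLAG_AD if passthrough else 0)   # QR|RD|RA (+AD)
    msg = struct.pack("!HHHHHH", txid, flags, 1,
                      2 if passthrough else 1, 0, 1 if passthrough else 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    owner = b"\xc0\x0c"   # compression pointer to the question name (offset 12)
    msg += owner + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    if passthrough:
        # RRSIG rdata: type covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer name, signature (constructed)
        rdata = struct.pack("!HBBIIIH", QTYPE_A, 13, 2, 300,
                            1700000000, 1690000000, 12345)
        rdata += encode_name(name) + b"\x00\x01\x02\x03"
        msg += owner + struct.pack("!HHIH", QTYPE_RRSIG, CLASS_IN, 300, len(rdata)) + rdata
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO, 0)
    return msg


if __name__ == "__main__":
    for mode in (True, False):
        info = inspect_response(build_sample_response(passthrough=mode))
        verdict = "client validation possible" if passes_dnssec_data(info) else "broken"
        print("passthrough" if mode else "stripping", info, "->", verdict)
```

Against a live system the same check is the output of build_query() sent over UDP to the nameserver address from /etc/resolv.conf, with the reply handed to inspect_response(); the two constructed responses above stand in for an upstream that returns signatures and a forwarder that drops them, which is exactly the difference a local validator notices.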