On Friday 11 December 2015 09:09:28 Paul Wouters wrote:
> On 12/09/2015 06:02 PM, Oron Peled wrote:
> > Why don't we plan this feature in two stages:
> >  * Fedora 24: turn it on by default, but *keep using results* from bad DNS
> >    servers, just issue a user-visible warning, possibly with a link to a
> >    page with a friendly explanation and suggestions for further action.

I'll answer both Paul and Reindl, who replied "there's no safe and clean way
to solve that"...

> DNS lookups don't have users like web browsers.

First, that's only partially correct:
 * The client (resolver) normally *does* have a user (the uid of the process
   calling the resolver library).
 * But after that, you are correct that the caller identity is gone.

Still, IMO, the goal to warn users can be achieved quite easily. Two examples
from the top of my head:

1. log + notify:
   * The information may be logged with a special prefix (or a special field
     via sd-journal).
   * Users would have a small desktop service that would monitor for these
     messages and notify about them.

2. dbus:
   * The local DNS server would send a specific DBUS signal (e.g.:
     net.dnsseq.InsecureDNSReply).
   * A desktop process would listen on these signals and show a proper desktop
     notification.

BTW: SELinux failures may also be found in a non-desktop-user context, but
still the desktop user can receive warnings about them.

> I have been running this setup since Fedora 17. Breakage is not that bad.

Hmmm... even if all of us, fedora-devel subscribers, ran this,
it's still a far cry from a full release cycle of Fedora:

   * large numbers: millions of machines would reveal much more varied use-cases
     than what 500-1000 machines of "fedora-devel" people can show.

   * I suspect Fedora developers are very different from Fedora users (like
     developers/users in other technologies), so we are bound to miss important
     use-cases.

So my hunch is still: make F24 with DNSSEC by default, but not
"enforcing". Then, F25 will enforce DNSSEC validation.

-- 
Oron Peled                                 Voice: +972-4-8228492
o...@actcom.co.il                  http://users.actcom.co.il/~oron
MCSE: Must Consult Someone Experienced
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
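A sketch of the "log + notify" variant proposed above, added here as an example and not code from this thread or from any Fedora component. It assumes the local validating resolver writes one journal record per failed reply carrying the custom fields DNSSEC_RESULT, DNS_QNAME and DNS_SERVER (field names are my assumption), and it models the records as plain dicts so the monitor logic runs without a real journal.

```python
# Added example, not from the thread. Desktop-side consumer for the
# "log + notify" idea: the resolver is assumed to emit journal records
# with the custom fields DNSSEC_RESULT, DNS_QNAME and DNS_SERVER (names
# are my assumption); records are dicts shaped like sd-journal output.

# Constructed sample records: two failures via one upstream close together,
# one via another upstream later, plus an unrelated record from another unit.
SAMPLE_RECORDS = [
    {"__REALTIME_TIMESTAMP": 100, "SYSLOG_IDENTIFIER": "unbound",
     "DNSSEC_RESULT": "bogus", "DNS_QNAME": "example.org.",
     "DNS_SERVER": "192.0.2.53"},
    {"__REALTIME_TIMESTAMP": 101, "SYSLOG_IDENTIFIER": "unbound",
     "DNSSEC_RESULT": "secure", "DNS_QNAME": "fedoraproject.org.",
     "DNS_SERVER": "192.0.2.53"},
    {"__REALTIME_TIMESTAMP": 105, "SYSLOG_IDENTIFIER": "unbound",
     "DNSSEC_RESULT": "bogus", "DNS_QNAME": "example.net.",
     "DNS_SERVER": "192.0.2.53"},
    {"__REALTIME_TIMESTAMP": 400, "SYSLOG_IDENTIFIER": "unbound",
     "DNSSEC_RESULT": "bogus", "DNS_QNAME": "example.org.",
     "DNS_SERVER": "198.51.100.2"},
    {"__REALTIME_TIMESTAMP": 402, "SYSLOG_IDENTIFIER": "sshd",
     "MESSAGE": "unrelated record, no DNSSEC fields"},
]

def is_validation_failure(rec):
    """Only records the resolver explicitly tagged as bogus become warnings."""
    return rec.get("DNSSEC_RESULT") == "bogus"

def build_notifications(records, window=300):
    """Collapse failures into one notification per upstream server per time
    window, so a misbehaving server cannot flood the desktop with popups."""
    notes, open_note = [], {}  # open_note: server -> index into notes
    for rec in sorted(records, key=lambda r: r["__REALTIME_TIMESTAMP"]):
        if not is_validation_failure(rec):
            continue
        server, ts = rec["DNS_SERVER"], rec["__REALTIME_TIMESTAMP"]
        idx = open_note.get(server)
        if idx is None or ts - notes[idx]["first_seen"] >= window:
            notes.append({"server": server, "first_seen": ts, "names": []})
            idx = open_note[server] = len(notes) - 1
        if rec["DNS_QNAME"] not in notes[idx]["names"]:
            notes[idx]["names"].append(rec["DNS_QNAME"])
    return notes

def format_notification(note, help_url="https://example.invalid/dnssec-help"):
    """Popup text; help_url is a placeholder for the explanation page."""
    return "DNSSEC validation failed for %d name(s) via %s (first: %s). See %s" % (
        len(note["names"]), note["server"], note["names"][0], help_url)
```

The per-server window is what keeps a single broken upstream from turning into hundreds of popups; the desktop service would feed build_notifications from a journal follow loop and hand each formatted note to the notification daemon.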