On 06.10.20 at 23:21, Solomon Peachy wrote:
>> It's one thing to contact your repo or distro servers, and another if
>> it's a known dataminer, that gets all domain names you visit.
> So.. given that both Google and Cloudflare have actual European business
> offices, aren't they bound by the GDPR t
On Tue, Oct 06, 2020 at 11:00:23PM +0200, Marius Schwarz wrote:
> It's one thing to contact your repo or distro servers, and another if
> it's a known dataminer, that gets all domain names you visit.
So.. given that both Google and Cloudflare have actual European business
offices, aren't they bound
On 05.10.20 at 11:12, Petr Menšík wrote:
>> * Immediately after you connect to the network, Fedora connects to
>> http://fedoraproject.org/static/hotspot.txt to see if you're behind a
>> captive portal
> Fedora is contacting fedora server, seems predictable.
It's one thing to contact your repo or
OK, you convinced me:
https://src.fedoraproject.org/rpms/systemd/pull-request/37.
Let's see what others say.
Zbyszek
On Fri, Oct 02, 2020 at 12:34:32AM +0200, Marius Schwarz wrote:
> On 01.10.20 at 16:36, Alexander Bokovoy wrote:
> >
> > You can also drop a configuration snippet in
> > /etc/sy
On 9/28/20 6:44 AM, Paul Wouters wrote:
Subject: Re: Fedora 33 System-Wide Change proposal: systemd-resolved
I was just hit by the first bug in systemd-resolved 4 days after I
upgraded to fedora33. I will file a bug report for that, but I wanted
to discuss something more fundamental.
systemd
On 10/2/20 2:16 PM, Michael Catanzaro wrote:
> On Fri, Oct 2, 2020 at 12:34 am, Marius Schwarz
> wrote:
>> If you send a DNS REQUEST to a US DNS server from within a company
>> network, and with ipv6 the internal ip is sent out i learned lately, you
>> have sent personal data which is protected
On Fri, Oct 02, 2020 at 03:37:21PM +0200, Eugene Syromiatnikov wrote:
> > FFS, if Fedora is "bad" for doing these things, how is MacOS, iOS,
> > Android, or even Windows acceptable?
> >
> > (out-of-the-box, that is. because that's what we're talking about here)
>
> They are not, and that is why
On Fri, 2020-10-02 at 00:50 +0200, Marius Schwarz wrote:
> On 01.10.20 at 19:36, Simo Sorce wrote:
> > That said,
> > if it really is an internal DNS and there are strong policies around it
> > I assume that the perimeter or the local machine firewall will be
> > configured to block UDP packets to
On Fri, Oct 02, 2020 at 09:23:12AM -0400, Solomon Peachy wrote:
> On Fri, Oct 02, 2020 at 02:34:15PM +0200, Eugene Syromiatnikov wrote:
> > Only those that think that they are smarter than a user and ignore her/his
> > privacy.
>
> In other words, all of them?
>
> FFS, if Fedora is "bad" for do
On Fri, Oct 02, 2020 at 02:34:15PM +0200, Eugene Syromiatnikov wrote:
> Only those that think that they are smarter than a user and ignore her/his
> privacy.
In other words, all of them?
FFS, if Fedora is "bad" for doing these things, how is MacOS, iOS,
Android, or even Windows acceptable?
(o
On Fri, Oct 02, 2020 at 07:16:38AM -0500, Michael Catanzaro wrote:
> On Fri, Oct 2, 2020 at 12:34 am, Marius Schwarz
> wrote:
> >If you send a DNS REQUEST to a US DNS server from within a company
> >network, and with ipv6 the internal ip is sent out i learned lately, you
> >have sent personal data
On Fri, Oct 2, 2020 at 12:34 am, Marius Schwarz
wrote:
If you send a DNS REQUEST to a US DNS server from within a company
network, and with ipv6 the internal ip is sent out i learned lately, you
have sent personal data which is protected under the GDPR. It's not
unlikely to use company pcs for
On 01.10.20 at 19:36, Simo Sorce wrote:
> That said,
> if it really is an internal DNS and there are strong policies around it
> I assume that the perimeter or the local machine firewall will be
> configured to block UDP packets to port 53 to any other external
> servers ...
>
> This leaves out on
On 01.10.20 at 16:36, Alexander Bokovoy wrote:
>
> You can also drop a configuration snippet in
> /etc/systemd/resolved.conf.d/ to contain
>
> FallbackDNS=
>
> This will disable global DNS servers for any case.
>
if that would be the default, it would be ok.
On 01.10.20 at 16:03, Michael
On Wed, Sep 30, 2020 at 11:50:00AM -0500, Michael Catanzaro wrote:
> On Wed, Sep 30, 2020 at 6:43 pm, Dominik 'Rathann' Mierzejewski
> wrote:
> >What if I'm using NetworkManager and dnssec-trigger? This has been
> >working very well for me for the last couple of releases and I'd hate
> >to be forc
On Thu, 2020-10-01 at 09:03 -0500, Michael Catanzaro wrote:
> On Thu, Oct 1, 2020 at 3:32 pm, Marius Schwarz
> wrote:
> > I think, he meant the systemd-resolved fallback to Cloudflare and
> > Google. Is that in the fedora build? If so, i suggest to patch it out.
> > That will fix the issue for m
On Thu, 01 Oct 2020, Michael Catanzaro wrote:
On Thu, Oct 1, 2020 at 3:32 pm, Marius Schwarz
wrote:
I think, he meant the systemd-resolved fallback to Cloudflare and
Google. Is that in the fedora build? If so, i suggest to patch it out.
That will fix the issue for me in perspective of the GDPR
On Thu, Oct 1, 2020 at 3:32 pm, Marius Schwarz
wrote:
I think, he meant the systemd-resolved fallback to Cloudflare and
Google. Is that in the fedora build? If so, i suggest to patch it out.
That will fix the issue for me in perspective of the GDPR.
Unless you explain this *very* clearly, I'm
On 30.09.20 at 17:13, Michael Catanzaro wrote:
>
> On Wed, Sep 30, 2020 at 3:14 pm, Graham Leggett wrote:
>> Regulations like the GDPR exist, and ignorance of them is not a defence.
>>
>> I am required by these regulations and many other regulations in
>> multiple jurisdictions to make sure my us
On 01. 10. 20 at 0:10, Michael Catanzaro wrote:
> On Wed, Sep 30, 2020 at 11:49 pm, Björn Persson
> wrote:
>> So there's no need to revert any changes to /etc/nsswitch.conf? I've
>> seen some discussion about that file in relation to systemd-resolved.
>> It seemed far from easy to understand h
On Tuesday, September 29, 2020 9:36:38 AM MST Dan Williams wrote:
> On Tue, 2020-09-29 at 09:18 -0700, John M. Harris Jr wrote:
>
> > On Tuesday, September 29, 2020 5:13:48 AM MST Zbigniew Jędrzejewski-
> > Szmek
> > wrote:
> >
> > > On Mon, Sep 28, 2020 at 11:41:12PM -0700, John M. Harris Jr wr
On Wed, Sep 30, 2020 at 11:49 pm, Björn Persson
wrote:
So there's no need to revert any changes to /etc/nsswitch.conf? I've
seen some discussion about that file in relation to systemd-resolved.
It seemed far from easy to understand how to make it work correctly.
You don't have to touch /etc/ns
Michael Catanzaro wrote:
> On Wed, Sep 30, 2020 at 6:43 pm, Dominik 'Rathann' Mierzejewski
> wrote:
> > What if I'm using NetworkManager and dnssec-trigger? This has been
> > working very well for me for the last couple of releases and I'd hate
> > to be forced to manually reconfigure things so t
On Wed, Sep 30, 2020 at 9:58 pm, Petr Menšík
wrote:
Shouldn't it change resolv.conf only in case NM is active AND
resolv.conf is generated by Network Manager?
Correct, that's indeed what it does. (Since Zbigniew changed it
yesterday. Previously, it did not check if NM is active.)
The system
On 9/30/20 7:11 PM, Michael Catanzaro wrote:
> On Wed, Sep 30, 2020 at 9:54 am, PGNet Dev wrote:
>> So the upgrade WILL ignore current F32 state -- systemd-resolved
>> DISABLED + 'my' /etc/resolv.conf -- and enable + overwrite
>> (respectively) each, regardless of whether we're _using_
>> Networ
On Wed, Sep 30, 2020 at 9:54 am, PGNet Dev wrote:
So the upgrade WILL ignore current F32 state -- systemd-resolved
DISABLED + 'my' /etc/resolv.conf -- and enable + overwrite
(respectively) each, regardless of whether we're _using_
NetworkManager (afaict it's impossible to completely remove all
On 9/30/20 9:50 AM, Michael Catanzaro wrote:
> You'll need to manually disable systemd-resolved after upgrade, restore
> /etc/resolv.conf from the backup file that will be created during upgrade
So the upgrade WILL ignore current F32 state -- systemd-resolved DISABLED +
'my' /etc/resolv.conf -- a
On Wed, Sep 30, 2020 at 6:43 pm, Dominik 'Rathann' Mierzejewski
wrote:
What if I'm using NetworkManager and dnssec-trigger? This has been
working very well for me for the last couple of releases and I'd hate
to be forced to manually reconfigure things so that it starts working
again.
The upgra
On Wednesday, 30 September 2020 at 18:16, Neal Gompa wrote:
[...]
> If you're not using NetworkManager, this change has _zero_ impact.
What if I'm using NetworkManager and dnssec-trigger? This has been
working very well for me for the last couple of releases and I'd hate
to be forced to manually r
On 9/30/20 9:16 AM, Neal Gompa wrote:
> If you're not using NetworkManager, this change has _zero_ impact.
perfect.
clearly, i've missed or lost the obviousness of that incredibly useful tidbit
in this novella :-/
thx!
___
devel mailing list -- devel@
On Wed, Sep 30, 2020 at 12:15 PM PGNet Dev wrote:
>
> Reading along, it's _at_best_ unclear what the eventual 'resolution' of this
> is.
>
> What _is_ clear is that there's significant disagreement -- which,
> unfortunately, has at times here become nasty & personal -- about needed vs
> planne
Reading along, it's _at_best_ unclear what the eventual 'resolution' of this
is.
What _is_ clear is that there's significant disagreement -- which,
unfortunately, has at times here become nasty & personal -- about needed vs
planned functionality, and, of late, regulatory compliance.
And, iiuc
On Wed, Sep 30, 2020 at 10:05 am, Gerd Hoffmann
wrote:
Sorry, but that is not correct.
NetworkManager can handle split-dns just fine, by using dnsmasq and
reconfiguring it via dbus when vpn connections come and go. I can
easily add more servers + zones by dropping a config file snippet into
On Wed, Sep 30, 2020 at 3:14 pm, Graham Leggett
wrote:
Regulations like the GDPR exist, and ignorance of them is not a
defence.
I am required by these regulations and many other regulations in
multiple jurisdictions to make sure my users comply. If you have gone
out of your way to break se
On Wed, Sep 30, 2020 at 03:14:10PM +0200, Graham Leggett wrote:
> I am required by these regulations and many other regulations in
> multiple jurisdictions to make sure my users comply. If you have gone
> out of your way to break secure operation on Fedora, we will have to
> ban the use of Fedor
On 29 Sep 2020, at 23:44, Michael Catanzaro wrote:
> This is either a very strange misunderstanding, or trolling. I will assume
> positive intent. Internet RFCs are not regulatory requirements. If you're
> aware of some government regulation that requires us to forward RRSEC
> records, I would
Neal Gompa wrote:
> On Tue, Sep 29, 2020 at 7:48 AM Björn Persson wrote:
> >
> > Lennart Poettering wrote:
> > > On Mo, 28.09.20 22:54, Björn Persson (Bjorn@rombobjörn.se) wrote:
> > >
> > > > It can work in company-scope if the company has competent network
> > > > admins. My local DNS server
On 30.09.20 at 10:05, Gerd Hoffmann wrote:
>> So sending the requests to all available DNS servers in absence of
>> better routing info is a great enabler:
> I fail to see why sending queries to all servers is a good plan. The
> redhat vpn dns servers surely can't resolve the hostnames for my loc
Hi,
> For example, if I have my laptop in my home wifi, connected to RH VPN,
> then there are some names resolvable only via the local
> DNS. Specifically: my router's, my printer's and my NAS' address. And
> there are other names only resolvable via RH VPN. systemd-resolved for
> the first time
On 9/29/20 9:18 AM, Lennart Poettering wrote:
So let me ExecSum what I wrote here. For systemd-resolved to become
a high quality DNS solution:
1) Remove custom DNS/DNSSEC resolving code and use a well maintained
DNS library.
"Custom" is in the eye of the beholder. It appears to me you mean
On Tue, 2020-09-29 at 17:50 -0400, Neal Gompa wrote:
> On Tue, Sep 29, 2020 at 5:44 PM Michael Catanzaro
> wrote:
> > On Tue, Sep 29, 2020 at 11:33 pm, Graham Leggett
> > wrote:
> > > To step in here, regulatory compliance is a non optional requirement
> > > around the world.
> > >
> > > Regula
On 29.09.20 at 14:38, Neal Gompa wrote:
> If you're a remote employee, it absolutely is. And especially in this
> pandemic, this kind of thing is now the *default* experience.
Company network - check
Fedora 31 Laptops - check
VPN users - check
Androids - check
Windows Laptops - check
internal dns
On Tue, Sep 29, 2020 at 5:44 PM Michael Catanzaro wrote:
>
> On Tue, Sep 29, 2020 at 11:33 pm, Graham Leggett
> wrote:
> > To step in here, regulatory compliance is a non optional requirement
> > around the world.
> >
> > Regulatory compliance applies to everybody in a jurisdiction, there
> > is
On Tue, Sep 29, 2020 at 11:33 pm, Graham Leggett
wrote:
To step in here, regulatory compliance is a non optional requirement
around the world.
Regulatory compliance applies to everybody in a jurisdiction, there
is no such thing as a “specialized deployment” or environments
where it “will not
On 29 Sep 2020, at 22:04, Michael Catanzaro wrote:
> On Tue, Sep 29, 2020 at 4:51 pm, Petr Menšík wrote:
>> Anyway, we might forgive working dnssec validation. What we cannot
>> forgive is lack of DNSSEC information passthrough in 2020.
>
> I agree this should be fixed. See
> https://bugzilla.r
On Tue, Sep 29, 2020 at 10:58 pm, David Sommerseth
wrote:
Ubuntu 20.04 has also enabled systemd-resolved
by default, but it seems it has not gone as far as Fedora 33.
Ubuntu has enabled systemd-resolved by default since Ubuntu 16.10, but
it doesn't use nss-resolve, so getaddrinfo() uses tradi
On 29/09/2020 17:21, Paul Wouters wrote:
>
> For the VPN scenario, it is just a little bit more complicated.
>
> For those with proper standards, such as "Cisco IPsec", L2TP/IPsec",
> the VPN configuration is dictated by the server to either send all or
> some traffic to the VPN server. If it is n
On Tue, Sep 29, 2020 at 8:01 pm, Lennart Poettering
wrote:
So, I defer to Michael here: I didn't actually check what NM opted
there. It might very well be that they default to configuring "." as
routing domain for VPNs.
Yes, this is what happens.
Qualification: it's what should happen, sans b
On 9/29/20 10:05 PM, Michael Catanzaro wrote:
>
>
> On Tue, Sep 29, 2020 at 4:28 pm, Petr Menšík wrote:
>> nss-dns is all right. All you need to have is dns server with domain
>> configurable servers.
>>
>> Those are:
>> - unbound (with dnssec-trigger autoconfigured)
>> - dnsmasq
>> - systemd-r
On Tue, Sep 29, 2020 at 6:32 pm, Petr Menšík
wrote:
Are you sure? Can it?
It cannot: https://bugzilla.redhat.com/show_bug.cgi?id=1879028
On 9/29/20 6:18 PM, Lennart Poettering wrote:
> On Di, 29.09.20 11:21, Paul Wouters (p...@nohats.ca) wrote:
>
>> No further magic should be needed. The user selects this once when
>> joining a new network.
>
> This is terrible UI. It was on Windows, and it would be on Linux.
>
> You shouldn't
On Tue, Sep 29, 2020 at 4:28 pm, Petr Menšík
wrote:
nss-dns is all right. All you need to have is dns server with domain
configurable servers.
Those are:
- unbound (with dnssec-trigger autoconfigured)
- dnsmasq
- systemd-resolved
- probably knot-resolver
- bind (not more difficult to reconfig
On Tue, Sep 29, 2020 at 4:51 pm, Petr Menšík
wrote:
Anyway, we might forgive working dnssec validation. What we cannot
forgive is lack of DNSSEC information passthrough in 2020.
I agree this should be fixed. See
https://bugzilla.redhat.com/show_bug.cgi?id=1879028.
However, since this only ma
On Tue, Sep 29, 2020 at 4:06 pm, Nikos Mavrogiannopoulos
wrote:
It is not an exotic one, but this behavior was in the past considered
a vulnerability (information disclosure) [0]. Are we re-introducing
it? I guess yes, and it can be that the benefits of it outweigh the
vulnerability, but we shou
On Tue, Sep 29, 2020 at 5:21 pm, Lennart Poettering
wrote:
Yes, I too would prefer if my regular, non-RH DNS traffic never goes
to RH servers while I am in the VPN, and I can easily configure things
that way. But if I am pretty sure the majority of people probably put
more emphasis "please pleas
On Tue, 2020-09-29 at 15:14 -0400, Simo Sorce wrote:
> On Tue, 2020-09-29 at 11:20 -0500, Dan Williams wrote:
> > On Mon, 2020-09-28 at 16:40 -0500, Michael Catanzaro wrote:
> > > On Mon, Sep 28, 2020 at 5:18 pm, Chuck Anderson > > >
> > > wrote:
> > > > I think the VPN plugin and VPN server has
On Tue, 2020-09-29 at 20:01 +0200, Lennart Poettering wrote:
> On Di, 29.09.20 13:56, Simo Sorce (s...@redhat.com) wrote:
>
> > On Tue, 2020-09-29 at 12:59 +0200, Lennart Poettering wrote:
> > > On Di, 29.09.20 03:49, John M. Harris Jr (joh...@splentity.com) wrote:
> > >
> > > > Search domains ha
On Tue, 2020-09-29 at 11:20 -0500, Dan Williams wrote:
> On Mon, 2020-09-28 at 16:40 -0500, Michael Catanzaro wrote:
> > On Mon, Sep 28, 2020 at 5:18 pm, Chuck Anderson
> > wrote:
> > > I think the VPN plugin and VPN server has some input, no? All the
> > > VPN
> > > servers I've used send route
On Tue, 2020-09-29 at 16:35 +, Zbigniew Jędrzejewski-Szmek wrote:
> On Mon, Sep 28, 2020 at 02:20:46PM -0400, Simo Sorce wrote:
> > On Mon, 2020-09-28 at 13:32 +, Zbigniew Jędrzejewski-Szmek wrote:
> > > On Mon, Sep 28, 2020 at 07:57:13AM -0500, Ian Pilcher wrote:
> > > > On 9/28/20 6:47 AM
On 9/29/20 5:21 PM, Lennart Poettering wrote:
> On Di, 29.09.20 16:03, Petr Menšík (pemen...@redhat.com) wrote:
>
>>> For example, if I have my laptop in my home wifi, connected to RH VPN,
>>> then there are some names resolvable only via the local
>>> DNS. Specifically: my router's, my printer'
On Tue, Sep 29, 2020 at 4:00 AM Lennart Poettering
wrote:
> On Di, 29.09.20 03:49, John M. Harris Jr (joh...@splentity.com) wrote:
>
> > Search domains have absolutely nothing to do with routing. Search
> domains are
> > specifically used for resolving non-FQDN to FQDN. This isn't a reliable
> wa
On Di, 29.09.20 13:56, Simo Sorce (s...@redhat.com) wrote:
> On Tue, 2020-09-29 at 12:59 +0200, Lennart Poettering wrote:
> > On Di, 29.09.20 03:49, John M. Harris Jr (joh...@splentity.com) wrote:
> >
> > > Search domains have absolutely nothing to do with routing. Search domains
> > > are
> > >
On Tue, 2020-09-29 at 12:59 +0200, Lennart Poettering wrote:
> On Di, 29.09.20 03:49, John M. Harris Jr (joh...@splentity.com) wrote:
>
> > Search domains have absolutely nothing to do with routing. Search domains
> > are
> > specifically used for resolving non-FQDN to FQDN. This isn't a reliable
On Tue, 2020-09-29 at 10:19 +0200, Lennart Poettering wrote:
> On Mo, 28.09.20 14:29, Simo Sorce (s...@redhat.com) wrote:
>
> > On Mon, 2020-09-28 at 16:02 +0100, Tom Hughes via devel wrote:
> > > On 28/09/2020 15:57, Marius Schwarz wrote:
> > > > On 28.09.20 at 13:47, Zbigniew Jędrzejewski
On 28. 09. 20 at 18:03, Michael Catanzaro wrote:
> On Mon, Sep 28, 2020 at 10:51 am, Ian Pilcher
> wrote:
>> I anticipated this question. I don't have a good proposal for you ...
>> but I believe that it's up to the people advocating/implementing this
>> change to come up with that. If it is
On Tue, 29 Sep 2020, Lennart Poettering wrote:
"Custom" is in the eye of the beholder. It appears to me you mean that
in a derogatory way.
I went out of my way to compare the systemd-resolved team to the DNS teams
consisting of dozens of full time senior people working 20+ years on
DNS with ann
On Tue, Sep 29, 2020 at 07:27:37AM -0700, Kevin Fenzi wrote:
> On Mon, Sep 28, 2020 at 10:38:27AM -0700, Erich Eickmeyer wrote:
> >
> >
> > This entire discussion is generating enough emails per hour to be an IRC
> > discussion. Could we please move this discussion to #fedora-devel or
> > somepla
On Tue, 2020-09-29 at 09:18 -0700, John M. Harris Jr wrote:
> On Tuesday, September 29, 2020 5:13:48 AM MST Zbigniew Jędrzejewski-
> Szmek
> wrote:
> > On Mon, Sep 28, 2020 at 11:41:12PM -0700, John M. Harris Jr wrote:
> >
> > > On Monday, September 28, 2020 9:39:17 AM MST Michael Catanzaro
> > >
On Mon, Sep 28, 2020 at 02:20:46PM -0400, Simo Sorce wrote:
> On Mon, 2020-09-28 at 13:32 +, Zbigniew Jędrzejewski-Szmek wrote:
> > On Mon, Sep 28, 2020 at 07:57:13AM -0500, Ian Pilcher wrote:
> > > On 9/28/20 6:47 AM, Zbigniew Jędrzejewski-Szmek wrote:
> > > > Instructions were already posted
On 9/29/20 5:21 PM, Lennart Poettering wrote:
> On Di, 29.09.20 16:03, Petr Menšík (pemen...@redhat.com) wrote:
>
>>> For example, if I have my laptop in my home wifi, connected to RH VPN,
>>> then there are some names resolvable only via the local
>>> DNS. Specifically: my router's, my printer'
On 9/29/20 5:23 PM, Lennart Poettering wrote:
> On Di, 29.09.20 16:51, Petr Menšík (pemen...@redhat.com) wrote:
>
>>> I am just saying: Fedora cannot be focussed on just working for people
>>> who have a competent company admin and use their laptops in
>>> company networks only. We must have som
On Mon, 2020-09-28 at 16:40 -0500, Michael Catanzaro wrote:
> On Mon, Sep 28, 2020 at 5:18 pm, Chuck Anderson
> wrote:
> > I think the VPN plugin and VPN server has some input, no? All the
> > VPN
> > servers I've used send routes to the VPN client to determine which
> > traffic the client shoul
On Tuesday, September 29, 2020 5:13:48 AM MST Zbigniew Jędrzejewski-Szmek
wrote:
> On Mon, Sep 28, 2020 at 11:41:12PM -0700, John M. Harris Jr wrote:
>
> > On Monday, September 28, 2020 9:39:17 AM MST Michael Catanzaro wrote:
> >
> > > You can do this, but again, you need to use the command line
On Di, 29.09.20 11:21, Paul Wouters (p...@nohats.ca) wrote:
> No further magic should be needed. The user selects this once when
> joining a new network.
This is terrible UI. It was on Windows, and it would be on Linux.
You shouldn't ask questions people cannot possibly answer
correctly. There's
On Mon, 2020-09-28 at 23:37 -0700, John M. Harris Jr wrote:
> On Monday, September 28, 2020 12:42:32 PM MST Lennart Poettering
> wrote:
> > On Mo, 28.09.20 12:14, Paul Wouters (p...@nohats.ca) wrote:
> >
> >
> > > On Mon, 28 Sep 2020, Michael Catanzaro wrote:
> > >
> > >
> > >
> > > > I don't
On Tuesday, September 29, 2020 6:41:12 AM MST Lennart Poettering wrote:
> On Di, 29.09.20 04:03, John M. Harris Jr (joh...@splentity.com) wrote:
>
>
> > > Search domains on VPNs are an indicator that these domains are handled
> > > by the VPN, that's why we use them also as routing domains. But t
On Tue, 29 Sep 2020, Petr Menšík wrote:
is there any generic protocol exchanging what (sub)domains should be
targeted to specific DNS server?
The search domains are usually the only signal available and used for
this. RFC 7296 (IKEv2) and split-DNS (RFC 8598) defines the sent domain
name list
On Di, 29.09.20 16:51, Petr Menšík (pemen...@redhat.com) wrote:
> > I am just saying: Fedora cannot be focussed on just working for people
> > who have a competent company admin and use their laptops in
> > company networks only. We must have something that works well in
> > company networks, as i
On Di, 29.09.20 16:03, Petr Menšík (pemen...@redhat.com) wrote:
> > For example, if I have my laptop in my home wifi, connected to RH VPN,
> > then there are some names resolvable only via the local
> > DNS. Specifically: my router's, my printer's and my NAS' address. And
> > there are other names
On Tue, 29 Sep 2020, Lennart Poettering wrote:
Well, but how do you determine "local resources"?
This is not the proper question. The proper question is "what are you
trying to do". The .local domain discovery clearly is something meant
to be local.
I assume the real question is: How to conve
On 9/29/20 3:44 PM, Lennart Poettering wrote:
> On Di, 29.09.20 13:47, Björn Persson (Bjorn@rombobjörn.se) wrote:
>
>> Lennart Poettering wrote:
>>> On Mo, 28.09.20 22:54, Björn Persson (Bjorn@rombobjörn.se) wrote:
>>>
It can work in company-scope if the company has competent network
a
nss-dns is all right. All you need to have is dns server with domain
configurable servers.
Those are:
- unbound (with dnssec-trigger autoconfigured)
- dnsmasq
- systemd-resolved
- probably knot-resolver
- bind (not more difficult to reconfigure runtime)
Maybe more. It is not about nss, because /et
On Mon, Sep 28, 2020 at 10:38:27AM -0700, Erich Eickmeyer wrote:
>
>
> This entire discussion is generating enough emails per hour to be an IRC
> discussion. Could we please move this discussion to #fedora-devel or
> someplace more appropriate?
Well, not everyone is on IRC, and email is sometime
On Tue, Sep 29, 2020 at 3:43 PM Lennart Poettering wrote:
>
> On Di, 29.09.20 04:03, John M. Harris Jr (joh...@splentity.com) wrote:
>
> > > Search domains on VPNs are an indicator that these domains are handled
> > > by the VPN, that's why we use them also as routing domains. But this
> > > doesn
Hi Lennart,
more below...
On 9/29/20 3:41 PM, Lennart Poettering wrote:
> On Di, 29.09.20 04:03, John M. Harris Jr (joh...@splentity.com) wrote:
>
>>> Search domains on VPNs are an indicator that these domains are handled
>>> by the VPN, that's why we use them also as routing domains. But this
>
On 9/29/20 10:01 AM, Lennart Poettering wrote:
> On Mo, 28.09.20 23:37, John M. Harris Jr (joh...@splentity.com) wrote:
>
>>> Configure "." as "routing domain" on a specific iface and the lookups
>>> will go there preferably. If you put that on your VPN iface this means
>>> DNS traffic goes there
On Di, 29.09.20 13:47, Björn Persson (Bjorn@rombobjörn.se) wrote:
> Lennart Poettering wrote:
> > On Mo, 28.09.20 22:54, Björn Persson (Bjorn@rombobjörn.se) wrote:
> >
> > > It can work in company-scope if the company has competent network
> > > admins. My local DNS server at home resolves local h
On Di, 29.09.20 04:03, John M. Harris Jr (joh...@splentity.com) wrote:
> > Search domains on VPNs are an indicator that these domains are handled
> > by the VPN, that's why we use them also as routing domains. But this
> > doesn't mean it's the *only* routing domains we use. We use the ones
> > yo
On Tue, Sep 29, 2020 at 7:48 AM Björn Persson wrote:
>
> Lennart Poettering wrote:
> > On Mo, 28.09.20 22:54, Björn Persson (Bjorn@rombobjörn.se) wrote:
> >
> > > It can work in company-scope if the company has competent network
> > > admins. My local DNS server at home resolves local hostnames to
On Tue, Sep 29, 2020 at 10:27:37AM +0200, Florian Weimer wrote:
> * Zbigniew Jędrzejewski-Szmek:
>
> > https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/
> > in this particular case.
>
> I looked at this extensively a couple of
Hi,
> NetworkManager pushes DNS server configuration (and associated bits like
> domain
> search and routing domains) over dbus to resolved. That way it "[tells
> resolved how
> to] split DNS according to routing". Of course, after the name has been
> resolved
> to an IP address, the packets to
On Mon, Sep 28, 2020 at 11:41:12PM -0700, John M. Harris Jr wrote:
> On Monday, September 28, 2020 9:39:17 AM MST Michael Catanzaro wrote:
> > You can do this, but again, you need to use the command line. E.g.
> > 'resolvectl dns tun0 8.8.8.8'
> >
> > We're actually no longer debating how systemd
Lennart Poettering wrote:
> On Mo, 28.09.20 22:54, Björn Persson (Bjorn@rombobjörn.se) wrote:
>
> > It can work in company-scope if the company has competent network
> > admins. My local DNS server at home resolves local hostnames to private
> > IPv4 addresses in the 192.168/16 block. Clients on t
Hi Paul,
is there any generic protocol exchanging what (sub)domains should be
targeted to specific DNS server? I know dnssec-trigger/unbound is able
to send queries only to specified search domains received by DHCP server.
Are you aware of any implementation independent way to store domains for
On Tuesday, September 29, 2020 3:59:14 AM MST Lennart Poettering wrote:
> On Di, 29.09.20 03:49, John M. Harris Jr (joh...@splentity.com) wrote:
>
>
> > Search domains have absolutely nothing to do with routing. Search domains
> > are specifically used for resolving non-FQDN to FQDN. This isn't a
On Di, 29.09.20 03:49, John M. Harris Jr (joh...@splentity.com) wrote:
> Search domains have absolutely nothing to do with routing. Search domains are
> specifically used for resolving non-FQDN to FQDN. This isn't a reliable way to
> see what domains are handled by a VPN, or by any DNS server.
>
>
On 2020-09-29 12:37, Lennart Poettering wrote:
This is not the reality I live in though. New-style high level
programming languages tend to avoid being just a wrapper around C
APIs. And thus they implement minimal DNS clients themselves, ignoring
the LLMNR, mDNS and so on.
Not just for DNS.
On Tuesday, September 29, 2020 1:01:23 AM MST Lennart Poettering wrote:
> On Mo, 28.09.20 23:37, John M. Harris Jr (joh...@splentity.com) wrote:
>
>
> > > Configure "." as "routing domain" on a specific iface and the lookups
> > > will go there preferably. If you put that on your VPN iface this me
On Mo, 28.09.20 20:52, Björn Persson (Bjorn@rombobjörn.se) wrote:
> Zbigniew Jędrzejewski-Szmek wrote:
> >On Mon, Sep 28, 2020 at 01:15:36PM -0400, Stephen John Smoogen wrote:
> >> Hey for those of us in the peanuts gallery watching this play out.. could
> >> each of you point out which standards
On Mo, 28.09.20 11:10, Andrew Lutomirski (l...@mit.edu) wrote:
> > If the other big OSes would enable DNSSEC client-side by default
> > things might change, but neither Windows nor MacOS or Android do.
> >
> >
> The old unbound-resolveconf actually worked quite well when I played with
> it. The o