Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Lennart Poettering
On Mo, 28.09.20 18:36, Florian Weimer (fwei...@redhat.com) wrote: > * Andrew Lutomirski: > > > Paul may well have been mixing different things here, but I don't > > think you answered the one that seems like the most severe problem: > > systemd-resolved removed perfectly valid DNSSEC records that

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Lennart Poettering
On Mo, 28.09.20 13:20, Chuck Anderson (c...@alum.wpi.edu) wrote: > On Mon, Sep 28, 2020 at 04:59:17PM +, Zbigniew Jędrzejewski-Szmek wrote: > > On Mon, Sep 28, 2020 at 06:36:02PM +0200, Florian Weimer wrote: > > > * Andrew Lutomirski: > > > > > > > Paul may well have been mixing different thin

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Andrew Lutomirski
On Mon, Sep 28, 2020 at 11:04 AM Lennart Poettering wrote: > On Mo, 28.09.20 18:36, Florian Weimer (fwei...@redhat.com) wrote: > > > * Andrew Lutomirski: > > > > > Paul may well have been mixing different things here, but I don't > > > think you answered the one that seems like the most severe pr

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Andrew Lutomirski
On Mon, Sep 28, 2020 at 10:05 AM Zbigniew Jędrzejewski-Szmek < zbys...@in.waw.pl> wrote: > On Mon, Sep 28, 2020 at 09:44:13AM -0700, Andrew Lutomirski wrote: > > After reading https://github.com/systemd/systemd/issues/8967, I really > > don't think that systemd-resolved's benefits outweigh its har

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Andrew Lutomirski
On Mon, Sep 28, 2020 at 11:07 AM Lennart Poettering wrote: > On Mo, 28.09.20 13:20, Chuck Anderson (c...@alum.wpi.edu) wrote: > > > On Mon, Sep 28, 2020 at 04:59:17PM +, Zbigniew Jędrzejewski-Szmek > wrote: > > > On Mon, Sep 28, 2020 at 06:36:02PM +0200, Florian Weimer wrote: > > > > * Andrew

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Paul Wouters
On Mon, 28 Sep 2020, Michael Catanzaro wrote: Well, let's amend that to "first when it's smart to be first." We can't ever *require* DNSSEC validation, because Windows and macOS are not going to do so. https://tools.ietf.org/id/draft-pauly-add-resolver-discovery-01.html That draft has a Micr

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Lennart Poettering
On Mo, 28.09.20 19:51, Fedora Development ML (devel@lists.fedoraproject.org) wrote: > On 28.09.2020 18:11, Michael Catanzaro wrote: > > Similarly, systemd-resolved will allow us to enable DNS over TLS (DoT) > > systemwide for supported providers. That's not enabled in F33, but I > > think we shoul

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Paul Wouters
On Mon, 28 Sep 2020, Marius Schwarz wrote: It's always a bad idea for a program to do the dns itself, instead of using the dns anyone on the host does. You get an inconsistent behaviour at best, and a security nightmare at worst. DOx in a browser or any other program is wrong anyhow. The soft

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread PGNet Dev
On 9/28/20 11:03 AM, Lennart Poettering wrote: > I have the strong suspicion that the same people who are > able to deploy working DNSSEC client side and are educated enough in > DNSSEC to know what that even means are also capable of replacing that > one symlink in /etc. i'll start with: i'm gen

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Simo Sorce
On Mon, 2020-09-28 at 13:32 +, Zbigniew Jędrzejewski-Szmek wrote: > On Mon, Sep 28, 2020 at 07:57:13AM -0500, Ian Pilcher wrote: > > On 9/28/20 6:47 AM, Zbigniew Jędrzejewski-Szmek wrote: > > > Instructions were already posted by Vitaly, so I won't repeat that here. > > > I'll just note that th

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Andrew Lutomirski
On Mon, Sep 28, 2020 at 11:19 AM PGNet Dev wrote: > On 9/28/20 11:03 AM, Lennart Poettering wrote: > > I have the strong suspicion that the same people who are > > able to deploy working DNSSEC client side and are educated enough in > > DNSSEC to know what that even means are also capable of repl

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Lennart Poettering
On Mo, 28.09.20 11:06, Andrew Lutomirski (l...@mit.edu) wrote: > Indeed, the problem you're trying to solve is hard. > > > systemd-resolved is not supposed to be a real DNS *server*. It's > > supposed to be a good, combined client for the popular name resolution > > protocols, and the fact that we

Re: F34 Change proposal: Debug Info Standardization (from DWZ to -fdebug-types-section) (System-Wide Change proposal)

2020-09-28 Thread Jan Kratochvil
On Mon, 28 Sep 2020 17:58:58 +0200, Jakub Jelinek wrote: > On Mon, Sep 28, 2020 at 05:46:08PM +0200, Jan Kratochvil wrote: > > https://whova.com/embedded/session/llvm_202010/1193947/ > > If you do it on the compiler side, you'll get a lot of those pesky partial > units you so hate on the lldb

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Simo Sorce
On Mon, 2020-09-28 at 16:02 +0100, Tom Hughes via devel wrote: > On 28/09/2020 15:57, Marius Schwarz wrote: > > On 28.09.20 at 13:47, Zbigniew Jędrzejewski-Szmek wrote: > > > DNSSEC support in resolved can be enabled through resolved.conf. > > Why isn't that the default, if this resolver can do it

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Michael Catanzaro
On Mon, Sep 28, 2020 at 7:51 pm, Vitaly Zaitsev via devel wrote: Btw, Russian Federation is going to completely block DoT and DoH. Forcing these technologies to end users will disrupt Internet access for people from such countries. We can't require it, because most ISPs don't offer it, and W

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread John M. Harris Jr
On Sunday, September 27, 2020 9:44:13 PM MST Paul Wouters wrote: > > Subject: Re: Fedora 33 System-Wide Change proposal: systemd-resolved > > > I was just hit by the first bug in systemd-resolved 4 days after I > upgraded to fedora33. I will file a bug report for that, but I wanted > to discuss s

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Paul Wouters
On Mon, 28 Sep 2020, Lennart Poettering wrote: stuff that doesn't come from classic Internet DNS cannot possibly be DNSSEC validated. This statement is incorrect. Please read RFC 8598 and perhaps read up on the handling of Special Use Domain Names and DNSSEC validation. No one expects .local t

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Simo Sorce
On Mon, 2020-09-28 at 10:51 -0500, Michael Catanzaro wrote: > I don't think my description is misleading > > On Mon, Sep 28, 2020 at 5:28 pm, Florian Weimer > wrote: > > * The change disables protection mechanisms built into corporate VPNs > > that require them to observe all DNS traffic.

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Björn Persson
Zbigniew Jędrzejewski-Szmek wrote: >On Mon, Sep 28, 2020 at 01:15:36PM -0400, Stephen John Smoogen wrote: >> Hey for those of us in the peanuts gallery watching this play out.. could >> each of you point out which standards and RFC you are complying to. There >> are a lot of ones and funny enough.

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread PGNet Dev
On 9/28/20 11:21 AM, Andrew Lutomirski wrote: > I would have expected NetworkManager to handle this kind of setup just fine.  > What went wrong? getting offtopic, but ... a laundry list. including broken routes, missed existing unit-file interface dependencies particularly once bridges get invo

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Gordon Messmer
On 9/28/20 11:03 AM, Lennart Poettering wrote: So far we side-step the DO issue by returning a clean error when clients set DO: "not implemented", plus a log message in syslog with more info. I'd argue that for the vast majority of users this is perfectly enough. Because IRL client-side DNSSEC do

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Simo Sorce
On Mon, 2020-09-28 at 16:59 +, Zbigniew Jędrzejewski-Szmek wrote: > On Mon, Sep 28, 2020 at 06:36:02PM +0200, Florian Weimer wrote: > > * Andrew Lutomirski: > > > > > Paul may well have been mixing different things here, but I don't > > > think you answered the one that seems like the most sev

Re: F34 Change proposal: Debug Info Standardization (from DWZ to -fdebug-types-section) (System-Wide Change proposal)

2020-09-28 Thread Jakub Jelinek
On Mon, Sep 28, 2020 at 08:29:21PM +0200, Jan Kratochvil wrote: > On Mon, 28 Sep 2020 17:58:58 +0200, Jakub Jelinek wrote: > > On Mon, Sep 28, 2020 at 05:46:08PM +0200, Jan Kratochvil wrote: > > > https://whova.com/embedded/session/llvm_202010/1193947/ > > > > If you do it on the compiler side,

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Simo Sorce
On Mon, 2020-09-28 at 12:30 -0500, Michael Catanzaro wrote: > On Mon, Sep 28, 2020 at 1:20 pm, Chuck Anderson > wrote: > > I thought Fedora was supposed to be First? How can it be if Fedora > > chooses to use/configure software by default that is missing critical > > DNSSEC functionality and bre

Re: init 5 does not restart NetworkManager

2020-09-28 Thread Samuel Sieb
On 9/28/20 6:52 AM, qmail wrote: at an init 3 stance, which has NetworkManager active, i start an init 5. when all is said and done, NetworkManager has been deactivated, IE not restarted bec of the settings in NetworkManager.service . So I have to manually restart NetworkManager.  Why is thi

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Lennart Poettering
On Mo, 28.09.20 16:39, Florian Weimer (fwei...@redhat.com) wrote: > * Michael Catanzaro: > > > If you're running mail servers or VPN servers, you can probably > > configure the DNS to your liking, right? Either enable DNSSEC support > > in systemd-resolved, or disable systemd-resolved. I'm not too

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Lennart Poettering
On Mo, 28.09.20 12:14, Paul Wouters (p...@nohats.ca) wrote: > On Mon, 28 Sep 2020, Michael Catanzaro wrote: > > > I don't think it would be smart for employees to voluntarily opt-in to > > sending all DNS to their employer anyway... there's little benefit to > > the employee, and a lot of downside

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Lennart Poettering
On Mo, 28.09.20 10:28, Paul Wouters (p...@nohats.ca) wrote: > This is better than it was five years ago. I'm glad some things were > at least successfully conveyed in the Brno meeting. However, this still > leaks queries meant for the LAN or VPN onto the wide internet and is Classic resolv.conf

Re: Orphaning qjackctl

2020-09-28 Thread Ankur Sinha
On Mon, Sep 28, 2020 09:37:03 -0700, Fernando Lopez-Lezcano wrote: > On 9/28/20 1:51 AM, Ankur Sinha wrote: > > Hi Fernando, > > Hi Ankur, > > > I'm a packager sponsor. I'm happy to take over qjackctl and sponsor > > Christoph as a co-maintainer to help look after it. > > > > Could you please gi

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Michael Catanzaro
On Mon, Sep 28, 2020 at 2:44 pm, Simo Sorce wrote: No, this is wrong, DNS and traffic routing are absolutely disjoint things, and you cannot assume that DNS ought to work as traffic routing, because it never did. Hi Simo, Apologies for a long reply, but I wanted to try to address at least m

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Björn Persson
Lennart Poettering wrote: >On Mo, 28.09.20 18:36, Florian Weimer (fwei...@redhat.com) wrote: > >> * Andrew Lutomirski: >> >> > Paul may well have been mixing different things here, but I don't >> > think you answered the one that seems like the most severe problem: >> > systemd-resolved removed p

Re: rpkg broke?

2020-09-28 Thread Richard Shaw
I was able to start a build after installing the updated package, but running rpkg by itself still produces the same confusing output: $ rpkg 'Namespace' object has no attribute 'command' Thanks, Richard

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Chuck Anderson
On Mon, Sep 28, 2020 at 03:51:51PM -0500, Michael Catanzaro wrote: > That's still the case. All this discussion about split DNS is only > relevant to the case where the user checks the box "use this connection > only for resources on its network" (or imports a VPN profile that > selects that aut

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Michael Catanzaro
On Mon, Sep 28, 2020 at 5:18 pm, Chuck Anderson wrote: I think the VPN plugin and VPN server has some input, no? All the VPN servers I've used send routes to the VPN client to determine which traffic the client should send via the VPN. How does that interact with "use this connection only for

Re: rpkg broke?

2020-09-28 Thread clime
On Mon, 28 Sep 2020 at 23:03, Richard Shaw wrote: > > I was able to start a build after installing the updated package, but running > rpkg by itself still produces the same confusing output: > > $ rpkg > 'Namespace' object has no attribute 'command' Yes, thank you. I plan to have this fixed for

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread John M. Harris Jr
On Monday, September 28, 2020 12:42:32 PM MST Lennart Poettering wrote: > On Mo, 28.09.20 12:14, Paul Wouters (p...@nohats.ca) wrote: > > > > On Mon, 28 Sep 2020, Michael Catanzaro wrote: > > > > > > > > > I don't think it would be smart for employees to voluntarily opt-in to > > > sending all DN

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread John M. Harris Jr
On Monday, September 28, 2020 9:39:17 AM MST Michael Catanzaro wrote: > You can do this, but again, you need to use the command line. E.g. > 'resolvectl dns tun0 8.8.8.8' > > We're actually no longer debating how systemd-resolved works; rather, > we're now debating how NetworkManager chooses to

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-28 Thread Florian Weimer
* Michael Catanzaro: > Of course, this problem is avoidable by unchecking "use this > connection only for resources on its network" if you use only one > VPN. And failing that: at least the situation is not worse than it was > before. Have you actually tried this with a corporate VPN recently? I
