On Mon, Sep 28, 2020 at 04:59:17PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
On Mon, Sep 28, 2020 at 06:36:02PM +0200, Florian Weimer wrote:
> * Andrew Lutomirski:
>
> > Paul may well have been mixing different things here, but I don't
> > think you answered the one that seems like the most severe problem:
> > systemd-resolved removed perfectly valid DNSSEC records that were
> > supplied by the upstream server. One might reasonably debate whether
> > Fedora's default DNS resolver configuration should validate DNSSEC,
> > but I think it should honor the DO bit in client requests and return
> > DNSSEC data.
>
> FWIW, this is <
https://bugzilla.redhat.com/show_bug.cgi?id=1879028>.
In an ideal world, we would just implement this missing functionality.
It's definitely on the TODO list, and there has been some preparatory
work done, but so far nobody found the time. If this is judged necessary,
we'll raise the priority of that work. Nevertheless, I don't think it is
such high priority — the number of people using DNSSEC is not too large,
and they are generally power-users who understand how to specify a different
server. So while definitely annoying, I didn't consider this a deal-breaker.
DNSSEC is not meant for power-users, and it doesn't require specifying
"a different server".
I thought Fedora was supposed to be First? How can it be if Fedora
chooses to use/configure software by default that is missing critical
DNSSEC functionality and breaks DNS standards?