On Mon, Sep 28, 2020 at 04:59:17PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Mon, Sep 28, 2020 at 06:36:02PM +0200, Florian Weimer wrote:
> > * Andrew Lutomirski:
> >
> > > Paul may well have been mixing different things here, but I don't
> > > think you answered the one that seems like the most severe problem:
> > > systemd-resolved removed perfectly valid DNSSEC records that were
> > > supplied by the upstream server. One might reasonably debate whether
> > > Fedora's default DNS resolver configuration should validate DNSSEC,
> > > but I think it should honor the DO bit in client requests and return
> > > DNSSEC data.
> >
> > FWIW, this is <
https://bugzilla.redhat.com/show_bug.cgi?id=1879028>.
>
> In an ideal world, we would just implement this missing functionality.
> It's definitely on the TODO list, and there has been some preparatory
> work done, but so far nobody found the time. If this is judged necessary,
> we'll raise the priority of that work. Nevertheless, I don't think it is
> such high priority — the number of people using DNSSEC is not too large,
> and they are generally power-users who understand how to specify a different
> server. So while definitely annoying, I didn't consider this a deal-breaker.
DNSSEC is not meant for power-users, and it doesn't require specifying
"a different server".
I thought Fedora was supposed to be First? How can it be if Fedora
chooses to use/configure software by default that is missing critical
DNSSEC functionality and breaks DNS standards?
DNSSEC is broken by design for most users. For example, I literally
cannot use it because my corporate VPN does not provide DNSSEC support
because the DNS server software doesn't support it. If I didn't know
what to look for, I'd just say Fedora is broken. Same goes for DoT and
DoH.
--
真実はいつも一つ!/ Always, there's only one truth!