On Tue, Apr 14, 2020 at 02:40:08PM -0500, Michael Catanzaro wrote:
> On Tue, Apr 14, 2020 at 2:33 pm, Michael Cronenworth
> <mike(a)cchtml.com> wrote:
> > Why wait?
> >
> > This is something I've been interested in and was interested in
> > implementing in Fedora.
>
> Caution mainly, so that we only make one major change at a time instead of
> two. The goal is to do this without generating too many new bug reports for
> the systemd developers all at the same time. My thinking was that if this
> change goes smoothly in F33, then it should be possible to enable DNS over
> TLS by default in F34.

Can you expand on what that means?

Does it mean:

a) systemd-resolved will use DNS over TLS if it detects that
the nameservers it is querying can do so (i.e., it would do a query to
port 853 of the nameservers DHCP or static config gave it), or

b) systemd-resolved will use DNS over TLS and always use some 'well
known' public DNS servers for queries, ignoring locally configured
servers?

I'm very much in favor of a, but not in favor of b. :)

> That said, there are not currently any known compatibility problems with the
> DNS over TLS support as far as I know, so I would *expect* it to go smoothly
> regardless.
>
> Of course, once systemd-resolved is enabled, then enabling or disabling DNS
> over TLS will be a one-line config file change in
> /etc/systemd/resolved.conf. :)

Is that going to be set to 'opportunistic' or 'true'?

kevin
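The two modes discussed above as they would appear in /etc/systemd/resolved.conf, written here as an added illustration rather than anything from the thread or from the Fedora change proposal; the resolver address and hostname in the strict variant are assumed sample values, not a recommendation:

```ini
# /etc/systemd/resolved.conf (added example, not from the original message)
[Resolve]

# Option (a) from the thread: try TLS on port 853 of whichever nameservers
# DHCP or static config supplied, and silently fall back to plaintext DNS
# when the server does not answer over TLS. Nothing breaks, but an on-path
# attacker can force the plaintext fallback, so this gives privacy against
# passive observers only, no downgrade protection.
DNSOverTLS=opportunistic

# Option (b)-style strict mode: refuse to send queries unless the TLS
# session is established and the server certificate is validated against
# the hostname given after '#'. Fails closed: if the configured resolver
# does not speak DoT, name resolution stops working. The values below are
# an assumed example, not the resolvers the proposal would pick.
#DNS=192.0.2.53#dot.example.net
#DNSOverTLS=yes
```

The boolean spelling systemd documents is `yes`/`no` (it also accepts `true`/`false`); `resolvectl status` shows which mode each link ended up using.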