On Thu, 2019-11-07 at 21:25 +0100, Nicolas Mailhot via devel wrote:
On Thursday, 07 November 2019 at 18:32 +0100, Sheogorath via devel wrote:
> The talk is right on many points, but I think it dismisses the most
> essential point DoH does right: DNS is a decision of the device
> owner.
And the owner should be able to delegate this decision to the network
manager.
Then let's talk on how we properly implement this delegation process
instead of asking ourselves whether we want DoH or DoT or not.
Let's find a DHCP/RA option that indicates a DoT or DoH service is
available or something similar. Simply stating "encrypted DNS is
pointless" is nothing I consider a valid solution.
Suggesting static config is good enough outside the enterprise is a
joke. Count the number of networked things in the modern home, it
grows every year. A lot of those roam, either because they are
designed to roam (smartphones) or because people vacation, because
they like to share their stuff with friends and families, because they
like to show off. A lot of those are cheap-ass gadgets that will revert
(reset) to factory settings at the slightest problem (sometimes, just
because the battery is dead, the juice was cut, and settings are kept
in memory).
And how are those devices related to Fedora? I mean, our goal here
should be to do things right or at least better. When we take those IoT
devices as our standards, then we can throw away SELinux, run stone-age
kernels and we can also ignore the existence of updates for our
systems. We are Fedora, we want to lead tech towards better
standards, not stay around in the status quo where everyone else
already is.
Ansible or puppet are not designed to solve such generic situations.
Network management is no longer an enterprise-only concern.
Treating it as a sysadmin problem does not work.
The network happened. And not only internet side.
I really hope for more IPv6 to happen (properly), so pretty much
everything becomes the internet. It makes so many things a lot easier
and a lot less security through obscurity.
--
Signed
Sheogorath
OpenPGP:
https://shivering-isles.com/openpgp/0xFCB98C2A3EC6F601.txt