On Tue, 13 Jan 2015, Neal Becker wrote:

How will this impact the following (common) situation?

I carry my linux laptop between home and work.  When at work, I need to use my
employer's dns to lookup names of (non-public) local machines.

When connecting to work, dnssec-trigger will probe the DHCP obtained
resolver and use it when it works (well enough to support DNSSEC)

If your work's public DNS view is unsigned, then your
corporate DNS server can lie all it want and we'll believe it.

If your work's public DNS view is signed, then your internal view better
be signed with that key too, or else we'll mis-detect it as an attack.

If you connect via VPN to your work, the VPN client should receive the
domain and nameservers via the VPN options, and configure a forward
inside your resolver. (libreswan IPsec supports this and I use it daily
when connecting to the RedHat VPN :)

NetworkManager should allow for a connection property based on network
identification where you can configure overrides.

DNSSEC in general will make split view DNS much harder to maintain. We
are not introducing this problem - we just have to try and cope with it.

Paul
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Reply via email to