On 06/12/2015 12:53 PM, Dan Williams wrote: >> b) Broken networks: >> Some networks are so broken that even without captive portal they are not >> able >> to deliver DNSSEC data to the clients. >> >> In that case will try tunnel to other DNS servers on the Internet (Fedora >> Infra or public DNS root) and use them. Naturally, local/internal domains >> need >> to be available. > > While I don't actually care, this might well be a sticking point for > many people since their DNS information is going to an untrusted (to > them) DNS server. Yeah, I tend to trust Fedora, but not everyone will. > Can the tunnel be turned off, or the broken servers whitelisted, or is > the answer here to just "dnf remove dnssec-trigger"?
The fallbacks are configured in /etc/dnssec-trigger/dnssec-triggerd.conf # Provided by fedoraproject.org, #fedora-admin # It is provided on a best effort basis, with no service guarantee. ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 tcp80: 140.211.169.201 ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 tcp80: 66.35.62.163 ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2 tcp80: 152.19.134.150 ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64 :AA:87:E6:F2 tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9 >> Can we integrate on one place (e.g. by calling into dnssec-trigger) instead >> overwriting /etc/resolv.conf independently? > > This is the real issue. It sounds like What you're proposing is to make > dnssec-trigger into the "DNS broker". The previous solutions > (resolvconf, NetworkManager, etc) have all failed for various reasons. > Touching/changing something so fundamental to the system, as you've > probably discovered, can be hard... But it must be done for security reasons. > systemd-resolved might have a chance here, since it's small and pretty > simple, but they don't have an external API and don't seem interested in > creating one any time soon which severely limits it's usefulness. And last I looked it did not support DNSSEC. I'm also weary about systemd-resolved basically marshalling DNS via DBUS. > If this is indeed what you're proposing, then lets have a discussion > about dnssec-trigger+unbound in that context, I do have some thoughts to > contribute here. I believe we selected dnssec-trigger because it was the UI/daemon that worked. A better native integration into either NM or Gnome would be preferred. Paul -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
