This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [RFC] support for trusted validating resolver configuration


On 06/11/2015 11:08 AM, Petr Spacek wrote:
> On 11.6.2015 16:28, Carlos O'Donell wrote:
>> On 11/18/2014 07:40 AM, Pavel Simerda wrote:
>>>  * A new file to look into for DNS configuration.
>>
>> This is such a major disadvantage that I feel the proposal
>> should be expanded to consider other alternatives that take
>> into account whole-system integration issues e.g. local
>> validating resolver, and how this will work with the variety
>> of virtualization and isolation technology being employed
>> today. What will network manager do? How do you define your
>> policies?
> 
> Do I understand correctly that you are okay with the basic principle but the
> configuration format should be improved?

No. I think an additional configuration file should be the last
recourse if we can find no other way to solve this problem.
I would like to see other avenues explored or at the very least
an explanation of why other choices were deemed unacceptable.
Adding yet-another configuration file is the naive and easy choice
that comes with all sorts of other problems, from education,
configuration, and social e.g. network manager might just start
writing duplicate data into /etc/resolv-secure.conf anyway. How
do you plan to stop that? With policy and discussions upstream.

> The format and if it should be a separate file (or somewhere else) is
> definitely an open question - ideas are more than welcome!

At the very least I might concede a security `options` flag to
/etc/resolv.conf which entirely disables DNS security related pass
through e.g. option insecure-dns.

> I'm happy to discuss this with all interested parties. Should we move
> system-wide discussion to fedora-devel list?

Yes.

Cheers,
Carlos.

