#1307 F22 System Wide Change: Default Local DNS Resolver - https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver
Status: Closed. Opened 9 years ago by jreznik.

For the 2014-05-07 meeting, as the Change Proposal was announced on the devel-announce list on 2014-04-29.

To install a local DNS resolver, trusted for DNSSEC validation, running on 127.0.0.1:53. This must be the only name server entry in /etc/resolv.conf.

The automatic name server entries received via DHCP/VPN/wireless configurations should be stored separately, as transitory name servers to be used by the trusted local resolver. In all cases, DNSSEC validation will be done locally.

'''This is an F22 Change Proposal - sorry for the confusion/mistake in the announcement. I talked to the Change owners and they really want to target F22 as the default, even though an initial implementation should be available in F21 for wider testing.'''


From the list:

{{{
Oops, I was just pinged by Pavlix that the team planned this Change for the F22
timeframe but I still live in the flood of F21 Changes and missed it.

So the current state is: this Change targets Fedora 22, but most of the
development should land in Fedora 21 - not enabled by default - to get
test coverage. To make sure this Change is in a state where it could be shipped
in the release as the default, corner cases have to be identified and worked on;
there's also NetworkManager integration that has to happen.
}}}

Given that, I think the feature name/description needs some rework to be approved as an F21 change. Or we could discuss it as an F22 change.
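As an added example (not code from this ticket, the Change page, or the dnssec-trigger/NetworkManager work it refers to), here is a POSIX shell check for the resolv.conf layout the Change summary above requires, plus a helper that turns the transitory DHCP/VPN name servers into a forwarder stanza for the local resolver. One assumption is ours, not the page's: that the local resolver is unbound, so the stanza uses unbound's forward-zone syntax. The sample resolv.conf contents are constructed for the demo.

```shell
#!/bin/sh
# Added example; not part of the FESCo ticket or the Fedora Change page.
# Assumption (ours): the trusted local resolver on 127.0.0.1:53 is unbound.

# resolv_nameservers FILE
# Print the address of every "nameserver" line in FILE, one per line.
# Comment lines (# or ;) and other directives (search, options) are skipped.
resolv_nameservers() {
    while read -r key val _rest || [ -n "$key" ]; do
        case "$key" in
            ''|\#*|\;*) continue ;;
        esac
        if [ "$key" = "nameserver" ] && [ -n "$val" ]; then
            printf '%s\n' "$val"
        fi
    done < "$1"
}

# resolv_is_local_only FILE
# Succeed (status 0) only if FILE has exactly one nameserver entry and it is
# 127.0.0.1: the layout the Change requires for /etc/resolv.conf. Any extra
# upstream entry would let the libc stub bypass the validating resolver.
resolv_is_local_only() {
    servers=$(resolv_nameservers "$1")
    [ "$servers" = "127.0.0.1" ]
}

# unbound_forward_zone ADDR...
# Print an unbound forward-zone stanza that sends every query to ADDR... .
# The forwarders are transport only: unbound still validates DNSSEC itself,
# so a forged answer from a DHCP-supplied server fails validation locally
# instead of being trusted.
unbound_forward_zone() {
    printf 'forward-zone:\n    name: "."\n'
    for addr in "$@"; do
        printf '    forward-addr: %s\n' "$addr"
    done
}

# Constructed sample input (not from any real host): the resolv.conf a DHCP
# lease would normally produce, and the one the Change wants in its place.
demo=$(mktemp -d)
printf '# Generated by NetworkManager\nsearch example.test\nnameserver 192.0.2.53\nnameserver 192.0.2.54\n' > "$demo/dhcp.conf"
printf 'search example.test\nnameserver 127.0.0.1\n' > "$demo/resolv.conf"

for f in "$demo/dhcp.conf" "$demo/resolv.conf"; do
    if resolv_is_local_only "$f"; then
        echo "$f: only 127.0.0.1 listed, validation happens locally"
    else
        echo "$f: upstream servers listed directly, validation not guaranteed"
    fi
done

# Hand the DHCP servers to the local resolver as forwarders instead.
# shellcheck disable=SC2046  # splitting the output on newlines is intended
unbound_forward_zone $(resolv_nameservers "$demo/dhcp.conf")
rm -rf "$demo"
```

The check deliberately rejects a resolv.conf that lists 127.0.0.1 first and an upstream server second: glibc falls through to the next entry on timeout, so the validating resolver would no longer be the only path.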

(Please disregard, wrong edit.)

AGREED: FESCo doesn’t have significant objections to the idea as such, or its use on physical machines and VMs (+7)

AGREED: Deferring approval of the change for a plan that explicitly describes what, if anything, will be done for containers, Docker in particular (+7)

Has there been any progress on updating the Change?

Replying to [comment:5 toshio]:

Has there been any progress on updating the Change?

The Change is proposed for Fedora 22. When do you expect to have it updated?

Before the f22 change deadline. ;)

Please let us know when the change is ready to resubmit...

Change was updated with requested additions, reopening and marking it for FESCo meeting.

Replying to [comment:8 jreznik]:

Change was updated with requested additions,
Amounting to
Docker and containers could be able to use the host's DNSSEC resolver via a dedicated interface and iptables(8) rules. Though such configurations need to be investigated for their feasibility. Please see -> https://www.piratepad.ca/p/dnssec-requisites-configurations

“could be able to” doesn’t sound like “has been implemented”; is this happening for F22, considering the “testable” checkpoint is Feb 24?

And in general, what is the implementation status? The two “how to test” scenarios are 1) marked “experimental” and 2) very manual. Is at least the “syntax and semantics for new configuration parameters/files.” defined now? OTOH the contingency mechanism seems plausible enough that this question is not a blocker.

AFAICT there is one unaccounted-for scenario in the contingency plan: NM is updated to work with the new configuration format, but docker isn’t, resulting in broken containers. How can we avoid this or plan for this?

Change is approved.

AGREED: Default Local DNS Resolver accepted for F22 (+7/0/0)
