DNSSEC in Fedora-11: Enable or Disable?
Gregory Maxwell
gmaxwell at gmail.com
Thu Mar 5 04:22:28 UTC 2009
On Wed, Mar 4, 2009 at 11:20 PM, Paul Wouters <paul at xelerance.com> wrote:
[snip]
> - DNSSEC requires EDNS0 and stupid firewall administrators might be blocking
> TCP port 53 and UDP packets > 512 bytes, possibly causing DNS problems if
> these are located in front of DNSSEC capable resolvers.
> - Some NAT router brands drop DNS packets with DNSSEC options enabled. If
> using a cheap NAT router as forwarder for your DNSSEC enabled Fedora
> machine, DNS connectivity might cause intermittent problems.
These two will never change until something breaks in response to them.
The only reasons to defer with respect to these issues that I can think of are:
(1) DNSSEC might never happen and Fedora could just skip the feature
(2) Deferring could allow coordinated adoption with other operating
systems, which would make the problem more clearly a NAT/firewall
issue rather than a Fedora issue.
Neither of these is realistic, so I don't think those problems should
be considered blocking.
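
An added example, not part of the original message: a sketch of how the two quoted failure modes show up on the wire, by building a query with an EDNS0 OPT record (DO bit set) and classifying a reply as truncated, EDNS-stripped, or DNSSEC-capable. The function names, result labels and sample replies are constructed for illustration; a silently dropped packet appears as a timeout and is outside what this parser can see.

```python
import struct

DO_BIT = 0x8000  # "DNSSEC OK" flag in the OPT record's TTL field (RFC 3225)
OPT = 41         # EDNS0 pseudo-record type (RFC 6891)

def encode_name(name):
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=0x1234, payload=4096):
    """Query with an OPT record: advertises `payload` bytes over UDP, DO bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, payload, DO_BIT, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """Diagnose a reply to build_query() from its header and OPT record."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x0200:                    # TC bit: answer did not fit in UDP
        return "truncated"                # resolver must retry over TCP port 53
    off, opt_ttl = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            opt_ttl = ttl
    if opt_ttl is None:
        return "edns-stripped"            # forwarder dropped or ignored OPT
    return "dnssec-ok" if opt_ttl & DO_BIT else "do-cleared"

# Constructed sample replies (not captured traffic), derived from the query.
Q = build_query("example.org")
STRIPPED = Q[:2] + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 0) + Q[12:-11]
TRUNCATED = Q[:2] + struct.pack("!H", 0x8380) + Q[4:]
PRESERVED = Q[:2] + struct.pack("!H", 0x8180) + Q[4:]

if __name__ == "__main__":
    for label, reply in [("stripped", STRIPPED), ("truncated", TRUNCATED), ("preserved", PRESERVED)]:
        print(label, "->", classify(reply))
```

A "truncated" result only causes trouble when TCP port 53 is also blocked, which is the combination the quoted text warns about.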