Control: tags -1 wontfix
Control: close -1

On Tue, 22 Aug 2023 11:04:22 +0200 Michael Biebl <[email protected]>
wrote:
> Am 19.03.23 um 12:53 schrieb Bastian Blank:
> > Upstream changed the default for the DNSSEC option to "allow-
downgrade"
> > and that is whats everywhere is documented.  Debian overrides it to
> > "no".
> 
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959996
> 
> Both, Ubuntu and Fedora, which use resolved more extensively, have 
> disabled DNSSEC by default, since it caused too many issues.
> 
> If the situation has significantly nowadays, I can't tell, but it
would 
> probably be a good idea to get input from those downstreams.

dnssec is way too flaky as a concept to enable by default, it breaks
just too often due to the random variance in the quality of service
provided by default dns servers you get from random ISPs around the
world, and it's really difficult to debug due to this inherently local
variance.

Hence it's disabled by default, intentionally - one can always
trivially enable it locally if their ISP/choice of DNS is known to
behave reasonably well. But it would cause too many unactionable bug
reports to enable by default distro-wide I'm afraid, hence closing.

-- 
Kind regards,
Luca Boccassi

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to