Open pemensik opened 5 hours ago
The thing is, we may want a connection marked trusted to specify redhat.com, but we may not want the same domain provided by public networks on trains or in airports or hotels.
Another draft reference: https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/
We have a python module in Fedora: python3-publicsuffix2.noarch
In modes where we allow redirection of sub-domains to network-provided DNS servers, we may want to restrict what domains are accepted. Currently there is no simple way to trust just some kinds of domains or authenticate them in some way.
query.publicsuffic.zone provides such data even in the form of DNS.
connection.zone property from NM
Right now we would allow anything to be redirected, which might not be safe. That was the main reason why dnssec-trigger did not add such domains into search in resolv.conf.
We may want to differentiate between routing-domains provided by a trusted administrator, who writes them into the connection specified. At all times, they should be considered secured. But domains received by DHCP or router advertisement should not be trusted the same way. Now we have no way to differentiate between user-specified and network-received domains from NM.
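
One possible acceptance policy for the distinction raised in this issue, as an added example that is not code from the issue or from the project. The names `RoutingDomain`, `accept`, `filter_domains` and `PUBLIC_SUFFIXES`, the per-connection trust flag, and the tiny suffix set are all assumptions made for illustration.

```python
# Added illustration: a hypothetical policy, not NetworkManager or project code.
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List. A real deployment would
# load the full list, e.g. through the publicsuffix2 module named above.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "uk", "cz"}


@dataclass(frozen=True)
class RoutingDomain:
    name: str             # domain to route to this connection's DNS servers
    user_specified: bool  # True: written into the connection by the admin
                          # False: received via DHCP or router advertisement


def normalize(name):
    """Lower-case the name and drop surrounding space and the trailing dot."""
    return name.strip().rstrip(".").lower()


def is_public_suffix(name):
    # The PSL's implicit "*" rule makes every unlisted single label a suffix.
    return name in PUBLIC_SUFFIXES or "." not in name


def accept(domain, connection_trusted):
    """Return (accepted, reason) for one routing domain."""
    name = normalize(domain.name)
    if domain.user_specified:
        return True, "user-specified"
    if not name:
        return False, "root domain from network"
    if is_public_suffix(name):
        return False, "public suffix from network"
    if not connection_trusted:
        return False, "network-provided on untrusted connection"
    return True, "network-provided on trusted connection"


def filter_domains(domains, connection_trusted):
    """Keep only the normalized names that the policy accepts."""
    return [normalize(d.name) for d in domains
            if accept(d, connection_trusted)[0]]
```
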