[Dnssec-trigger] dnssec-trigger-script patches

Pavel Simerda psimerda at redhat.com
Wed May 7 15:48:25 UTC 2014

----- Original Message -----
> From: "Paul Wouters" <paul at nohats.ca>
> To: "Pavel Simerda" <psimerda at redhat.com>
> Cc: "W.C.A. Wijngaards" <wouter at NLnetLabs.nl>, "Petr Spacek" <pspacek at redhat.com>, dnssec-trigger at NLnetLabs.nl
> Sent: Wednesday, May 7, 2014 5:25:38 PM
> Subject: Re: [Dnssec-trigger] dnssec-trigger-script patches
> On Wed, 7 May 2014, Pavel Simerda wrote:
> >>> Thanks, applied.  Does this finish up the items you wanted to do, or
> >>> are you still working your way through the bugzilla list?
> >>
> >> Hi Wouter,
> >>
> >> There's one item that I would like to solve soon and that's basically
> >> described in bugzilla comment:
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1089910#c6
> >>
> >> It could look like:
> >>
> >> flush_global_zone=yes|negative-only|no
> >>
> >> Any suggestions regarding the name of the option and of negative-only
> >> value?
> >> That
> >> would be the last thing for the release. Or, if we are in hurry, we can
> >> leave
> >> it
> >> for the next release.
> >
> > There's no consensus on this, yet, so we can keep the current
> > implementation for
> > now.
> While not everyone might want to use the feature, I think there is
> consensus that it does no harm for those who want it? There are clear
> privacy advantages to not flushing your entire cache upon every network
> switch.

Hi Paul,

See https://bugzilla.redhat.com/show_bug.cgi?id=1089910

According to the above Fedora bug report, there is a privacy leak as well, and
our colleagues are also calling for keeping the dnssec.conf as simple as
possible. Those are the reasons why I'm not posting a last minute fix to the
upcoming release. I also think the patch will be fairly simple comparing to
the patches I wanted to get there in time.

I think we can use that bugzilla to discuss the balance between the two possible
privicy issues, one caused by not flushing non-negative items, the other by
doing it.



More information about the dnssec-trigger mailing list