adjust doc, minor script adjustments

This commit is contained in:
YellowJacketLinux 2024-10-12 12:57:39 -07:00
parent 8075cc71ca
commit 76100ad8e3
4 changed files with 25 additions and 1 deletions

.gitignore

@ -1 +1,2 @@
incoming/
*.bak


@ -47,6 +47,6 @@ EOF
else
# bootable USB thumb drive
echo "lfsusb" > /etc/hostname
#systemctl disable systemd-networkd-wait-online
systemctl disable systemd-networkd-wait-online
systemctl disable systemd-networkd
fi
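Review bot: the `systemctl disable systemd-networkd-wait-online` call this hunk activates in the bootable USB branch runs unchecked, like the `systemctl disable systemd-networkd` line under it; if the script is meant to stop on a failed disable, append `|| exit 1` or run the script under `set -e`, and if it is executed on a live system rather than inside a chroot, use `systemctl disable --now` so an already running unit is stopped as well. A one-line comment on why a thumb-drive image must not wait for the network would also help, since `# bootable USB thumb drive` only names the branch.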


@ -184,6 +184,29 @@ When I am confident that `systemd-resolved` works well and smoothly in DNSSEC
enforcing mode, that will be the enabled default. I will *not* enable DoT by
default but users will be told how to enable it in opportunistic mode.
It appears that the default at compile time is `DNSSEC=allow-downgrade` and I
probably should leave that simply because a lot of people now look at man pages
online even when the man page is available locally, so to have a different
compile-time default could cause confusion.
However the file `/etc/system.d/resolved.conf` could be created by default to
override some compile time defaults, as the man page specifies that file as a
place to look.
What I would like to see happen is `DNSSEC=yes` set in that file, and the Google
public DNS servers set as the backup DNS servers. The default DNS servers would
still be retrieved from DHCP (or manually configured by the user) and in the
event that the DNS server retrieved from DHCP does not support DHCP, the
`systemd-resolved` service would failover to using the Google public DNS servers
rather than downgrading DNSSEC support.
There may be some networks where the DNS server assigned by the DHCP server does
not support DNSSEC *and* the network blocks DNS requests outside the network. In
such cases, DNS resolution would be broken but *hopefully* the user could then
configure `DNSSEC=allow-downgrade` for that connection which, if WiFi, hopefully
could be done by SSID so that `DNSSEC=allow-downgrade` only applies to that
SSID.
Until `systemd-resolved` works well and smoothly in DNSSEC enforcing mode, I
will disable it by default. Users who want it of course can enable it. I really
do not want YJL to be a distribution that pushes technology not quite ready for
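Review bot: two slips in the added text, and one design assumption worth rechecking. The drop-in path is written as `/etc/system.d/resolved.conf`, but resolved.conf(5) names `/etc/systemd/resolved.conf`; and "in the event that the DNS server retrieved from DHCP does not support DHCP" should read "does not support DNSSEC". More importantly, the failover described around that sentence is not how `systemd-resolved` behaves: per resolved.conf(5), `FallbackDNS=` is consulted only when no other DNS server is known at all, and per-link servers learned from DHCP (or set via `DNS=`) take precedence, so with `DNSSEC=yes` a DHCP-supplied server that fails validation makes lookups fail rather than causing a switch to the Google servers. For the per-SSID `allow-downgrade` idea in the later paragraph, the mechanism is the per-link `DNSSEC=` setting in a `.network` file whose `[Match]` section uses `SSID=` (systemd.network(5)); it would be worth stating that explicitly so readers do not expect the global `resolved.conf` setting to do it.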