Add the DNS-over-TLS enhancement initial draft #987
Conversation
brandisher
force-pushed
the
NE-750-forward-dns-over-tls-proposal
branch
from
641459a
to
a3cd6b2
Compare
openshift-ci
bot
requested review from
candita,
frobware,
knobunc,
Miciah and
rfredette
|
/uncc @russellb @JoelSpeed |
brandisher
changed the title
brandisher
force-pushed
the
NE-750-forward-dns-over-tls-proposal
branch
from
af75e85
to
f6db4ef
Compare
brandisher
force-pushed
the
NE-750-forward-dns-over-tls-proposal
branch
5 times, most recently
from
b7f875d
to
923373f
Compare
brandisher
force-pushed
the
NE-750-forward-dns-over-tls-proposal
branch
3 times, most recently
from
2aae734
to
8986a06
Compare
brandisher
force-pushed
the
NE-750-forward-dns-over-tls-proposal
branch
3 times, most recently
from
72ce808
to
3c28aad
Compare
|
https://github.com/openshift/enhancements/pull/987/files#r813350736 looks like a blocker. If I want TLS connections, I'm not going to be happy if my secure configuration actually uses an insecure connection. |
Totally agree. I'll adjust this as it'd require a workaround on our part to cater to the failed TLS connection so this makes the work simpler and the end result more secure. |
brandisher
force-pushed
the
NE-750-forward-dns-over-tls-proposal
branch
from
3c28aad
to
febad75
Compare
|
Inactive enhancement proposals go stale after 28d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
openshift-ci
bot
removed
the
lifecycle/stale
brandisher
force-pushed
the
NE-750-forward-dns-over-tls-proposal
branch
from
febad75
to
cffc110
Compare
brandisher
force-pushed
the
NE-750-forward-dns-over-tls-proposal
branch
from
862e650
to
daa4fea
Compare
- Address PR feedback for initial proposal - Add the json annotation for the ServerName member - Update the non-goals section to be more clear - Add note about TLS impacting support procedures since packet captures will be encrypted - Update the servername validation to use a pattern - Expand on the ServerName use case - Remove TLSecurityProfile for CoreDNS compatibility - Switch EnableTLS to Transport - Narrow Transport validation and add examples - Note that DNS-over-TLS will stop working post-downgrade - Fix casing of serverName and caBundle - Expand the support statement with packet capture details - Add the answer to the open question about cert storage - Drop Transport for Upstream type as it can't manifest in a Corefile - Update the API and YAML references
brandisher
force-pushed
the
NE-750-forward-dns-over-tls-proposal
branch
from
daa4fea
to
7ef1256
Compare
|
Excellent! Thanks! openshift/kubernetes#1247 might warrant a follow-up update to the enhancement. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
The linter has a new requirement: The requirement wasn't there when the PR was posted, and you do provide a user story and plenty of detail, so I'll override the linter CI job. /override ci/prow/markdownlint |
|
@Miciah: Overrode contexts on behalf of Miciah: ci/prow/markdownlint In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@brandisher: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
No description provided.