author: Lennart Poettering <lennart@poettering.net> 2016-01-05 14:20:27 +0100
committer: Lennart Poettering <lennart@poettering.net> 2016-01-05 14:20:27 +0100
commit: b5a8703fdb8e16f760bfb730df64f07173bb881d (patch)
tree: 70e5c31980045dd552ea3b8cb89454426f8ac691 /man/resolved.conf.xml
parent: d76f90f1711e55d23ee6c8c0957fa3db17927327 (diff)
man: add documentation for dnssec-trust-anchors.d(5)
Diffstat (limited to 'man/resolved.conf.xml')
-rw-r--r-- man/resolved.conf.xml 21
1 files changed, 12 insertions, 9 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 857a93b653..8473bbe5c9 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -148,15 +148,17 @@
<para>DNSSEC requires knowledge of "trust anchors" to prove
data integrity. The trust anchor for the Internet root domain
- is built into the resolver. However, trust anchors may change
- in regular intervals, and old trust anchors may be revoked. In
- such a case DNSSEC validation is not possible until new trust
- anchors are configured locally or the resolver software
- package is updated with the new root trust anchor. In effect,
- when the built-in trust anchor is revoked and
- <varname>DNSSEC=</varname> is true, all further lookups will
- fail, as it cannot be proved anymore whether lookups are
- correctly signed, or validly unsigned. If
+ is built into the resolver, additional trust anchors may be
+ defined with
+ <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ Trust anchors may change in regular intervals, and old trust
+ anchors may be revoked. In such a case DNSSEC validation is
+ not possible until new trust anchors are configured locally or
+ the resolver software package is updated with the new root
+ trust anchor. In effect, when the built-in trust anchor is
+ revoked and <varname>DNSSEC=</varname> is true, all further
+ lookups will fail, as it cannot be proved anymore whether
+ lookups are correctly signed, or validly unsigned. If
<varname>DNSSEC=</varname> is set to
<literal>downgrade-ok</literal> the resolver will
automatically turn of DNSSEC validation in such a case.</para>
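Review bot: The added text at the top of this hunk joins two independent clauses with a comma ("is built into the resolver, additional trust anchors may be defined with ..."); end the first clause with a period or use a semicolon. The rewrapped failure description still refers only to the built-in trust anchor being revoked, so now that the paragraph points to dnssec-trust-anchors.d(5) it should state how locally defined anchors affect the "all further lookups will fail" case when DNSSEC= is true. While this paragraph is being touched, the trailing context line reads "turn of DNSSEC validation", which should be "turn off".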
@@ -188,6 +190,7 @@
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>resolv.conf</refentrytitle><manvolnum>4</manvolnum></citerefentry>
</para>
</refsect1>
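Review bot: The new citerefentry in the See Also list points at dnssec-trust-anchors.d(5), but the diff shown here is limited to man/resolved.conf.xml, so the target page is not visible for review. Confirm that the page is added in the same commit so the cross-reference resolves when the man pages are built, and consider whether that page links back to resolved.conf(5) for the DNSSEC= setting.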