author | Lennart Poettering <lennart@poettering.net> | 2016-01-05 14:20:27 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-05 14:20:27 +0100 |
commit | b5a8703fdb8e16f760bfb730df64f07173bb881d (patch) | |
tree | 70e5c31980045dd552ea3b8cb89454426f8ac691 /man/resolved.conf.xml | |
parent | d76f90f1711e55d23ee6c8c0957fa3db17927327 (diff) |
man: add documentation for dnssec-trust-anchors.d(5)
Diffstat (limited to 'man/resolved.conf.xml')
-rw-r--r-- | man/resolved.conf.xml | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 857a93b653..8473bbe5c9 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -148,15 +148,17 @@ <para>DNSSEC requires knowledge of "trust anchors" to prove data integrity. The trust anchor for the Internet root domain - is built into the resolver. However, trust anchors may change - in regular intervals, and old trust anchors may be revoked. In - such a case DNSSEC validation is not possible until new trust - anchors are configured locally or the resolver software - package is updated with the new root trust anchor. In effect, - when the built-in trust anchor is revoked and - <varname>DNSSEC=</varname> is true, all further lookups will - fail, as it cannot be proved anymore whether lookups are - correctly signed, or validly unsigned. If + is built into the resolver, additional trust anchors may be + defined with + <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + Trust anchors may change in regular intervals, and old trust + anchors may be revoked. In such a case DNSSEC validation is + not possible until new trust anchors are configured locally or + the resolver software package is updated with the new root + trust anchor. In effect, when the built-in trust anchor is + revoked and <varname>DNSSEC=</varname> is true, all further + lookups will fail, as it cannot be proved anymore whether + lookups are correctly signed, or validly unsigned. If <varname>DNSSEC=</varname> is set to <literal>downgrade-ok</literal> the resolver will automatically turn of DNSSEC validation in such a case.</para> 
@@ -188,6 +190,7 @@ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>resolv.conf</refentrytitle><manvolnum>4</manvolnum></citerefentry> </para> </refsect1> |
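Review bot: In the first hunk (@@ -148,15 +148,17 @@), the added text "is built into the resolver, additional trust anchors may be defined with" joins two independent clauses with a comma; end the sentence after "resolver" or use a semicolon. The paragraph then still says validation fails "until new trust anchors are configured locally" without connecting that to the reference just added, so consider stating whether dnssec-trust-anchors.d(5) is where that local configuration goes; an operator reading about a revoked root anchor needs to know where to act. Since the paragraph is being rewrapped anyway, the unchanged context line "automatically turn of DNSSEC validation" could be corrected to "turn off" in the same change.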