diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-07-22 20:17:23 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-07-22 20:17:23 +0200 |
commit | 5bd7342617d2f351136aff349e8fb066035353c8 (patch) | |
tree | 9ef32f3b64e338d82a7a2f9bb1322730e58ea0a0 /man/resolved.conf.xml | |
parent | 1137c73b4067ce40d3c22a023650f6f683dd6798 (diff) |
man: rework resolved.conf's Cache= documentation
Let's not mention the supposed security benefit of turning off caching. It is
really questionnable, and I#d rather not create the impression that we actually
believed turning off caching would be a good idea.
Instead, mention that Cache=no is implicit if a DNS server on the local host is
used.
Diffstat (limited to 'man/resolved.conf.xml')
-rw-r--r-- | man/resolved.conf.xml | 20 |
1 files changed, 7 insertions, 13 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 024ad6a9c1..7556c6ff31 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -204,19 +204,13 @@ <varlistentry> <term><varname>Cache=</varname></term> - <listitem><para>Takes a boolean argument. If "yes" (the default), - resolving a domain name which already got queried earlier will re-use - the previous result as long as that is still valid, and thus does not - need to do an actual network request.</para> - - <para>However, local caching slightly increases the chance of a - successful DNS poisoning attack, and might also be a privacy problem in - some environments: By measuring the time it takes to resolve a - particular network name, a user can determine whether any other user on - the same machine recently visited that name. If either of these is a - concern, you may disable the local caching. Be aware that this comes at - a performance cost, which is <emphasis>very</emphasis> high with DNSSEC. - </para></listitem> + <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got + queried earlier will return the previous result as long as it is still valid, and thus does not result in a new + network request. Be aware that that turning off caching comes at a performance penalty, which is particularly + high when DNSSEC is used.</para> + + <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address + (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem> </varlistentry> </variablelist> |