resolved,networkd: add a per-interface DNSSEC setting

This adds a DNSSEC= setting to .network files, and makes resolved honour
them.

2 files changed, 28 insertions, 0 deletions

diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index c2c277b606..3209f73bc1 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -194,6 +194,16 @@
         happen regularly. On other systems it is recommended to set
         <varname>DNSSEC=</varname> to
         <literal>allow-downgrade</literal>.</para>
+
+        <para>In addition to this global DNSSEC setting
+        <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        also maintains per-interface DNSSEC settings. For system DNS
+        servers (see above), only the global DNSSEC setting is in
+        effect. For per-interface DNS servers the per-interface
+        setting is in effect, unless it is unset in which case the
+        global setting is used instead.</para>
+
+        <para>Defaults to off.</para>
         </listitem>
       </varlistentry>
 
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index 36172ae8b5..1dfa559c8b 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -301,6 +301,24 @@
           </listitem>
         </varlistentry>
         <varlistentry>
+          <term><varname>DNSSEC=</varname></term>
+          <listitem>
+            <para>A boolean or
+            <literal>allow-downgrade</literal>. When true, enables
+            <ulink
+            url="https://tools.ietf.org/html/rfc4033">DNSSEC</ulink>
+            DNS validation support on the link. When set to
+            <literal>allow-downgrade</literal>, compatibility with
+            non-DNSSEC capable networks is increased, by automatically
+            turning off DNSEC in this case. This option defines a
+            per-interface setting for
+            <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
+            global <varname>DNSSEC=</varname> option. Defaults to
+            false. This setting is read by
+            <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
           <term><varname>LLDP=</varname></term>
           <listitem>
             <para>A boolean. When true, enables LLDP link receive support.