summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--man/resolved.conf.xml42
-rw-r--r--src/resolve/resolved-gperf.gperf1
-rw-r--r--src/resolve/resolved.conf.in1
3 files changed, 31 insertions, 13 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 786b096ef6..3c1e698d33 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -125,22 +125,38 @@
</varlistentry>
<varlistentry>
+ <term><varname>MulticastDNS=</varname></term>
+ <listitem><para>Takes a boolean argument or
+ <literal>resolve</literal>. Controls Multicast DNS support
+ (<ulink url="https://tools.ietf.org/html/rfc6762">RFC
+ 6762</ulink>) on the local host. If true, enables full
+ Multicast DNS responder and resolver support. If false,
+ disables both. If set to <literal>resolve</literal>, only
+ resolution support is enabled, but responding is
+ disabled. Note that
+ <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ also maintains per-interface Multicast DNS settings. Multicast
+ DNS will be enabled on an interface only if the per-interface
+ and the global setting is on.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>DNSSEC=</varname></term>
<listitem><para>Takes a boolean argument or
<literal>downgrade-ok</literal>. If true all DNS lookups are
- DNSSEC-validated locally. If a response for a lookup request
- is detected invalid this is returned as lookup failure to
- applications. Note that this mode requires a DNS server that
- supports DNSSEC. If the DNS server does not properly support
- DNSSEC all validations will fail. If set to
- <literal>downgrade-ok</literal> DNSSEC validation is
- attempted, but if the server does not support DNSSEC properly,
- DNSSEC mode is automatically disabled. Note that this mode
- makes DNSSEC validation vulnerable to "downgrade" attacks,
- where an attacker might be able to trigger a downgrade to
- non-DNSSEC mode by synthesizing a DNS response that suggests
- DNSSEC was not supported. If set to false, DNS lookups are not
- DNSSEC validated.</para>
+ DNSSEC-validated locally (excluding LLMNR and Multicast
+ DNS). If a response for a lookup request is detected invalid
+ this is returned as lookup failure to applications. Note that
+ this mode requires a DNS server that supports DNSSEC. If the
+ DNS server does not properly support DNSSEC all validations
+ will fail. If set to <literal>downgrade-ok</literal> DNSSEC
+ validation is attempted, but if the server does not support
+ DNSSEC properly, DNSSEC mode is automatically disabled. Note
+ that this mode makes DNSSEC validation vulnerable to
+ "downgrade" attacks, where an attacker might be able to
+ trigger a downgrade to non-DNSSEC mode by synthesizing a DNS
+ response that suggests DNSSEC was not supported. If set to
+ false, DNS lookups are not DNSSEC validated.</para>
<para>Note that DNSSEC validation requires retrieval of
additional DNS data, and thus results in a small DNS look-up
diff --git a/src/resolve/resolved-gperf.gperf b/src/resolve/resolved-gperf.gperf
index 9bbf45454a..fb3fe9cfb1 100644
--- a/src/resolve/resolved-gperf.gperf
+++ b/src/resolve/resolved-gperf.gperf
@@ -18,4 +18,5 @@ Resolve.DNS, config_parse_dns_servers, DNS_SERVER_SYSTEM, 0
Resolve.FallbackDNS, config_parse_dns_servers, DNS_SERVER_FALLBACK, 0
Resolve.Domains, config_parse_search_domains, 0, 0
Resolve.LLMNR, config_parse_resolve_support,0, offsetof(Manager, llmnr_support)
+Resolve.MulticastDNS, config_parse_resolve_support,0, offsetof(Manager, mdns_support)
Resolve.DNSSEC, config_parse_dnssec, 0, 0
diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
index efc9c6733a..0ba572d113 100644
--- a/src/resolve/resolved.conf.in
+++ b/src/resolve/resolved.conf.in
@@ -16,4 +16,5 @@
#FallbackDNS=@DNS_SERVERS@
#Domains=
#LLMNR=yes
+#MulticastDNS=no
#DNSSEC=no