112 files changed, 3560 insertions, 961 deletions

diff --git a/Makefile.am b/Makefile.am
index 3c13acf28d..2206b70c95 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -125,6 +125,7 @@ dist_systemunit_DATA_busnames =
 dist_sysusers_DATA =
 check_PROGRAMS =
 check_DATA =
+dist_rootlibexec_DATA =
 tests=
 manual_tests =
 TEST_EXTENSIONS = .py
@@ -836,8 +837,6 @@ libbasic_la_SOURCES = \
 	src/basic/ordered-set.c \
 	src/basic/bitmap.c \
 	src/basic/bitmap.h \
-	src/basic/fdset.c \
-	src/basic/fdset.h \
 	src/basic/prioq.c \
 	src/basic/prioq.h \
 	src/basic/web-util.c \
@@ -1050,7 +1049,9 @@ libshared_la_SOURCES = \
 	src/shared/vlan-util.h \
 	src/shared/vlan-util.c \
 	src/shared/tests.h \
-	src/shared/tests.c
+	src/shared/tests.c \
+	src/shared/fdset.c \
+	src/shared/fdset.h
 
 if HAVE_UTMP
 libshared_la_SOURCES += \
@@ -4143,7 +4144,7 @@ test_catalog_SOURCES = \
 
 test_catalog_CPPFLAGS = \
 	$(AM_CPPFLAGS) \
-	-DCATALOG_DIR=\"$(abs_top_srcdir)/catalog\"
+	-DCATALOG_DIR=\"$(abs_top_builddir)/catalog\"
 
 test_catalog_LDADD = \
 	libjournal-core.la
@@ -4342,7 +4343,7 @@ nodist_systemunit_DATA += \
 dist_pkgsysconf_DATA += \
 	src/journal/journald.conf
 
-dist_catalog_DATA = \
+nodist_catalog_DATA = \
 	catalog/systemd.bg.catalog \
 	catalog/systemd.be.catalog \
 	catalog/systemd.be@latin.catalog \
@@ -4355,6 +4356,16 @@ dist_catalog_DATA = \
 	catalog/systemd.zh_TW.catalog \
 	catalog/systemd.catalog
 
+EXTRA_DIST += \
+	$(nodist_catalog_DATA:.catalog=.catalog.in)
+
+# Note that we don't use @@ for replacement markers here, but %%. This is
+# because the catalog uses @@ already for its runtime replacement handling and
+# we don't want to conflict with that.
+catalog/%.catalog: catalog/%.catalog.in
+	$(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
+	$(SED) -e 's~%SUPPORT_URL%~$(SUPPORT_URL)~' < $< > $@
+
 SOCKETS_TARGET_WANTS += \
 	systemd-journald.socket \
 	systemd-journald-dev-log.socket \
@@ -5147,7 +5158,7 @@ systemd_export_LDADD = \
 	$(ZLIB_LIBS) \
 	-lbz2
 
-dist_rootlibexec_DATA = \
+dist_rootlibexec_DATA += \
 	src/import/import-pubring.gpg
 
 nodist_systemunit_DATA += \
@@ -5259,6 +5270,8 @@ systemd_resolved_SOURCES = \
 	src/resolve/resolved-dns-stream.c \
 	src/resolve/resolved-dns-trust-anchor.h \
 	src/resolve/resolved-dns-trust-anchor.c \
+	src/resolve/resolved-dns-stub.h \
+	src/resolve/resolved-dns-stub.c \
 	src/resolve/resolved-etc-hosts.h \
 	src/resolve/resolved-etc-hosts.c \
 	src/shared/gcrypt-util.c \
@@ -5411,6 +5424,9 @@ EXTRA_DIST += \
 	units/systemd-resolved.service.m4.in \
 	src/resolve/resolved.conf.in
 
+dist_rootlibexec_DATA += \
+	src/resolve/resolv.conf
+
 # ------------------------------------------------------------------------------
 if ENABLE_NETWORKD
 rootlibexec_PROGRAMS += \
diff --git a/NEWS b/NEWS
index 788fb33853..e4efb476c6 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,27 @@
 systemd System and Service Manager
 
+CHANGES WITH 231:
+
+        * When using systemd's default tmp.mount for /tmp, this will now be
+          mounted with the "nosuid" and "nodev" options. This avoids
+          privilege escalation attacks that put traps and exploits into /tmp.
+          However, this might cause some problems if you e. g. put container
+          images or overlays into /tmp; if you need this, override tmp.mount's
+          "Options=" with a drop-in, or mount /tmp from /etc/fstab with your
+          desired options.
+
+        * systemd-resolved gained a new "Cache=" option in resolved.conf.
+          Local caching makes DNS poisoning attacks slightly easier and allows
+          a local user to detect whether any other user on the same machine has
+          recently visited a given DNS name (privacy). If that is a concern,
+          you can disable local caching with this option at the cost of slower
+          DNS resolution (which is particularly expensive with DNSSEC). The
+          default continues to be "yes" (i. e.  caching is enabled).
+
+        Contributions from: ...
+
+        — Somewhere, 2016-XX-XX
+
 CHANGES WITH 230:
 
         * DNSSEC is now turned on by default in systemd-resolved (in
diff --git a/TODO b/TODO
index 8de1029b9b..ea359c3768 100644
--- a/TODO
+++ b/TODO
@@ -33,8 +33,6 @@ Janitorial Clean-ups:
 
 Features:
 
-* resolved: maybe add a switch to disable any local caching
-
 * ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files
 
 * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
@@ -47,8 +45,6 @@ Features:
 
 * RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone)
 
-* RestrictRealtime= which takes aware ability to create realtime processes
-
 * nspawn: make /proc/sys/net writable?
 
 * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
@@ -66,8 +62,6 @@ Features:
 * transient units: don't bother with actually setting unit properties, we
   reload the unit file anyway
 
-* make sure resolved can be restarted without losing pushed-in dns config
-
 * journald: sigbus API via a signal-handler safe function that people may call
   from the SIGBUS handler
 
@@ -79,9 +73,6 @@ Features:
 
 * resolved: when routing queries, make sure only look for the *longest* suffix...
 
-* resolved: maybe, after all, implement local listening for DNS packets on port
-  127.0.0.53:53.
-
 * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
   in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
 
@@ -115,8 +106,6 @@ Features:
 
 * man: document that unless you use StandardError=null the shell >/dev/stderr won't work in shell scripts in services
 
-* install: include generator dirs in unit file search paths
-
 * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
 
 * docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date
@@ -197,9 +186,7 @@ Features:
 
 * systemctl: if some operation fails, show log output?
 
-* systemctl edit:
-- allow creation of units from scratch
-- use equvalent of cat() to insert existing config as a comment, prepended with #.
+* systemctl edit: use equvalent of cat() to insert existing config as a comment, prepended with #.
   Upon editor exit, lines with one # are removed, lines with two # are left with one #, etc.
 
 * exponential backoff in timesyncd when we cannot reach a server
@@ -228,6 +215,7 @@ Features:
     names, so that for the container case we can establish the same name
     (maybe "host") for referencing the server, everywhere.
   - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
+  - hook up resolved with machined-based address resolution
 
 * refcounting in sd-resolve is borked
 
diff --git a/catalog/.gitignore b/catalog/.gitignore
new file mode 100644
index 0000000000..ff695342e3
--- /dev/null
+++ b/catalog/.gitignore
@@ -0,0 +1 @@
+*.catalog
diff --git a/catalog/systemd.be.catalog b/catalog/systemd.be.catalog.in
index cd62d9786e..5b237f0558 100644
--- a/catalog/systemd.be.catalog
+++ b/catalog/systemd.be.catalog.in
@@ -27,7 +27,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: С�рві� журнал�ванн� запу�ціў��
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Прац�� �і�т�мнага журнал�ванн� запу�ціў��, адкрыў файлы дл�
 запі�у і гатовы апрацоўваць запыты.
@@ -35,14 +35,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: С�рві� журнал�ванн� �пыніў��
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Прац�� �і�т�мнага журнал�ванн� �пыніў�� і закрыў у�е файлы.
 
 -- ec387f577b844b8fa948f33cad9a75e6
 Subject: Ды�кавае ме�ца, зан�тае ча�опі�ам
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @JOURNAL_NAME@ (@JOURNAL_PATH@) ц�пер займае @CURRENT_USE_PRETTY@.
 Мак�імальна дазволены памер �кладае @MAX_USE_PRETTY@.
@@ -58,7 +58,7 @@ SystemMaxFileSize=, RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize= у
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Паведамленні з ��рві�у адкінуты
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 С�рві� адправіў занадта штат паведамленн�ў за кароткі прамежак ча�у.
@@ -74,7 +74,7 @@ RateLimitIntervalSec= і RateLimitBurst= у файле /etc/systemd/journald.con
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Паведамленні �трачаны
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Паведамленні �дра былі �трачаны, так �к �і�т�ма журнал�ванн� не па�пела
 іх апрацаваць.
@@ -82,7 +82,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Прац�� @COREDUMP_PID@ (@COREDUMP_COMM@) �кінуў дамп пам�ці
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Прац�� @COREDUMP_PID@ (@COREDUMP_COMM@) разбіў�� і �кінуў дамп пам�ці.
@@ -93,7 +93,7 @@ Documentation: man:core(5)
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: �ова� �е�і� № @SESSION_ID@ �творана дл� кары�тальніка @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 �ова� �е�і� з № @SESSION_ID@ �творана дл� кары�тальніка @USER_ID@.
@@ -103,7 +103,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Се�і� № @SESSION_ID@ �пынена
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Се�і� № @SESSION_ID@ �пынена.
@@ -111,7 +111,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: Да�тупна новае працоўнае ме�ца № @SEAT_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 �овае працоўнае ме�ца № @SEAT_ID@ наладжана і да�тупна дл� выкары�танн�.
@@ -119,7 +119,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Працоўнае ме�ца № @SEAT_ID@ выдалена
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Працоўнае ме�ца № @SEAT_ID@ выдалена і больш не да�тупна.
@@ -127,21 +127,21 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Ча� зменены
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Сі�т�мны гадзіннік зменены на @REALTIME@ мікра�екунд ад 1 �тудзен� 1970.
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Ча�авы по�� зменены на @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Сі�т�мны ча�авы по�� зменены на @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Запу�к �і�т�мы зав�ршыў��
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 У�е �і�т�мны� ��рві�ы, неабходны� дл� загрузкі �і�т�мы, па�п�хова
 запу�цілі��. Майце на ўвазе, што г�та не значыць, што машына нічога не
@@ -156,21 +156,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Сі�т�ма перайшла ў �тан �ну @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Ц�пер �і�т�ма перайшла у �тан �ну @SLEEP@.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Сі�т�ма выйшла �а �тана �ну @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Ц�пер �і�т�ма выйшла �а �тана �ну @SLEEP@.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Сі�т�ма зав�ршае работу
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Пачаў�� прац�� выключ�нн� �і�т�мы.
 Спын�юцца ў�е �і�т�мны� ��рві�ы і д�мантуюцца файлавы� �і�т�мы.
@@ -178,14 +178,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: Юніт @UNIT@ запу�каецца
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Пачаў�� прац�� запу�ку юніта @UNIT@.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Юніт @UNIT@ запу�ціў��
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Прац�� запу�ку юніта @UNIT@ завершаны.
 
@@ -194,21 +194,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: Юніт @UNIT@ �пын�ецца
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Пачаў�� прац�� �пыненн� юніта @UNIT@.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: Юніт @UNIT@ �пынены
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Прац�� �пыненн� юніта @UNIT@ завершаны.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: Збой юніта @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Збой юніта @UNIT@.
 
@@ -217,14 +217,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d34d037fff1847e6ae669a370e694725
 Subject: Юніт @UNIT@ перачытвае �ваю канфігурацыю
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Юніт @UNIT@ пачаў перачытваць �ваю канфігурацыю.
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Юніт @UNIT@ перачытаў �ваю канфігурацыю
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Юніт @UNIT@ перачытаў �ваю канфігурацыю.
 
@@ -233,7 +233,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Прац�� @EXECUTABLE@ не можа быць выкананы
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Прац�� @EXECUTABLE@ не можа быць выкананы ў выніку збою.
 
@@ -242,7 +242,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 0027229ca0644181a76c4e92458afa2e
 Sibject: �дно ці больш паведамленн�ў не былі накіраваны ў syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 �дно ці больш паведамленн�ў не былі накіраваны ў syslog ��рві�, �кі
 выконваецца паралельна з journald. Звычайна г�та значыць, што
@@ -252,7 +252,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Кропка мантаванн� не пу�та�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Каталог @WHERE@ указаны �к кропка мантаванн� (другое поле ў /etc/fstab ці
 Where= поле ў файле юніта systemd) і не пу�ты. Г�та не перашкаджае
@@ -262,7 +262,7 @@ Where= поле Ñž файле юніта systemd) Ñ– не пуÑ�Ñ‚Ñ‹. ГÑ�та Ð
 -- 24d8d4452573402496068381a6312df2
 Subject: Віртуальна� машына або кант�йнер запу�ціў��
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Віртуальна� машына @NAME@ з лідарам № @LEADER@ запу�ціла�� і
 гатова дл� выкары�танн�.
@@ -270,14 +270,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Віртуальна� машына або кант�йнер �пынены
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Віртуальна� машына @NAME@ з лідарам № @LEADER@ �пынена.
 
 -- 36db2dfa5a9045e1bd4af5f93e1cf057
-Subject: Механізм DNSSEC адключаны, бо �ервер не падтымлівае �го 
+Subject: Механізм DNSSEC адключаны, бо �ервер не падтымлівае �го
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 
 С�рві� вызнач�нн� імён (systemd-resolved.service) вызначыў, што DNS-�ервер
@@ -296,7 +296,7 @@ Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 -- 1675d7f172174098b1108bf8c7dc8f5d
 Subject: Збой пры праверцы DNSSEC
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 DNS-запыт або р��ур�ны запі� не прайшоў праверку DNSSEC.
@@ -305,7 +305,7 @@ DNS-запыт або р��ур�ны запі� не прайшоў праве
 -- 4d4408cfd0d144859184d1e65d7c8a65
 Subject: Давераны ключ DNSSEC быў анул�ваны
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 Давераны ключ DNSSEC быў анул�ваны. �еабходна наладзіць новы давераны ключ
diff --git a/catalog/systemd.be@latin.catalog b/catalog/systemd.be@latin.catalog.in
index a9dce88377..fc9f7cad16 100644
--- a/catalog/systemd.be@latin.catalog
+++ b/catalog/systemd.be@latin.catalog.in
@@ -27,7 +27,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: Servis žurnaliavannia zapusciŭsia
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Praces sistemnaha žurnaliavannia zapusciŭsia, adkryŭ fajly dlia
 zapisu i hatovy apracoŭvać zapyty.
@@ -35,14 +35,14 @@ zapisu i hatovy apracoŭvać zapyty.
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: Servis žurnaliavannia spyniŭsia
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Praces sistemnaha žurnaliavannia spyniŭsia i zakryŭ usie fajly.
 
 -- ec387f577b844b8fa948f33cad9a75e6
 Subject: dyskavaje miesca, zaniataje �asopisam
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @JOURNAL_NAME@ (@JOURNAL_PATH@) ciapier zajmaje @CURRENT_USE_PRETTY@.
 Maksimaĺna dazvolieny pamier skladaje @MAX_USE_PRETTY@.
@@ -59,7 +59,7 @@ detaliej.
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Paviedamlienni z servisu adkinuty
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 Servis adpraviŭ zanadta štat paviedamlienniaŭ za karotki pramiežak �asu.
@@ -75,7 +75,7 @@ Hliadzicie journald.conf(5) dlia detaliej.
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Paviedamlienni stra�any
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Paviedamlienni jadra byli stra�any, tak jak sistema žurnaliavannia nie
 paspiela ich apracavać.
@@ -83,7 +83,7 @@ paspiela ich apracavać.
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Praces @COREDUMP_PID@ (@COREDUMP_COMM@) skinuÅ­ damp pamiaci
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Praces @COREDUMP_PID@ (@COREDUMP_COMM@) razbiÅ­sia i skinuÅ­ damp pamiaci.
@@ -94,7 +94,7 @@ Rekamiendujecca paviedamić ab hetym raspracoŭnikam.
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: Novaja siesija № @SESSION_ID@ stvorana dlia karystaĺnika @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Novaja siesija z № @SESSION_ID@ stvorana dlia karystaĺnika @USER_ID@.
@@ -104,7 +104,7 @@ Lidar hetaj siesii pad â„– @LEADER@.
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Siesija â„– @SESSION_ID@ spyniena
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Siesija â„– @SESSION_ID@ spyniena.
@@ -112,7 +112,7 @@ Siesija â„– @SESSION_ID@ spyniena.
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: Dastupna novaje pracoÅ­naje miesca â„– @SEAT_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Novaje pracoŭnaje miesca № @SEAT_ID@ naladžana i dastupna dlia
@@ -121,7 +121,7 @@ vykarystannia.
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: PracoÅ­naje miesca â„– @SEAT_ID@ vydaliena
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Pracoŭnaje miesca № @SEAT_ID@ vydaliena i boĺš nie dastupna.
@@ -129,7 +129,7 @@ Pracoŭnaje miesca № @SEAT_ID@ vydaliena i boĺš nie dastupna.
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: ÄŒas zmienieny
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Sistemny hadzinnik zmienieny na @REALTIME@ mikrasiekund ad 1 studzienia
 1970.
@@ -137,14 +137,14 @@ Sistemny hadzinnik zmienieny na @REALTIME@ mikrasiekund ad 1 studzienia
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: ÄŒasavy pojas zmienieny na @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Sistemny �asavy pojas zmienieny na @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Zapusk sistemy zaviaršyŭsia
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Usie sistemnyja servisy, nieabchodnyja dlia zahruzki sistemy, paspiachova
 zapuscilisia. Majcie na ŭvazie, što heta nie zna�yć, što mašyna ni�oha nie
@@ -159,21 +159,21 @@ Na zapusk sistemnych servisaÅ­ spatrebilasia @USERSPACE_USEC@ mikrasiekund.
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Sistema pierajšla ŭ stan snu @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Ciapier sistema pierajšla u stan snu @SLEEP@.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Sistema vyjšla sa stana snu @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Ciapier sistema vyjšla sa stana snu @SLEEP@.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Sistema zaviaršaje rabotu
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Pa�aŭsia praces vykliu�ennia sistemy.
 Spyniajucca Å­sie sistemnyja servisy i demantujucca fajlavyja sistemy.
@@ -181,14 +181,14 @@ Spyniajucca Å­sie sistemnyja servisy i demantujucca fajlavyja sistemy.
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: Junit @UNIT@ zapuskajecca
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Pa�aŭsia praces zapusku junita @UNIT@.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Junit @UNIT@ zapusciÅ­sia
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Praces zapusku junita @UNIT@ zavieršany.
 
@@ -197,21 +197,21 @@ Vynik: @RESULT@.
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: Junit @UNIT@ spyniajecca
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Pa�aŭsia praces spyniennia junita @UNIT@.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: Junit @UNIT@ spynieny
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Praces spyniennia junita @UNIT@ zavieršany.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: Zboj junita @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Zboj junita @UNIT@.
 
@@ -220,14 +220,14 @@ Vynik: @RESULT@.
 -- d34d037fff1847e6ae669a370e694725
 Subject: Junit @UNIT@ piera�ytvaje svaju kanfihuracyju
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Junit @UNIT@ pa�aŭ piera�ytvać svaju kanfihuracyju.
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Junit @UNIT@ piera�ytaŭ svaju kanfihuracyju
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Junit @UNIT@ piera�ytaŭ svaju kanfihuracyju.
 
@@ -236,7 +236,7 @@ Vynik: @RESULT@.
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Praces @EXECUTABLE@ nie moža być vykanany
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Praces @EXECUTABLE@ nie moža być vykanany ŭ vyniku zboju.
 
@@ -245,7 +245,7 @@ Jon viarnuÅ­ pamylku numar @ERRNO@.
 -- 0027229ca0644181a76c4e92458afa2e
 Sibject: Adno ci boĺš paviedamlienniaŭ nie byli nakiravany ŭ syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Adno ci boĺš paviedamlienniaŭ nie byli nakiravany ŭ syslog servis, jaki
 vykonvajecca paralieĺna z journald. Zvy�ajna heta zna�yć, što
@@ -255,7 +255,7 @@ chutkasciu.
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Kropka mantavannia nie pustaja
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Kataloh @WHERE@ ukazany jak kropka mantavannia (druhoje polie Å­ /etc/fstab
 ci Where= polie ŭ fajlie junita systemd) i nie pusty. Heta nie pieraškadžaje
@@ -265,7 +265,7 @@ ich, kali laska, zmantujcie hetuju fajlavuju sistemu ŭ inšaje miesca.
 -- 24d8d4452573402496068381a6312df2
 Subject: Virtuaĺnaja mašyna abo kantejnier zapusciŭsia
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Virtuaĺnaja mašyna @NAME@ z lidaram № @LEADER@ zapuscilasia i
 hatova dlia vykarystannia.
@@ -273,14 +273,14 @@ hatova dlia vykarystannia.
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Virtuaĺnaja mašyna abo kantejnier spynieny
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Virtuaĺnaja mašyna @NAME@ z lidaram № @LEADER@ spyniena.
 
 -- 36db2dfa5a9045e1bd4af5f93e1cf057
-Subject: Miechanizm DNSSEC adkliu�any, bo siervier nie padtrymlivaje jaho 
+Subject: Miechanizm DNSSEC adkliu�any, bo siervier nie padtrymlivaje jaho
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 
 Servis vyzna�ennia imion (systemd-resolved.service) vyzna�yŭ, što
@@ -301,7 +301,7 @@ ataku pa adkliu�enniu DNSSEC.
 -- 1675d7f172174098b1108bf8c7dc8f5d
 Subject: Zboj pry praviercy DNSSEC
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 DNS-zapyt abo resursny zapis nie prajšoŭ pravierku DNSSEC.
@@ -310,7 +310,7 @@ Jak pravila, heta pakazvaje na zniešniaje ŭzdziejannie na kanal suviazi.
 -- 4d4408cfd0d144859184d1e65d7c8a65
 Subject: Davierany kliu� DNSSEC byŭ anuliavany
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 Davierany kliu� DNSSEC byŭ anuliavany. Nieabchodna naladzić novy davierany
diff --git a/catalog/systemd.bg.catalog b/catalog/systemd.bg.catalog.in
index 30246c0bbe..76b0ce8f17 100644
--- a/catalog/systemd.bg.catalog
+++ b/catalog/systemd.bg.catalog.in
@@ -26,7 +26,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: Журнални�т проце� е пу�нат
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Журнални�т проце� на �и�темата е �тартирал, отворил е журналните файлове
 за запи� и може да приема за�вки.
@@ -34,7 +34,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: Журнални�т проце� е �пр�н
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Журнални�т проце� на �и�темата е �пр�н, затворени �а в�ички отворени
 журнални файлове.
@@ -42,7 +42,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- ec387f577b844b8fa948f33cad9a75e6
 Subject: Про�тран�твото върху ди�ка заето от журналните файлове
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @JOURNAL_NAME@ (@JOURNAL_PATH@) в момента заема @CURRENT_USE_PRETTY@.
 Мак�имални�т зададен размер е @MAX_USE_PRETTY@.
@@ -58,7 +58,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Съобщени�та от н�ко� у�луга не �а допу�нати
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 ��ко� у�луга генерира прекалено много �ъобщени� за кратък период.
@@ -74,7 +74,7 @@ Documentation: man:journald.conf(5)
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Пропу�нати журнални �ъобщени�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 ��кои от �ъобщени�та на �дрото може и да �а пропу�нати, защото �и�темата не
 �могваше да ги обработи до�татъчно бързо.
@@ -82,7 +82,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Проце� № @COREDUMP_PID@ (@COREDUMP_COMM@) запази о�вободената памет
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Проце� № @COREDUMP_PID@ (@COREDUMP_COMM@) заби, пред�тав�нето му в паметта
@@ -94,7 +94,7 @@ Documentation: man:core(5)
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: Създадена е нова �е�и� № @SESSION_ID@ за потребител� „@USER_ID@“
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 За потребител� „@USER_ID@“ е �ъздадена нова �е�и� № @SESSION_ID@.
@@ -104,7 +104,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Се�и� № @SESSION_ID@ приключи
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Се�и� № @SESSION_ID@ приключи работа.
@@ -112,7 +112,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: �алично е ново работно м��то № @SEAT_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 �овото работно м��то № @SEAT_ID@ е на�троено и готово за работа.
@@ -120,7 +120,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Работното м��то № @SEAT_ID@ е премахнато
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Работното м��то № @SEAT_ID@ вече не е налично.
@@ -128,7 +128,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: См�на на �и�темното време
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Ча�овникът на �и�темата е �верен да �очи @REALTIME@ микро�екунди �лед
 1 �нуари 1970.
@@ -136,14 +136,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: См�на на ча�ови� по�� да е „@TIMEZONE@“
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Ча�ови�т по�� на �и�темата е �менен на „@TIMEZONE@“.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Стартирането на �и�темата завърши
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 У�пешно �а �тартирали в�ички у�луги, които �а по�очени за задей�тване при
 �тартиране на �и�темата. Това не означава, че �и�темата бездей�тва, защото
@@ -159,21 +159,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Си�темата е при�пана на ниво „@SLEEP@“
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�темата премина в �ъ�то�ние на при�пиване „@SLEEP@“.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Си�темата �е �ъбуди �лед при�пиване на ниво„@SLEEP@“
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�темата �е �ъбуди от �ъ�то�ние на при�пиване „@SLEEP@“.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Започна процедура на �пиране на �и�темата
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Започна процедурата на Systemd за �пиране на �и�темата. В�ички проце�и и
 у�луги �е �пират, в�ички файлови �и�теми �е демонтират.
@@ -181,14 +181,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: Модул „@UNIT@“ �е �тартира
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Модулът „@UNIT@“ �е �тартира в момента
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Модул „@UNIT@“ вече е �тартиран
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Стартирането на модул „@UNIT@“ завърши.
 
@@ -197,21 +197,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: Модул „@UNIT@“ �е �пира
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Модулът „@UNIT@“ �е �пира в момента.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: Модул „@UNIT@“ вече е �пр�н
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Спирането на модул „@UNIT@“ завърши.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: Модулът „@UNIT@“ не у�п� да �тартира
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Модулът „@UNIT@“ не у�п� да �тартира.
 
@@ -220,14 +220,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d34d037fff1847e6ae669a370e694725
 Subject: Модулът „@UNIT@“ започна презареждане на на�тройките �и
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Модулът „@UNIT@“ започна презареждане на на�тройките �и.
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Модулът „@UNIT@“ завърши презареждането на на�тройките �и
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Модулът „@UNIT@“ завърши презареждането на на�тройките �и.
 
@@ -236,7 +236,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Програмата „@EXECUTABLE@“ не у�п� да �е �тартира
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Програмата „@EXECUTABLE@“ не у�п� да �е �тартира.
 
@@ -245,7 +245,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Поне едно �ъобщение не бе препратено към syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Поне едно �ъобщение не бе препратено към журналната у�луга syslog, ко�то
 работи у�поредно � journald.
@@ -256,7 +256,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Точката за монтиране не е празна
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Директори�та „@WHERE@“ не е празна.
 
@@ -271,7 +271,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 24d8d4452573402496068381a6312df2
 Subject: Стартирана е виртуална машина или контейнер
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Виртуалната машина „@NAME@“ � идентификатор на водещи� проце� @LEADER@
 е �тартирана и готова за работа.
@@ -279,7 +279,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Спр�на е виртуална машина или контейнер
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Виртуалната машина „@NAME@“ � идентификатор на водещи� проце� @LEADER@
 е �пр�на.
@@ -287,7 +287,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 36db2dfa5a9045e1bd4af5f93e1cf057
 Subject: Режимът DNSSEC е изключен, защото �ървърът не го поддържа
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 
 Локалната у�луга за имена (systemd-resolved.service) у�танови, че
@@ -306,7 +306,7 @@ Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 -- 1675d7f172174098b1108bf8c7dc8f5d
 Subject: �еу�пешна проверка на DNSSEC
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 За�вка или запи� в DNS не издържа проверка � DNSSEC.
@@ -316,7 +316,7 @@ Documentation: man:systemd-resolved.service(8)
 -- 4d4408cfd0d144859184d1e65d7c8a65
 Subject: �нулирана доверена котва в DNSSEC
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 �нулирана е доверена котва за DNSSEC и тр�бва да на�троите нова.
diff --git a/catalog/systemd.catalog b/catalog/systemd.catalog.in
index 90929bca6d..8de8597fe9 100644
--- a/catalog/systemd.catalog
+++ b/catalog/systemd.catalog.in
@@ -25,7 +25,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: The journal has been started
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The system journal process has started up, opened the journal
 files for writing and is now ready to process requests.
@@ -33,7 +33,7 @@ files for writing and is now ready to process requests.
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: The journal has been stopped
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The system journal process has shut down and closed all currently
 active journal files.
@@ -41,7 +41,7 @@ active journal files.
 -- ec387f577b844b8fa948f33cad9a75e6
 Subject: Disk space used by the journal
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @JOURNAL_NAME@ (@JOURNAL_PATH@) is currently using @CURRENT_USE_PRETTY@.
 Maximum allowed usage is set to @MAX_USE_PRETTY@.
@@ -56,7 +56,7 @@ RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize= settings in
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Messages from a service have been suppressed
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 A service has logged too many messages within a time period. Messages
@@ -72,7 +72,7 @@ with RateLimitIntervalSec= and RateLimitBurst= in
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Journal messages have been missed
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Kernel messages have been lost as the journal system has been unable
 to process them quickly enough.
@@ -80,7 +80,7 @@ to process them quickly enough.
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Process @COREDUMP_PID@ (@COREDUMP_COMM@) dumped core
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Process @COREDUMP_PID@ (@COREDUMP_COMM@) crashed and dumped core.
@@ -91,7 +91,7 @@ should be reported to its vendor as a bug.
 -- fc2e22bc6ee647b6b90729ab34a250b1 de
 Subject: Speicherabbild für Prozess @COREDUMP_PID@ (@COREDUMP_COMM) generiert
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Prozess @COREDUMP_PID@ (@COREDUMP_COMM@) ist abgebrochen worden und
@@ -103,7 +103,7 @@ als Fehler dem jeweiligen Hersteller gemeldet werden.
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: A new session @SESSION_ID@ has been created for user @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 A new session with the ID @SESSION_ID@ has been created for the user @USER_ID@.
@@ -113,7 +113,7 @@ The leading process of the session is @LEADER@.
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Session @SESSION_ID@ has been terminated
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 A session with the ID @SESSION_ID@ has been terminated.
@@ -121,7 +121,7 @@ A session with the ID @SESSION_ID@ has been terminated.
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: A new seat @SEAT_ID@ is now available
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 A new seat @SEAT_ID@ has been configured and is now available.
@@ -129,7 +129,7 @@ A new seat @SEAT_ID@ has been configured and is now available.
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Seat @SEAT_ID@ has now been removed
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 A seat @SEAT_ID@ has been removed and is no longer available.
@@ -137,28 +137,28 @@ A seat @SEAT_ID@ has been removed and is no longer available.
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Time change
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The system clock has been changed to @REALTIME@ microseconds after January 1st, 1970.
 
 -- c7a787079b354eaaa9e77b371893cd27 de
 Subject: Zeitänderung
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Die System-Zeit wurde geändert auf @REALTIME@ Mikrosekunden nach dem 1. Januar 1970.
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Time zone change to @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The system timezone has been changed to @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: System start-up is now complete
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 All system services necessary queued for starting at boot have been
 successfully started. Note that this does not mean that the machine is
@@ -173,21 +173,21 @@ Userspace start-up required @USERSPACE_USEC@ microseconds.
 -- 6bbd95ee977941e497c48be27c254128
 Subject: System sleep state @SLEEP@ entered
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The system has now entered the @SLEEP@ sleep state.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: System sleep state @SLEEP@ left
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The system has now left the @SLEEP@ sleep state.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: System shutdown initiated
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Systemd shutdown has been initiated. The shutdown has now begun and
 all system services are terminated and all file systems unmounted.
@@ -195,14 +195,14 @@ all system services are terminated and all file systems unmounted.
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: Unit @UNIT@ has begun start-up
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Unit @UNIT@ has begun starting up.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Unit @UNIT@ has finished start-up
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Unit @UNIT@ has finished starting up.
 
@@ -211,21 +211,21 @@ The start-up result is @RESULT@.
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: Unit @UNIT@ has begun shutting down
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Unit @UNIT@ has begun shutting down.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: Unit @UNIT@ has finished shutting down
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Unit @UNIT@ has finished shutting down.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: Unit @UNIT@ has failed
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Unit @UNIT@ has failed.
 
@@ -234,14 +234,14 @@ The result is @RESULT@.
 -- d34d037fff1847e6ae669a370e694725
 Subject: Unit @UNIT@ has begun reloading its configuration
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Unit @UNIT@ has begun reloading its configuration
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Unit @UNIT@ has finished reloading its configuration
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Unit @UNIT@ has finished reloading its configuration
 
@@ -250,7 +250,7 @@ The result is @RESULT@.
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Process @EXECUTABLE@ could not be executed
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The process @EXECUTABLE@ could not be executed and failed.
 
@@ -259,7 +259,7 @@ The error number returned by this process is @ERRNO@.
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: One or more messages could not be forwarded to syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 One or more messages could not be forwarded to the syslog service
 running side-by-side with journald. This usually indicates that the
@@ -269,7 +269,7 @@ messages queued.
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Mount point is not empty
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The directory @WHERE@ is specified as the mount point (second field in
 /etc/fstab or Where= field in systemd unit file) and is not empty.
@@ -281,7 +281,7 @@ location.
 -- 24d8d4452573402496068381a6312df2
 Subject: A virtual machine or container has been started
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The virtual machine @NAME@ with its leader PID @LEADER@ has been
 started is now ready to use.
@@ -289,7 +289,7 @@ started is now ready to use.
 -- 58432bd3bace477cb514b56381b8a758
 Subject: A virtual machine or container has been terminated
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 The virtual machine @NAME@ with its leader PID @LEADER@ has been
 shut down.
@@ -297,7 +297,7 @@ shut down.
 -- 36db2dfa5a9045e1bd4af5f93e1cf057
 Subject: DNSSEC mode has been turned off, as server doesn't support it
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 
 The resolver service (systemd-resolved.service) has detected that the
@@ -317,7 +317,7 @@ attack.
 -- 1675d7f172174098b1108bf8c7dc8f5d
 Subject: DNSSEC validation failed
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 A DNS query or resource record set failed DNSSEC validation. This is usually
@@ -326,7 +326,7 @@ indication that the communication channel used was tampered with.
 -- 4d4408cfd0d144859184d1e65d7c8a65
 Subject: A DNSSEC trust anchor has been revoked
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 A DNSSEC trust anchor has been revoked. A new trust anchor has to be
diff --git a/catalog/systemd.da.catalog b/catalog/systemd.da.catalog.in
index 093e8139da..bc7d94476f 100644
--- a/catalog/systemd.da.catalog
+++ b/catalog/systemd.da.catalog.in
@@ -26,7 +26,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: Journalen er blevet startet
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 System-journal processen har startet op, åbnet journal filerne for
 tilskrivning og er nu klar til at modtage anmodninger.
@@ -34,7 +34,7 @@ tilskrivning og er nu klar til at modtage anmodninger.
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: Journalen er blevet stoppet
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 System-journal processen er stoppet og har lukket alle aktive journal
 filer.
@@ -42,7 +42,7 @@ filer.
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Beskeder fra en service er blevet undertrykt
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 En service har logget for mange beskeder inden for en given tidsperiode.
@@ -58,7 +58,7 @@ med RateLimitIntervalSec= og RateLimitBurst= i
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Journal beskeder er gået tabt
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Kernel beskeder er gået tabt da journal systemet ikke har været i stand
 til at håndtere dem hurtigt nok.
@@ -66,7 +66,7 @@ til at håndtere dem hurtigt nok.
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Fejl-fil genereret for process @COREDUMP_PID@ (@COREDUMP_COMM@)
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Process @COREDUMP_PID@ (@COREDUMP_COMM@) har lukket ned og genereret en
@@ -78,7 +78,7 @@ og burde blive reporteret som en bug til folkene bag
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: En ny session @SESSION_ID@ er blevet lavet for bruger @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 En ny session med ID @SESSION_ID@ er blevet lavet for brugeren @USER_ID@.
@@ -88,7 +88,7 @@ Den ledende process for sessionen er @LEADER@.
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Session @SESSION_ID@ er blevet lukket ned
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 En session med ID @SESSION_ID@ er blevet lukket ned.
@@ -96,7 +96,7 @@ En session med ID @SESSION_ID@ er blevet lukket ned.
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: En ny arbejdsstation $SEAT_ID@ er nu tilgængelig
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 En ny arbejdsstation @SEAT_ID@ er blevet konfigureret og er nu tilgængelig.
@@ -104,7 +104,7 @@ En ny arbejdsstation @SEAT_ID@ er blevet konfigureret og er nu tilgængelig.
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Arbejdsstation @SEAT_ID@ er nu blevet fjernet
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 En arbejdsstation @SEAT_ID@ er blevet fjernet og er ikke længere tilgængelig.
@@ -112,21 +112,21 @@ En arbejdsstation @SEAT_ID@ er blevet fjernet og er ikke længere tilgængelig.
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Tidsændring
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Systemtiden er blevet ændret til @REALTIME@ mikrosekunder efter d. 1. Januar 1970.
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Tidszoneændring til @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Tidszonen for systemet er blevet ændret til @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Opstart af systemet er nu fuldført
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Alle system services i kø til at køre ved opstart, er blevet startet
 med success. Bemærk at dette ikke betyder at maskinen er i dvale, da
@@ -141,21 +141,21 @@ Opstart af userspace tog @USERSPACE_USEC@ mikrosekunder.
 -- 6bbd95ee977941e497c48be27c254128
 Subject: System slumretilstand @SLEEP@ trådt i kraft
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 System er nu gået i @SLEEP@ slumretilstand.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: System slumretilstand @SLEEP@ forladt
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Systemet har nu forladt @SLEEP@ slumretilstand.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Systemnedlukning påbegyndt
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Systemnedlukning er blevet påbegyndt. Nedlukningen er nu begyndt og
 alle system services er blevet afbrudt og alle filsystemer afmonteret.
@@ -163,14 +163,14 @@ alle system services er blevet afbrudt og alle filsystemer afmonteret.
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: Enhed @UNIT@ har påbegyndt opstart
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Enhed @UNIT@ er begyndt at starte op.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Enhed @UNIT har færdiggjort opstart
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Enhed @UNIT@ er færdig med at starte op.
 
@@ -179,21 +179,21 @@ Resultat for opstart er @RESULT@.
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: Enhed @UNIT@ har påbegyndt nedlukning
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Enhed @UNIT@ har påbegyndt nedlukning.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: Enhed @UNIT@ har færdiggjort nedlukning
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Enhed @UNIT@ har færdiggjort nedlukning.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: Enhed @UNIT@ har fejlet
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Enhed @UNIT@ har fejlet.
 
@@ -202,14 +202,14 @@ Resultatet er @RESULT@
 -- d34d037fff1847e6ae669a370e694725
 Subject: Enhed @UNIT@ har påbegyndt genindlæsning af sin konfiguration
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Enhed @UNIT@ er begyndt at genindlæse sin konfiguration
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Enhed @UNIT@ har færdiggjort genindlæsning af sin konfiguration
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Enhed @UNIT@ er færdig med at genindlæse sin konfiguration
 
@@ -218,7 +218,7 @@ Resultatet er: @RESULT@.
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Process @EXECUTABLE@ kunne ikke eksekveres
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Processen @EXECUTABLE@ kunne ikke eksekveres og fejlede.
 
@@ -227,7 +227,7 @@ Processens returnerede fejlkode er @ERRNO@.
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Èn eller flere beskeder kunne ikke videresendes til syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Èn eller flere beskeder kunne ikke videresendes til syslog servicen
 der kører side-om-side med journald. Dette indikerer typisk at syslog
@@ -236,7 +236,7 @@ implementationen ikke har kunnet følge med mængden af ventende beskeder.
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Monteringspunkt er ikke tomt
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Folderen @WHERE@ er specificeret som monteringspunkt (andet felt i
 /etc/fstab eller Where= feltet i systemd enhedsfil) men er ikke tom.
@@ -247,7 +247,7 @@ underlæggende filsystem til en anden lokation.
 -- 24d8d4452573402496068381a6312df2
 Subject: En virtuel maskine eller container er blevet startet
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Den virtuelle maskine @NAME@ med dens leder PID @LEADER@ er blevet
 startet og er klar til brug.
@@ -255,7 +255,7 @@ startet og er klar til brug.
 -- 58432bd3bace477cb514b56381b8a758
 Subject: En virtuel maskine eller container er blevet afbrudt
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Den virtuelle maskine @NAME@ med dens leder PID @LEADER@ er blevet
 nedlukket.
diff --git a/catalog/systemd.fr.catalog b/catalog/systemd.fr.catalog.in
index 0cea629c31..573b288e74 100644
--- a/catalog/systemd.fr.catalog
+++ b/catalog/systemd.fr.catalog.in
@@ -25,7 +25,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: Le journal a été démarré
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Le processus du journal système a démarré, ouvert ses fichiers en écriture
 et est prêt à traiter les requêtes.
@@ -33,7 +33,7 @@ et est prêt à traiter les requêtes.
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: Le journal a été arrêté
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Le processus du journal système a été arrêté et tous ses fichiers actifs
 ont été fermés.
@@ -41,7 +41,7 @@ ont été fermés.
 -- ec387f577b844b8fa948f33cad9a75e6
 Subject: Espace disque utilisé par le journal
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 @JOURNAL_NAME@ (@JOURNAL_PATH@) utilise actuellement @CURRENT_USE_PRETTY@.
@@ -60,7 +60,7 @@ Voir journald.conf(5) pour plus de détails.
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Des messages d'un service ont été supprimés
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 Un service a essayé d'enregistrer un trop grand nombre de messages sur un
@@ -76,7 +76,7 @@ paramètres RateLimitIntervalSec= et RateLimitBurst= dans le fichier
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Des messages du journal ont été manqués
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Des messages du noyau ont été manqués car le journal système n'a pas été
 capable de les traiter suffisamment vite.
@@ -84,7 +84,7 @@ capable de les traiter suffisamment vite.
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Le processus @COREDUMP_PID@ (@COREDUMP_COMM@) a généré un fichier « core »
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Le processus @COREDUMP_PID@ (@COREDUMP_COMM@) a planté et généré un fichier « core ».
@@ -95,7 +95,7 @@ incriminé, et cela devrait être notifié à son concepteur comme un défaut (b
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: Une nouvelle session @SESSION_ID@ a été créée pour l'utilisateur @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Une nouvelle session a été créée pour l'utilisateur @USER_ID@ avec
@@ -106,7 +106,7 @@ Le processus maître de la session est @LEADER@.
 -- 3354939424b4456d9802ca8333ed424a
 Subject: La session @SESSION_ID@ s'est terminée
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 La session d'identifiant (ID) @SESSION_ID@ s'est terminée.
@@ -114,7 +114,7 @@ La session d'identifiant (ID) @SESSION_ID@ s'est terminée.
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: Un nouveau poste (seat) @SEAT_ID@ est disponible
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Un nouveau poste (seat) @SEAT_ID@ a été configuré et est maintenant
@@ -123,7 +123,7 @@ disponible.
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Le poste (seat) @SEAT_ID@ a été retiré
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Le poste (seat) @SEAT_ID@ a été retiré et n'est plus disponible.
@@ -131,7 +131,7 @@ Le poste (seat) @SEAT_ID@ a été retiré et n'est plus disponible.
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Changement d'heure
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'horloge système a été modifiée et positionnée à @REALTIME@ microsecondes
 après le 1er janvier 1970.
@@ -139,14 +139,14 @@ après le 1er janvier 1970.
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Fuseau horaire modifié en @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Le fuseau horaire du système a été modifié et positionné à @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Le démarrage du système est terminé
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Tous les services nécessaires au démarrage du système ont été lancés avec
 succès. Notez que cela ne signifie pas que le système est maintenant au
@@ -162,21 +162,21 @@ Le chargement de l'espace utilisateur a nécessité @USERSPACE_USEC@ microsecond
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Le système entre dans l'état de repos (sleep state) @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Le système est maintenant à l'état de repos (sleep state) @SLEEP@.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Le système sorti de l'état de repos (sleep state) @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Le système est maintenant sorti de l'état de repos (sleep state) @SLEEP@.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Arrêt du système amorcé
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'arrêt du système a été amorcé. L'arrêt a maintenant commencé, tous les
 services du système sont terminés et tous les systèmes de fichiers sont
@@ -185,49 +185,49 @@ démontés.
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: L'unité (unit) @UNIT@ a commencé à démarrer
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unité (unit) @UNIT@ a commencé à démarrer.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: L'unité (unit) @UNIT@ a terminé son démarrage
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unité (unit) @UNIT@ a terminé son démarrage, avec le résultat @RESULT@.
 
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: L'unité (unit) @UNIT@ a commencé à s'arrêter
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unité (unit) @UNIT@ a commencé à s'arrêter.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: L'unité (unit) @UNIT@ a terminé son arrêt
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unité (unit) @UNIT@ a terminé son arrêt.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: L'unité (unit) @UNIT@ a échoué
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unité (unit) @UNIT@ a échoué, avec le résultat @RESULT@.
 
 -- d34d037fff1847e6ae669a370e694725
 Subject: L'unité (unit) @UNIT@ a commencé à recharger sa configuration
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unité (unit) @UNIT@ a commencé à recharger sa configuration.
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: L'unité (unit) @UNIT@ a terminé de recharger configuration
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unité (unit) @UNIT@ a terminé de recharger configuration,
 avec le résultat @RESULT@.
@@ -235,7 +235,7 @@ avec le résultat @RESULT@.
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Le processus @EXECUTABLE@ n'a pas pu être exécuté
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Le processus @EXECUTABLE@ n'a pas pu être exécuté, et a donc échoué.
 
@@ -244,7 +244,7 @@ Le code d'erreur renvoyé est @ERRNO@.
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Un ou plusieurs messages n'ont pas pu être transmis à syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Un ou plusieurs messages n'ont pas pu être transmis au service syslog
 s'exécutant conjointement avec journald. Cela indique généralement que
@@ -254,7 +254,7 @@ la cadence du flux de messages.
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Le point de montage n'est pas vide
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Le répertoire @WHERE@ est spécifié comme point de montage (second champ du
 fichier /etc/fstab, ou champ Where= dans une unité (unit) systemd) et n'est
@@ -267,7 +267,7 @@ fichiers sous-jacent à un autre emplacement.
 -- 24d8d4452573402496068381a6312df2
 Subject: Une machine virtuelle ou un conteneur (container) a été démarré
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 La machine virtuelle @NAME@ a été démarrée avec le PID maître @LEADER@,
 et est maintenant prête à l'emploi.
@@ -275,14 +275,14 @@ et est maintenant prête à l'emploi.
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Une machine virtuelle ou un conteneur (container) a été arrêté
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 La machine virtuelle @NAME@ avec le PID maître @LEADER@ a été arrêtée.
 
 -- 36db2dfa5a9045e1bd4af5f93e1cf057
 Subject: Le mode DNSSEC a été désactivé, car il n'est pas supporté par le serveur
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 
 Le service de résolution (systemd-resolved.service) a détecté que le serveur
@@ -302,7 +302,7 @@ DNSSEC, ou qu'un attaquant a peut-être conduit une telle attaque avec succès.
 -- 1675d7f172174098b1108bf8c7dc8f5d
 Subject: La validation DNSSEC a échoué
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 Une requête ou une ressource DNS n'a pas passé la validation DNSSEC.
@@ -312,7 +312,7 @@ altéré.
 -- 4d4408cfd0d144859184d1e65d7c8a65
 Subject: Une ancre de confiance DNSSEC a été révoquée
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 Une ancre de confiance DNSSEC a été révoquée. Une nouvelle ancre de
diff --git a/catalog/systemd.hr.catalog b/catalog/systemd.hr.catalog.in
index 350988dd87..7502aed741 100644
--- a/catalog/systemd.hr.catalog
+++ b/catalog/systemd.hr.catalog.in
@@ -26,7 +26,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: journal je pokrenut
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Journal proces sustava se pokrenuo, otvorio je journal
  datoteke za upis i spreman je za obradu zahtjeva.
@@ -34,7 +34,7 @@ Journal proces sustava se pokrenuo, otvorio je journal
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: journal je zaustavljen
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Journal proces sustava je isklju�io i zatvorio sve trenutno
 aktivne journal datoteke.
@@ -42,7 +42,7 @@ aktivne journal datoteke.
 -- ec387f577b844b8fa948f33cad9a75e6
 Subject: Diskovni prostor koji koristi journal
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @JOURNAL_NAME@ (@JOURNAL_PATH@) trenutno koristi @CURRENT_USE_PRETTY@.
 Najveća dopuštena upotreba je postavljena na @MAX_USE_PRETTY@.
@@ -57,7 +57,7 @@ RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize= settings u
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Poruka iz usluge je potisnuta
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 Usluga je prijavila previše poruka u određenom vremenskom razdoblju. Poruke
@@ -73,7 +73,7 @@ sa RateLimitIntervalSec= i RateLimitBurst= u
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Journal poruka je propuštena
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Kernel poruka je izgubljena zato jer ih journal sustav nije mogao
 dovoljno brzo obraditi.
@@ -81,7 +81,7 @@ dovoljno brzo obraditi.
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Proces @COREDUMP_PID@ (@COREDUMP_COMM@) je izbacio jezgru
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Proces @COREDUMP_PID@ (@COREDUMP_COMM@) se srušio i izbacio jezgru.
@@ -92,7 +92,7 @@ trebalo bi se prijaviti razvijatelju kao greška.
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: Nova sesija @SESSION_ID@ je stvorena za korisnika @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Nova sesija sa ID @SESSION_ID@ je stvorena za korisnika @USER_ID@.
@@ -102,7 +102,7 @@ Glavni proces sesije je @LEADER@.
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Sesija @SESSION_ID@ je prekinuta
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Sesija sa ID @SESSION_ID@ je prekinuta.
@@ -110,7 +110,7 @@ Sesija sa ID @SESSION_ID@ je prekinuta.
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: Novo sjedište @SEAT_ID@ je sada dostupno
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Novo sjedište @SEAT_ID@ je podešeno i sada je dostupno.
@@ -118,7 +118,7 @@ Novo sjedište @SEAT_ID@ je podešeno i sada je dostupno.
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Sjedište @SEAT_ID@ je sada uklonjeno
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Sjedište @SEAT_ID@ je uklonjeno i više nije dostupno.
@@ -126,21 +126,21 @@ Sjedište @SEAT_ID@ je uklonjeno i više nije dostupno.
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Vrijeme promjene
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Sat sustava je promijenjen na @REALTIME@ microsekundi nakon 1. Sije�nja, 1970 godine.
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Vremenska zona je promijenjena u @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Vremenska zona je promijenjena u @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Pokretanje sustava je sada završeno
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Sve usluge sustava koje su zadane za pokretanje pri pokretanju sustava
 su uspješno pokrenute. Zapamtite da ovo ne zna�i da sada ra�unalo
@@ -155,21 +155,21 @@ Pokretanje prostora korisnika zahtijeva @USERSPACE_USEC@ mikrosekundi.
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Pokrenuto je stanje spavanja @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Sustav je sada pokrenuo stanje spavanja @SLEEP@
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Završeno je stanje spavanja @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Sustav je sada završio stanje spavanja @SLEEP@
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Pokrenuto je isklju�ivanje sustava
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Pokrenuto je isklju�ivanje sustava. Isklju�ivanje je sada pokrenuto,
 sve usluge sustava su prekinute i svi datote�ni sustavi su odmontirani.
@@ -177,14 +177,14 @@ sve usluge sustava su prekinute i svi datote�ni sustavi su odmontirani.
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: Jedinica @UNIT@ je zapo�ela pokretanje
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jedinica @UNIT@ je zapo�ela pokretanje.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Jedinica @UNIT@ je završila pokretanje
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jedinica @UNIT@ je završila pokretanje.
 
@@ -193,21 +193,21 @@ Rezultat pokretanja je @RESULT@.
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: Jedinica @UNIT@ je zapo�ela isklju�ivanje
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jedinica @UNIT@ je zapo�ela isklju�ivanje.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: Jedinica @UNIT@ je završila isklju�ivanje
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jedinica @UNIT@ je završila isklju�ivanje.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: Jedinica @UNIT@ nije uspjela
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jedinica @UNIT@ nije uspjela.
 
@@ -216,14 +216,14 @@ Rezultat je @RESULT@.
 -- d34d037fff1847e6ae669a370e694725
 Subject: Jedinica @UNIT@ je zapo�ela ponovno u�itavati podešavanja
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jedinica @UNIT@ je zapo�ela ponovno u�itavati podešavanja
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Jedinica @UNIT@ je završila ponovno u�itavati podešavanja
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jedinica @UNIT@ je završila ponovno u�itavati podešavanja
 
@@ -232,7 +232,7 @@ Rezultat je @RESULT@.
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Proces @EXECUTABLE@ se ne može pokrenuti
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Proces @EXECUTABLE@ se ne može pokrenuti i nije uspio.
 
@@ -241,7 +241,7 @@ Broj greške vraćen ovim procesom je @ERRNO@.
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Jedna ili više poruka se ne mogu proslijediti u dnevnik sustava
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jedna ili više poruka se ne mogu proslijediti u dnevnik sustava, usluge
 su pokrenute istovremeno s journalom. Ovo uobi�ajeno ozna�ava da
@@ -251,7 +251,7 @@ zahtjeva poruka.
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: To�ka montiranja nije prazna
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Direktorij @WHERE@ je određen za to�ku montiranja (drugi redak u
 /etc/fstab ili Where= redak u datoteci systemd jedinice) i nije prazan.
@@ -262,7 +262,7 @@ ru�no montirajte osnovni datote�ni sustav na drugu lokaciju.
 -- 24d8d4452573402496068381a6312df2
 Subject: Virtualni stroj ili spremnik su pokrenuti
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Virtualni stroj @NAME@ sa vodećim @LEADER@ PID-om je
 pokrenut i spreman je za korištenje.
@@ -270,7 +270,7 @@ pokrenut i spreman je za korištenje.
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Virtualni stroj ili spremnik su isklju�eni
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Virtualni stroj @NAME@ sa vodećim PID-om @LEADER@ je
 isklju�en.
@@ -278,7 +278,7 @@ isklju�en.
 -- 36db2dfa5a9045e1bd4af5f93e1cf057
 Subject: DNSSEC na�in je isklju�en, jer ga poslužitelj ne podržava
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 
 Usluga razrješavanja (systemd-resolved.service) je otkrila da
@@ -297,7 +297,7 @@ DNSSEC ili da je napada� uspješno izvršio takav napad.
 -- 1675d7f172174098b1108bf8c7dc8f5d
 Subject: DNSSEC provjera neuspješna
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 DNS zahtjev ili snimak resursa nije prošao DNSSEC provjeru. To uobi�ajeno
@@ -306,7 +306,7 @@ ozna�ava da je komunikacijski kanal mijenjan.
 -- 4d4408cfd0d144859184d1e65d7c8a65
 Subject: DNSSEC pouzdano sidro je opozvano
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 A DNSSEC trust anchor has been revoked. A new trust anchor has to be
diff --git a/catalog/systemd.hu.catalog b/catalog/systemd.hu.catalog.in
index 68e8c2572e..f538b7f958 100644
--- a/catalog/systemd.hu.catalog
+++ b/catalog/systemd.hu.catalog.in
@@ -26,7 +26,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: A napló elindult
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A rendszernapló folyamat elindult, megnyitotta írásra a naplófájlokat,
 és most készen áll kérések feldolgozására.
@@ -34,21 +34,21 @@ A rendszernapló folyamat elindult, megnyitotta írásra a naplófájlokat,
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: A napló leállt
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A rendszernapló folyamat leállt, és bezárt minden jelenleg aktív naplófájlt.
 
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Egy szolgáltatás üzenetei elnémítva
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
-Egy szolgáltatás túl sok üzenetet naplózott adott idő alatt. A 
+Egy szolgáltatás túl sok üzenetet naplózott adott idő alatt. A
 szolgáltatástól származó üzenetek eldobásra kerültek.
 
 Ne feledje, hogy csak a kérdéses szolgáltatás üzenetei kerültek eldobásra,
- más szolgáltatások üzeneteit ez nem befolyásolja. 
+ más szolgáltatások üzeneteit ez nem befolyásolja.
 
 Az üzenetek eldobását vezérlő korlátok az /etc/systemd/journald.conf
 RateLimitIntervalSec= és RateLimitBurst= beállításaival adhatók meg.
@@ -57,7 +57,7 @@ Részletekért lásd a journald.conf(5) man oldalt.
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Naplóüzenetek vesztek el
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Kernelüzenetek vesztek el, mert a naplózó rendszer nem tudta elég gyorsan
 feldolgozni azokat.
@@ -65,19 +65,19 @@ feldolgozni azokat.
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Egy folyamat összeomlott: @COREDUMP_PID@ (@COREDUMP_COMM@)
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Ez a folyamat: @COREDUMP_PID@ (@COREDUMP_COMM@) összeomlott, és core fájlt
  írt ki.
 
-Ez általában programozási hibát jelez az összeomló programban, és 
+Ez általában programozási hibát jelez az összeomló programban, és
 a szállítója felé kell bejelenteni.
 
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: Új munkamenet (@SESSION_ID@) létrehozva, felhasználója: @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Létrejött egy új munkamenet @SESSION_ID@ azonosítóval ezen felhasználóhoz:
@@ -88,7 +88,7 @@ A munkamenet vezető folyamata: @LEADER@.
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Munkamenet (@SESSION_ID@) befejezve
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 A következő azonosítójú munkamenet befejeződött: @SESSION_ID@.
@@ -96,7 +96,7 @@ A következő azonosítójú munkamenet befejeződött: @SESSION_ID@.
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: Elérhető egy új munkaállomás: @SEAT_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Beállításra kerül és használható egy új munkaállomás: @SEAT_ID@.
@@ -104,7 +104,7 @@ Beállításra kerül és használható egy új munkaállomás: @SEAT_ID@.
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: A munkaállomás eltávolítva: @SEAT_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 A munkaállomás el lett távolítva, és már nem érhető el: @SEAT_ID@
@@ -112,25 +112,25 @@ A munkaállomás el lett távolítva, és már nem érhető el: @SEAT_ID@
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Időmódosítás
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A rendszeróra beállítva @REALTIME@ ezredmásodpercre 1970. január 1. után.
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Időzóna-módosítás erre: @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A rendszer időzónája módosítva lett erre: @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: A rendszer indítása kész
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
-A rendszerindításkor szükséges indításhoz sorba állított összes 
-rendszerszolgáltatás elindult. Ne feledje, hogy ez nem jelenti, hogy a 
-gép üresjáratban van, mivel egyes szolgáltatások még az indítás 
+A rendszerindításkor szükséges indításhoz sorba állított összes
+rendszerszolgáltatás elindult. Ne feledje, hogy ez nem jelenti, hogy a
+gép üresjáratban van, mivel egyes szolgáltatások még az indítás
 befejezésével lehetnek elfoglalva.
 
 A kernel indítása @KERNEL_USEC@ ezredmásodpercet igényelt.
@@ -142,21 +142,21 @@ A felhasználói programok indítása @USERSPACE_USEC@ ezredmásodpercet igénye
 -- 6bbd95ee977941e497c48be27c254128
 Subject: A rendszer „@SLEEP@� alvási állapotba lépett
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A rendszer belépett ebbe az alvási állapotba: @SLEEP@.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: A rendszer „@SLEEP@� alvási állapotból kilépett
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A rendszer kilépett ebből az alvási állapotból: @SLEEP@.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Rendszer leállítása kezdeményezve
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A systemd leállítása kezdeményezve. A leállítás megkezdődött, minden
 rendszerszolgáltatás befejeződik, minden fájlrendszer leválasztásra kerül.
@@ -164,14 +164,14 @@ rendszerszolgáltatás befejeződik, minden fájlrendszer leválasztásra kerül
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: A(z) @UNIT@ egység indítása megkezdődött
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A(z) @UNIT@ egység megkezdte az indulást.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: A(z) @UNIT@ egység befejezte az indulást
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A(z) @UNIT@ egység befejezte az indulást
 
@@ -180,21 +180,21 @@ Az indítás eredménye: @RESULT@.
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: A(z) @UNIT@ egység megkezdte a leállást
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A(z) @UNIT@ egység megkezdte a leállást.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: A(z) @UNIT@ egység befejezte a leállást
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A(z) @UNIT@ egység befejezte a leállást.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: A(z) @UNIT@ egység hibát jelzett
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A(z) @UNIT@ egység hibát jelzett.
 
@@ -203,14 +203,14 @@ Az eredmény: @RESULT@.
 -- d34d037fff1847e6ae669a370e694725
 Subject: A(z) @UNIT@ egység megkezdte a beállításainak újratöltését
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A(z) @UNIT@ egység megkezdte a beállításainak újratöltését.
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: A(z) @UNIT@ egység befejezte a beállításainak újratöltését
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A(z) @UNIT@ egység befejezte a beállításainak újratöltését.
 
@@ -219,7 +219,7 @@ Az eredmény: @RESULT@.
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: A folyamat végrehajtása sikertelen: @EXECUTABLE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A folyamat végrehajtása sikertelen volt, és hibát jelzett: @EXECUTABLE@.
 
@@ -228,7 +228,7 @@ A folyamat által visszaadott hibaszám: @ERRNO@.
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Legalább egy üzenet nem továbbítható a rendszernaplónak
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Legalább egy üzenet nem volt továbbítható a journald-vel párhuzamosan futó
 syslog szolgáltatásnak. Ez általában azt jelenti, hogy a syslog
@@ -238,25 +238,25 @@ megvalósítás nem volt képes lépést tartani a sorba állított
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: A csatolási pont nem üres
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A csatolási pontként megadott @WHERE@ könyvtár (második mező az /etc/fstab
 fájlban, vagy a Where= sor a systemd egységfájlban) nem üres. Ez nem
 akadályozza meg a csatolást, de a könyvtárban már meglévő fájlok
 elérhetetlenné válnak. A fájlok láthatóvá tételéhez csatolja
-az azokat tartalmazó fájlrendszert egy másodlagos helyre. 
+az azokat tartalmazó fájlrendszert egy másodlagos helyre.
 
 -- 24d8d4452573402496068381a6312df2
 Subject: Egy virtuális gép vagy konténer elindult
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
-A(z) @NAME@ nevű virtuális gép (vezető PID: @LEADER@) elindult, és 
+A(z) @NAME@ nevű virtuális gép (vezető PID: @LEADER@) elindult, és
 használatra kész.
 
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Egy virtuális gép vagy konténer befejeződött
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A(z) @NAME@ nevű virtuális gép (vezető PID: @LEADER@) leállt.
diff --git a/catalog/systemd.it.catalog b/catalog/systemd.it.catalog.in
index b6fca48221..86e44a604d 100644
--- a/catalog/systemd.it.catalog
+++ b/catalog/systemd.it.catalog.in
@@ -20,7 +20,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: Il registro è stato avviato
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Il processo relativo al registro di sistema è stato avviato, ha aperto i
 file in scrittura ed è ora pronto a gestire richieste.
@@ -28,7 +28,7 @@ file in scrittura ed è ora pronto a gestire richieste.
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: Il registro è stato terminato
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Il processo relativo al registro di sistema è stato terminato e ha chiuso
 tutti i file attivi.
@@ -36,7 +36,7 @@ tutti i file attivi.
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: I messaggi di un servizio sono stati soppressi
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 Un servizio ha registrato troppi messaggi in un dato periodo di tempo.
@@ -52,7 +52,7 @@ con RateLimitIntervalSec= e RateLimitBurst= in
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: I messaggi di un servizio sono stati perduti
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 I messaggi del kernel sono stati perduti perché, il registro di sistema
 non è stato in grado di gestirli abbastanza velocemente.
@@ -60,7 +60,7 @@ non è stato in grado di gestirli abbastanza velocemente.
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Il processo @COREDUMP_PID@ (@COREDUMP_COMM@) ha generato un dump.
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Il processo @COREDUMP_PID@ (@COREDUMP_COMM@) si è bloccato generando un dump.
@@ -71,7 +71,7 @@ dovrebbe essere segnalato al vendor come un bug.
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: La nuova sessione @SESSION_ID@ è stata creata per l'utente @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Una nuova sessione con ID @SESSION_ID@ è stata creata per l'utente @USER_ID@.
@@ -81,7 +81,7 @@ Il processo primario della sessione è @LEADER@.
 -- 3354939424b4456d9802ca8333ed424a
 Subject: La sessione @SESSION_ID@ è terminata
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 La sessione con ID @SESSION_ID@ è terminata.
@@ -89,7 +89,7 @@ La sessione con ID @SESSION_ID@ è terminata.
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: La nuova postazione @SEAT_ID@ è ora disponibile
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 La nuova postazione @SEAT_ID@ è stata configurata ed è ora disponibile.
@@ -97,7 +97,7 @@ La nuova postazione @SEAT_ID@ è stata configurata ed è ora disponibile.
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: La postazione @SEAT_ID@ è stata rimossa
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 La postazione @SEAT_ID@ è stata rimossa e non è più disponibile.
@@ -105,21 +105,21 @@ La postazione @SEAT_ID@ è stata rimossa e non è più disponibile.
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Cambio d'orario
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'orologio di sistema è cambiato in @REALTIME@ microsecondi dal 1 gennaio, 1970.
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Il fuso orario è cambiato in @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Il fuso orario di sistema è cambiato in @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Avvio del sistema completato.
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Tutti i servizi di sistema richiesti per la fase di avvio sono stati eseguiti
 con successo. Nota che la macchina potrebbe non essere ancora pronta in quanto
@@ -134,21 +134,21 @@ L'avvio dello userspace ha richiesto @USERSPACE_USEC@ microsecondi.
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Il sistema è entrato in fase di pausa @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Il sistema è entrato nello stato di pausa @SLEEP@.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Il sistema è uscito dalla fase di pausa @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Il sistema è uscito dallo stato di pausa @SLEEP@.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Il sistema è in fase di spegnimento
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Systemd è in fase di spegnimento. Tutti i servizi di sistema
 saranno terminati e tutti i file systems smontati.
@@ -156,14 +156,14 @@ saranno terminati e tutti i file systems smontati.
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: L'unità @UNIT@ inizia la fase di avvio
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unità @UNIT@ ha iniziato la fase di avvio.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: L'unità @UNIT@ termina la fase di avvio
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unità @UNIT@ ha terminato la fase di avvio.
 
@@ -172,21 +172,21 @@ La fase di avvio è @RESULT@.
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: L'unità @UNIT@ inizia la fase di spegnimento
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unità @UNIT@ ha iniziato la fase di spegnimento.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: L'unità @UNIT@ termina la fase di spegnimento
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unità @UNIT@ ha terminato la fase di spegnimento.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: L'unità @UNIT@ è fallita
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unità @UNIT@ è fallita.
 
@@ -195,14 +195,14 @@ Il risultato è @RESULT@.
 -- d34d037fff1847e6ae669a370e694725
 Subject: L'unità @UNIT@ inizia a caricare la propria configurazione
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unità @UNIT@ è iniziata ricaricando la propria configurazione
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: L'unità @UNIT@ termina il caricamento della propria configurazione
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 L'unità @UNIT@ è terminata ricaricando la propria configurazione
 
@@ -211,7 +211,7 @@ Il risultato è @RESULT@.
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Il processo @EXECUTABLE@ non può essere eseguito
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Il processo @EXECUTABLE@ non può essere eseguito e termina.
 
@@ -220,7 +220,7 @@ Il numero di errore restituito durante l'esecuzione del processo è @ERRNO@.
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Uno o più messaggi non possono essere inoltrati a syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Uno o più messaggi non possono essere inviati al servizio syslog
 eseguito in parallelo a journald. Questo di solito capita perché,
@@ -230,7 +230,7 @@ velocità dei messaggi accodati.
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Il punto di montaggio non è vuoto
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 La directory @WHERE@ è specificata come punto di montaggio (secondo campo
 in /etc/fstab o nel campo Where= del file unità di systemd) e non è vuoto.
@@ -241,7 +241,7 @@ di montare manualmente il file system indicato in una posizione secondaria.
 -- 24d8d4452573402496068381a6312df2
 Subject: Avviata macchina virtuale o container
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 La macchina virtuale @NAME@ con PID primario @LEADER@ è stata
 avviata ed è pronta all'uso.
@@ -249,6 +249,6 @@ avviata ed è pronta all'uso.
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Terminata macchina virtuale o container
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 La macchina virtuale @NAME@ con PID primario @LEADER@ è stata spenta.
diff --git a/catalog/systemd.ko.catalog b/catalog/systemd.ko.catalog.in
index 2fc6b60b1b..8a053254ee 100644
--- a/catalog/systemd.ko.catalog
+++ b/catalog/systemd.ko.catalog.in
@@ -29,7 +29,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: 저� 시작
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 시스템 저� 프로세스를 시작했고 기�목�으로 저� 파�� 열었으며,
 프로세스 요청� 기다리고 있습니다.
@@ -37,7 +37,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: 저� 멈춤
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 시스템 저� 프로세스를 �고 현재 활성화 중� 저� 파�� 모�
 닫았습니다.
@@ -45,7 +45,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: 서비스� 메시지를 거절함
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 �정 시간�안 서비스�서 너무 많� 메시지를 기�했습니다.
@@ -61,7 +61,7 @@ RateLimitIntervalSec= 변수와 RateLimitBurst= 변수로 설정합니다.
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: 저� 메시지 놓침
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 저� 시스템�서 커� 메시지를 충분히 빠르게 처리할 수 없어 커�
  메시지를 잃었습니다.
@@ -69,7 +69,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: 프로세스 @COREDUMP_PID@번 코어 �프(@COREDUMP_COMM@) �성함
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 프로세스 @COREDUMP_PID@번 (@COREDUMP_COMM@)� 비정��으로 �나
@@ -81,7 +81,7 @@ Documentation: man:core(5)
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: @USER_ID@ 사용�� 새 @SESSION_ID@ 세션 만듦
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 @USER_ID@ 사용�� 새 @SESSION_ID@ 세션� 만들었습니다.
@@ -91,7 +91,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- 3354939424b4456d9802ca8333ed424a
 Subject: @SESSION_ID@ 세션 마침
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 @SESSION_ID@ 세션� �냈습니다.
@@ -99,7 +99,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: 새 @SEAT_ID@ 시트 사용할 수 있�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 새 @SEAT_ID@ 시트를 설정했고 사용할 수 있습니다.
@@ -107,7 +107,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: @SEAT_ID@ 시트 제거함
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 @SEAT_ID@ 시트를 제거했으며 ��� 사용할 수 없습니다.
@@ -115,7 +115,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: 시간 바꿈
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 시스템 시계를 1970년 1월 1� �후로 @REALTIME@ 마��로초 지난 값으로
 설정했습니다.
@@ -123,14 +123,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: @TIMEZONE@ 시간대로 시간대 바꿈
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 시스템 시간대를 @TIMEZONE@ 시간대로 바꾸었습니다.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: 시스템 시� 마침
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 부팅 과정� 시작하려고 준비한 모든 시스템 서비스를 성공�으로
  시작했습니다. 머신� 서비스처럼 대기중��는 �미는 아니며
@@ -145,21 +145,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 6bbd95ee977941e497c48be27c254128
 Subject: @SLEEP@ 대기 �태 진입
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @SLEEP@ 대기 �태로 진입했습니다.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: @SLEEP@ 대기 �태 마침
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @SLEEP@ 대기 �태를 마쳤습니다.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: 컴퓨터 �기 시작
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 컴퓨터 �기 �작� 시작했습니다. 모든 시스템 �작� 멈추고
 모든 파� 시스템� 마운트를 해제합니다.
@@ -167,14 +167,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: @UNIT@ 유닛 시작
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ 유닛� 시작했습니다.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: @UNIT@ 유닛 시� 마침
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ 유닛 시�� 마쳤습니다.
 
@@ -183,21 +183,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: @UNIT@ 유닛 �내기 �작 시작
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ 유닛 �내기 �작� 시작했습니다.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: @UNIT@ 유닛 �내기 �작 마침
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ 유닛 �내기 �작� 마쳤습니다.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: @UNIT@ 유닛 �작 실패
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ 유닛 �작� 실패했습니다.
 
@@ -206,14 +206,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d34d037fff1847e6ae669a370e694725
 Subject: @UNIT@ 유닛 설정 다시 �기 시작
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ 유닛� 설정 다시 �기를 시작했습니다
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: @UNIT@ 유닛 설정 다시 �기 완료
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ 유닛� 설정 다시 �기 �작� �냈습니다.
 
@@ -222,7 +222,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: @EXECUTABLE@ 프로세스 시작할 수 없�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @EXECUTABLE@ 프로세스를 시작할 수 없어 실행� 실패했습니다.
 
@@ -231,7 +231,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: 하나 ��� 메시지를 syslog� 전달할 수 없�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 journald 서비스와 �시� 실행중� syslog 서비스� 하나 ��� 메시지를
 전달할 수 없습니다. 보통 순차�으로 오는 메시지� ��를 syslog 구현체가
@@ -240,7 +240,7 @@ journald 서비스와 ë�™ì‹œì—� 실행중ì�¸ syslog 서비스ì—� 하나 ì�´ìƒ�ì�
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: 마운트 지� 비어있지 않�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @WHERE@ 디렉터리를 마운트 지�으로 지정했으며 (/etc/fstab 파��
  �번째 필드 �는 systemd 유닛 파�� Where= 필드) 비어있지 않습니다.
@@ -251,7 +251,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 24d8d4452573402496068381a6312df2
 Subject: 가� 머신 �는 컨테�너 시작
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @LEADER@ 프로세스 ID로 �작하는 @NAME@ 가� 머신� 시작했으며,
 �제부터 사용할 수 있습니다.
@@ -259,6 +259,6 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 58432bd3bace477cb514b56381b8a758
 Subject: 가� 머신 �는 컨테�너 마침
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @LEADER@ 프로세스 ID로 �작하는 @NAME@ 가� 머신� �습니다.
diff --git a/catalog/systemd.pl.catalog b/catalog/systemd.pl.catalog.in
index d8059e93cd..33c2122974 100644
--- a/catalog/systemd.pl.catalog
+++ b/catalog/systemd.pl.catalog.in
@@ -27,7 +27,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: Uruchomiono dziennik
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Systemowy proces dziennika został uruchomiony, otworzył pliki dziennika do
 zapisu i jest gotowy do przetwarzania żądań.
@@ -35,7 +35,7 @@ zapisu i jest gotowy do przetwarzania żądań.
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: Zatrzymano dziennik
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Systemowy proces dziennika został wyłączony i zamknął wszystkie obecnie
 aktywne pliki dziennika.
@@ -43,7 +43,7 @@ aktywne pliki dziennika.
 -- ec387f577b844b8fa948f33cad9a75e6
 Subject: Miejsce na dysku używane przez dziennik
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @JOURNAL_NAME@ (@JOURNAL_PATH@) obecnie używa @CURRENT_USE_PRETTY@.
 Maksymalnie może używać @MAX_USE_PRETTY@.
@@ -59,7 +59,7 @@ informacji.
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Ograniczono komunikaty z usługi
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 Usługa zapisała za dużo komunikatów w określonym czasie. Komunikaty z usługi
@@ -75,7 +75,7 @@ za pomocÄ… opcji RateLimitIntervalSec= i RateLimitBurst= w pliku
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Utracono komunikaty dziennika
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Komunikaty jądra zostały utracone, ponieważ system dziennika nie mógł
 przetworzyć ich odpowiednio szybko.
@@ -83,7 +83,7 @@ przetworzyć ich odpowiednio szybko.
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Proces @COREDUMP_PID@ (@COREDUMP_COMM@) zrzucił plik core
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Proces @COREDUMP_PID@ (@COREDUMP_COMM@) uległ awarii i zrzucił plik core.
@@ -94,7 +94,7 @@ zgłoszone jego producentowi jako błąd.
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: Utworzono nową sesję @SESSION_ID@ dla użytkownika @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Nowa sesja o identyfikatorze @SESSION_ID@ została utworzona dla użytkownika
@@ -105,7 +105,7 @@ Proces prowadzÄ…cy sesji: @LEADER@.
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Zakończono sesję @SESSION_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Sesja o identyfikatorze @SESSION_ID@ została zakończona.
@@ -113,7 +113,7 @@ Sesja o identyfikatorze @SESSION_ID@ została zakończona.
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: Dostępne jest nowe stanowisko @SEAT_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Nowe stanowisko @SEAT_ID@ zostało skonfigurowane i jest teraz dostępne.
@@ -121,7 +121,7 @@ Nowe stanowisko @SEAT_ID@ zostało skonfigurowane i jest teraz dostępne.
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Usunięto stanowisko @SEAT_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Stanowisko @SEAT_ID@ zostało usunięte i nie jest już dostępne.
@@ -129,21 +129,21 @@ Stanowisko @SEAT_ID@ zostało usunięte i nie jest już dostępne.
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Zmiana czasu
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Zegar systemowy został zmieniony na @REALTIME@ μs po 1 stycznia 1970.
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Zmiana strefy czasowej na @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Systemowa strefa czasowa została zmieniona na @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Ukończono uruchamianie systemu
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Wszystkie usługi systemowe obowiązkowo zakolejkowane do włączenia podczas
 uruchamiania systemu zostały pomyślnie uruchomione. Proszę zauważyć, że nie
@@ -159,21 +159,21 @@ Uruchamianie przestrzeni użytkownika zajęło @USERSPACE_USEC@ μs.
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Przejście do stanu uśpienia @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 System przeszedł do stanu uśpienia @SLEEP@.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Wyjście ze stanu uśpienia @SLEEP@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 System wyszedł ze stanu uśpienia @SLEEP@.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Zainicjowano wyłączenie systemu
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Zainicjowano wyłączenie systemd. Wyłączenie zostało rozpoczęte i wszystkie
 usługi systemowe zostały zakończone, a wszystkie systemy plików odmontowane.
@@ -181,14 +181,14 @@ usługi systemowe zostały zakończone, a wszystkie systemy plików odmontowane.
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: Rozpoczęto uruchamianie jednostki @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jednostka @UNIT@ rozpoczęła uruchamianie.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Ukończono uruchamianie jednostki @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jednostka @UNIT@ ukończyła uruchamianie.
 
@@ -197,21 +197,21 @@ Wynik uruchamiania: @RESULT@.
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: Rozpoczęto wyłączanie jednostki @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jednostka @UNIT@ rozpoczęła wyłączanie.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: Ukończono wyłączanie jednostki @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jednostka @UNIT@ ukończyła wyłączanie.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: Jednostka @UNIT@ się nie powiodła
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jednostka @UNIT@ się nie powiodła.
 
@@ -220,14 +220,14 @@ Wynik: @RESULT@.
 -- d34d037fff1847e6ae669a370e694725
 Subject: Rozpoczęto ponowne wczytywanie konfiguracji jednostki @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jednostka @UNIT@ rozpoczęła ponowne wczytywanie swojej konfiguracji.
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Ukończono ponowne wczytywanie konfiguracji jednostki @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jednostka @UNIT@ ukończyła ponowne wczytywanie swojej konfiguracji.
 
@@ -236,7 +236,7 @@ Wynik: @RESULT@.
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Nie można wykonać procesu @EXECUTABLE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Proces @EXECUTABLE@ nie mógł zostać wykonany i się nie powiódł.
 
@@ -245,7 +245,7 @@ Numer błędu zwrócony przez ten proces: @ERRNO@.
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Nie można przekazać jednego lub więcej komunikatów do syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Jeden lub więcej komunikatów nie może zostać przekazanych do usługi syslog
 uruchomionej obok journald. Zwykle oznacza to, że implementacja syslog nie
@@ -254,7 +254,7 @@ jest w stanie nadążyć za prędkością kolejki komunikatów.
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Punkt montowania nie jest pusty
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Katalog @WHERE@ został podany jako punkt montowania (drugie pole w pliku
 /etc/fstab lub pole Where= w pliku jednostki systemd) i nie jest pusty. Nie
@@ -265,7 +265,7 @@ plików w innym położeniu.
 -- 24d8d4452573402496068381a6312df2
 Subject: Uruchomiono maszynÄ™ wirtualnÄ… lub kontener
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Maszyna wirtualna @NAME@ (PID prowadzący @LEADER@) została uruchomiona i jest
 gotowa do użycia.
@@ -273,14 +273,14 @@ gotowa do użycia.
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Zakończono maszynę wirtualną lub kontener
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Maszyna wirtualna @NAME@ (PID prowadzący @LEADER@) została wyłączona.
 
 -- 36db2dfa5a9045e1bd4af5f93e1cf057
 Subject: Wyłączono tryb DNSSEC, ponieważ serwer go nie obsługuje
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 
 Usługa resolver (systemd-resolved.service) wykryła, że skonfigurowany serwer
@@ -298,7 +298,7 @@ albo że atakującemu udało się upozorować atak tego typu.
 -- 1675d7f172174098b1108bf8c7dc8f5d
 Subject: Walidacja DNSSEC się nie powiodła
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 Zapytanie DNS lub ustawiony wpis zasobu nie przeszedł walidacji DNSSEC.
@@ -307,7 +307,7 @@ Zwykle wskazuje to, że ktoś manipulował używanym kanałem komunikacji.
 -- 4d4408cfd0d144859184d1e65d7c8a65
 Subject: Unieważniono kotwicę zaufania DNSSEC
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 Kotwica zaufania DNSSEC została unieważniona. Należy skonfigurować nową, albo
diff --git a/catalog/systemd.pt_BR.catalog b/catalog/systemd.pt_BR.catalog.in
index 8b856e8355..e461c2b2ba 100644
--- a/catalog/systemd.pt_BR.catalog
+++ b/catalog/systemd.pt_BR.catalog.in
@@ -27,7 +27,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: O jornal foi inciado
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 O processo jornal do sistema foi iniciado, arquivos foram abertos e está
 pronto para processar requisições.
@@ -35,7 +35,7 @@ pronto para processar requisições.
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: O jornal foi interrompido
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 O processo do jornal do sistema foi desligado e todos os arquivos de jornal
 do sistema foram fechados.
@@ -43,7 +43,7 @@ do sistema foram fechados.
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Mensagens de um serviço foram suprimidas
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 Um serviço registrou no log um número excessivo de mensagens dentro de um
@@ -59,7 +59,7 @@ configurado com RateLimitIntervalSec= e RateLimitBurst= no
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Mensagens do jornal foram perdidas
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Mensagens do kernel foram perdidas pois o sistema do jornal não pôde
 processá-las em velocidade suficiente para a demanda.
@@ -67,7 +67,7 @@ processá-las em velocidade suficiente para a demanda.
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Processo @COREDUMP_PID@ (@COREDUMP_COMM@) despejou núcleo
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Processo @COREDUMP_PID@ (@COREDUMP_COMM@) travou e despejou o núcleo.
@@ -78,7 +78,7 @@ deveria ser relatado para seu fabricante como um erro.
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: A nova sessão @SESSION_ID@ foi criada para usuário o @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Uma nova sessão com o ID @SESSION_ID@ foi criada para o usuário @USER_ID@.
@@ -88,7 +88,7 @@ O processo originador da sessão é @LEADER@.
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Sessão @SESSION_ID@ foi terminada
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Um sessão com o ID @SESSION_ID@ foi terminada.
@@ -96,7 +96,7 @@ Um sessão com o ID @SESSION_ID@ foi terminada.
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: Um novo seat @SEAT_ID@ está disponível
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Um novo seat @SEAT_ID@ foi configurado e está disponível.
@@ -104,7 +104,7 @@ Um novo seat @SEAT_ID@ foi configurado e está disponível.
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Seat @SEAT_ID@ foi removido agora
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Um seat @SEAT_ID@ foi removido e não está mais disponível.
@@ -112,7 +112,7 @@ Um seat @SEAT_ID@ foi removido e não está mais disponível.
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Time change
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 O relógio do sistema foi alterado para @REALTIME@ microssegundos após 1º de
 janeiro de 1970.
@@ -120,14 +120,14 @@ janeiro de 1970.
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Fuso horário alterado para @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 O fuso horário do sistema foi alterado para @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Inicialização do sistema foi concluída
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Todos os serviços do sistema necessários que estão enfileirados para
 executar na inicialização do sistema, foram iniciados com sucesso. Note
@@ -143,21 +143,21 @@ Inicialização do espaço do usuário precisou de @USERSPACE_USEC@ microssegund
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Estado de suspensão do sistema @SLEEP@ iniciado
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 O sistema entrou agora no estado de suspensão @SLEEP@.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Estado de suspensão do sistema @SLEEP@ finalizado
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 O sistema saiu agora do estado de suspensão @SLEEP@.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Desligamento do sistema iniciado
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Desligamento do sistema foi inicializado. O desligamento se iniciou e todos
 os serviços do sistema foram terminados e todos os sistemas desmontados.
@@ -165,14 +165,14 @@ os serviços do sistema foram terminados e todos os sistemas desmontados.
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: Unidade @UNIT@ sendo iniciado
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A unidade @UNIT@ está sendo iniciada.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Unidade @UNIT@ concluiu a inicialização
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A unidade @UNIT@ concluiu a inicialização.
 
@@ -181,21 +181,21 @@ The start-up result is @RESULT@.
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: Unidade @UNIT@ sendo desligado
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A unidade @UNIT@ está sendo desligada.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: A unidade @UNIT@ concluiu o desligamento
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A unidade @UNIT@ concluiu o desligamento.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: A unidade @UNIT@ falhou
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A unidade @UNIT@ falhou.
 
@@ -204,14 +204,14 @@ O resultado é @RESULT@.
 -- d34d037fff1847e6ae669a370e694725
 Subject: Unidade @UNIT@ iniciou recarregamento de sua configuração
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A unidade @UNIT@ iniciou o recarregamento de sua configuração.
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Unidade @UNIT@ concluiu recarregamento de sua configuração
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A unidade @UNIT@ concluiu o recarregamento de sua configuração.
 
@@ -220,7 +220,7 @@ O resultado é @RESULT@.
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Processo @EXECUTABLE@ não pôde ser executado
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 O processo @EXECUTABLE@ não pôde ser executado e falhou.
 
@@ -229,7 +229,7 @@ O número de erro retornado por este processo é @ERRNO@.
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Uma ou mais mensagens não puderam ser encaminhadas para o syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Uma ou mais mensagens não puderam ser encaminhadas para o serviço do syslog
 em execução paralela ao journald. Isso normalmente indica que a implementação
@@ -239,7 +239,7 @@ enfileiradas.
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Ponto de montagem não está vazio
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 O diretório @WHERE@ está especificado como ponto de montagem (o segundo campo
 no /etc/fstab ou campo Where= no arquivo de unidade do systemd) e não está
@@ -251,7 +251,7 @@ arquivos subjacente para uma localização secundária.
 -- 24d8d4452573402496068381a6312df2
 Subject: Uma máquina virtual ou contêiner foi iniciado
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A máquina virtual @NAME@ com seu PID @LEADER@ incial foi iniciada e está
 pronto para ser usad.
@@ -259,6 +259,6 @@ pronto para ser usad.
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Uma máquina virtual ou contêiner foi terminado
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 A máquina virtual @NAME@ com seu PID @LEADER@ incial foi desligada.
diff --git a/catalog/systemd.ru.catalog b/catalog/systemd.ru.catalog.in
index e56dbe3acc..df55478592 100644
--- a/catalog/systemd.ru.catalog
+++ b/catalog/systemd.ru.catalog.in
@@ -29,7 +29,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: Запущена �лужба журналировани�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Проце��, отвечающий за журналирование �и�темных �обытий, у�пешно запу�тил��,
 открыл дл� запи�и файлы журнала, и готов обрабатывать запро�ы.
@@ -38,7 +38,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: Служба журналировани� о�тановлена
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Проце��, отвечающий за журналирование �и�темных �обытий, завершил работу и
 закрыл в�е �вои файлы.
@@ -47,26 +47,26 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- ec387f577b844b8fa948f33cad9a75e6
 Subject: Ме�то на ди�ке, зан�тое журналом
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @JOURNAL_NAME@ (@JOURNAL_PATH@) �ейча� занимает @CURRENT_USE_PRETTY@.
 Мак�имальный разрешенный размер �о�тавл�ет @MAX_USE_PRETTY@.
-О�тавл�ем �вободными как минимум @DISK_KEEP_FREE_PRETTY@ (�ейча� на ди�ке 
+О�тавл�ем �вободными как минимум @DISK_KEEP_FREE_PRETTY@ (�ейча� на ди�ке
 �вободно @DISK_AVAILABLE_PRETTY@).
 Таким образом, предел и�пользовани� �о�тавл�ет @LIMIT_PRETTY@, из которых
 @AVAILABLE_PRETTY@ пока �вободно.
 
 Ограничени� на размер журнала на�траивают�� при помощи параметров
-SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=, RuntimeMaxUse=, 
+SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=, RuntimeMaxUse=,
 RuntimeKeepFree=, RuntimeMaxFileSize= в файле /etc/systemd/journald.conf.
-Более подробные �ведени� вы можете получить на �правочной �транице 
+Более подробные �ведени� вы можете получить на �правочной �транице
 journald.conf(5).
 
 # Subject: Messages from a service have been suppressed
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Ча�ть �ообщений от �лужбы пропущена
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 Служба отправила �лишком много �ообщений за короткий промежуток времени.
@@ -84,7 +84,7 @@ journald.conf(5).
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Ча�ть �ообщений �дра пропущена
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Ча�ть �ообщений, по�тупивших от �дра, была потер�на, так как �лужба
 журналировани� не у�пела их обработать.
@@ -93,7 +93,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Проце�� @COREDUMP_PID@ (@COREDUMP_COMM@) �бро�ил дамп пам�ти
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Проце�� @COREDUMP_PID@ (@COREDUMP_COMM@) завершил�� из-за критиче�кой ошибки.
@@ -106,7 +106,7 @@ Documentation: man:core(5)
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: Дл� пользовател� @USER_ID@ �оздан новый �еан� @SESSION_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Дл� пользовател� @USER_ID@ �оздан новый �еан� � идентификатором @SESSION_ID@.
@@ -117,7 +117,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Сеан� @SESSION_ID@ завершен
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Сеан� � идентификатором @SESSION_ID@ завершил��.
@@ -126,7 +126,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: Добавлено новое рабочее ме�то @SEAT_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 �овое рабочее ме�то (seat) @SEAT_ID@ полно�тью на�троено и готово к
@@ -136,7 +136,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Рабочее ме�то @SEAT_ID@ отключено
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Рабочее ме�то (seat) @SEAT_ID@ было отключено.
@@ -145,7 +145,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Переведены �и�темные ча�ы
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�темные ча�ы были переведены. Сейча� они показывают @REALTIME@ микро�екунд
 � момента 00:00:00 1 �нвар� 1970 года.
@@ -154,7 +154,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Ча�овой по�� изменен на @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�темный ча�овой по�� был изменен. �овое значение: @TIMEZONE@.
 
@@ -162,7 +162,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Запу�к �и�темы завершен
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 В�е �и�темные �лужбы, запу�к которых предпи�ан на�тройками, были запущены.
 Впрочем, �то ещё не означает, что �и�тема в данный момент ничем не зан�та,
@@ -179,7 +179,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Си�тема перешла в �о�то�ние �на (@SLEEP@)
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�тема была переведена в �о�то�ние �на (@SLEEP@).
 
@@ -187,7 +187,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Си�тема вышла из �о�то�ни� �на (@SLEEP@)
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�тема была выведена из �о�то�ни� �на (@SLEEP@).
 
@@ -195,7 +195,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Подготовка �и�темы к выключению
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 �ачат проце�� подготовки к выключению компьютера. О�танавливают�� в�е �и�темные
 �лужбы, отмонтируют�� в�е файловые �и�темы.
@@ -204,7 +204,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: �ачинает�� запу�к юнита @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 �ачат проце�� запу�ка юнита @UNIT@.
 
@@ -212,7 +212,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Запу�к юнита @UNIT@ завершен
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Проце�� запу�ка юнита @UNIT@ был завершен.
 
@@ -222,7 +222,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: �ачинает�� о�тановка юнита @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 �ачат проце�� о�тановки юнита @UNIT@.
 
@@ -230,7 +230,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: Завершена о�тановка юнита @UNIT@.
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Проце�� о�тановки юнита @UNIT@ был завершен.
 
@@ -238,7 +238,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: Ошибка юнита @UNIT@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Произошел �бой юнита @UNIT@.
 
@@ -248,7 +248,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d34d037fff1847e6ae669a370e694725
 Subject: Юнит @UNIT@ начал перечитывать �вои на�тройки
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Юнит @UNIT@ начал проце�� перечитывани� �воей конфигурации.
 
@@ -256,7 +256,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Юнит @UNIT@ завершил перечитывание �воих на�троек
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Юнит @UNIT@ завершил проце�� перечитывани� �воей конфигурации.
 
@@ -266,7 +266,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: �е удало�ь запу�тить проце�� @EXECUTABLE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Сбой: не удало�ь запу�тить проце�� @EXECUTABLE@.
 
@@ -276,7 +276,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Ча�ть �ообщений не удало�ь передать проце��у syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 �е удало�ь передать некоторые �ообщени� демону �и�темного лога (syslog),
 дублирующему работу �лужбы �и�темного журнала. Скорее в�его, причина в том, что
@@ -287,7 +287,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Каталог, �вл�ющий�� точкой монтировани�, не пу�т
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Каталог @WHERE@, который был указан в каче�тве точки монтировани� (во втором
 �толбце файла /etc/fstab, либо в параметре Where= файла конфигурации юнита),
@@ -299,7 +299,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 24d8d4452573402496068381a6312df2
 Subject: Запущена виртуальна� машина/контейнер
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Виртуальна� машина @NAME@ (идентификатор главного проце��а: @LEADER@) запущена и
 готова к работе.
@@ -308,7 +308,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 58432bd3bace477cb514b56381b8a758
 Subject: О�тановлена виртуальна� машина/контейнер
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Виртуальна� машина @NAME@ (идентификатор главного проце��а: @LEADER@) выключена.
 
@@ -316,11 +316,11 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 36db2dfa5a9045e1bd4af5f93e1cf057
 Subject: Механизм DNSSEC был отключен, так как DNS-�ервер его не поддерживает
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8) resolved.conf(5)
 
 Служба разрешени� имен хо�тов (systemd-resolved.service) определила, что
-указанный в на�тойках DNS-�ервер не поддерживает технологию DNSSEC, и 
+указанный в на�тойках DNS-�ервер не поддерживает технологию DNSSEC, и
 автоматиче�ки отключила DNSSEC-проверки.
 
 Данное �обытие возникает, е�ли в файле resolved.conf указан параметр
@@ -329,7 +329,7 @@ DNSSEC=allow-downgrade, и выше�то�щий DNS-�ервер не подд
 "DNSSEC downgrade", в ходе которой атакующий хакер блокирует проверки DNSSEC
 путем отправки ложных �ообщений от имени DNS-�ервера.
 
-Возникновение данного �обыти� может �видетель�твовать как о том, что ваш 
+Возникновение данного �обыти� может �видетель�твовать как о том, что ваш
 DNS-�ервер не поддерживает DNSSEC, так и о том, что некий хакер у�пешно провел
 против ва� атаку, направленную на блокировку DNSSEC-проверок.
 
@@ -337,7 +337,7 @@ DNS-�ервер не поддерживает DNSSEC, так и о том, чт
 -- 1675d7f172174098b1108bf8c7dc8f5d
 Subject: Проверка DNSSEC провалена
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
 DNS-запро� или отдельна� ре�ур�на� запи�ь не прошла проверку DNSSEC.
@@ -347,8 +347,8 @@ DNS-запро� или отдельна� ре�ур�на� запи�ь не
 -- 4d4408cfd0d144859184d1e65d7c8a65
 Subject: Открытый ключ DNSSEC был отозван
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
-Открытый ключ (trust ahcnor) DNSSEC был отозван. �еобходимо на�троить новый 
+Открытый ключ (trust ahcnor) DNSSEC был отозван. �еобходимо на�троить новый
 открытый ключ, либо обновить �и�тему, чтобы получить обновленный открытый ключ.
diff --git a/catalog/systemd.sr.catalog b/catalog/systemd.sr.catalog.in
index cc689b7956..06a0ff648c 100644
--- a/catalog/systemd.sr.catalog
+++ b/catalog/systemd.sr.catalog.in
@@ -26,7 +26,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: Журнал је покренут
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�тем�ки журнал�ки проце� �е покренуо, отворио журнал�ке
 датотеке за упи� и �преман је за обраду захтева.
@@ -34,7 +34,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: Журнал је зау�тављен
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�тем�ки журнал�ки проце� �е зау�тавио и затворио �ве тренутно
 отворене журнал�ке датотеке.
@@ -42,7 +42,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: Поруке од у�луге �у утишане
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 У�луга је упи�ала �увише порука за једно време. Поруке
@@ -58,7 +58,7 @@ Documentation: man:journald.conf(5)
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: Журнал�ке поруке �у изгубљене
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Поруке кернела �у изгубљене јер журнал�ки �и�тем није могао да их
 обради довољно брзо.
@@ -66,7 +66,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: Проце� @COREDUMP_PID@ (@COREDUMP_COMM@) је избацио �воје језгро
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 Проце� @COREDUMP_PID@ (@COREDUMP_COMM@) је пао и избацио �воје језгро.
@@ -77,7 +77,7 @@ Documentation: man:core(5)
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: �ова �е�ија @SESSION_ID@ је направљена за кори�ника @USER_ID@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 �ова �е�ија �а ИБ-ом @SESSION_ID@ је направљена за кори�ника @USER_ID@.
@@ -87,7 +87,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- 3354939424b4456d9802ca8333ed424a
 Subject: Се�ија @SESSION_ID@ је окончана
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Се�ија �а ИБ-ом @SESSION_ID@ је окончана.
@@ -95,7 +95,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: �ово �едиште @SEAT_ID@ је �ада до�тупно
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 �ово �едиште @SEAT_ID@ је и�подешавано и �ада је до�тупно.
@@ -103,7 +103,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: Седиште @SEAT_ID@ је �ада уклоњено
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 Седиште @SEAT_ID@ је �ада уклоњено и више није до�тупно.
@@ -111,21 +111,21 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: Време је промењено
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�тем�ки �ат је �ада подешен на @REALTIME@ микро�екунде након 1. јануара 1970. године.
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: Времен�ка зона је промењена на @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Времен�ка зона је промењена на @TIMEZONE@.
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: Подизање �и�тема је �ада готово
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Све �и�тем�ке у�луге које �у заказане за подизање �у у�пешно покренуте.
 Знајте да ово не значи да је машина �ада бе�по�лена јер у�луге могу
@@ -140,21 +140,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 6bbd95ee977941e497c48be27c254128
 Subject: Си�тем�ко �тање �павања @SLEEP@ започето
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�тем је �ада ушао у @SLEEP@ �тање �павања.
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: Си�тем�ко �тање �павања @SLEEP@ напуштено
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�тем је изашао из @SLEEP@ �тања �павања.
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: Гашење �и�тема започето
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Си�тем-де гашење је започето. Гашење је �ада почело и �ве
 �и�тем�ке у�луге �у окончане и �ви �и�теми датотека откачени.
@@ -162,14 +162,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: Јединица @UNIT@ је почела �а покретањем
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Јединица @UNIT@ је почела �а покретањем.
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: Јединица @UNIT@ је завршила �а покретањем
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Јединица @UNIT@ је завршила �а покретањем.
 
@@ -178,21 +178,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: Јединица @UNIT@ је почела �а гашењем
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Јединица @UNIT@ је почела �а гашењем.
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: Јединица @UNIT@ је завршила �а гашењем
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Јединица @UNIT@ је завршила �а гашењем.
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: Јединица @UNIT@ је пукла
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Јединица @UNIT@ је пукла.
 
@@ -201,14 +201,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d34d037fff1847e6ae669a370e694725
 Subject: Јединица @UNIT@ је почела �а поновним учитавањем �вог подешавања
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Јединица @UNIT@ је почела �а поновним учитавањем �вог подешавања
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: Јединица @UNIT@ је завршила �а поновним учитавањем �вог подешавања
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Јединица @UNIT@ је завршила �а поновним учитавањем �вог подешавања
 
@@ -217,7 +217,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: Проце� @EXECUTABLE@ није могао бити извршен
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Проце� @EXECUTABLE@ није могао бити извршен и пукао је.
 
@@ -226,7 +226,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: Једна или више порука није могло бити про�леђено �и�тем�ком запи�нику
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Једна или више порука није могло бити про�леђено „syslog“ у�лузи
 која ради упоредно �а журнал-деом. Ово обично значи да �проведена
@@ -236,7 +236,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: Тачка качења није празна
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Директоријум @WHERE@ је наведен као тачка качења (друго поље у
 /etc/fstab датотеци или у „Where=“ пољу �и�тем-де јединичне датотеке)
@@ -248,7 +248,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 24d8d4452573402496068381a6312df2
 Subject: Виртуелна машина или контејнер је покренут(а)
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Виртуелна машина @NAME@ �а водећим ПИБ-ом @LEADER@ је
 покренута и �ада је �премна за коришћење.
@@ -256,7 +256,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 58432bd3bace477cb514b56381b8a758
 Subject: Виртуелна машина или контејнер је окончан(а)
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Виртуелна машина @NAME@ �а водећим ПИБ-ом @LEADER@ је
 угашена.
diff --git a/catalog/systemd.zh_CN.catalog b/catalog/systemd.zh_CN.catalog.in
index ed59fc9250..ba7c697c16 100644
--- a/catalog/systemd.zh_CN.catalog
+++ b/catalog/systemd.zh_CN.catalog.in
@@ -27,21 +27,21 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: 日志已开始
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系统日志进程已�动，已打开供写入的日志文件并准备好处�请求。
 
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: 日志已�止
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系统日志进程已终止，并已关闭所有当�活动的日志文件。
 
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: 由�个�务而�的消�已被抑制
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 �个�务在一个时间周期内记录了太多消�。
@@ -57,7 +57,7 @@ Documentation: man:journald.conf(5)
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: 日志消�已�失
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 因日志系统对内核消�的处�速度�够快，
 部分信�已��失。
@@ -65,7 +65,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: 进程 @COREDUMP_PID@ (@COREDUMP_COMM@) 核心已转储
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 进程 @COREDUMP_PID@ (@COREDUMP_COMM@) 已崩溃并进行核心转储。
@@ -75,7 +75,7 @@ Documentation: man:core(5)
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: 一个新会� @SESSION_ID@ 已为用户 @USER_ID@ 建立
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 一个 ID 为 @SESSION_ID@ 的新会�已为用户 @USER_ID@ 建立。
@@ -85,7 +85,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- 3354939424b4456d9802ca8333ed424a
 Subject: 会� @SESSION_ID@ 已终止
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 一个 ID 为 @SESSION_ID@ 的会�已终止。
@@ -93,7 +93,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: 一个新的座� @SEAT_ID@ �用
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 一个新的座� @SEAT_ID@ 已被�置并已�用。
@@ -101,7 +101,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: 座� @SEAT_ID@ 已被移除
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 座� @SEAT_ID@ 已被移除并���用。
@@ -109,21 +109,21 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: 时间已�更
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系统时钟已�更为1970年1月1日� @REALTIME@ 微秒。
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: 时区�更为 @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系统时区已�更为 @TIMEZONE@。
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: 系统�动已完�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 所有系统�动时需�的系统�务�已�功�动。
 请注�这并�代表现在机器已�空闲，因为�些�务�能�处于完��动的过程中。
@@ -144,14 +144,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-deve
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: 系统已离开 @SLEEP@ �眠状�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系统现已离开 @SLEEP@ �眠状�。
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: 系统关机已开始
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系统关机�作已�始化。
 关机已开始，所有系统�务�已结�，所有文件系统已�载。
@@ -159,14 +159,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: @UNIT@ �元已开始�动
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ �元已开始�动。
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: @UNIT@ �元已结��动
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ �元已结��动。
 
@@ -175,21 +175,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: @UNIT@ �元已开始�止�作
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ �元已开始�止�作。
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: @UNIT@ �元已结��止�作
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ �元已结��止�作。
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: @UNIT@ �元已失败
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ �元已失败。
 
@@ -198,14 +198,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d34d037fff1847e6ae669a370e694725
 Subject: @UNIT@ �元已开始�新载入其�置
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ �元已开始�新载入其�置。
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: @UNIT@ �元已结��置�载入
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 @UNIT@ �元已结��置�载入�作。
 
@@ -214,7 +214,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: 进程 @EXECUTABLE@ 无法执行
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 进程 @EXECUTABLE@ 无法被执行并已失败。
 
@@ -223,7 +223,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: 一个或更多消�无法被转�至 syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 有一�或更多的消�无法被转�至与 journald �时�行的 syslog �务。
 这通常�味� syslog 实现无法跟上队列中消�进入的速度。
@@ -231,7 +231,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: 挂载点�为空
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 目录 @WHERE@ 被指定为挂载点（� /etc/fstab 文件的第二�，或 systemd �元
 文件的 Where= 字段），且该目录�空。
@@ -241,13 +241,13 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 24d8d4452573402496068381a6312df2
 Subject: 一个虚拟机或容器已�动
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 虚拟机 @NAME@，以�其首进程 PID @LEADER@，已被�动并�被使用。
 
 -- 58432bd3bace477cb514b56381b8a758
 Subject: 一个虚拟机或容器已被终止
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 虚拟机 @NAME@，以�其首进程 PID @LEADER@，已被关闭并�止。
diff --git a/catalog/systemd.zh_TW.catalog b/catalog/systemd.zh_TW.catalog.in
index aa5004db08..f7b42fa1c7 100644
--- a/catalog/systemd.zh_TW.catalog
+++ b/catalog/systemd.zh_TW.catalog.in
@@ -27,7 +27,7 @@
 -- f77379a8490b408bbe5f6940505a777b
 Subject: 日誌已開始
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系統日誌行程已啟動，已開啟日誌
 檔案供寫入並準備好�行程的�求�出回應。
@@ -35,7 +35,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d93fb3c9c24d451a97cea615ce59c00b
 Subject: 日誌已�止
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系統日誌行程已關閉，且關閉所有目�
 活�的日誌檔案。
@@ -43,7 +43,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- a596d6fe7bfa4994828e72309e95d61e
 Subject: 從�務而來的訊�已被抑制
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:journald.conf(5)
 
 有一個�務在一個時間週期內記錄了太多訊�。
@@ -59,7 +59,7 @@ RateLimitIntervalSec= 以� RateLimitBurst=
 -- e9bf28e6e834481bb6f48f548ad13606
 Subject: 日誌訊�已�失
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 因日誌系統�核心訊�的處��夠快速，
 部份訊�已�失。
@@ -67,7 +67,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- fc2e22bc6ee647b6b90729ab34a250b1
 Subject: 行程 @COREDUMP_PID@ (@COREDUMP_COMM@) 核心傾�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: man:core(5)
 
 行程 @COREDUMP_PID@ (@COREDUMP_COMM@) 當掉並核心傾�。
@@ -78,7 +78,7 @@ Documentation: man:core(5)
 -- 8d45620c1a4348dbb17410da57c60c66
 Subject: 新的工作階段 @SESSION_ID@ 已為使用者 @USER_ID@ 建立
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 一個新的工作階段，ID @SESSION_ID@ 已為使用者 @USER_ID@ 建立。
@@ -88,7 +88,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- 3354939424b4456d9802ca8333ed424a
 Subject: 工作階段 @SESSION_ID@ 已��
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 一個工作階段，ID @SESSION_ID@ 已��。
@@ -96,7 +96,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- fcbefc5da23d428093f97c82a9290f7b
 Subject: 新的座� @SEAT_ID@ �用
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 一個新的座� @SEAT_ID@ 已被設定且�在�用。
@@ -104,7 +104,7 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- e7852bfe46784ed0accde04bc864c2d5
 Subject: 座� @SEAT_ID@ 已被移除
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 
 座� @SEAT_ID@ 已被移除且���用。
@@ -112,21 +112,21 @@ Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
 -- c7a787079b354eaaa9e77b371893cd27
 Subject: 時間變更
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系統時間已變更為1970年1月1日後 @REALTIME@ 微秒。
 
 -- 45f82f4aef7a4bbf942ce861d1f20990
 Subject: 時�變更為 @TIMEZONE@
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系統時�已變更為 @TIMEZONE@。
 
 -- b07a249cd024414a82dd00cd181378ff
 Subject: 系統啟動已完�
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 所有開機所必�的系統�務都已�功啟動。
 注�這並�代表這臺機器有空閒的時間
@@ -141,21 +141,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 6bbd95ee977941e497c48be27c254128
 Subject: 系統進入 @SLEEP@ �眠狀態
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系統�在已進入 @SLEEP@ �眠狀態。
 
 -- 8811e6df2a8e40f58a94cea26f8ebf14
 Subject: 系統離開 @SLEEP@ �眠狀態
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 系統�在已離開 @SLEEP@ �眠狀態。
 
 -- 98268866d1d54a499c4e98921d93bc40
 Subject: 系統關機開始
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 Systemd 關閉已經開始。關閉已開始且所有系統�務
 都已��，所有的檔案系統也都已被�載。
@@ -163,14 +163,14 @@ Systemd 關閉已經開始。關閉已開始且所有系統�務
 -- 7d4958e842da4a758f6c1cdc7b36dcc5
 Subject: 單� @UNIT@ 已開始啟動
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 單� @UNIT@ 已開始啟動。
 
 -- 39f53479d3a045ac8e11786248231fbf
 Subject: 單� @UNIT@ 啟動已��
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 單� @UNIT@ 啟動已��。
 
@@ -179,21 +179,21 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- de5b426a63be47a7b6ac3eaac82e2f6f
 Subject: 單� @UNIT@ 已開始關閉
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 單� @UNIT@ 已開始關閉。
 
 -- 9d1aaa27d60140bd96365438aad20286
 Subject: 單� @UNIT@ 已關閉��
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 單� @UNIT@ 已關閉��。
 
 -- be02cf6855d2428ba40df7e9d022f03d
 Subject: 單� @UNIT@ 已失敗
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 單� @UNIT@ 已失敗。
 
@@ -202,14 +202,14 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- d34d037fff1847e6ae669a370e694725
 Subject: 單� @UNIT@ 已開始�新載入其設定
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 單� @UNIT@ 已開始�新載入其設定
 
 -- 7b05ebc668384222baa8881179cfda54
 Subject: 單� @UNIT@ 已���新載入其設定
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 單� @UNIT@ 已���新載入其設定
 
@@ -218,7 +218,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 641257651c1b4ec9a8624d7a40a9e1e7
 Subject: 行程 @EXECUTABLE@ 無法執行
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 行程 @EXECUTABLE@ 無法執行且失敗。
 
@@ -227,7 +227,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 0027229ca0644181a76c4e92458afa2e
 Subject: 一個或更多訊�無法被轉發到 syslog
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 一個或更多訊�無法被轉發到 syslog �務
 以�並行執行的 journald。這通常代表著
@@ -237,7 +237,7 @@ syslog 實作並無未跟上佇列中訊�
 -- 1dee0369c7fc4736b7099b38ecb46ee7
 Subject: 掛載點�為空
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 目錄 @WHERE@ 被指定為掛載點（在 /etc/fstab 中的
 第二欄或是在 systemd 單�檔案中的 Where= 欄�）且其�為空。
@@ -249,7 +249,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 24d8d4452573402496068381a6312df2
 Subject: 虛擬機器或容器已啟動
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 虛擬機器 @NAME@ 包�它的領導 PID @LEADER@ �在
 已經開始並已經�以使用。
@@ -257,7 +257,7 @@ Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 -- 58432bd3bace477cb514b56381b8a758
 Subject: 虛擬機器或容器已��
 Defined-By: systemd
-Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
+Support: %SUPPORT_URL%
 
 虛擬機器 @NAME@ 包�它的領導 PID @LEADER@ 已經
 關閉。
diff --git a/configure.ac b/configure.ac
index 1326eebc6a..dd5f51fd7c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -551,6 +551,14 @@ AC_ARG_WITH([certificate-root],
 
 AC_SUBST(CERTIFICATEROOT)
 
+AC_ARG_WITH([support-url],
+        AS_HELP_STRING([--with-support-url=URL],
+                [Specify the supoport URL to show in catalog entries included in systemd]),
+        [SUPPORT_URL="$withval"],
+        [SUPPORT_URL=http://lists.freedesktop.org/mailman/listinfo/systemd-devel])
+
+AC_SUBST(SUPPORT_URL)
+
 # ------------------------------------------------------------------------------
 have_xz=no
 AC_ARG_ENABLE(xz, AS_HELP_STRING([--disable-xz], [Disable optional XZ support]))
@@ -1665,6 +1673,7 @@ AC_MSG_RESULT([
         Maximum System UID:                ${SYSTEM_UID_MAX}
         Maximum System GID:                ${SYSTEM_GID_MAX}
         Certificate root:                  ${CERTIFICATEROOT}
+        Support URL:                       ${SUPPORT_URL}
 
         CFLAGS:   ${OUR_CFLAGS} ${CFLAGS}
         CPPFLAGS: ${OUR_CPPFLAGS} ${CPPFLAGS}
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 920ce9e89b..024ad6a9c1 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -202,6 +202,23 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>Cache=</varname></term>
+        <listitem><para>Takes a boolean argument. If "yes" (the default),
+        resolving a domain name which already got queried earlier will re-use
+        the previous result as long as that is still valid, and thus does not
+        need to do an actual network request.</para>
+
+        <para>However, local caching slightly increases the chance of a
+        successful DNS poisoning attack, and might also be a privacy problem in
+        some environments: By measuring the time it takes to resolve a
+        particular network name, a user can determine whether any other user on
+        the same machine recently visited that name. If either of these is a
+        concern, you may disable the local caching. Be aware that this comes at
+        a performance cost, which is <emphasis>very</emphasis> high with DNSSEC.
+        </para></listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
diff --git a/man/sd_notify.xml b/man/sd_notify.xml
index bd6cfdcd29..025fbec6c1 100644
--- a/man/sd_notify.xml
+++ b/man/sd_notify.xml
@@ -250,6 +250,15 @@
         restrictions, it is ignored.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>WATCHDOG_USEC=...</term>
+
+        <listitem><para>Reset <varname>watchdog_usec</varname> value during runtime.
+        Notice that this is not available when using <function>sd_event_set_watchdog()</function>
+        or <function>sd_watchdog_enabled()</function>.
+        Example : <literal>WATCHDOG_USEC=20000000</literal></para></listitem>
+      </varlistentry>
+
     </variablelist>
 
     <para>It is recommended to prefix variable names that are not
diff --git a/man/systemctl.xml b/man/systemctl.xml
index 914af929c8..742da81cfe 100644
--- a/man/systemctl.xml
+++ b/man/systemctl.xml
@@ -481,6 +481,9 @@
           <para>When used with <command>enable</command>, overwrite
           any existing conflicting symlinks.</para>
 
+          <para>When used with <command>edit</command>, create all of the
+          specified units which do not already exist.</para>
+
           <para>When used with <command>halt</command>, <command>poweroff</command>, <command>reboot</command> or
           <command>kexec</command>, execute the selected operation without shutting down all units. However, all
           processes will be killed forcibly and all file systems are unmounted or remounted read-only. This is hence a
@@ -1303,6 +1306,9 @@ kobject-uevent 1 systemd-udevd-kernel.socket systemd-udevd.service
             <para>If <option>--full</option> is specified, this will copy the
             original units instead of creating drop-in files.</para>
 
+            <para>If <option>--force</option> is specified and any units do
+            not already exist, new unit files will be opened for editing.</para>
+
             <para>If <option>--runtime</option> is specified, the changes will
             be made temporarily in <filename>/run</filename> and they will be
             lost on the next reboot.</para>
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 08122795f4..c436f42948 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -67,69 +67,82 @@
   <refsect1>
     <title>Description</title>
 
-    <para><command>systemd-nspawn</command> may be used to run a
-    command or OS in a light-weight namespace container. In many ways
-    it is similar to
-    <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-    but more powerful since it fully virtualizes the file system
-    hierarchy, as well as the process tree, the various IPC subsystems
-    and the host and domain name.</para>
-
-    <para><command>systemd-nspawn</command> limits access to various
-    kernel interfaces in the container to read-only, such as
-    <filename>/sys</filename>, <filename>/proc/sys</filename> or
-    <filename>/sys/fs/selinux</filename>. Network interfaces and the
-    system clock may not be changed from within the container. Device
-    nodes may not be created. The host system cannot be rebooted and
-    kernel modules may not be loaded from within the container.</para>
-
-    <para>Note that even though these security precautions are taken
-    <command>systemd-nspawn</command> is not suitable for fully secure
-    container setups. Many of the security features may be
-    circumvented and are hence primarily useful to avoid accidental
-    changes to the host system from the container.</para>
-
-    <para>In contrast to
-    <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
-    may be used to boot full Linux-based operating systems in a
+    <para><command>systemd-nspawn</command> may be used to run a command or OS in a light-weight namespace
+    container. In many ways it is similar to <citerefentry
+    project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but more powerful
+    since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and
+    the host and domain name.</para>
+
+    <para>Like <citerefentry
+    project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> the
+    <command>systemd-nspawn</command> command may be invoked on any directory tree containing an operating system tree,
+    using the <option>--directory=</option> command line option. By using the <option>--machine=</option> option an OS
+    tree is automatically searched in a couple of locations, most importantly in
+    <filename>/var/lib/machines</filename>, the suggested directory to place container images installed on the
+    system.</para>
+
+    <para>In contrast to <citerefentry
+    project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
+    may be used to boot full Linux-based operating systems in a container.</para>
+
+    <para><command>systemd-nspawn</command> limits access to various kernel interfaces in the container to read-only,
+    such as <filename>/sys</filename>, <filename>/proc/sys</filename> or <filename>/sys/fs/selinux</filename>. The
+    host's network interfaces and the system clock may not be changed from within the container. Device nodes may not
+    be created. The host system cannot be rebooted and kernel modules may not be loaded from within the
     container.</para>
 
-    <para>Use a tool like
-    <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
-    <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
-    or
-    <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-    to set up an OS directory tree suitable as file system hierarchy
-    for <command>systemd-nspawn</command> containers.</para>
-
-    <para>Note that <command>systemd-nspawn</command> will mount file
-    systems private to the container to <filename>/dev</filename>,
-    <filename>/run</filename> and similar. These will not be visible
-    outside of the container, and their contents will be lost when the
-    container exits.</para>
-
-    <para>Note that running two <command>systemd-nspawn</command>
-    containers from the same directory tree will not make processes in
-    them see each other. The PID namespace separation of the two
-    containers is complete and the containers will share very few
-    runtime objects except for the underlying file system. Use
-    <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
-    <command>login</command> command to request an additional login
-    prompt in a running container.</para>
-
-    <para><command>systemd-nspawn</command> implements the
-    <ulink
-    url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
-    Interface</ulink> specification.</para>
-
-    <para>As a safety check <command>systemd-nspawn</command> will
-    verify the existence of <filename>/usr/lib/os-release</filename>
-    or <filename>/etc/os-release</filename> in the container tree
-    before starting the container (see
-    <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
-    It might be necessary to add this file to the container tree
-    manually if the OS of the container is too old to contain this
+    <para>Use a tool like <citerefentry
+    project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry
+    project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or
+    <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> to
+    set up an OS directory tree suitable as file system hierarchy for <command>systemd-nspawn</command> containers. See
+    the Examples section below for details on suitable invocation of these commands.</para>
+
+    <para>As a safety check <command>systemd-nspawn</command> will verify the existence of
+    <filename>/usr/lib/os-release</filename> or <filename>/etc/os-release</filename> in the container tree before
+    starting the container (see
+    <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>).  It might be
+    necessary to add this file to the container tree manually if the OS of the container is too old to contain this
     file out-of-the-box.</para>
+
+    <para><command>systemd-nspawn</command> may be invoked directly from the interactive command line or run as system
+    service in the background. In this mode each container instance runs as its own service instance; a default
+    template unit file <filename>systemd-nspawn@.service</filename> is provided to make this easy, taking the container
+    name as instance identifier. Note that different default options apply when <command>systemd-nspawn</command> is
+    invoked by the template unit file than interactively on the commnd line. Most importanly the template unit file
+    makes use of the <option>--boot</option> which is not the default in case <command>systemd-nspawn</command> is
+    invoked from the interactive command line. Further differences with the defaults are documented dalong with the
+    various supported options below.</para>
+
+    <para>The <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool may
+    be used to execute a number of operations on containers. In particular it provides easy-to-use commands to run
+    containers as system services using the <filename>systemd-nspawn@.service</filename> template unit
+    file.</para>
+
+    <para>Along with each container a settings file with the <filename>.nspawn</filename> suffix may exist, containing
+    additional settings to apply when running the container. See
+    <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+    details. Settings files override the default options used by the <filename>systemd-nspawn@.service</filename>
+    template unit file, making it usually unnecessary to alter this template file directly.</para>
+
+    <para>Note that <command>systemd-nspawn</command> will mount file systems private to the container to
+    <filename>/dev</filename>, <filename>/run</filename> and similar. These will not be visible outside of the
+    container, and their contents will be lost when the container exits.</para>
+
+    <para>Note that running two <command>systemd-nspawn</command> containers from the same directory tree will not make
+    processes in them see each other. The PID namespace separation of the two containers is complete and the containers
+    will share very few runtime objects except for the underlying file system. Use
+    <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
+    <command>login</command> or <command>shell</command> commands to request an additional login session in a running
+    container.</para>
+
+    <para><command>systemd-nspawn</command> implements the <ulink
+    url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container Interface</ulink>
+    specification.</para>
+
+    <para>While running, containers invoked with <command>systemd-nspawn</command> are registered with the
+    <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry> service that
+    keeps track of running containers, and provides programming interfaces to interact with them.</para>
   </refsect1>
 
   <refsect1>
@@ -139,7 +152,7 @@
     are used as arguments for the init binary. Otherwise,
     <replaceable>COMMAND</replaceable> specifies the program to launch
     in the container, and the remaining arguments are used as
-    arguments for this program. If <option>-b</option> is not used and
+    arguments for this program. If <option>--boot</option> is not used and
     no arguments are specified, a shell is launched in the
     container.</para>
 
@@ -310,6 +323,9 @@
             </tbody>
           </tgroup>
         </table>
+
+        <para>Note that <option>--boot</option> is the default mode of operation if the
+        <filename>systemd-nspawn@.service</filename> template unit file is used.</para>
         </listitem>
       </varlistentry>
 
@@ -446,7 +462,10 @@
 
         <listitem><para>If the kernel supports the user namespaces feature, equivalent to
         <option>--private-users=pick</option>, otherwise equivalent to
-        <option>--private-users=no</option>.</para></listitem>
+        <option>--private-users=no</option>.</para>
+
+        <para>Note that <option>-U</option> is the default if the <filename>systemd-nspawn@.service</filename> template unit
+        file is used.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -540,6 +559,9 @@
         assignment via DHCP. In case <filename>systemd-networkd</filename> is running on both the host and inside the
         container, automatic IP communication from the container to the host is thus available, with further
         connectivity to the external network.</para>
+
+        <para>Note that <option>--network-veth</option> is the default if the
+        <filename>systemd-nspawn@.service</filename> template unit file is used.</para>
         </listitem>
       </varlistentry>
 
@@ -705,7 +727,10 @@
         Effectively, booting a container once with
         <literal>guest</literal> or <literal>host</literal> will link
         the journal persistently if further on the default of
-        <literal>auto</literal> is used.</para></listitem>
+        <literal>auto</literal> is used.</para>
+
+        <para>Note that <option>--link-journal=try-guest</option> is the default if the
+        <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -981,10 +1006,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><varname>--notify-ready=</varname></term>
+        <term><option>--notify-ready=</option></term>
 
         <listitem><para>Configures support for notifications from the container's init process.
-        <varname>--notify-ready=</varname> takes a boolean (<option>no</option> and  <option>yes</option>).
+        <option>--notify-ready=</option> takes a boolean (<option>no</option> and  <option>yes</option>).
         With option <option>no</option> systemd-nspawn notifies systemd
         with a <literal>READY=1</literal> message when the init process is created.
         With option <option>yes</option> systemd-nspawn waits for the
diff --git a/man/systemd-resolve.xml b/man/systemd-resolve.xml
index b917ac20a2..ca26bb4d49 100644
--- a/man/systemd-resolve.xml
+++ b/man/systemd-resolve.xml
@@ -114,6 +114,12 @@
     and IPv6 addresses. If the parameters specified are formatted as IPv4 or IPv6 operation the reverse operation is
     done, and a hostname is retrieved for the specified addresses.</para>
 
+    <para>The program's output contains information about the protocol used for the look-up and on which network
+    interface the data was discovered. It also contains information on whether the information could be
+    authenticated. All data for which local DNSSEC validation succeeds is considered authenticated. Moreover all data
+    originating from local, trusted sources is also reported authenticated, including resolution of the local host
+    name, the <literal>localhost</literal> host name or all data from <filename>/etc/hosts</filename>.</para>
+
     <para>The <option>--type=</option> switch may be used to specify a DNS resource record type (A, AAAA, SOA, MX, ...) in
     order to request a specific DNS resource record, instead of the address or reverse address lookups.
     The special value <literal>help</literal> may be used to list known values.</para>
@@ -294,8 +300,15 @@
         <listitem><para>Flushes all DNS resource record caches the service maintains locally.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--status</option></term>
+
+        <listitem><para>Shows the global and per-link DNS settings in currently in effect.</para></listitem>
+      </varlistentry>
+
       <xi:include href="standard-options.xml" xpointer="help" />
       <xi:include href="standard-options.xml" xpointer="version" />
+      <xi:include href="standard-options.xml" xpointer="no-pager" />
     </variablelist>
   </refsect1>
 
diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml
index 485f3e9aee..0df037ba69 100644
--- a/man/systemd-resolved.service.xml
+++ b/man/systemd-resolved.service.xml
@@ -58,27 +58,45 @@
 
     <para><command>systemd-resolved</command> is a system service that provides network name resolution to local
     applications. It implements a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR resolver and
-    responder. In addition it maintains the <filename>/run/systemd/resolve/resolv.conf</filename> file for
-    compatibility with traditional Linux programs. This file may be symlinked from
-    <filename>/etc/resolv.conf</filename>.</para>
-
-    <para>The glibc NSS module
-    <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry> is required to
-    permit glibc's NSS resolver functions to resolve host names via <command>systemd-resolved</command>.</para>
-
-    <para>The DNS servers contacted are determined from the global
-    settings in <filename>/etc/systemd/resolved.conf</filename>, the
-    per-link static settings in <filename>/etc/systemd/network/*.network</filename> files,
-    and the per-link dynamic settings received over DHCP. See
-    <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-    and
-    <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-    for details. To improve compatibility,
-    <filename>/etc/resolv.conf</filename> is read in order to discover
-    configured system DNS servers, but only if it is not a symlink
-    to <filename>/run/systemd/resolve/resolv.conf</filename> (see above).</para>
+    responder. Local applications may submit network name resolution requests via three interfaces:</para>
+
+    <itemizedlist>
+      <listitem><para>The native, fully-featured API <command>systemd-resolved</command> exposes on the bus. See the
+      <ulink url="http://www.freedesktop.org/wiki/Software/systemd/resolved">API Documentation</ulink> for
+      details. Usage of this API is generally recommended to clients as it is asynchronous and fully featured (for
+      example, properly returns DNSSEC validation status and interface scope for addresses as necessary for supporting
+      link-local networking).</para></listitem>
+
+      <listitem><para>The glibc
+      <citerefentry><refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum></citerefentry> API (as defined
+      by <ulink url="https://tools.ietf.org/html/rfc3493">RFC3493</ulink>) and its related resolver functions,
+      including <citerefentry><refentrytitle>gethostbyname</refentrytitle><manvolnum>3</manvolnum></citerefentry>. This
+      API is widely supported, including beyond the Linux platform. In its current form it does not expose DNSSEC
+      validation status information however, and is synchronous only. This API is backed by the glibc Name Service
+      Switch (<citerefentry><refentrytitle>nss</refentrytitle><manvolnum>5</manvolnum></citerefentry>). Usage of the
+      glibc NSS module <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+      is required in order to allow glibc's NSS resolver functions to resolve host names via
+      <command>systemd-resolved</command>.</para></listitem>
+
+      <listitem><para>Additionally, <command>systemd-resolved</command> provides a local DNS stub listener on IP
+      address 127.0.0.53 on the local loopback interface. Programs issuing DNS requests directly, bypassing any local
+      API may be directed to this stub, in order to connect them <command>systemd-resolved</command>. Note however that
+      it is strongly recommended that local programs use the glibc NSS or bus APIs instead (as described above), as
+      various network resolution concepts (such as link-local addressing, or LLMNR Unicode domains) cannot be mapped to
+      the unicast DNS protocol.</para></listitem>
+    </itemizedlist>
 
-    <para><command>systemd-resolved</command> synthesizes DNS RRs for the following cases:</para>
+    <para>The DNS servers contacted are determined from the global settings in
+    <filename>/etc/systemd/resolved.conf</filename>, the per-link static settings in
+    <filename>/etc/systemd/network/*.network</filename> files, the per-link dynamic settings received over DHCP and any
+    DNS server information made available by other system services. See
+    <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
+    <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details
+    about systemd's own configuration files for DNS servers. To improve compatibility,
+    <filename>/etc/resolv.conf</filename> is read in order to discover configured system DNS servers, but only if it is
+    not a symlink to <filename>/run/systemd/resolve/resolv.conf</filename> (see below).</para>
+
+    <para><command>systemd-resolved</command> synthesizes DNS resource records (RRs) for the following cases:</para>
 
     <itemizedlist>
       <listitem><para>The local, configured hostname is resolved to
@@ -137,15 +155,46 @@
     per-interface domains are exclusively routed to the matching
     interfaces.</para>
 
-    <para>Note that <filename>/run/systemd/resolve/resolv.conf</filename> should not be used directly by applications,
-    but only through a symlink from <filename>/etc/resolv.conf</filename>.</para>
-
     <para>See the <ulink url="http://www.freedesktop.org/wiki/Software/systemd/resolved"> resolved D-Bus API
     Documentation</ulink> for information about the APIs <filename>systemd-resolved</filename> provides.</para>
 
   </refsect1>
 
   <refsect1>
+    <title><filename>/etc/resolv.conf</filename></title>
+
+    <para>Three modes of handling <filename>/etc/resolv.conf</filename> (see
+    <citerefentry><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) are
+    supported:</para>
+
+    <itemizedlist>
+      <listitem><para>A static file <filename>/usr/lib/systemd/resolv.conf</filename> is provided that lists
+      the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from
+      <filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs to
+      <command>systemd-resolved</command>. This mode of operation is recommended.</para></listitem>
+
+      <listitem><para><command>systemd-resolved</command> maintains the
+      <filename>/run/systemd/resolve/resolv.conf</filename> file for compatibility with traditional Linux
+      programs. This file may be symlinked from <filename>/etc/resolv.conf</filename> and is always kept up-to-date,
+      containing information about all known DNS servers. Note the file format's limitations: it does not know a
+      concept of per-interface DNS servers and hence only contains system-wide DNS server definitions. Note that
+      <filename>/run/systemd/resolve/resolv.conf</filename> should not be used directly by applications, but only
+      through a symlink from <filename>/etc/resolv.conf</filename>. If this mode of operation is used local clients
+      that bypass any local DNS API will also bypass <command>systemd-resolved</command> and will talk directly to the
+      known DNS servers.</para> </listitem>
+
+      <listitem><para>Alternatively, <filename>/etc/resolv.conf</filename> may be managed by other packages, in which
+      case <command>systemd-resolved</command> will read it for DNS configuration data. In this mode of operation
+      <command>systemd-resolved</command> is consumer rather than provider of this configuration
+      file. </para></listitem>
+    </itemizedlist>
+
+    <para>Note that the selected mode of operation for this file is detected fully automatically, depending on whether
+    <filename>/etc/resolv.conf</filename> is a symlink to <filename>/run/systemd/resolve/resolv.conf</filename> or
+    lists 127.0.0.53 as DNS server.</para>
+  </refsect1>
+
+  <refsect1>
     <title>Signals</title>
 
     <variablelist>
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index dbfc7692f7..ed02666daf 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1413,6 +1413,19 @@
         </para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>RestrictRealtime=</varname></term>
+
+        <listitem><para>Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of
+        the unit are refused. This restricts access to realtime task scheduling policies such as
+        <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See
+        <citerefentry><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about
+        these scheduling policies. Realtime scheduling policies may be used to monopolize CPU time for longer periods
+        of time, and may hence be used to lock up or otherwise trigger Denial-of-Service situations on the system. It
+        is hence recommended to restrict access to realtime scheduling to the few programs that actually require
+        them. Defaults to off.</para></listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml
index 6df4aeb2a9..b1344d6c10 100644
--- a/man/systemd.nspawn.xml
+++ b/man/systemd.nspawn.xml
@@ -146,7 +146,8 @@
         specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
         <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
         <command>systemd-nspawn</command> command line. This option may not be combined with
-        <varname>ProcessTwo=yes</varname>.</para></listitem>
+        <varname>ProcessTwo=yes</varname>. This option is the default if the
+        <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -257,7 +258,8 @@
 
         <listitem><para>Configures support for usernamespacing. This is equivalent to the
         <option>--private-users=</option> command line switch, and takes the same options. This option is privileged
-        (see above). </para></listitem>
+        (see above). This option is the default if the <filename>systemd-nspawn@.service</filename> template unit file
+        is used.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -367,13 +369,11 @@
       <varlistentry>
         <term><varname>VirtualEthernet=</varname></term>
 
-        <listitem><para>Takes a boolean argument. Configures whether
-        to create a virtual Ethernet connection
-        (<literal>veth</literal>) between host and the container. This
-        setting implies <varname>Private=yes</varname>. This setting
-        corresponds to the <option>--network-veth</option> command
-        line switch. This option is privileged (see
-        above).</para></listitem>
+        <listitem><para>Takes a boolean argument. Configures whether to create a virtual Ethernet connection
+        (<literal>veth</literal>) between host and the container. This setting implies
+        <varname>Private=yes</varname>. This setting corresponds to the <option>--network-veth</option> command line
+        switch. This option is privileged (see above). This option is the default if the
+        <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 341789cd47..85a7b12d76 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1234,7 +1234,7 @@
           <row>
       <entry><literal>%f</literal></entry>
       <entry>Unescaped filename</entry>
-      <entry>This is either the unescaped instance name (if applicable) with <filename>/</filename> prepended (if applicable), or the prefix name prepended with <filename>/</filename>.</entry>
+      <entry>This is either the unescaped instance name (if applicable) with <filename>/</filename> prepended (if applicable), or the unescaped prefix name prepended with <filename>/</filename>.</entry>
           </row>
           <row>
       <entry><literal>%c</literal></entry>
diff --git a/src/basic/bitmap.c b/src/basic/bitmap.c
index ad1fda0198..f4b12fc261 100644
--- a/src/basic/bitmap.c
+++ b/src/basic/bitmap.c
@@ -50,6 +50,23 @@ Bitmap *bitmap_new(void) {
         return new0(Bitmap, 1);
 }
 
+Bitmap *bitmap_copy(Bitmap *b) {
+        Bitmap *ret;
+
+        ret = bitmap_new();
+        if (!ret)
+                return NULL;
+
+        ret->bitmaps = newdup(uint64_t, b->bitmaps, b->n_bitmaps);
+        if (!ret->bitmaps) {
+                free(ret);
+                return NULL;
+        }
+
+        ret->n_bitmaps = ret->bitmaps_allocated = b->n_bitmaps;
+        return ret;
+}
+
 void bitmap_free(Bitmap *b) {
         if (!b)
                 return;
diff --git a/src/basic/bitmap.h b/src/basic/bitmap.h
index f5f8f2f018..63fdbe8bea 100644
--- a/src/basic/bitmap.h
+++ b/src/basic/bitmap.h
@@ -27,10 +27,9 @@
 typedef struct Bitmap Bitmap;
 
 Bitmap *bitmap_new(void);
-
-void bitmap_free(Bitmap *b);
-
+Bitmap *bitmap_copy(Bitmap *b);
 int bitmap_ensure_allocated(Bitmap **b);
+void bitmap_free(Bitmap *b);
 
 int bitmap_set(Bitmap *b, unsigned n);
 void bitmap_unset(Bitmap *b, unsigned n);
diff --git a/src/basic/hashmap.c b/src/basic/hashmap.c
index 49a0479592..50fefb0b54 100644
--- a/src/basic/hashmap.c
+++ b/src/basic/hashmap.c
@@ -1764,6 +1764,9 @@ void *ordered_hashmap_next(OrderedHashmap *h, const void *key) {
 int set_consume(Set *s, void *value) {
         int r;
 
+        assert(s);
+        assert(value);
+
         r = set_put(s, value);
         if (r <= 0)
                 free(value);
@@ -1791,6 +1794,8 @@ int set_put_strdupv(Set *s, char **l) {
         int n = 0, r;
         char **i;
 
+        assert(s);
+
         STRV_FOREACH(i, l) {
                 r = set_put_strdup(s, *i);
                 if (r < 0)
@@ -1801,3 +1806,23 @@ int set_put_strdupv(Set *s, char **l) {
 
         return n;
 }
+
+int set_put_strsplit(Set *s, const char *v, const char *separators, ExtractFlags flags) {
+        const char *p = v;
+        int r;
+
+        assert(s);
+        assert(v);
+
+        for (;;) {
+                char *word;
+
+                r = extract_first_word(&p, &word, separators, flags);
+                if (r <= 0)
+                        return r;
+
+                r = set_consume(s, word);
+                if (r < 0)
+                        return r;
+        }
+}
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index 20768b715a..3afb5e0a40 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -553,7 +553,7 @@ int wait_for_terminate(pid_t pid, siginfo_t *status) {
                         if (errno == EINTR)
                                 continue;
 
-                        return -errno;
+                        return negative_errno();
                 }
 
                 return 0;
diff --git a/src/basic/set.h b/src/basic/set.h
index e0d9dd001c..12f64a8c57 100644
--- a/src/basic/set.h
+++ b/src/basic/set.h
@@ -19,6 +19,7 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
+#include "extract-word.h"
 #include "hashmap.h"
 #include "macro.h"
 
@@ -122,6 +123,7 @@ static inline char **set_get_strv(Set *s) {
 int set_consume(Set *s, void *value);
 int set_put_strdup(Set *s, const char *p);
 int set_put_strdupv(Set *s, char **l);
+int set_put_strsplit(Set *s, const char *v, const char *separators, ExtractFlags flags);
 
 #define SET_FOREACH(e, s, i) \
         for ((i) = ITERATOR_FIRST; set_iterate((s), &(i), (void**)&(e)); )
diff --git a/src/basic/string-table.h b/src/basic/string-table.h
index d88625fca7..369610efc8 100644
--- a/src/basic/string-table.h
+++ b/src/basic/string-table.h
@@ -48,6 +48,8 @@ ssize_t string_table_lookup(const char * const *table, size_t len, const char *k
 #define _DEFINE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(name,type,yes,scope) \
         scope type name##_from_string(const char *s) {                  \
                 int b;                                                  \
+                if (!s)                                                 \
+                        return -1;                                      \
                 b = parse_boolean(s);                                   \
                 if (b == 0)                                             \
                         return (type) 0;                                \
diff --git a/src/basic/strv.c b/src/basic/strv.c
index 97a96e5762..578a9c1005 100644
--- a/src/basic/strv.c
+++ b/src/basic/strv.c
@@ -804,11 +804,7 @@ char **strv_reverse(char **l) {
                 return l;
 
         for (i = 0; i < n / 2; i++) {
-                char *t;
-
-                t = l[i];
-                l[i] = l[n-1-i];
-                l[n-1-i] = t;
+                SWAP_TWO(l[i], l[n-1-i]);
         }
 
         return l;
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 4c88c41127..644b9561b5 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -720,6 +720,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
         SD_BUS_PROPERTY("RuntimeDirectoryMode", "u", bus_property_get_mode, offsetof(ExecContext, runtime_directory_mode), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("RuntimeDirectory", "as", NULL, offsetof(ExecContext, runtime_directory), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_VTABLE_END
 };
 
@@ -1057,7 +1058,7 @@ int bus_exec_context_set_transient_property(
         } else if (STR_IN_SET(name,
                               "IgnoreSIGPIPE", "TTYVHangup", "TTYReset",
                               "PrivateTmp", "PrivateDevices", "PrivateNetwork",
-                              "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute")) {
+                              "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", "RestrictRealtime")) {
                 int b;
 
                 r = sd_bus_message_read(message, "b", &b);
@@ -1083,6 +1084,8 @@ int bus_exec_context_set_transient_property(
                                 c->syslog_level_prefix = b;
                         else if (streq(name, "MemoryDenyWriteExecute"))
                                 c->memory_deny_write_execute = b;
+                        else if (streq(name, "RestrictRealtime"))
+                                c->restrict_realtime = b;
 
                         unit_write_drop_in_private_format(u, mode, name, "%s=%s", name, yes_no(b));
                 }
diff --git a/src/core/execute.c b/src/core/execute.c
index 3c3369373f..8cb18dbd5b 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1237,7 +1237,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
 
         r = seccomp_rule_add(
                         seccomp,
-                        SCMP_ACT_KILL,
+                        SCMP_ACT_ERRNO(EPERM),
                         SCMP_SYS(mmap),
                         1,
                         SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
@@ -1246,7 +1246,7 @@ static int apply_memory_deny_write_execute(const ExecContext *c) {
 
         r = seccomp_rule_add(
                         seccomp,
-                        SCMP_ACT_KILL,
+                        SCMP_ACT_ERRNO(EPERM),
                         SCMP_SYS(mprotect),
                         1,
                         SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
@@ -1264,6 +1264,76 @@ finish:
         return r;
 }
 
+static int apply_restrict_realtime(const ExecContext *c) {
+        static const int permitted_policies[] = {
+                SCHED_OTHER,
+                SCHED_BATCH,
+                SCHED_IDLE,
+        };
+
+        scmp_filter_ctx *seccomp;
+        unsigned i;
+        int r, p, max_policy = 0;
+
+        assert(c);
+
+        seccomp = seccomp_init(SCMP_ACT_ALLOW);
+        if (!seccomp)
+                return -ENOMEM;
+
+        /* Determine the highest policy constant we want to allow */
+        for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
+                if (permitted_policies[i] > max_policy)
+                        max_policy = permitted_policies[i];
+
+        /* Go through all policies with lower values than that, and block them -- unless they appear in the
+         * whitelist. */
+        for (p = 0; p < max_policy; p++) {
+                bool good = false;
+
+                /* Check if this is in the whitelist. */
+                for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
+                        if (permitted_policies[i] == p) {
+                                good = true;
+                                break;
+                        }
+
+                if (good)
+                        continue;
+
+                /* Deny this policy */
+                r = seccomp_rule_add(
+                                seccomp,
+                                SCMP_ACT_ERRNO(EPERM),
+                                SCMP_SYS(sched_setscheduler),
+                                1,
+                                SCMP_A1(SCMP_CMP_EQ, p));
+                if (r < 0)
+                        goto finish;
+        }
+
+        /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
+         * hence no need no check for < 0 values. */
+        r = seccomp_rule_add(
+                        seccomp,
+                        SCMP_ACT_ERRNO(EPERM),
+                        SCMP_SYS(sched_setscheduler),
+                        1,
+                        SCMP_A1(SCMP_CMP_GT, max_policy));
+        if (r < 0)
+                goto finish;
+
+        r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
+        if (r < 0)
+                goto finish;
+
+        r = seccomp_load(seccomp);
+
+finish:
+        seccomp_release(seccomp);
+        return r;
+}
+
 #endif
 
 static void do_idle_pipe_dance(int idle_pipe[4]) {
@@ -1951,10 +2021,20 @@ static int exec_child(
                 int secure_bits = context->secure_bits;
 
                 for (i = 0; i < _RLIMIT_MAX; i++) {
+
                         if (!context->rlimit[i])
                                 continue;
 
-                        if (setrlimit_closest(i, context->rlimit[i]) < 0) {
+                        r = setrlimit_closest(i, context->rlimit[i]);
+                        if (r < 0) {
+                                *exit_status = EXIT_LIMITS;
+                                return r;
+                        }
+                }
+
+                /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
+                if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
+                        if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
                                 *exit_status = EXIT_LIMITS;
                                 return -errno;
                         }
@@ -2015,7 +2095,7 @@ static int exec_child(
                         }
 
                 if (context->no_new_privileges ||
-                    (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || use_syscall_filter)))
+                    (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || context->memory_deny_write_execute || context->restrict_realtime || use_syscall_filter)))
                         if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
                                 *exit_status = EXIT_NO_NEW_PRIVILEGES;
                                 return -errno;
@@ -2037,6 +2117,15 @@ static int exec_child(
                                 return r;
                         }
                 }
+
+                if (context->restrict_realtime) {
+                        r = apply_restrict_realtime(context);
+                        if (r < 0) {
+                                *exit_status = EXIT_SECCOMP;
+                                return r;
+                        }
+                }
+
                 if (use_syscall_filter) {
                         r = apply_seccomp(context);
                         if (r < 0) {
@@ -2472,7 +2561,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 "%sProtectHome: %s\n"
                 "%sProtectSystem: %s\n"
                 "%sIgnoreSIGPIPE: %s\n"
-                "%sMemoryDenyWriteExecute: %s\n",
+                "%sMemoryDenyWriteExecute: %s\n"
+                "%sRestrictRealtime: %s\n",
                 prefix, c->umask,
                 prefix, c->working_directory ? c->working_directory : "/",
                 prefix, c->root_directory ? c->root_directory : "/",
@@ -2483,7 +2573,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 prefix, protect_home_to_string(c->protect_home),
                 prefix, protect_system_to_string(c->protect_system),
                 prefix, yes_no(c->ignore_sigpipe),
-                prefix, yes_no(c->memory_deny_write_execute));
+                prefix, yes_no(c->memory_deny_write_execute),
+                prefix, yes_no(c->restrict_realtime));
 
         STRV_FOREACH(e, c->environment)
                 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
diff --git a/src/core/execute.h b/src/core/execute.h
index cd1f7b36f6..210eea0e82 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -193,12 +193,14 @@ struct ExecContext {
         char **runtime_directory;
         mode_t runtime_directory_mode;
 
+        bool memory_deny_write_execute;
+        bool restrict_realtime;
+
         bool oom_score_adjust_set:1;
         bool nice_set:1;
         bool ioprio_set:1;
         bool cpu_sched_set:1;
         bool no_new_privileges_set:1;
-        bool memory_deny_write_execute;
 };
 
 #include "cgroup-util.h"
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index eb58586523..fe1006830b 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -56,11 +56,13 @@ m4_ifdef(`HAVE_SECCOMP',
 $1.SystemCallArchitectures,      config_parse_syscall_archs,         0,                             offsetof($1, exec_context.syscall_archs)
 $1.SystemCallErrorNumber,        config_parse_syscall_errno,         0,                             offsetof($1, exec_context)
 $1.MemoryDenyWriteExecute,       config_parse_bool,                  0,                             offsetof($1, exec_context.memory_deny_write_execute)
+$1.RestrictRealtime,             config_parse_bool,                  0,                             offsetof($1, exec_context.restrict_realtime)
 $1.RestrictAddressFamilies,      config_parse_address_families,      0,                             offsetof($1, exec_context)',
 `$1.SystemCallFilter,            config_parse_warn_compat,           DISABLED_CONFIGURATION,        0
 $1.SystemCallArchitectures,      config_parse_warn_compat,           DISABLED_CONFIGURATION,        0
 $1.SystemCallErrorNumber,        config_parse_warn_compat,           DISABLED_CONFIGURATION,        0
 $1.MemoryDenyWriteExecute,       config_parse_warn_compat,           DISABLED_CONFIGURATION,        0
+$1.RestrictRealtime,             config_parse_warn_compat,           DISABLED_CONFIGURATION,        0
 $1.RestrictAddressFamilies,      config_parse_warn_compat,           DISABLED_CONFIGURATION,        0')
 $1.LimitCPU,                     config_parse_limit,                 RLIMIT_CPU,                    offsetof($1, exec_context.rlimit)
 $1.LimitFSIZE,                   config_parse_limit,                 RLIMIT_FSIZE,                  offsetof($1, exec_context.rlimit)
diff --git a/src/core/main.c b/src/core/main.c
index 2785a3aa0b..3d74ef1adf 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1294,6 +1294,35 @@ static int bump_unix_max_dgram_qlen(void) {
         return 1;
 }
 
+static int fixup_environment(void) {
+        _cleanup_free_ char *term = NULL;
+        int r;
+
+        /* When started as PID1, the kernel uses /dev/console
+         * for our stdios and uses TERM=linux whatever the
+         * backend device used by the console. We try to make
+         * a better guess here since some consoles might not
+         * have support for color mode for example.
+         *
+         * However if TERM was configured through the kernel
+         * command line then leave it alone. */
+
+        r = get_proc_cmdline_key("TERM=", &term);
+        if (r < 0)
+                return r;
+
+        if (r == 0) {
+                term = strdup(default_term_for_tty("/dev/console") + 5);
+                if (!term)
+                        return -errno;
+        }
+
+        if (setenv("TERM", term, 1) < 0)
+                return -errno;
+
+        return 0;
+}
+
 int main(int argc, char *argv[]) {
         Manager *m = NULL;
         int r, retval = EXIT_FAILURE;
@@ -1353,7 +1382,6 @@ int main(int argc, char *argv[]) {
         saved_argv = argv;
         saved_argc = argc;
 
-        log_show_color(colors_enabled());
         log_set_upgrade_syslog_to_journal(true);
 
         /* Disable the umask logic */
@@ -1364,7 +1392,6 @@ int main(int argc, char *argv[]) {
 
                 /* Running outside of a container as PID 1 */
                 arg_system = true;
-                make_null_stdio();
                 log_set_target(LOG_TARGET_KMSG);
                 log_open();
 
@@ -1480,6 +1507,22 @@ int main(int argc, char *argv[]) {
                         (void) write_string_file("/proc/sys/kernel/core_pattern", "|/bin/false", 0);
         }
 
+        if (arg_system) {
+                /* We expect the environment to be set correctly
+                 * if run inside a container. */
+                if (detect_container() <= 0)
+                        if (fixup_environment() < 0) {
+                                error_message = "Failed to fix up PID1 environment";
+                                goto finish;
+                        }
+
+                /* Try to figure out if we can use colors with the console. No
+                 * need to do that for user instances since they never log
+                 * into the console. */
+                log_show_color(colors_enabled());
+                make_null_stdio();
+        }
+
         /* Initialize default unit */
         r = free_and_strdup(&arg_default_unit, SPECIAL_DEFAULT_TARGET);
         if (r < 0) {
@@ -1967,6 +2010,9 @@ finish:
                                 log_error_errno(r, "Failed to switch root, trying to continue: %m");
                 }
 
+                /* Reopen the console */
+                (void) make_console_stdio();
+
                 args_size = MAX(6, argc+1);
                 args = newa(const char*, args_size);
 
@@ -1992,10 +2038,6 @@ finish:
                         args[i++] = sfd;
                         args[i++] = NULL;
 
-                        /* do not pass along the environment we inherit from the kernel or initrd */
-                        if (switch_root_dir)
-                                (void) clearenv();
-
                         assert(i <= args_size);
 
                         /*
@@ -2018,9 +2060,6 @@ finish:
                 arg_serialization = safe_fclose(arg_serialization);
                 fds = fdset_free(fds);
 
-                /* Reopen the console */
-                (void) make_console_stdio();
-
                 for (j = 1, i = 1; j < (unsigned) argc; j++)
                         args[i++] = argv[j];
                 args[i++] = NULL;
diff --git a/src/core/service.c b/src/core/service.c
index 78c33b1530..13de671700 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -200,16 +200,27 @@ static void service_stop_watchdog(Service *s) {
         s->watchdog_timestamp = DUAL_TIMESTAMP_NULL;
 }
 
+static usec_t service_get_watchdog_usec(Service *s) {
+        assert(s);
+
+        if (s->watchdog_override_enable)
+                return s->watchdog_override_usec;
+        else
+                return s->watchdog_usec;
+}
+
 static void service_start_watchdog(Service *s) {
         int r;
+        usec_t watchdog_usec;
 
         assert(s);
 
-        if (s->watchdog_usec <= 0)
+        watchdog_usec = service_get_watchdog_usec(s);
+        if (watchdog_usec == 0 || watchdog_usec == USEC_INFINITY)
                 return;
 
         if (s->watchdog_event_source) {
-                r = sd_event_source_set_time(s->watchdog_event_source, usec_add(s->watchdog_timestamp.monotonic, s->watchdog_usec));
+                r = sd_event_source_set_time(s->watchdog_event_source, usec_add(s->watchdog_timestamp.monotonic, watchdog_usec));
                 if (r < 0) {
                         log_unit_warning_errno(UNIT(s), r, "Failed to reset watchdog timer: %m");
                         return;
@@ -221,7 +232,7 @@ static void service_start_watchdog(Service *s) {
                                 UNIT(s)->manager->event,
                                 &s->watchdog_event_source,
                                 CLOCK_MONOTONIC,
-                                usec_add(s->watchdog_timestamp.monotonic, s->watchdog_usec), 0,
+                                usec_add(s->watchdog_timestamp.monotonic, watchdog_usec), 0,
                                 service_dispatch_watchdog, s);
                 if (r < 0) {
                         log_unit_warning_errno(UNIT(s), r, "Failed to add watchdog timer: %m");
@@ -246,6 +257,17 @@ static void service_reset_watchdog(Service *s) {
         service_start_watchdog(s);
 }
 
+static void service_reset_watchdog_timeout(Service *s, usec_t watchdog_override_usec) {
+        assert(s);
+
+        s->watchdog_override_enable = true;
+        s->watchdog_override_usec = watchdog_override_usec;
+        service_reset_watchdog(s);
+
+        log_unit_debug(UNIT(s), "watchdog_usec="USEC_FMT, s->watchdog_usec);
+        log_unit_debug(UNIT(s), "watchdog_override_usec="USEC_FMT, s->watchdog_override_usec);
+}
+
 static void service_fd_store_unlink(ServiceFDStore *fs) {
 
         if (!fs)
@@ -1992,6 +2014,9 @@ static int service_start(Unit *u) {
 
         s->notify_state = NOTIFY_UNKNOWN;
 
+        s->watchdog_override_enable = false;
+        s->watchdog_override_usec = 0;
+
         service_enter_start_pre(s);
         return 1;
 }
@@ -2123,6 +2148,9 @@ static int service_serialize(Unit *u, FILE *f, FDSet *fds) {
 
         unit_serialize_item(u, f, "forbid-restart", yes_no(s->forbid_restart));
 
+        if (s->watchdog_override_enable)
+               unit_serialize_item_format(u, f, "watchdog-override-usec", USEC_FMT, s->watchdog_override_usec);
+
         return 0;
 }
 
@@ -2317,6 +2345,14 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
                         s->stderr_fd = fdset_remove(fds, fd);
                         s->exec_context.stdio_as_fds = true;
                 }
+        } else if (streq(key, "watchdog-override-usec")) {
+                usec_t watchdog_override_usec;
+                if (timestamp_deserialize(value, &watchdog_override_usec) < 0)
+                        log_unit_debug(u, "Failed to parse watchdog_override_usec value: %s", value);
+                else {
+                        s->watchdog_override_enable = true;
+                        s->watchdog_override_usec = watchdog_override_usec;
+                }
         } else
                 log_unit_debug(u, "Unknown serialization key: %s", key);
 
@@ -2895,12 +2931,15 @@ static int service_dispatch_timer(sd_event_source *source, usec_t usec, void *us
 static int service_dispatch_watchdog(sd_event_source *source, usec_t usec, void *userdata) {
         Service *s = SERVICE(userdata);
         char t[FORMAT_TIMESPAN_MAX];
+        usec_t watchdog_usec;
 
         assert(s);
         assert(source == s->watchdog_event_source);
 
+        watchdog_usec = service_get_watchdog_usec(s);
+
         log_unit_error(UNIT(s), "Watchdog timeout (limit %s)!",
-                       format_timespan(t, sizeof(t), s->watchdog_usec, 1));
+                       format_timespan(t, sizeof(t), watchdog_usec, 1));
 
         service_enter_signal(s, SERVICE_STOP_SIGABRT, SERVICE_FAILURE_WATCHDOG);
 
@@ -3037,6 +3076,15 @@ static void service_notify_message(Unit *u, pid_t pid, char **tags, FDSet *fds)
                 service_add_fd_store_set(s, fds, name);
         }
 
+        e = strv_find_startswith(tags, "WATCHDOG_USEC=");
+        if (e) {
+                usec_t watchdog_override_usec;
+                if (safe_atou64(e, &watchdog_override_usec) < 0)
+                        log_unit_warning(u, "Failed to parse WATCHDOG_USEC=%s", e);
+                else
+                        service_reset_watchdog_timeout(s, watchdog_override_usec);
+        }
+
         /* Notify clients about changed status or main pid */
         if (notify_dbus)
                 unit_add_to_dbus_queue(u);
diff --git a/src/core/service.h b/src/core/service.h
index 4af3d40439..cfef375b03 100644
--- a/src/core/service.h
+++ b/src/core/service.h
@@ -120,6 +120,8 @@ struct Service {
 
         dual_timestamp watchdog_timestamp;
         usec_t watchdog_usec;
+        usec_t watchdog_override_usec;
+        bool watchdog_override_enable;
         sd_event_source *watchdog_event_source;
 
         ExecCommand* exec_command[_SERVICE_EXEC_COMMAND_MAX];
diff --git a/src/core/unit.c b/src/core/unit.c
index 581962eba6..0a1a5321df 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3364,6 +3364,7 @@ int unit_write_drop_in(Unit *u, UnitSetPropertiesMode mode, const char *name, co
                 /* When this is a transient unit file in creation, then let's not create a new drop-in but instead
                  * write to the transient unit file. */
                 fputs(data, u->transient_file);
+                fputc('\n', u->transient_file);
                 return 0;
         }
 
diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c
index fc7cf39847..5aeca7e2d5 100644
--- a/src/fstab-generator/fstab-generator.c
+++ b/src/fstab-generator/fstab-generator.c
@@ -417,8 +417,7 @@ static int parse_fstab(bool initrd) {
                 if (errno == ENOENT)
                         return 0;
 
-                log_error_errno(errno, "Failed to open %s: %m", fstab_path);
-                return -errno;
+                return log_error_errno(errno, "Failed to open %s: %m", fstab_path);
         }
 
         while ((me = getmntent(f))) {
@@ -502,6 +501,12 @@ static int add_sysroot_mount(void) {
                 return 0;
         }
 
+        if (path_equal(arg_root_what, "/dev/nfs")) {
+                /* This is handled by the kernel or the initrd */
+                log_debug("Skipping root directory handling, as /dev/nfs was requested.");
+                return 0;
+        }
+
         what = fstab_node_to_udev_node(arg_root_what);
         if (!what)
                 return log_oom();
@@ -526,10 +531,10 @@ static int add_sysroot_mount(void) {
                          "/sysroot",
                          arg_root_fstype,
                          opts,
-                         is_device_path(what) ? 1 : 0,
-                         false,
-                         false,
-                         false,
+                         is_device_path(what) ? 1 : 0, /* passno */
+                         false,                        /* noauto off */
+                         false,                        /* nofail off */
+                         false,                        /* automount off */
                          SPECIAL_INITRD_ROOT_FS_TARGET,
                          "/proc/cmdline");
 }
@@ -542,22 +547,20 @@ static int add_sysroot_usr_mount(void) {
                 return 0;
 
         if (arg_root_what && !arg_usr_what) {
+                /* Copy over the root device, in case the /usr mount just differs in a mount option (consider btrfs subvolumes) */
                 arg_usr_what = strdup(arg_root_what);
-
                 if (!arg_usr_what)
                         return log_oom();
         }
 
         if (arg_root_fstype && !arg_usr_fstype) {
                 arg_usr_fstype = strdup(arg_root_fstype);
-
                 if (!arg_usr_fstype)
                         return log_oom();
         }
 
         if (arg_root_options && !arg_usr_options) {
                 arg_usr_options = strdup(arg_root_options);
-
                 if (!arg_usr_options)
                         return log_oom();
         }
@@ -566,10 +569,8 @@ static int add_sysroot_usr_mount(void) {
                 return 0;
 
         what = fstab_node_to_udev_node(arg_usr_what);
-        if (!path_is_absolute(what)) {
-                log_debug("Skipping entry what=%s where=/sysroot/usr type=%s", what, strna(arg_usr_fstype));
-                return -1;
-        }
+        if (!what)
+                return log_oom();
 
         if (!arg_usr_options)
                 opts = arg_root_rw > 0 ? "rw" : "ro";
@@ -583,10 +584,10 @@ static int add_sysroot_usr_mount(void) {
                          "/sysroot/usr",
                          arg_usr_fstype,
                          opts,
-                         1,
-                         false,
-                         false,
-                         false,
+                         is_device_path(what) ? 1 : 0, /* passno */
+                         false,                        /* noauto off */
+                         false,                        /* nofail off */
+                         false,                        /* automount off */
                          SPECIAL_INITRD_FS_TARGET,
                          "/proc/cmdline");
 }
@@ -681,10 +682,15 @@ int main(int argc, char *argv[]) {
 
         /* Always honour root= and usr= in the kernel command line if we are in an initrd */
         if (in_initrd()) {
+                int k;
+
                 r = add_sysroot_mount();
-                if (r == 0)
-                        r = add_sysroot_usr_mount();
-        }
+
+                k = add_sysroot_usr_mount();
+                if (k < 0)
+                        r = k;
+        } else
+                r = 0;
 
         /* Honour /etc/fstab only when that's enabled */
         if (arg_fstab_enabled) {
diff --git a/src/journal/mmap-cache.c b/src/journal/mmap-cache.c
index 6bcd9b6ac8..293d27053a 100644
--- a/src/journal/mmap-cache.c
+++ b/src/journal/mmap-cache.c
@@ -481,7 +481,7 @@ static int mmap_try_harder(MMapCache *m, void *addr, int fd, int prot, int flags
                 if (ptr != MAP_FAILED)
                         break;
                 if (errno != ENOMEM)
-                        return -errno;
+                        return negative_errno();
 
                 r = make_room(m);
                 if (r < 0)
@@ -571,7 +571,7 @@ static int add_mmap(
         return 1;
 
 outofmem:
-        munmap(d, wsize);
+        (void) munmap(d, wsize);
         return -ENOMEM;
 }
 
diff --git a/src/login/loginctl.c b/src/login/loginctl.c
index 0fc2720b43..0fc33cf541 100644
--- a/src/login/loginctl.c
+++ b/src/login/loginctl.c
@@ -290,7 +290,7 @@ typedef struct SessionStatusInfo {
         char *seat;
         char *tty;
         char *display;
-        bool remote;
+        int remote;
         char *remote_host;
         char *remote_user;
         char *service;
@@ -304,7 +304,7 @@ typedef struct SessionStatusInfo {
 
 typedef struct UserStatusInfo {
         uid_t uid;
-        bool linger;
+        int linger;
         char *name;
         struct dual_timestamp timestamp;
         char *state;
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index b60e3be362..843e678eca 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -32,6 +32,7 @@
 #include "sd-bus.h"
 
 #include "alloc-util.h"
+#include "bus-common-errors.h"
 #include "bus-error.h"
 #include "bus-unit-util.h"
 #include "bus-util.h"
@@ -1523,6 +1524,32 @@ static int read_only_image(int argc, char *argv[], void *userdata) {
         return 0;
 }
 
+static int image_exists(sd_bus *bus, const char *name) {
+        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
+        int r;
+
+        assert(bus);
+        assert(name);
+
+        r = sd_bus_call_method(
+                        bus,
+                        "org.freedesktop.machine1",
+                        "/org/freedesktop/machine1",
+                        "org.freedesktop.machine1.Manager",
+                        "GetImage",
+                        &error,
+                        NULL,
+                        "s", name);
+        if (r < 0) {
+                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_IMAGE))
+                        return 0;
+
+                return log_error_errno(r, "Failed to check whether image %s exists: %s", name, bus_error_message(&error, -r));
+        }
+
+        return 1;
+}
+
 static int make_service_name(const char *name, char **ret) {
         _cleanup_free_ char *e = NULL;
         int r;
@@ -1535,11 +1562,7 @@ static int make_service_name(const char *name, char **ret) {
                 return -EINVAL;
         }
 
-        e = unit_name_escape(name);
-        if (!e)
-                return log_oom();
-
-        r = unit_name_build("systemd-nspawn", e, ".service", ret);
+        r = unit_name_build("systemd-nspawn", name, ".service", ret);
         if (r < 0)
                 return log_error_errno(r, "Failed to build unit name: %m");
 
@@ -1569,6 +1592,14 @@ static int start_machine(int argc, char *argv[], void *userdata) {
                 if (r < 0)
                         return r;
 
+                r = image_exists(bus, argv[i]);
+                if (r < 0)
+                        return r;
+                if (r == 0) {
+                        log_error("Machine image '%s' does not exist.", argv[1]);
+                        return -ENXIO;
+                }
+
                 r = sd_bus_call_method(
                                 bus,
                                 "org.freedesktop.systemd1",
@@ -1636,6 +1667,14 @@ static int enable_machine(int argc, char *argv[], void *userdata) {
                 if (r < 0)
                         return r;
 
+                r = image_exists(bus, argv[i]);
+                if (r < 0)
+                        return r;
+                if (r == 0) {
+                        log_error("Machine image '%s' does not exist.", argv[1]);
+                        return -ENXIO;
+                }
+
                 r = sd_bus_message_append(m, "s", unit);
                 if (r < 0)
                         return bus_log_create_error(r);
diff --git a/src/network/networkd-brvlan.c b/src/network/networkd-brvlan.c
index f621b8011b..8bc330ebae 100644
--- a/src/network/networkd-brvlan.c
+++ b/src/network/networkd-brvlan.c
@@ -58,7 +58,7 @@ static int append_vlan_info_data(Link *const link, sd_netlink_message *req, uint
         struct bridge_vlan_info br_vlan;
         int i, j, k, r, done, cnt;
         uint16_t begin, end;
-        bool untagged;
+        bool untagged = false;
 
         assert(link);
         assert(req);
diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf
index affc0d00e9..5172a7b5e9 100644
--- a/src/network/networkd-network-gperf.gperf
+++ b/src/network/networkd-network-gperf.gperf
@@ -52,7 +52,7 @@ Network.DNS,                            config_parse_strv,
 Network.LLMNR,                          config_parse_resolve_support,                   0,                             offsetof(Network, llmnr)
 Network.MulticastDNS,                   config_parse_resolve_support,                   0,                             offsetof(Network, mdns)
 Network.DNSSEC,                         config_parse_dnssec_mode,                       0,                             offsetof(Network, dnssec_mode)
-Network.DNSSECNegativeTrustAnchors,     config_parse_dnssec_negative_trust_anchors,     0,                             offsetof(Network, dnssec_negative_trust_anchors)
+Network.DNSSECNegativeTrustAnchors,     config_parse_dnssec_negative_trust_anchors,     0,                             0
 Network.NTP,                            config_parse_strv,                              0,                             offsetof(Network, ntp)
 Network.IPForward,                      config_parse_address_family_boolean_with_kernel,0,                             offsetof(Network, ip_forward)
 Network.IPMasquerade,                   config_parse_bool,                              0,                             offsetof(Network, ip_masquerade)
diff --git a/src/network/networkd-wait-online-manager.c b/src/network/networkd-wait-online-manager.c
index 2ff7ddb044..725b3310dd 100644
--- a/src/network/networkd-wait-online-manager.c
+++ b/src/network/networkd-wait-online-manager.c
@@ -30,8 +30,6 @@
 #include "util.h"
 
 bool manager_ignore_link(Manager *m, Link *link) {
-        char **ignore;
-
         assert(m);
         assert(link);
 
@@ -44,11 +42,7 @@ bool manager_ignore_link(Manager *m, Link *link) {
                 return true;
 
         /* ignore interfaces we explicitly are asked to ignore */
-        STRV_FOREACH(ignore, m->ignore)
-                if (fnmatch(*ignore, link->ifname, 0) == 0)
-                        return true;
-
-        return false;
+        return strv_fnmatch(m->ignore, link->ifname, 0);
 }
 
 bool manager_all_configured(Manager *m) {
diff --git a/src/nspawn/nspawn-patch-uid.c b/src/nspawn/nspawn-patch-uid.c
index cc79597c95..ded5866d05 100644
--- a/src/nspawn/nspawn-patch-uid.c
+++ b/src/nspawn/nspawn-patch-uid.c
@@ -263,9 +263,12 @@ static int patch_fd(int fd, const char *name, const struct stat *st, uid_t shift
                         return -errno;
 
                 /* The Linux kernel alters the mode in some cases of chown(). Let's undo this. */
-                if (name && !S_ISLNK(st->st_mode))
-                        r = fchmodat(fd, name, st->st_mode, 0);
-                else
+                if (name) {
+                        if (!S_ISLNK(st->st_mode))
+                                r = fchmodat(fd, name, st->st_mode, 0);
+                        else /* AT_SYMLINK_NOFOLLOW is not available for fchmodat() */
+                                r = 0;
+                } else
                         r = fchmod(fd, st->st_mode);
                 if (r < 0)
                         return -errno;
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
index 78d9d5733f..aaf5ed62c1 100644
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@@ -96,6 +96,15 @@ bool dns_type_is_valid_query(uint16_t type) {
                        DNS_TYPE_RRSIG);
 }
 
+bool dns_type_is_zone_transer(uint16_t type) {
+
+        /* Zone transfers, either normal or incremental */
+
+        return IN_SET(type,
+                      DNS_TYPE_AXFR,
+                      DNS_TYPE_IXFR);
+}
+
 bool dns_type_is_valid_rr(uint16_t type) {
 
         /* The types valid as RR in packets (but not necessarily
diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h
index 7b79d29d7e..e675fe4ea3 100644
--- a/src/resolve/dns-type.h
+++ b/src/resolve/dns-type.h
@@ -136,6 +136,7 @@ bool dns_type_is_obsolete(uint16_t type);
 bool dns_type_may_wildcard(uint16_t type);
 bool dns_type_apex_only(uint16_t type);
 bool dns_type_needs_authentication(uint16_t type);
+bool dns_type_is_zone_transer(uint16_t type);
 int dns_type_to_af(uint16_t type);
 
 bool dns_class_is_pseudo(uint16_t class);
diff --git a/src/resolve/resolv.conf b/src/resolve/resolv.conf
new file mode 100644
index 0000000000..b8034d6829
--- /dev/null
+++ b/src/resolve/resolv.conf
@@ -0,0 +1,11 @@
+# This is a static resolv.conf file for connecting local clients to
+# systemd-resolved via its DNS stub listener on 127.0.0.53.
+#
+# Third party programs must not access this file directly, but only through the
+# symlink at /etc/resolv.conf. To manage resolv.conf(5) in a different way,
+# replace this symlink by a static file or a different symlink.
+#
+# See systemd-resolved.service(8) for details about the supported modes of
+# operation for /etc/resolv.conf.
+
+nameserver 127.0.0.53
diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index 2cb2e42b23..4e1e916669 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -21,17 +21,21 @@
 #include <net/if.h>
 
 #include "sd-bus.h"
+#include "sd-netlink.h"
 
 #include "af-list.h"
 #include "alloc-util.h"
 #include "bus-error.h"
 #include "bus-util.h"
 #include "escape.h"
-#include "in-addr-util.h"
 #include "gcrypt-util.h"
+#include "in-addr-util.h"
+#include "netlink-util.h"
+#include "pager.h"
 #include "parse-util.h"
 #include "resolved-def.h"
 #include "resolved-dns-packet.h"
+#include "strv.h"
 #include "terminal-util.h"
 
 #define DNS_CALL_TIMEOUT_USEC (45*USEC_PER_SEC)
@@ -42,6 +46,7 @@ static uint16_t arg_type = 0;
 static uint16_t arg_class = 0;
 static bool arg_legend = true;
 static uint64_t arg_flags = 0;
+static bool arg_no_pager = false;
 
 typedef enum ServiceFamily {
         SERVICE_FAMILY_TCP,
@@ -67,6 +72,7 @@ static enum {
         MODE_STATISTICS,
         MODE_RESET_STATISTICS,
         MODE_FLUSH_CACHES,
+        MODE_STATUS,
 } arg_mode = MODE_RESOLVE_HOST;
 
 static ServiceFamily service_family_from_string(const char *s) {
@@ -1031,6 +1037,472 @@ static int flush_caches(sd_bus *bus) {
         return 0;
 }
 
+static int map_link_dns_servers(sd_bus *bus, const char *member, sd_bus_message *m, sd_bus_error *error, void *userdata) {
+        char ***l = userdata;
+        int r;
+
+        assert(bus);
+        assert(member);
+        assert(m);
+        assert(l);
+
+        r = sd_bus_message_enter_container(m, 'a', "(iay)");
+        if (r < 0)
+                return r;
+
+        for (;;) {
+                const void *a;
+                char *pretty;
+                int family;
+                size_t sz;
+
+                r = sd_bus_message_enter_container(m, 'r', "iay");
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        break;
+
+                r = sd_bus_message_read(m, "i", &family);
+                if (r < 0)
+                        return r;
+
+                r = sd_bus_message_read_array(m, 'y', &a, &sz);
+                if (r < 0)
+                        return r;
+
+                r = sd_bus_message_exit_container(m);
+                if (r < 0)
+                        return r;
+
+                if (!IN_SET(family, AF_INET, AF_INET6)) {
+                        log_debug("Unexpected family, ignoring.");
+                        continue;
+                }
+
+                if (sz != FAMILY_ADDRESS_SIZE(family)) {
+                        log_debug("Address size mismatch, ignoring.");
+                        continue;
+                }
+
+                r = in_addr_to_string(family, a, &pretty);
+                if (r < 0)
+                        return r;
+
+                r = strv_consume(l, pretty);
+                if (r < 0)
+                        return r;
+        }
+
+        r = sd_bus_message_exit_container(m);
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
+static int map_link_domains(sd_bus *bus, const char *member, sd_bus_message *m, sd_bus_error *error, void *userdata) {
+        char ***l = userdata;
+        int r;
+
+        assert(bus);
+        assert(member);
+        assert(m);
+        assert(l);
+
+        r = sd_bus_message_enter_container(m, 'a', "(sb)");
+        if (r < 0)
+                return r;
+
+        for (;;) {
+                const char *domain;
+                int route_only;
+                char *pretty;
+
+                r = sd_bus_message_read(m, "(sb)", &domain, &route_only);
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        break;
+
+                if (route_only)
+                        pretty = strappend("~", domain);
+                else
+                        pretty = strdup(domain);
+                if (!pretty)
+                        return -ENOMEM;
+
+                r = strv_consume(l, pretty);
+                if (r < 0)
+                        return r;
+        }
+
+        r = sd_bus_message_exit_container(m);
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
+static int status_ifindex(sd_bus *bus, int ifindex, const char *name, bool *empty_line) {
+
+        struct link_info {
+                uint64_t scopes_mask;
+                char *llmnr;
+                char *mdns;
+                char *dnssec;
+                char **dns;
+                char **domains;
+                char **ntas;
+                int dnssec_supported;
+        } link_info = {};
+
+        static const struct bus_properties_map property_map[] = {
+                { "ScopesMask",                 "t",      NULL,                 offsetof(struct link_info, scopes_mask)      },
+                { "DNS",                        "a(iay)", map_link_dns_servers, offsetof(struct link_info, dns)              },
+                { "Domains",                    "a(sb)",  map_link_domains,     offsetof(struct link_info, domains)          },
+                { "LLMNR",                      "s",      NULL,                 offsetof(struct link_info, llmnr)            },
+                { "MulticastDNS",               "s",      NULL,                 offsetof(struct link_info, mdns)             },
+                { "DNSSEC",                     "s",      NULL,                 offsetof(struct link_info, dnssec)           },
+                { "DNSSECNegativeTrustAnchors", "as",     NULL,                 offsetof(struct link_info, ntas)             },
+                { "DNSSECSupported",            "b",      NULL,                 offsetof(struct link_info, dnssec_supported) },
+                {}
+        };
+
+        _cleanup_free_ char *ifi = NULL, *p = NULL;
+        char ifname[IF_NAMESIZE] = "";
+        char **i;
+        int r;
+
+        assert(bus);
+        assert(ifindex > 0);
+        assert(empty_line);
+
+        if (!name) {
+                if (!if_indextoname(ifindex, ifname))
+                        return log_error_errno(errno, "Failed to resolve interface name for %i: %m", ifindex);
+
+                name = ifname;
+        }
+
+        if (asprintf(&ifi, "%i", ifindex) < 0)
+                return log_oom();
+
+        r = sd_bus_path_encode("/org/freedesktop/resolve1/link", ifi, &p);
+        if (r < 0)
+                return log_oom();
+
+        r = bus_map_all_properties(bus,
+                                   "org.freedesktop.resolve1",
+                                   p,
+                                   property_map,
+                                   &link_info);
+        if (r < 0) {
+                log_error_errno(r, "Failed to get link data for %i: %m", ifindex);
+                goto finish;
+        }
+
+        pager_open(arg_no_pager, false);
+
+        if (*empty_line)
+                fputc('\n', stdout);
+
+        printf("%sLink %i (%s)%s\n",
+               ansi_highlight(), ifindex, name, ansi_normal());
+
+        if (link_info.scopes_mask == 0)
+                printf("      Current Scopes: none\n");
+        else
+                printf("      Current Scopes:%s%s%s%s%s\n",
+                       link_info.scopes_mask & SD_RESOLVED_DNS ? " DNS" : "",
+                       link_info.scopes_mask & SD_RESOLVED_LLMNR_IPV4 ? " LLMNR/IPv4" : "",
+                       link_info.scopes_mask & SD_RESOLVED_LLMNR_IPV6 ? " LLMNR/IPv6" : "",
+                       link_info.scopes_mask & SD_RESOLVED_MDNS_IPV4 ? " mDNS/IPv4" : "",
+                       link_info.scopes_mask & SD_RESOLVED_MDNS_IPV6 ? " mDNS/IPv6" : "");
+
+        printf("       LLMNR setting: %s\n"
+               "MulticastDNS setting: %s\n"
+               "      DNSSEC setting: %s\n"
+               "    DNSSEC supported: %s\n",
+               strna(link_info.llmnr),
+               strna(link_info.mdns),
+               strna(link_info.dnssec),
+               yes_no(link_info.dnssec_supported));
+
+        STRV_FOREACH(i, link_info.dns) {
+                printf("          %s %s\n",
+                       i == link_info.dns ? "DNS Server:" : "           ",
+                       *i);
+        }
+
+        STRV_FOREACH(i, link_info.domains) {
+                printf("          %s %s\n",
+                       i == link_info.domains ? "DNS Domain:" : "           ",
+                       *i);
+        }
+
+        STRV_FOREACH(i, link_info.ntas) {
+                printf("          %s %s\n",
+                       i == link_info.ntas ? "DNSSEC NTA:" : "           ",
+                       *i);
+        }
+
+        *empty_line = true;
+
+        r = 0;
+
+finish:
+        strv_free(link_info.dns);
+        strv_free(link_info.domains);
+        free(link_info.llmnr);
+        free(link_info.mdns);
+        free(link_info.dnssec);
+        strv_free(link_info.ntas);
+        return r;
+}
+
+static int map_global_dns_servers(sd_bus *bus, const char *member, sd_bus_message *m, sd_bus_error *error, void *userdata) {
+        char ***l = userdata;
+        int r;
+
+        assert(bus);
+        assert(member);
+        assert(m);
+        assert(l);
+
+        r = sd_bus_message_enter_container(m, 'a', "(iiay)");
+        if (r < 0)
+                return r;
+
+        for (;;) {
+                const void *a;
+                char *pretty;
+                int family, ifindex;
+                size_t sz;
+
+                r = sd_bus_message_enter_container(m, 'r', "iiay");
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        break;
+
+                r = sd_bus_message_read(m, "ii", &ifindex, &family);
+                if (r < 0)
+                        return r;
+
+                r = sd_bus_message_read_array(m, 'y', &a, &sz);
+                if (r < 0)
+                        return r;
+
+                r = sd_bus_message_exit_container(m);
+                if (r < 0)
+                        return r;
+
+                if (ifindex != 0) /* only show the global ones here */
+                        continue;
+
+                if (!IN_SET(family, AF_INET, AF_INET6)) {
+                        log_debug("Unexpected family, ignoring.");
+                        continue;
+                }
+
+                if (sz != FAMILY_ADDRESS_SIZE(family)) {
+                        log_debug("Address size mismatch, ignoring.");
+                        continue;
+                }
+
+                r = in_addr_to_string(family, a, &pretty);
+                if (r < 0)
+                        return r;
+
+                r = strv_consume(l, pretty);
+                if (r < 0)
+                        return r;
+        }
+
+        r = sd_bus_message_exit_container(m);
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
+static int map_global_domains(sd_bus *bus, const char *member, sd_bus_message *m, sd_bus_error *error, void *userdata) {
+        char ***l = userdata;
+        int r;
+
+        assert(bus);
+        assert(member);
+        assert(m);
+        assert(l);
+
+        r = sd_bus_message_enter_container(m, 'a', "(isb)");
+        if (r < 0)
+                return r;
+
+        for (;;) {
+                const char *domain;
+                int route_only, ifindex;
+                char *pretty;
+
+                r = sd_bus_message_read(m, "(isb)", &ifindex, &domain, &route_only);
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        break;
+
+                if (ifindex != 0) /* only show the global ones here */
+                        continue;
+
+                if (route_only)
+                        pretty = strappend("~", domain);
+                else
+                        pretty = strdup(domain);
+                if (!pretty)
+                        return -ENOMEM;
+
+                r = strv_consume(l, pretty);
+                if (r < 0)
+                        return r;
+        }
+
+        r = sd_bus_message_exit_container(m);
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
+static int status_global(sd_bus *bus, bool *empty_line) {
+
+        struct global_info {
+                char **dns;
+                char **domains;
+                char **ntas;
+        } global_info = {};
+
+        static const struct bus_properties_map property_map[] = {
+                { "DNS",                        "a(iiay)", map_global_dns_servers, offsetof(struct global_info, dns)     },
+                { "Domains",                    "a(isb)",  map_global_domains,     offsetof(struct global_info, domains) },
+                { "DNSSECNegativeTrustAnchors", "as",      NULL,                   offsetof(struct global_info, ntas)    },
+                {}
+        };
+
+        char **i;
+        int r;
+
+        assert(bus);
+        assert(empty_line);
+
+        r = bus_map_all_properties(bus,
+                                   "org.freedesktop.resolve1",
+                                   "/org/freedesktop/resolve1",
+                                   property_map,
+                                   &global_info);
+        if (r < 0) {
+                log_error_errno(r, "Failed to get global data: %m");
+                goto finish;
+        }
+
+        if (strv_isempty(global_info.dns) && strv_isempty(global_info.domains) && strv_isempty(global_info.ntas)) {
+                r = 0;
+                goto finish;
+        }
+
+        pager_open(arg_no_pager, false);
+
+        printf("%sGlobal%s\n", ansi_highlight(), ansi_normal());
+        STRV_FOREACH(i, global_info.dns) {
+                printf("          %s %s\n",
+                       i == global_info.dns ? "DNS Server:" : "           ",
+                       *i);
+        }
+
+        STRV_FOREACH(i, global_info.domains) {
+                printf("          %s %s\n",
+                       i == global_info.domains ? "DNS Domain:" : "           ",
+                       *i);
+        }
+
+        strv_sort(global_info.ntas);
+        STRV_FOREACH(i, global_info.ntas) {
+                printf("          %s %s\n",
+                       i == global_info.ntas ? "DNSSEC NTA:" : "           ",
+                       *i);
+        }
+
+        *empty_line = true;
+
+        r = 0;
+
+finish:
+        strv_free(global_info.dns);
+        strv_free(global_info.domains);
+        strv_free(global_info.ntas);
+
+        return r;
+}
+
+static int status_all(sd_bus *bus) {
+        _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL, *reply = NULL;
+        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
+        sd_netlink_message *i;
+        bool empty_line = true;
+        int r;
+
+        assert(bus);
+
+        r = status_global(bus, &empty_line);
+        if (r < 0)
+                return r;
+
+        r = sd_netlink_open(&rtnl);
+        if (r < 0)
+                return log_error_errno(r, "Failed to connect to netlink: %m");
+
+        r = sd_rtnl_message_new_link(rtnl, &req, RTM_GETLINK, 0);
+        if (r < 0)
+                return rtnl_log_create_error(r);
+
+        r = sd_netlink_message_request_dump(req, true);
+        if (r < 0)
+                return rtnl_log_create_error(r);
+
+        r = sd_netlink_call(rtnl, req, 0, &reply);
+        if (r < 0)
+                return log_error_errno(r, "Failed to enumerate links: %m");
+
+        r = 0;
+        for (i = reply; i; i = sd_netlink_message_next(i)) {
+                const char *name;
+                int ifindex, q;
+                uint16_t type;
+
+                q = sd_netlink_message_get_type(i, &type);
+                if (q < 0)
+                        return rtnl_log_parse_error(q);
+
+                if (type != RTM_NEWLINK)
+                        continue;
+
+                q = sd_rtnl_message_link_get_ifindex(i, &ifindex);
+                if (q < 0)
+                        return rtnl_log_parse_error(q);
+
+                if (ifindex == LOOPBACK_IFINDEX)
+                        continue;
+
+                q = sd_netlink_message_read_string(i, IFLA_IFNAME, &name);
+                if (q < 0)
+                        return rtnl_log_parse_error(q);
+
+                q = status_ifindex(bus, ifindex, name, &empty_line);
+                if (q < 0 && r >= 0)
+                        r = q;
+        }
+
+        return r;
+}
+
 static void help_protocol_types(void) {
         if (arg_legend)
                 puts("Known protocol types:");
@@ -1038,8 +1510,8 @@ static void help_protocol_types(void) {
 }
 
 static void help_dns_types(void) {
-        int i;
         const char *t;
+        int i;
 
         if (arg_legend)
                 puts("Known DNS RR types:");
@@ -1051,8 +1523,8 @@ static void help_dns_types(void) {
 }
 
 static void help_dns_classes(void) {
-        int i;
         const char *t;
+        int i;
 
         if (arg_legend)
                 puts("Known DNS RR classes:");
@@ -1073,6 +1545,7 @@ static void help(void) {
                "Resolve domain names, IPv4 and IPv6 addresses, DNS resource records, and services.\n\n"
                "  -h --help                 Show this help\n"
                "     --version              Show package version\n"
+               "     --no-pager             Do not pipe output into a pager\n"
                "  -4                        Resolve IPv4 addresses\n"
                "  -6                        Resolve IPv6 addresses\n"
                "  -i --interface=INTERFACE  Look on interface\n"
@@ -1091,6 +1564,7 @@ static void help(void) {
                "     --legend=BOOL          Print headers and additional info (default: yes)\n"
                "     --statistics           Show resolver statistics\n"
                "     --reset-statistics     Reset resolver statistics\n"
+               "     --status               Show link and server status\n"
                "     --flush-caches         Flush all local DNS caches\n"
                , program_invocation_short_name);
 }
@@ -1109,7 +1583,9 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_SEARCH,
                 ARG_STATISTICS,
                 ARG_RESET_STATISTICS,
+                ARG_STATUS,
                 ARG_FLUSH_CACHES,
+                ARG_NO_PAGER,
         };
 
         static const struct option options[] = {
@@ -1130,7 +1606,9 @@ static int parse_argv(int argc, char *argv[]) {
                 { "search",           required_argument, NULL, ARG_SEARCH           },
                 { "statistics",       no_argument,       NULL, ARG_STATISTICS,      },
                 { "reset-statistics", no_argument,       NULL, ARG_RESET_STATISTICS },
+                { "status",           no_argument,       NULL, ARG_STATUS           },
                 { "flush-caches",     no_argument,       NULL, ARG_FLUSH_CACHES     },
+                { "no-pager",         no_argument,       NULL, ARG_NO_PAGER         },
                 {}
         };
 
@@ -1308,6 +1786,14 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_mode = MODE_FLUSH_CACHES;
                         break;
 
+                case ARG_STATUS:
+                        arg_mode = MODE_STATUS;
+                        break;
+
+                case ARG_NO_PAGER:
+                        arg_no_pager = true;
+                        break;
+
                 case '?':
                         return -EINVAL;
 
@@ -1484,8 +1970,38 @@ int main(int argc, char **argv) {
 
                 r = flush_caches(bus);
                 break;
+
+        case MODE_STATUS:
+
+                if (argc > optind) {
+                        char **ifname;
+                        bool empty_line = false;
+
+                        r = 0;
+                        STRV_FOREACH(ifname, argv + optind) {
+                                int ifindex, q;
+
+                                q = parse_ifindex(argv[optind], &ifindex);
+                                if (q < 0) {
+                                        ifindex = if_nametoindex(argv[optind]);
+                                        if (ifindex <= 0) {
+                                                log_error_errno(errno, "Failed to resolve interface name: %s", argv[optind]);
+                                                continue;
+                                        }
+                                }
+
+                                q = status_ifindex(bus, ifindex, NULL, &empty_line);
+                                if (q < 0 && r >= 0)
+                                        r = q;
+                        }
+                } else
+                        r = status_all(bus);
+
+                break;
         }
 
 finish:
+        pager_close();
+
         return r == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 }
diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c
index f08c6c0637..2ca65e6953 100644
--- a/src/resolve/resolved-bus.c
+++ b/src/resolve/resolved-bus.c
@@ -647,6 +647,8 @@ static int bus_method_resolve_record(sd_bus_message *message, void *userdata, sd
 
         if (!dns_type_is_valid_query(type))
                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Specified resource record type %" PRIu16 " may not be used in a query.", type);
+        if (dns_type_is_zone_transer(type))
+                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Zone transfers not permitted via this programming interface.");
         if (dns_type_is_obsolete(type))
                 return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Specified DNS resource record type %" PRIu16 " is obsolete.", type);
 
@@ -670,6 +672,10 @@ static int bus_method_resolve_record(sd_bus_message *message, void *userdata, sd
         if (r < 0)
                 return r;
 
+        /* Let's request that the TTL is fixed up for locally cached entries, after all we return it in the wire format
+         * blob */
+        q->clamp_ttl = true;
+
         q->request = sd_bus_message_ref(message);
         q->complete = bus_method_resolve_record_complete;
 
@@ -1414,6 +1420,36 @@ static int bus_property_get_dnssec_supported(
         return sd_bus_message_append(reply, "b", manager_dnssec_supported(m));
 }
 
+static int bus_property_get_ntas(
+                sd_bus *bus,
+                const char *path,
+                const char *interface,
+                const char *property,
+                sd_bus_message *reply,
+                void *userdata,
+                sd_bus_error *error) {
+
+        Manager *m = userdata;
+        const char *domain;
+        Iterator i;
+        int r;
+
+        assert(reply);
+        assert(m);
+
+        r = sd_bus_message_open_container(reply, 'a', "s");
+        if (r < 0)
+                return r;
+
+        SET_FOREACH(domain, m->trust_anchor.negative_by_name, i) {
+                r = sd_bus_message_append(reply, "s", domain);
+                if (r < 0)
+                        return r;
+        }
+
+        return sd_bus_message_close_container(reply);
+}
+
 static int bus_method_reset_statistics(sd_bus_message *message, void *userdata, sd_bus_error *error) {
         Manager *m = userdata;
         DnsScope *s;
@@ -1540,6 +1576,7 @@ static const sd_bus_vtable resolve_vtable[] = {
         SD_BUS_PROPERTY("CacheStatistics", "(ttt)", bus_property_get_cache_statistics, 0, 0),
         SD_BUS_PROPERTY("DNSSECStatistics", "(tttt)", bus_property_get_dnssec_statistics, 0, 0),
         SD_BUS_PROPERTY("DNSSECSupported", "b", bus_property_get_dnssec_supported, 0, 0),
+        SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", bus_property_get_ntas, 0, 0),
 
         SD_BUS_METHOD("ResolveHostname", "isit", "a(iiay)st", bus_method_resolve_hostname, SD_BUS_VTABLE_UNPRIVILEGED),
         SD_BUS_METHOD("ResolveAddress", "iiayt", "a(is)t", bus_method_resolve_address, SD_BUS_VTABLE_UNPRIVILEGED),
diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c
index fecf7ecccf..dd233e7c4a 100644
--- a/src/resolve/resolved-conf.c
+++ b/src/resolve/resolved-conf.c
@@ -37,6 +37,10 @@ int manager_add_dns_server_by_string(Manager *m, DnsServerType type, const char
         if (r < 0)
                 return r;
 
+        /* Silently filter out 0.0.0.0 and 127.0.0.53 (our own stub DNS listener) */
+        if (!dns_server_address_valid(family, &address))
+                return 0;
+
         /* Filter out duplicates */
         s = dns_server_find(manager_get_first_dns_server(m, type), family, &address, ifindex);
         if (s) {
diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h
index b2b86d1772..4a92bd1150 100644
--- a/src/resolve/resolved-dns-answer.h
+++ b/src/resolve/resolved-dns-answer.h
@@ -87,6 +87,10 @@ static inline unsigned dns_answer_size(DnsAnswer *a) {
         return a ? a->n_rrs : 0;
 }
 
+static inline bool dns_answer_isempty(DnsAnswer *a) {
+        return dns_answer_size(a) <= 0;
+}
+
 void dns_answer_dump(DnsAnswer *answer, FILE *f);
 
 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsAnswer*, dns_answer_unref);
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index 77c42d7aad..87f7c21d03 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -624,6 +624,12 @@ int dns_cache_put(
 
         dns_cache_remove_previous(c, key, answer);
 
+        /* We only care for positive replies and NXDOMAINs, on all
+         * other replies we will simply flush the respective entries,
+         * and that's it */
+        if (!IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN))
+                return 0;
+
         if (dns_answer_size(answer) <= 0) {
                 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
 
@@ -632,12 +638,6 @@ int dns_cache_put(
                 return 0;
         }
 
-        /* We only care for positive replies and NXDOMAINs, on all
-         * other replies we will simply flush the respective entries,
-         * and that's it */
-        if (!IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN))
-                return 0;
-
         cache_keys = dns_answer_size(answer);
         if (key)
                 cache_keys++;
@@ -790,7 +790,7 @@ static DnsCacheItem *dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache *c, D
         return NULL;
 }
 
-int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **ret, bool *authenticated) {
+int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, bool clamp_ttl, int *rcode, DnsAnswer **ret, bool *authenticated) {
         _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
         char key_str[DNS_RESOURCE_KEY_STRING_MAX];
         unsigned n = 0;
@@ -798,6 +798,7 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r
         bool nxdomain = false;
         DnsCacheItem *j, *first, *nsec = NULL;
         bool have_authenticated = false, have_non_authenticated = false;
+        usec_t current;
 
         assert(c);
         assert(key);
@@ -892,11 +893,24 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r
         if (!answer)
                 return -ENOMEM;
 
+        if (clamp_ttl)
+                current = now(clock_boottime_or_monotonic());
+
         LIST_FOREACH(by_key, j, first) {
+                _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
+
                 if (!j->rr)
                         continue;
 
-                r = dns_answer_add(answer, j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0);
+                if (clamp_ttl) {
+                        rr = dns_resource_record_ref(j->rr);
+
+                        r = dns_resource_record_clamp_ttl(&rr, LESS_BY(j->until, current) / USEC_PER_SEC);
+                        if (r < 0)
+                                return r;
+                }
+
+                r = dns_answer_add(answer, rr ?: j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0);
                 if (r < 0)
                         return r;
         }
diff --git a/src/resolve/resolved-dns-cache.h b/src/resolve/resolved-dns-cache.h
index 2293718e86..22a7c17377 100644
--- a/src/resolve/resolved-dns-cache.h
+++ b/src/resolve/resolved-dns-cache.h
@@ -40,7 +40,7 @@ void dns_cache_flush(DnsCache *c);
 void dns_cache_prune(DnsCache *c);
 
 int dns_cache_put(DnsCache *c, DnsResourceKey *key, int rcode, DnsAnswer *answer, bool authenticated, uint32_t nsec_ttl, usec_t timestamp, int owner_family, const union in_addr_union *owner_address);
-int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **answer, bool *authenticated);
+int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, bool clamp_ttl, int *rcode, DnsAnswer **answer, bool *authenticated);
 
 int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address);
 
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index b7907bb511..ea0be56d98 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -264,6 +264,7 @@ int dns_packet_validate_query(DnsPacket *p) {
         switch (p->protocol) {
 
         case DNS_PROTOCOL_LLMNR:
+        case DNS_PROTOCOL_DNS:
                 /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */
                 if (DNS_PACKET_QDCOUNT(p) != 1)
                         return -EBADMSG;
@@ -676,13 +677,15 @@ fail:
 }
 
 /* Append the OPT pseudo-RR described in RFC6891 */
-int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, size_t *start) {
+int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, int rcode, size_t *start) {
         size_t saved_size;
         int r;
 
         assert(p);
         /* we must never advertise supported packet size smaller than the legacy max */
         assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX);
+        assert(rcode >= 0);
+        assert(rcode <= _DNS_RCODE_MAX);
 
         if (p->opt_start != (size_t) -1)
                 return -EBUSY;
@@ -701,13 +704,13 @@ int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, si
         if (r < 0)
                 goto fail;
 
-        /* maximum udp packet that can be received */
+        /* class: maximum udp packet that can be received */
         r = dns_packet_append_uint16(p, max_udp_size, NULL);
         if (r < 0)
                 goto fail;
 
         /* extended RCODE and VERSION */
-        r = dns_packet_append_uint16(p, 0, NULL);
+        r = dns_packet_append_uint16(p, ((uint16_t) rcode & 0x0FF0) << 4, NULL);
         if (r < 0)
                 goto fail;
 
@@ -717,9 +720,8 @@ int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, si
                 goto fail;
 
         /* RDLENGTH */
-
-        if (edns0_do) {
-                /* If DO is on, also append RFC6975 Algorithm data */
+        if (edns0_do & !DNS_PACKET_QR(p)) {
+                /* If DO is on and this is not a reply, also append RFC6975 Algorithm data */
 
                 static const uint8_t rfc6975[] = {
 
@@ -750,7 +752,6 @@ int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, si
                 r = dns_packet_append_blob(p, rfc6975, sizeof(rfc6975), NULL);
         } else
                 r = dns_packet_append_uint16(p, 0, NULL);
-
         if (r < 0)
                 goto fail;
 
@@ -791,6 +792,7 @@ int dns_packet_truncate_opt(DnsPacket *p) {
 }
 
 int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start, size_t *rdata_start) {
+
         size_t saved_size, rdlength_offset, end, rdlength, rds;
         int r;
 
@@ -1134,6 +1136,36 @@ fail:
         return r;
 }
 
+int dns_packet_append_question(DnsPacket *p, DnsQuestion *q) {
+        DnsResourceKey *key;
+        int r;
+
+        assert(p);
+
+        DNS_QUESTION_FOREACH(key, q) {
+                r = dns_packet_append_key(p, key, NULL);
+                if (r < 0)
+                        return r;
+        }
+
+        return 0;
+}
+
+int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a) {
+        DnsResourceRecord *rr;
+        int r;
+
+        assert(p);
+
+        DNS_ANSWER_FOREACH(rr, a) {
+                r = dns_packet_append_rr(p, rr, NULL, NULL);
+                if (r < 0)
+                        return r;
+        }
+
+        return 0;
+}
+
 int dns_packet_read(DnsPacket *p, size_t sz, const void **ret, size_t *start) {
         assert(p);
 
@@ -2029,8 +2061,10 @@ static bool opt_is_good(DnsResourceRecord *rr, bool *rfc6975) {
         assert(rr->key->type == DNS_TYPE_OPT);
 
         /* Check that the version is 0 */
-        if (((rr->ttl >> 16) & UINT32_C(0xFF)) != 0)
-                return false;
+        if (((rr->ttl >> 16) & UINT32_C(0xFF)) != 0) {
+                *rfc6975 = false;
+                return true; /* if it's not version 0, it's OK, but we will ignore the OPT field contents */
+        }
 
         p = rr->opt.data;
         l = rr->opt.data_size;
@@ -2153,16 +2187,27 @@ int dns_packet_extract(DnsPacket *p) {
                                         continue;
                                 }
 
-                                if (has_rfc6975) {
-                                        /* If the OPT RR contains RFC6975 algorithm data, then this is indication that
-                                         * the server just copied the OPT it got from us (which contained that data)
-                                         * back into the reply. If so, then it doesn't properly support EDNS, as
-                                         * RFC6975 makes it very clear that the algorithm data should only be contained
-                                         * in questions, never in replies. Crappy Belkin routers copy the OPT data for
-                                         * example, hence let's detect this so that we downgrade early. */
-                                        log_debug("OPT RR contained RFC6975 data, ignoring.");
-                                        bad_opt = true;
-                                        continue;
+                                if (DNS_PACKET_QR(p)) {
+                                        /* Additional checks for responses */
+
+                                        if (!DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(rr)) {
+                                                /* If this is a reply and we don't know the EDNS version then something
+                                                 * is weird... */
+                                                log_debug("EDNS version newer that our request, bad server.");
+                                                return -EBADMSG;
+                                        }
+
+                                        if (has_rfc6975) {
+                                                /* If the OPT RR contains RFC6975 algorithm data, then this is indication that
+                                                 * the server just copied the OPT it got from us (which contained that data)
+                                                 * back into the reply. If so, then it doesn't properly support EDNS, as
+                                                 * RFC6975 makes it very clear that the algorithm data should only be contained
+                                                 * in questions, never in replies. Crappy Belkin routers copy the OPT data for
+                                                 * example, hence let's detect this so that we downgrade early. */
+                                                log_debug("OPT RR contained RFC6975 data, ignoring.");
+                                                bad_opt = true;
+                                                continue;
+                                        }
                                 }
 
                                 p->opt = dns_resource_record_ref(rr);
diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
index 416335d0a2..7b7d4e14c9 100644
--- a/src/resolve/resolved-dns-packet.h
+++ b/src/resolve/resolved-dns-packet.h
@@ -118,6 +118,8 @@ static inline uint8_t* DNS_PACKET_DATA(DnsPacket *p) {
 #define DNS_PACKET_AD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 5) & 1)
 #define DNS_PACKET_CD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 4) & 1)
 
+#define DNS_PACKET_FLAG_TC (UINT16_C(1) << 9)
+
 static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) {
         uint16_t rcode;
 
@@ -126,7 +128,34 @@ static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) {
         else
                 rcode = 0;
 
-        return rcode | (be16toh(DNS_PACKET_HEADER(p)->flags) & 15);
+        return rcode | (be16toh(DNS_PACKET_HEADER(p)->flags) & 0xF);
+}
+
+static inline uint16_t DNS_PACKET_PAYLOAD_SIZE_MAX(DnsPacket *p) {
+
+        /* Returns the advertised maximum datagram size for replies, or the DNS default if there's nothing defined. */
+
+        if (p->opt)
+                return MAX(DNS_PACKET_UNICAST_SIZE_MAX, p->opt->key->class);
+
+        return DNS_PACKET_UNICAST_SIZE_MAX;
+}
+
+static inline bool DNS_PACKET_DO(DnsPacket *p) {
+        if (!p->opt)
+                return false;
+
+        return !!(p->opt->ttl & (1U << 15));
+}
+
+static inline bool DNS_PACKET_VERSION_SUPPORTED(DnsPacket *p) {
+        /* Returns true if this packet is in a version we support. Which means either non-EDNS or EDNS(0), but not EDNS
+         * of any newer versions */
+
+        if (!p->opt)
+                return true;
+
+        return DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(p->opt);
 }
 
 /* LLMNR defines some bits differently */
@@ -182,7 +211,9 @@ int dns_packet_append_label(DnsPacket *p, const char *s, size_t l, bool canonica
 int dns_packet_append_name(DnsPacket *p, const char *name, bool allow_compression, bool canonical_candidate, size_t *start);
 int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *key, size_t *start);
 int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start, size_t *rdata_start);
-int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, size_t *start);
+int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, int rcode, size_t *start);
+int dns_packet_append_question(DnsPacket *p, DnsQuestion *q);
+int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a);
 
 void dns_packet_truncate(DnsPacket *p, size_t sz);
 int dns_packet_truncate_opt(DnsPacket *p);
@@ -232,7 +263,8 @@ enum {
         DNS_RCODE_BADNAME = 20,
         DNS_RCODE_BADALG = 21,
         DNS_RCODE_BADTRUNC = 22,
-        _DNS_RCODE_MAX_DEFINED
+        _DNS_RCODE_MAX_DEFINED,
+        _DNS_RCODE_MAX = 4095 /* 4 bit rcode in the header plus 8 bit rcode in OPT, makes 12 bit */
 };
 
 const char* dns_rcode_to_string(int i) _const_;
diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index ea04e58d61..c8af5579f0 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -154,6 +154,7 @@ static int dns_query_candidate_add_transaction(DnsQueryCandidate *c, DnsResource
                 goto gc;
         }
 
+        t->clamp_ttl = c->query->clamp_ttl;
         return 1;
 
 gc:
@@ -403,6 +404,16 @@ DnsQuery *dns_query_free(DnsQuery *q) {
         sd_bus_message_unref(q->request);
         sd_bus_track_unref(q->bus_track);
 
+        dns_packet_unref(q->request_dns_packet);
+
+        if (q->request_dns_stream) {
+                /* Detach the stream from our query, in case something else keeps a reference to it. */
+                q->request_dns_stream->complete = NULL;
+                q->request_dns_stream->on_packet = NULL;
+                q->request_dns_stream->query = NULL;
+                dns_stream_unref(q->request_dns_stream);
+        }
+
         free(q->request_address_string);
 
         if (q->manager) {
@@ -420,7 +431,8 @@ int dns_query_new(
                 DnsQuery **ret,
                 DnsQuestion *question_utf8,
                 DnsQuestion *question_idna,
-                int ifindex, uint64_t flags) {
+                int ifindex,
+                uint64_t flags) {
 
         _cleanup_(dns_query_freep) DnsQuery *q = NULL;
         DnsResourceKey *key;
diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h
index c2ac02f68b..49a35b846b 100644
--- a/src/resolve/resolved-dns-query.h
+++ b/src/resolve/resolved-dns-query.h
@@ -71,6 +71,10 @@ struct DnsQuery {
          * family */
         bool suppress_unroutable_family;
 
+
+        /* If true, the RR TTLs of the answer will be clamped by their current left validity in the cache */
+        bool clamp_ttl;
+
         DnsTransactionState state;
         unsigned n_cname_redirects;
 
@@ -95,6 +99,10 @@ struct DnsQuery {
         unsigned block_all_complete;
         char *request_address_string;
 
+        /* DNS stub information */
+        DnsPacket *request_dns_packet;
+        DnsStream *request_dns_stream;
+
         /* Completion callback */
         void (*complete)(DnsQuery* q);
         unsigned block_ready;
diff --git a/src/resolve/resolved-dns-question.h b/src/resolve/resolved-dns-question.h
index ea41478975..a9a1863b1e 100644
--- a/src/resolve/resolved-dns-question.h
+++ b/src/resolve/resolved-dns-question.h
@@ -56,6 +56,10 @@ static inline unsigned dns_question_size(DnsQuestion *q) {
         return q ? q->n_keys : 0;
 }
 
+static inline bool dns_question_isempty(DnsQuestion *q) {
+        return dns_question_size(q) <= 0;
+}
+
 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuestion*, dns_question_unref);
 
 #define _DNS_QUESTION_FOREACH(u, key, q)                                \
diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c
index 6a29a93a26..5687588a7d 100644
--- a/src/resolve/resolved-dns-rr.c
+++ b/src/resolve/resolved-dns-rr.c
@@ -1532,6 +1532,232 @@ const struct hash_ops dns_resource_record_hash_ops = {
         .compare = dns_resource_record_compare_func,
 };
 
+DnsResourceRecord *dns_resource_record_copy(DnsResourceRecord *rr) {
+        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *copy = NULL;
+        DnsResourceRecord *t;
+
+        assert(rr);
+
+        copy = dns_resource_record_new(rr->key);
+        if (!copy)
+                return NULL;
+
+        copy->ttl = rr->ttl;
+        copy->expiry = rr->expiry;
+        copy->n_skip_labels_signer = rr->n_skip_labels_signer;
+        copy->n_skip_labels_source = rr->n_skip_labels_source;
+        copy->unparseable = rr->unparseable;
+
+        switch (rr->unparseable ? _DNS_TYPE_INVALID : rr->key->type) {
+
+        case DNS_TYPE_SRV:
+                copy->srv.priority = rr->srv.priority;
+                copy->srv.weight = rr->srv.weight;
+                copy->srv.port = rr->srv.port;
+                copy->srv.name = strdup(rr->srv.name);
+                if (!copy->srv.name)
+                        return NULL;
+                break;
+
+        case DNS_TYPE_PTR:
+        case DNS_TYPE_NS:
+        case DNS_TYPE_CNAME:
+        case DNS_TYPE_DNAME:
+                copy->ptr.name = strdup(rr->ptr.name);
+                if (!copy->ptr.name)
+                        return NULL;
+                break;
+
+        case DNS_TYPE_HINFO:
+                copy->hinfo.cpu = strdup(rr->hinfo.cpu);
+                if (!copy->hinfo.cpu)
+                        return NULL;
+
+                copy->hinfo.os = strdup(rr->hinfo.os);
+                if(!copy->hinfo.os)
+                        return NULL;
+                break;
+
+        case DNS_TYPE_TXT:
+        case DNS_TYPE_SPF:
+                copy->txt.items = dns_txt_item_copy(rr->txt.items);
+                if (!copy->txt.items)
+                        return NULL;
+                break;
+
+        case DNS_TYPE_A:
+                copy->a = rr->a;
+                break;
+
+        case DNS_TYPE_AAAA:
+                copy->aaaa = rr->aaaa;
+                break;
+
+        case DNS_TYPE_SOA:
+                copy->soa.mname = strdup(rr->soa.mname);
+                if (!copy->soa.mname)
+                        return NULL;
+                copy->soa.rname = strdup(rr->soa.rname);
+                if (!copy->soa.rname)
+                        return NULL;
+                copy->soa.serial = rr->soa.serial;
+                copy->soa.refresh = rr->soa.refresh;
+                copy->soa.retry = rr->soa.retry;
+                copy->soa.expire = rr->soa.expire;
+                copy->soa.minimum = rr->soa.minimum;
+                break;
+
+        case DNS_TYPE_MX:
+                copy->mx.priority = rr->mx.priority;
+                copy->mx.exchange = strdup(rr->mx.exchange);
+                if (!copy->mx.exchange)
+                        return NULL;
+                break;
+
+        case DNS_TYPE_LOC:
+                copy->loc = rr->loc;
+                break;
+
+        case DNS_TYPE_SSHFP:
+                copy->sshfp.algorithm = rr->sshfp.algorithm;
+                copy->sshfp.fptype = rr->sshfp.fptype;
+                copy->sshfp.fingerprint = memdup(rr->sshfp.fingerprint, rr->sshfp.fingerprint_size);
+                if (!copy->sshfp.fingerprint)
+                        return NULL;
+                copy->sshfp.fingerprint_size = rr->sshfp.fingerprint_size;
+                break;
+
+        case DNS_TYPE_DNSKEY:
+                copy->dnskey.flags = rr->dnskey.flags;
+                copy->dnskey.protocol = rr->dnskey.protocol;
+                copy->dnskey.algorithm = rr->dnskey.algorithm;
+                copy->dnskey.key = memdup(rr->dnskey.key, rr->dnskey.key_size);
+                if (!copy->dnskey.key)
+                        return NULL;
+                copy->dnskey.key_size = rr->dnskey.key_size;
+                break;
+
+        case DNS_TYPE_RRSIG:
+                copy->rrsig.type_covered = rr->rrsig.type_covered;
+                copy->rrsig.algorithm = rr->rrsig.algorithm;
+                copy->rrsig.labels = rr->rrsig.labels;
+                copy->rrsig.original_ttl = rr->rrsig.original_ttl;
+                copy->rrsig.expiration = rr->rrsig.expiration;
+                copy->rrsig.inception = rr->rrsig.inception;
+                copy->rrsig.key_tag = rr->rrsig.key_tag;
+                copy->rrsig.signer = strdup(rr->rrsig.signer);
+                if (!copy->rrsig.signer)
+                        return NULL;
+                copy->rrsig.signature = memdup(rr->rrsig.signature, rr->rrsig.signature_size);
+                if (!copy->rrsig.signature)
+                        return NULL;
+                copy->rrsig.signature_size = rr->rrsig.signature_size;
+                break;
+
+        case DNS_TYPE_NSEC:
+                copy->nsec.next_domain_name = strdup(rr->nsec.next_domain_name);
+                if (!copy->nsec.next_domain_name)
+                        return NULL;
+                copy->nsec.types = bitmap_copy(rr->nsec.types);
+                if (!copy->nsec.types)
+                        return NULL;
+                break;
+
+        case DNS_TYPE_DS:
+                copy->ds.key_tag = rr->ds.key_tag;
+                copy->ds.algorithm = rr->ds.algorithm;
+                copy->ds.digest_type = rr->ds.digest_type;
+                copy->ds.digest = memdup(rr->ds.digest, rr->ds.digest_size);
+                if (!copy->ds.digest)
+                        return NULL;
+                copy->ds.digest_size = rr->ds.digest_size;
+                break;
+
+        case DNS_TYPE_NSEC3:
+                copy->nsec3.algorithm = rr->nsec3.algorithm;
+                copy->nsec3.flags = rr->nsec3.flags;
+                copy->nsec3.iterations = rr->nsec3.iterations;
+                copy->nsec3.salt = memdup(rr->nsec3.salt, rr->nsec3.salt_size);
+                if (!copy->nsec3.salt)
+                        return NULL;
+                copy->nsec3.salt_size = rr->nsec3.salt_size;
+                copy->nsec3.next_hashed_name = memdup(rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size);
+                if (!copy->nsec3.next_hashed_name_size)
+                        return NULL;
+                copy->nsec3.next_hashed_name_size = rr->nsec3.next_hashed_name_size;
+                copy->nsec3.types = bitmap_copy(rr->nsec3.types);
+                if (!copy->nsec3.types)
+                        return NULL;
+                break;
+
+        case DNS_TYPE_TLSA:
+                copy->tlsa.cert_usage = rr->tlsa.cert_usage;
+                copy->tlsa.selector = rr->tlsa.selector;
+                copy->tlsa.matching_type = rr->tlsa.matching_type;
+                copy->tlsa.data = memdup(rr->tlsa.data, rr->tlsa.data_size);
+                if (!copy->tlsa.data)
+                        return NULL;
+                copy->tlsa.data_size = rr->tlsa.data_size;
+                break;
+
+        case DNS_TYPE_CAA:
+                copy->caa.flags = rr->caa.flags;
+                copy->caa.tag = strdup(rr->caa.tag);
+                if (!copy->caa.tag)
+                        return NULL;
+                copy->caa.value = memdup(rr->caa.value, rr->caa.value_size);
+                if (!copy->caa.value)
+                        return NULL;
+                copy->caa.value_size = rr->caa.value_size;
+                break;
+
+        case DNS_TYPE_OPT:
+        default:
+                copy->generic.data = memdup(rr->generic.data, rr->generic.data_size);
+                if (!copy->generic.data)
+                        return NULL;
+                copy->generic.data_size = rr->generic.data_size;
+                break;
+        }
+
+        t = copy;
+        copy = NULL;
+
+        return t;
+}
+
+int dns_resource_record_clamp_ttl(DnsResourceRecord **rr, uint32_t max_ttl) {
+        DnsResourceRecord *old_rr, *new_rr;
+        uint32_t new_ttl;
+
+        assert(rr);
+        old_rr = *rr;
+
+        if (old_rr->key->type == DNS_TYPE_OPT)
+                return -EINVAL;
+
+        new_ttl = MIN(old_rr->ttl, max_ttl);
+        if (new_ttl == old_rr->ttl)
+                return 0;
+
+        if (old_rr->n_ref == 1) {
+                /* Patch in place */
+                old_rr->ttl = new_ttl;
+                return 1;
+        }
+
+        new_rr = dns_resource_record_copy(old_rr);
+        if (!new_rr)
+                return -ENOMEM;
+
+        new_rr->ttl = new_ttl;
+
+        dns_resource_record_unref(*rr);
+        *rr = new_rr;
+
+        return 1;
+}
+
 DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i) {
         DnsTxtItem *n;
 
@@ -1564,6 +1790,25 @@ bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b) {
         return dns_txt_item_equal(a->items_next, b->items_next);
 }
 
+DnsTxtItem *dns_txt_item_copy(DnsTxtItem *first) {
+        DnsTxtItem *i, *copy = NULL, *end = NULL;
+
+        LIST_FOREACH(items, i, first) {
+                DnsTxtItem *j;
+
+                j = memdup(i, offsetof(DnsTxtItem, data) + i->length + 1);
+                if (!j) {
+                        dns_txt_item_free_all(copy);
+                        return NULL;
+                }
+
+                LIST_INSERT_AFTER(items, copy, end, j);
+                end = j;
+        }
+
+        return copy;
+}
+
 static const char* const dnssec_algorithm_table[_DNSSEC_ALGORITHM_MAX_DEFINED] = {
         /* Mnemonics as listed on https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml */
         [DNSSEC_ALGORITHM_RSAMD5]             = "RSAMD5",
diff --git a/src/resolve/resolved-dns-rr.h b/src/resolve/resolved-dns-rr.h
index 020a2abd77..42d39a1251 100644
--- a/src/resolve/resolved-dns-rr.h
+++ b/src/resolve/resolved-dns-rr.h
@@ -282,6 +282,13 @@ static inline size_t DNS_RESOURCE_RECORD_RDATA_SIZE(DnsResourceRecord *rr) {
         return rr->wire_format_size - rr->wire_format_rdata_offset;
 }
 
+static inline uint8_t DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(DnsResourceRecord *rr) {
+        assert(rr);
+        assert(rr->key->type == DNS_TYPE_OPT);
+
+        return ((rr->ttl >> 16) & 0xFF) == 0;
+}
+
 DnsResourceKey* dns_resource_key_new(uint16_t class, uint16_t type, const char *name);
 DnsResourceKey* dns_resource_key_new_redirect(const DnsResourceKey *key, const DnsResourceRecord *cname);
 int dns_resource_key_new_append_suffix(DnsResourceKey **ret, DnsResourceKey *key, char *name);
@@ -318,6 +325,7 @@ int dns_resource_record_new_reverse(DnsResourceRecord **ret, int family, const u
 int dns_resource_record_new_address(DnsResourceRecord **ret, int family, const union in_addr_union *address, const char *name);
 int dns_resource_record_equal(const DnsResourceRecord *a, const DnsResourceRecord *b);
 const char* dns_resource_record_to_string(DnsResourceRecord *rr);
+DnsResourceRecord *dns_resource_record_copy(DnsResourceRecord *rr);
 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceRecord*, dns_resource_record_unref);
 
 int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical);
@@ -327,8 +335,11 @@ int dns_resource_record_source(DnsResourceRecord *rr, const char **ret);
 int dns_resource_record_is_signer(DnsResourceRecord *rr, const char *zone);
 int dns_resource_record_is_synthetic(DnsResourceRecord *rr);
 
+int dns_resource_record_clamp_ttl(DnsResourceRecord **rr, uint32_t max_ttl);
+
 DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i);
 bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b);
+DnsTxtItem *dns_txt_item_copy(DnsTxtItem *i);
 
 void dns_resource_record_hash_func(const void *i, struct siphash *state);
 
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index 9d484d0a48..ed0c6aa105 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -232,7 +232,7 @@ static int dns_scope_emit_one(DnsScope *s, int fd, DnsPacket *p) {
                 if (fd < 0)
                         return fd;
 
-                r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, p);
+                r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, NULL, p);
                 if (r < 0)
                         return r;
 
@@ -257,7 +257,7 @@ static int dns_scope_emit_one(DnsScope *s, int fd, DnsPacket *p) {
                 if (fd < 0)
                         return fd;
 
-                r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, p);
+                r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, NULL, p);
                 if (r < 0)
                         return r;
 
@@ -578,6 +578,7 @@ static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in
 }
 
 int dns_scope_llmnr_membership(DnsScope *s, bool b) {
+        assert(s);
 
         if (s->protocol != DNS_PROTOCOL_LLMNR)
                 return 0;
@@ -586,6 +587,7 @@ int dns_scope_llmnr_membership(DnsScope *s, bool b) {
 }
 
 int dns_scope_mdns_membership(DnsScope *s, bool b) {
+        assert(s);
 
         if (s->protocol != DNS_PROTOCOL_MDNS)
                 return 0;
@@ -604,15 +606,14 @@ static int dns_scope_make_reply_packet(
                 DnsPacket **ret) {
 
         _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
-        unsigned i;
         int r;
 
         assert(s);
         assert(ret);
 
-        if ((!q || q->n_keys <= 0)
-            && (!answer || answer->n_rrs <= 0)
-            && (!soa || soa->n_rrs <= 0))
+        if (dns_question_isempty(q) &&
+            dns_answer_isempty(answer) &&
+            dns_answer_isempty(soa))
                 return -EINVAL;
 
         r = dns_packet_new(&p, s->protocol, 0);
@@ -631,35 +632,20 @@ static int dns_scope_make_reply_packet(
                                                               0 /* (cd) */,
                                                               rcode));
 
-        if (q) {
-                for (i = 0; i < q->n_keys; i++) {
-                        r = dns_packet_append_key(p, q->keys[i], NULL);
-                        if (r < 0)
-                                return r;
-                }
-
-                DNS_PACKET_HEADER(p)->qdcount = htobe16(q->n_keys);
-        }
-
-        if (answer) {
-                for (i = 0; i < answer->n_rrs; i++) {
-                        r = dns_packet_append_rr(p, answer->items[i].rr, NULL, NULL);
-                        if (r < 0)
-                                return r;
-                }
-
-                DNS_PACKET_HEADER(p)->ancount = htobe16(answer->n_rrs);
-        }
+        r = dns_packet_append_question(p, q);
+        if (r < 0)
+                return r;
+        DNS_PACKET_HEADER(p)->qdcount = htobe16(dns_question_size(q));
 
-        if (soa) {
-                for (i = 0; i < soa->n_rrs; i++) {
-                        r = dns_packet_append_rr(p, soa->items[i].rr, NULL, NULL);
-                        if (r < 0)
-                                return r;
-                }
+        r = dns_packet_append_answer(p, answer);
+        if (r < 0)
+                return r;
+        DNS_PACKET_HEADER(p)->ancount = htobe16(dns_answer_size(answer));
 
-                DNS_PACKET_HEADER(p)->arcount = htobe16(soa->n_rrs);
-        }
+        r = dns_packet_append_answer(p, soa);
+        if (r < 0)
+                return r;
+        DNS_PACKET_HEADER(p)->arcount = htobe16(dns_answer_size(soa));
 
         *ret = p;
         p = NULL;
@@ -668,25 +654,25 @@ static int dns_scope_make_reply_packet(
 }
 
 static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
-        unsigned n;
+        DnsResourceRecord *rr;
+        DnsResourceKey *key;
 
         assert(s);
         assert(p);
 
-        if (p->question)
-                for (n = 0; n < p->question->n_keys; n++)
-                        dns_zone_verify_conflicts(&s->zone, p->question->keys[n]);
-        if (p->answer)
-                for (n = 0; n < p->answer->n_rrs; n++)
-                        dns_zone_verify_conflicts(&s->zone, p->answer->items[n].rr->key);
+        DNS_QUESTION_FOREACH(key, p->question)
+                dns_zone_verify_conflicts(&s->zone, key);
+
+        DNS_ANSWER_FOREACH(rr, p->answer)
+                dns_zone_verify_conflicts(&s->zone, rr->key);
 }
 
 void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
-        _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
         _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
+        _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
         DnsResourceKey *key = NULL;
         bool tentative = false;
-        int r, fd;
+        int r;
 
         assert(s);
         assert(p);
@@ -708,7 +694,7 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
 
         r = dns_packet_extract(p);
         if (r < 0) {
-                log_debug_errno(r, "Failed to extract resources from incoming packet: %m");
+                log_debug_errno(r, "Failed to extract resource records from incoming packet: %m");
                 return;
         }
 
@@ -718,7 +704,7 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
                 return;
         }
 
-        assert(p->question->n_keys == 1);
+        assert(dns_question_size(p->question) == 1);
         key = p->question->keys[0];
 
         r = dns_zone_lookup(&s->zone, key, 0, &answer, &soa, &tentative);
@@ -738,9 +724,21 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
                 return;
         }
 
-        if (stream)
+        if (stream) {
                 r = dns_stream_write_packet(stream, reply);
-        else {
+                if (r < 0) {
+                        log_debug_errno(r, "Failed to enqueue reply packet: %m");
+                        return;
+                }
+
+                /* Let's take an extra reference on this stream, so that it stays around after returning. The reference
+                 * will be dangling until the stream is disconnected, and the default completion handler of the stream
+                 * will then unref the stream and destroy it */
+                if (DNS_STREAM_QUEUED(stream))
+                        dns_stream_ref(stream);
+        } else {
+                int fd;
+
                 if (!ratelimit_test(&s->ratelimit))
                         return;
 
@@ -762,12 +760,11 @@ void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
                  * verified uniqueness for all records. Also see RFC
                  * 4795, Section 2.7 */
 
-                r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, reply);
-        }
-
-        if (r < 0) {
-                log_debug_errno(r, "Failed to send reply packet: %m");
-                return;
+                r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, NULL, reply);
+                if (r < 0) {
+                        log_debug_errno(r, "Failed to send reply packet: %m");
+                        return;
+                }
         }
 }
 
diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 5acfcb4239..9b7b471600 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -21,6 +21,7 @@
 
 #include "alloc-util.h"
 #include "resolved-dns-server.h"
+#include "resolved-dns-stub.h"
 #include "resolved-resolv-conf.h"
 #include "siphash24.h"
 #include "string-table.h"
@@ -244,6 +245,26 @@ static void dns_server_verified(DnsServer *s, DnsServerFeatureLevel level) {
         assert_se(sd_event_now(s->manager->event, clock_boottime_or_monotonic(), &s->verified_usec) >= 0);
 }
 
+static void dns_server_reset_counters(DnsServer *s) {
+        assert(s);
+
+        s->n_failed_udp = 0;
+        s->n_failed_tcp = 0;
+        s->packet_truncated = false;
+        s->verified_usec = 0;
+
+        /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the
+         * grace period ends, but not when lowering the possible feature level, as a lower level feature level should
+         * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's
+         * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that
+         * either.
+         *
+         * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A),
+         * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not
+         * reenable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be
+         * incomplete. */
+}
+
 void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t rtt, size_t size) {
         assert(s);
 
@@ -304,17 +325,6 @@ void dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel le
         s->resend_timeout = MIN(s->resend_timeout * 2, DNS_TIMEOUT_MAX_USEC);
 }
 
-void dns_server_packet_failed(DnsServer *s, DnsServerFeatureLevel level) {
-        assert(s);
-
-        /* Invoked whenever we get a FORMERR, SERVFAIL or NOTIMP rcode from a server. */
-
-        if (s->possible_feature_level != level)
-                return;
-
-        s->packet_failed = true;
-}
-
 void dns_server_packet_truncated(DnsServer *s, DnsServerFeatureLevel level) {
         assert(s);
 
@@ -352,6 +362,24 @@ void dns_server_packet_bad_opt(DnsServer *s, DnsServerFeatureLevel level) {
         s->packet_bad_opt = true;
 }
 
+void dns_server_packet_rcode_downgrade(DnsServer *s, DnsServerFeatureLevel level) {
+        assert(s);
+
+        /* Invoked whenever we got a FORMERR, SERVFAIL or NOTIMP rcode from a server and downgrading the feature level
+         * for the transaction made it go away. In this case we immediately downgrade to the feature level that made
+         * things work. */
+
+        if (s->verified_feature_level > level)
+                s->verified_feature_level = level;
+
+        if (s->possible_feature_level > level) {
+                s->possible_feature_level = level;
+                dns_server_reset_counters(s);
+        }
+
+        log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", dns_server_string(s));
+}
+
 static bool dns_server_grace_period_expired(DnsServer *s) {
         usec_t ts;
 
@@ -371,27 +399,6 @@ static bool dns_server_grace_period_expired(DnsServer *s) {
         return true;
 }
 
-static void dns_server_reset_counters(DnsServer *s) {
-        assert(s);
-
-        s->n_failed_udp = 0;
-        s->n_failed_tcp = 0;
-        s->packet_failed = false;
-        s->packet_truncated = false;
-        s->verified_usec = 0;
-
-        /* Note that we do not reset s->packet_bad_opt and s->packet_rrsig_missing here. We reset them only when the
-         * grace period ends, but not when lowering the possible feature level, as a lower level feature level should
-         * not make RRSIGs appear or OPT appear, but rather make them disappear. If the reappear anyway, then that's
-         * indication for a differently broken OPT/RRSIG implementation, and we really don't want to support that
-         * either.
-         *
-         * This is particularly important to deal with certain Belkin routers which break OPT for certain lookups (A),
-         * but pass traffic through for others (AAAA). If we detect the broken behaviour on one lookup we should not
-         * reenable it for another, because we cannot validate things anyway, given that the RRSIG/OPT data will be
-         * incomplete. */
-}
-
 DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
         assert(s);
 
@@ -454,16 +461,6 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
                         log_debug("Lost too many UDP packets, downgrading feature level...");
                         s->possible_feature_level--;
 
-                } else if (s->packet_failed &&
-                           s->possible_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
-
-                        /* We got a failure packet, and are at a feature level above UDP. Note that in this case we
-                         * downgrade no further than UDP, under the assumption that a failure packet indicates an
-                         * incompatible packet contents, but not a problem with the transport. */
-
-                        log_debug("Got server failure, downgrading feature level...");
-                        s->possible_feature_level--;
-
                 } else if (s->n_failed_tcp >= DNS_SERVER_FEATURE_RETRY_ATTEMPTS &&
                            s->packet_truncated &&
                            s->possible_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
@@ -517,7 +514,7 @@ int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeature
         else
                 packet_size = server->received_udp_packet_max;
 
-        return dns_packet_append_opt(packet, packet_size, edns_do, NULL);
+        return dns_packet_append_opt(packet, packet_size, edns_do, 0, NULL);
 }
 
 int dns_server_ifindex(const DnsServer *s) {
@@ -750,6 +747,19 @@ void manager_next_dns_server(Manager *m) {
                 manager_set_dns_server(m, m->dns_servers);
 }
 
+bool dns_server_address_valid(int family, const union in_addr_union *sa) {
+
+        /* Refuses the 0 IP addresses as well as 127.0.0.53 (which is our own DNS stub) */
+
+        if (in_addr_is_null(family, sa))
+                return false;
+
+        if (family == AF_INET && sa->in.s_addr == htobe32(INADDR_DNS_STUB))
+                return false;
+
+        return true;
+}
+
 static const char* const dns_server_type_table[_DNS_SERVER_TYPE_MAX] = {
         [DNS_SERVER_SYSTEM] = "system",
         [DNS_SERVER_FALLBACK] = "fallback",
diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h
index 463c5724a7..c1732faffd 100644
--- a/src/resolve/resolved-dns-server.h
+++ b/src/resolve/resolved-dns-server.h
@@ -77,7 +77,6 @@ struct DnsServer {
         unsigned n_failed_udp;
         unsigned n_failed_tcp;
 
-        bool packet_failed:1;
         bool packet_truncated:1;
         bool packet_bad_opt:1;
         bool packet_rrsig_missing:1;
@@ -113,10 +112,10 @@ void dns_server_move_back_and_unmark(DnsServer *s);
 
 void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t rtt, size_t size);
 void dns_server_packet_lost(DnsServer *s, int protocol, DnsServerFeatureLevel level, usec_t usec);
-void dns_server_packet_failed(DnsServer *s, DnsServerFeatureLevel level);
 void dns_server_packet_truncated(DnsServer *s, DnsServerFeatureLevel level);
 void dns_server_packet_rrsig_missing(DnsServer *s, DnsServerFeatureLevel level);
 void dns_server_packet_bad_opt(DnsServer *s, DnsServerFeatureLevel level);
+void dns_server_packet_rcode_downgrade(DnsServer *s, DnsServerFeatureLevel level);
 
 DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s);
 
@@ -141,6 +140,8 @@ DnsServer *manager_set_dns_server(Manager *m, DnsServer *s);
 DnsServer *manager_get_dns_server(Manager *m);
 void manager_next_dns_server(Manager *m);
 
+bool dns_server_address_valid(int family, const union in_addr_union *sa);
+
 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsServer*, dns_server_unref);
 
 extern const struct hash_ops dns_server_hash_ops;
diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c
index a1040aeff4..dd0e0b90e3 100644
--- a/src/resolve/resolved-dns-stream.c
+++ b/src/resolve/resolved-dns-stream.c
@@ -56,8 +56,8 @@ static int dns_stream_complete(DnsStream *s, int error) {
 
         if (s->complete)
                 s->complete(s, error);
-        else
-                dns_stream_free(s);
+        else /* the default action if no completion function is set is to close the stream */
+                dns_stream_unref(s);
 
         return 0;
 }
@@ -323,10 +323,16 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
         return 0;
 }
 
-DnsStream *dns_stream_free(DnsStream *s) {
+DnsStream *dns_stream_unref(DnsStream *s) {
         if (!s)
                 return NULL;
 
+        assert(s->n_ref > 0);
+        s->n_ref--;
+
+        if (s->n_ref > 0)
+                return NULL;
+
         dns_stream_stop(s);
 
         if (s->manager) {
@@ -339,13 +345,23 @@ DnsStream *dns_stream_free(DnsStream *s) {
 
         free(s);
 
-        return 0;
+        return NULL;
 }
 
-DEFINE_TRIVIAL_CLEANUP_FUNC(DnsStream*, dns_stream_free);
+DEFINE_TRIVIAL_CLEANUP_FUNC(DnsStream*, dns_stream_unref);
+
+DnsStream *dns_stream_ref(DnsStream *s) {
+        if (!s)
+                return NULL;
+
+        assert(s->n_ref > 0);
+        s->n_ref++;
+
+        return s;
+}
 
 int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd) {
-        _cleanup_(dns_stream_freep) DnsStream *s = NULL;
+        _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
         int r;
 
         assert(m);
@@ -358,6 +374,7 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd) {
         if (!s)
                 return -ENOMEM;
 
+        s->n_ref = 1;
         s->fd = -1;
         s->protocol = protocol;
 
diff --git a/src/resolve/resolved-dns-stream.h b/src/resolve/resolved-dns-stream.h
index 5ccc842249..e6569678fa 100644
--- a/src/resolve/resolved-dns-stream.h
+++ b/src/resolve/resolved-dns-stream.h
@@ -26,8 +26,16 @@ typedef struct DnsStream DnsStream;
 #include "resolved-dns-packet.h"
 #include "resolved-dns-transaction.h"
 
+/* Streams are used by three subsystems:
+ *
+ *   1. The normal transaction logic when doing a DNS or LLMNR lookup via TCP
+ *   2. The LLMNR logic when accepting a TCP-based lookup
+ *   3. The DNS stub logic when accepting a TCP-based lookup
+ */
+
 struct DnsStream {
         Manager *manager;
+        int n_ref;
 
         DnsProtocol protocol;
 
@@ -50,12 +58,23 @@ struct DnsStream {
         int (*on_packet)(DnsStream *s);
         int (*complete)(DnsStream *s, int error);
 
-        DnsTransaction *transaction;
+        DnsTransaction *transaction; /* when used by the transaction logic */
+        DnsQuery *query;             /* when used by the DNS stub logic */
 
         LIST_FIELDS(DnsStream, streams);
 };
 
 int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd);
-DnsStream *dns_stream_free(DnsStream *s);
+DnsStream *dns_stream_unref(DnsStream *s);
+DnsStream *dns_stream_ref(DnsStream *s);
 
 int dns_stream_write_packet(DnsStream *s, DnsPacket *p);
+
+static inline bool DNS_STREAM_QUEUED(DnsStream *s) {
+        assert(s);
+
+        if (s->fd < 0) /* already stopped? */
+                return false;
+
+        return !!s->write_packet;
+}
diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
new file mode 100644
index 0000000000..d263cedcd9
--- /dev/null
+++ b/src/resolve/resolved-dns-stub.c
@@ -0,0 +1,572 @@
+/***
+  This file is part of systemd.
+
+  Copyright 2016 Lennart Poettering
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "fd-util.h"
+#include "resolved-dns-stub.h"
+#include "socket-util.h"
+
+/* The MTU of the loopback device is 64K on Linux, advertise that as maximum datagram size, but subtract the Ethernet,
+ * IP and UDP header sizes */
+#define ADVERTISE_DATAGRAM_SIZE_MAX (65536U-14U-20U-8U)
+
+static int dns_stub_make_reply_packet(
+                uint16_t id,
+                int rcode,
+                DnsQuestion *q,
+                DnsAnswer *answer,
+                bool add_opt,   /* add an OPT RR to this packet */
+                bool edns0_do,  /* set the EDNS0 DNSSEC OK bit */
+                bool ad,        /* set the DNSSEC authenticated data bit */
+                DnsPacket **ret) {
+
+        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
+        DnsResourceRecord *rr;
+        unsigned c = 0;
+        int r;
+
+        /* Note that we don't bother with any additional RRs, as this is stub is for local lookups only, and hence
+         * roundtrips aren't expensive. */
+
+        r = dns_packet_new(&p, DNS_PROTOCOL_DNS, 0);
+        if (r < 0)
+                return r;
+
+        /* If the client didn't do EDNS, clamp the rcode to 4 bit */
+        if (!add_opt && rcode > 0xF)
+                rcode = DNS_RCODE_SERVFAIL;
+
+        DNS_PACKET_HEADER(p)->id = id;
+        DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
+                                                              1 /* qr */,
+                                                              0 /* opcode */,
+                                                              0 /* aa */,
+                                                              0 /* tc */,
+                                                              1 /* rd */,
+                                                              1 /* ra */,
+                                                              ad /* ad */,
+                                                              0 /* cd */,
+                                                              rcode));
+
+        r = dns_packet_append_question(p, q);
+        if (r < 0)
+                return r;
+        DNS_PACKET_HEADER(p)->qdcount = htobe16(dns_question_size(q));
+
+        DNS_ANSWER_FOREACH(rr, answer) {
+                r = dns_question_matches_rr(q, rr, NULL);
+                if (r < 0)
+                        return r;
+                if (r > 0)
+                        goto add;
+
+                r = dns_question_matches_cname_or_dname(q, rr, NULL);
+                if (r < 0)
+                        return r;
+                if (r > 0)
+                        goto add;
+
+                continue;
+        add:
+                r = dns_packet_append_rr(p, rr, NULL, NULL);
+                if (r < 0)
+                        return r;
+
+                c++;
+        }
+        DNS_PACKET_HEADER(p)->ancount = htobe16(c);
+
+        if (add_opt) {
+                r = dns_packet_append_opt(p, ADVERTISE_DATAGRAM_SIZE_MAX, edns0_do, rcode, NULL);
+                if (r < 0)
+                        return r;
+        }
+
+        *ret = p;
+        p = NULL;
+
+        return 0;
+}
+
+static void dns_stub_detach_stream(DnsStream *s) {
+        assert(s);
+
+        s->complete = NULL;
+        s->on_packet = NULL;
+        s->query = NULL;
+}
+
+static int dns_stub_send(Manager *m, DnsStream *s, DnsPacket *p, DnsPacket *reply) {
+        int r;
+
+        assert(m);
+        assert(p);
+        assert(reply);
+
+        if (s)
+                r = dns_stream_write_packet(s, reply);
+        else {
+                int fd;
+
+                /* Truncate the message to the right size */
+                if (reply->size > DNS_PACKET_PAYLOAD_SIZE_MAX(p)) {
+                        dns_packet_truncate(reply, DNS_PACKET_UNICAST_SIZE_MAX);
+                        DNS_PACKET_HEADER(reply)->flags = htobe16(be16toh(DNS_PACKET_HEADER(reply)->flags) | DNS_PACKET_FLAG_TC);
+                }
+
+                fd = manager_dns_stub_udp_fd(m);
+                if (fd < 0)
+                        return log_debug_errno(fd, "Failed to get reply socket: %m");
+
+                /* Note that it is essential here that we explicitly choose the source IP address for this packet. This
+                 * is because otherwise the kernel will choose it automatically based on the routing table and will
+                 * thus pick 127.0.0.1 rather than 127.0.0.53. */
+
+                r = manager_send(m, fd, LOOPBACK_IFINDEX, p->family, &p->sender, p->sender_port, &p->destination, reply);
+        }
+        if (r < 0)
+                return log_debug_errno(r, "Failed to send reply packet: %m");
+
+        return 0;
+}
+
+static int dns_stub_send_failure(Manager *m, DnsStream *s, DnsPacket *p, int rcode) {
+        _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
+        int r;
+
+        assert(m);
+        assert(p);
+
+        r = dns_stub_make_reply_packet(DNS_PACKET_ID(p), rcode, p->question, NULL, !!p->opt, DNS_PACKET_DO(p), false, &reply);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to build failure packet: %m");
+
+        return dns_stub_send(m, s, p, reply);
+}
+
+static void dns_stub_query_complete(DnsQuery *q) {
+        int r;
+
+        assert(q);
+        assert(q->request_dns_packet);
+
+        switch (q->state) {
+
+        case DNS_TRANSACTION_SUCCESS: {
+                _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
+
+                r = dns_stub_make_reply_packet(
+                                DNS_PACKET_ID(q->request_dns_packet),
+                                q->answer_rcode,
+                                q->question_idna,
+                                q->answer,
+                                !!q->request_dns_packet->opt,
+                                DNS_PACKET_DO(q->request_dns_packet),
+                                DNS_PACKET_DO(q->request_dns_packet) && q->answer_authenticated,
+                                &reply);
+                if (r < 0) {
+                        log_debug_errno(r, "Failed to build reply packet: %m");
+                        break;
+                }
+
+                (void) dns_stub_send(q->manager, q->request_dns_stream, q->request_dns_packet, reply);
+                break;
+        }
+
+        case DNS_TRANSACTION_RCODE_FAILURE:
+                (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, q->answer_rcode);
+                break;
+
+        case DNS_TRANSACTION_NOT_FOUND:
+                (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_NXDOMAIN);
+                break;
+
+        case DNS_TRANSACTION_TIMEOUT:
+        case DNS_TRANSACTION_ATTEMPTS_MAX_REACHED:
+                /* Propagate a timeout as a no packet, i.e. that the client also gets a timeout */
+                break;
+
+        case DNS_TRANSACTION_NO_SERVERS:
+        case DNS_TRANSACTION_INVALID_REPLY:
+        case DNS_TRANSACTION_ERRNO:
+        case DNS_TRANSACTION_ABORTED:
+        case DNS_TRANSACTION_DNSSEC_FAILED:
+        case DNS_TRANSACTION_NO_TRUST_ANCHOR:
+        case DNS_TRANSACTION_RR_TYPE_UNSUPPORTED:
+        case DNS_TRANSACTION_NETWORK_DOWN:
+                (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_SERVFAIL);
+                break;
+
+        case DNS_TRANSACTION_NULL:
+        case DNS_TRANSACTION_PENDING:
+        case DNS_TRANSACTION_VALIDATING:
+        default:
+                assert_not_reached("Impossible state");
+        }
+
+        /* If there's a packet to write set, let's leave the stream around */
+        if (q->request_dns_stream && DNS_STREAM_QUEUED(q->request_dns_stream)) {
+
+                /* Detach the stream from our query (make it an orphan), but do not drop the reference to it. The
+                 * default completion action of the stream will drop the reference. */
+
+                dns_stub_detach_stream(q->request_dns_stream);
+                q->request_dns_stream = NULL;
+        }
+
+        dns_query_free(q);
+}
+
+static int dns_stub_stream_complete(DnsStream *s, int error) {
+        assert(s);
+
+        log_debug_errno(error, "DNS TCP connection terminated, destroying query: %m");
+
+        assert(s->query);
+        dns_query_free(s->query);
+
+        return 0;
+}
+
+static void dns_stub_process_query(Manager *m, DnsStream *s, DnsPacket *p) {
+        DnsQuery *q = NULL;
+        int r;
+
+        assert(m);
+        assert(p);
+        assert(p->protocol == DNS_PROTOCOL_DNS);
+
+        /* Takes ownership of the *s stream object */
+
+        if (in_addr_is_localhost(p->family, &p->sender) <= 0 ||
+            in_addr_is_localhost(p->family, &p->destination) <= 0) {
+                log_error("Got packet on unexpected IP range, refusing.");
+                dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL);
+                goto fail;
+        }
+
+        r = dns_packet_extract(p);
+        if (r < 0) {
+                log_debug_errno(r, "Failed to extract resources from incoming packet, ignoring packet: %m");
+                dns_stub_send_failure(m, s, p, DNS_RCODE_FORMERR);
+                goto fail;
+        }
+
+        if (!DNS_PACKET_VERSION_SUPPORTED(p)) {
+                log_debug("Got EDNS OPT field with unsupported version number.");
+                dns_stub_send_failure(m, s, p, DNS_RCODE_BADVERS);
+                goto fail;
+        }
+
+        if (dns_type_is_obsolete(p->question->keys[0]->type)) {
+                log_debug("Got message with obsolete key type, refusing.");
+                dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP);
+                goto fail;
+        }
+
+        if (dns_type_is_zone_transer(p->question->keys[0]->type)) {
+                log_debug("Got request for zone transfer, refusing.");
+                dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP);
+                goto fail;
+        }
+
+        if (!DNS_PACKET_RD(p))  {
+                /* If the "rd" bit is off (i.e. recursion was not requested), then refuse operation */
+                log_debug("Got request with recursion disabled, refusing.");
+                dns_stub_send_failure(m, s, p, DNS_RCODE_REFUSED);
+                goto fail;
+        }
+
+        if (DNS_PACKET_DO(p) && DNS_PACKET_CD(p)) {
+                log_debug("Got request with DNSSEC CD bit set, refusing.");
+                dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP);
+                goto fail;
+        }
+
+        r = dns_query_new(m, &q, p->question, p->question, 0, SD_RESOLVED_PROTOCOLS_ALL|SD_RESOLVED_NO_SEARCH|SD_RESOLVED_NO_CNAME);
+        if (r < 0) {
+                log_error_errno(r, "Failed to generate query object: %m");
+                dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL);
+                goto fail;
+        }
+
+        /* Request that the TTL is corrected by the cached time for this lookup, so that we return vaguely useful TTLs */
+        q->clamp_ttl = true;
+
+        q->request_dns_packet = dns_packet_ref(p);
+        q->request_dns_stream = dns_stream_ref(s); /* make sure the stream stays around until we can send a reply through it */
+        q->complete = dns_stub_query_complete;
+
+        if (s) {
+                s->on_packet = NULL;
+                s->complete = dns_stub_stream_complete;
+                s->query = q;
+        }
+
+        r = dns_query_go(q);
+        if (r < 0) {
+                log_error_errno(r, "Failed to start query: %m");
+                dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL);
+                goto fail;
+        }
+
+        log_info("Processing query...");
+        return;
+
+fail:
+        if (s && DNS_STREAM_QUEUED(s))
+                dns_stub_detach_stream(s);
+
+        dns_query_free(q);
+}
+
+static int on_dns_stub_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
+        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
+        Manager *m = userdata;
+        int r;
+
+        r = manager_recv(m, fd, DNS_PROTOCOL_DNS, &p);
+        if (r <= 0)
+                return r;
+
+        if (dns_packet_validate_query(p) > 0) {
+                log_debug("Got DNS stub UDP query packet for id %u", DNS_PACKET_ID(p));
+
+                dns_stub_process_query(m, NULL, p);
+        } else
+                log_debug("Invalid DNS stub UDP packet, ignoring.");
+
+        return 0;
+}
+
+int manager_dns_stub_udp_fd(Manager *m) {
+        static const int one = 1;
+
+        union sockaddr_union sa = {
+                .in.sin_family = AF_INET,
+                .in.sin_port = htobe16(53),
+                .in.sin_addr.s_addr = htobe32(INADDR_DNS_STUB),
+        };
+
+        int r;
+
+        if (m->dns_stub_udp_fd >= 0)
+                return m->dns_stub_udp_fd;
+
+        m->dns_stub_udp_fd = socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
+        if (m->dns_stub_udp_fd < 0)
+                return -errno;
+
+        r = setsockopt(m->dns_stub_udp_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = setsockopt(m->dns_stub_udp_fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof(one));
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = setsockopt(m->dns_stub_udp_fd, IPPROTO_IP, IP_RECVTTL, &one, sizeof(one));
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        /* Make sure no traffic from outside the local host can leak to onto this socket */
+        r = setsockopt(m->dns_stub_udp_fd, SOL_SOCKET, SO_BINDTODEVICE, "lo", 3);
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = bind(m->dns_stub_udp_fd, &sa.sa, sizeof(sa.in));
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = sd_event_add_io(m->event, &m->dns_stub_udp_event_source, m->dns_stub_udp_fd, EPOLLIN, on_dns_stub_packet, m);
+        if (r < 0)
+                goto fail;
+
+        (void) sd_event_source_set_description(m->dns_stub_udp_event_source, "dns-stub-udp");
+
+        return m->dns_stub_udp_fd;
+
+fail:
+        m->dns_stub_udp_fd = safe_close(m->dns_stub_udp_fd);
+        return r;
+}
+
+static int on_dns_stub_stream_packet(DnsStream *s) {
+        assert(s);
+        assert(s->read_packet);
+
+        if (dns_packet_validate_query(s->read_packet) > 0) {
+                log_debug("Got DNS stub TCP query packet for id %u", DNS_PACKET_ID(s->read_packet));
+
+                dns_stub_process_query(s->manager, s, s->read_packet);
+        } else
+                log_debug("Invalid DNS stub TCP packet, ignoring.");
+
+        /* Drop the reference to the stream. Either a query was created and added its own reference to the stream now,
+         * or that didn't happen in which case we want to free the stream */
+        dns_stream_unref(s);
+
+        return 0;
+}
+
+static int on_dns_stub_stream(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
+        DnsStream *stream;
+        Manager *m = userdata;
+        int cfd, r;
+
+        cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK|SOCK_CLOEXEC);
+        if (cfd < 0) {
+                if (errno == EAGAIN || errno == EINTR)
+                        return 0;
+
+                return -errno;
+        }
+
+        r = dns_stream_new(m, &stream, DNS_PROTOCOL_DNS, cfd);
+        if (r < 0) {
+                safe_close(cfd);
+                return r;
+        }
+
+        stream->on_packet = on_dns_stub_stream_packet;
+
+        /* We let the reference to the stream dangling here, it will either be dropped by the default "complete" action
+         * of the stream, or by our packet callback, or when the manager is shut down. */
+
+        return 0;
+}
+
+int manager_dns_stub_tcp_fd(Manager *m) {
+        static const int one = 1;
+
+        union sockaddr_union sa = {
+                .in.sin_family = AF_INET,
+                .in.sin_addr.s_addr = htobe32(INADDR_DNS_STUB),
+                .in.sin_port = htobe16(53),
+        };
+
+        int r;
+
+        if (m->dns_stub_tcp_fd >= 0)
+                return m->dns_stub_tcp_fd;
+
+        m->dns_stub_tcp_fd = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
+        if (m->dns_stub_tcp_fd < 0)
+                return -errno;
+
+        r = setsockopt(m->dns_stub_tcp_fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = setsockopt(m->dns_stub_tcp_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = setsockopt(m->dns_stub_tcp_fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof(one));
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = setsockopt(m->dns_stub_tcp_fd, IPPROTO_IP, IP_RECVTTL, &one, sizeof(one));
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        /* Make sure no traffic from outside the local host can leak to onto this socket */
+        r = setsockopt(m->dns_stub_tcp_fd, SOL_SOCKET, SO_BINDTODEVICE, "lo", 3);
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = bind(m->dns_stub_tcp_fd, &sa.sa, sizeof(sa.in));
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = listen(m->dns_stub_tcp_fd, SOMAXCONN);
+        if (r < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        r = sd_event_add_io(m->event, &m->dns_stub_tcp_event_source, m->dns_stub_tcp_fd, EPOLLIN, on_dns_stub_stream, m);
+        if (r < 0)
+                goto fail;
+
+        (void) sd_event_source_set_description(m->dns_stub_tcp_event_source, "dns-stub-tcp");
+
+        return m->dns_stub_tcp_fd;
+
+fail:
+        m->dns_stub_tcp_fd = safe_close(m->dns_stub_tcp_fd);
+        return r;
+}
+
+int manager_dns_stub_start(Manager *m) {
+        int r;
+
+        assert(m);
+
+        r = manager_dns_stub_udp_fd(m);
+        if (r == -EADDRINUSE)
+                goto eaddrinuse;
+        if (r < 0)
+                return r;
+
+        r = manager_dns_stub_tcp_fd(m);
+        if (r == -EADDRINUSE)
+                goto eaddrinuse;
+        if (r < 0)
+                return r;
+
+        return 0;
+
+eaddrinuse:
+        log_warning("Another process is already listening on 127.0.0.53:53. Turning off local DNS stub support.");
+        manager_dns_stub_stop(m);
+
+        return 0;
+}
+
+void manager_dns_stub_stop(Manager *m) {
+        assert(m);
+
+        m->dns_stub_udp_event_source = sd_event_source_unref(m->dns_stub_udp_event_source);
+        m->dns_stub_tcp_event_source = sd_event_source_unref(m->dns_stub_tcp_event_source);
+
+        m->dns_stub_udp_fd = safe_close(m->dns_stub_udp_fd);
+        m->dns_stub_tcp_fd = safe_close(m->dns_stub_tcp_fd);
+}
diff --git a/src/resolve/resolved-dns-stub.h b/src/resolve/resolved-dns-stub.h
new file mode 100644
index 0000000000..fce4d25ede
--- /dev/null
+++ b/src/resolve/resolved-dns-stub.h
@@ -0,0 +1,31 @@
+#pragma once
+
+/***
+  This file is part of systemd.
+
+  Copyright 2016 Lennart Poettering
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "resolved-manager.h"
+
+/* 127.0.0.53 in native endian */
+#define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U)
+
+int manager_dns_stub_udp_fd(Manager *m);
+int manager_dns_stub_tcp_fd(Manager *m);
+
+void manager_dns_stub_stop(Manager *m);
+int manager_dns_stub_start(Manager *m);
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index bcb1b6d8a7..d455b6b1fa 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -60,7 +60,14 @@ static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
 static void dns_transaction_close_connection(DnsTransaction *t) {
         assert(t);
 
-        t->stream = dns_stream_free(t->stream);
+        if (t->stream) {
+                /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
+                t->stream->complete = NULL;
+                t->stream->on_packet = NULL;
+                t->stream->transaction = NULL;
+                t->stream = dns_stream_unref(t->stream);
+        }
+
         t->dns_udp_event_source = sd_event_source_unref(t->dns_udp_event_source);
         t->dns_udp_fd = safe_close(t->dns_udp_fd);
 }
@@ -207,6 +214,7 @@ int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key)
         t->answer_nsec_ttl = (uint32_t) -1;
         t->key = dns_resource_key_ref(key);
         t->current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
+        t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
 
         t->id = pick_new_id(s->manager);
 
@@ -371,22 +379,38 @@ static int dns_transaction_pick_server(DnsTransaction *t) {
         assert(t);
         assert(t->scope->protocol == DNS_PROTOCOL_DNS);
 
+        /* Pick a DNS server and a feature level for it. */
+
         server = dns_scope_get_dns_server(t->scope);
         if (!server)
                 return -ESRCH;
 
+        /* If we changed the server invalidate the feature level clamping, as the new server might have completely
+         * different properties. */
+        if (server != t->server)
+                t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
+
         t->current_feature_level = dns_server_possible_feature_level(server);
 
+        /* Clamp the feature level if that is requested. */
+        if (t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
+            t->current_feature_level > t->clamp_feature_level)
+                t->current_feature_level = t->clamp_feature_level;
+
+        log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
+
         if (server == t->server)
                 return 0;
 
         dns_server_unref(t->server);
         t->server = dns_server_ref(server);
 
+        log_debug("Using DNS server %s for transaction %u.", dns_server_string(t->server), t->id);
+
         return 1;
 }
 
-static void dns_transaction_retry(DnsTransaction *t) {
+static void dns_transaction_retry(DnsTransaction *t, bool next_server) {
         int r;
 
         assert(t);
@@ -394,7 +418,8 @@ static void dns_transaction_retry(DnsTransaction *t) {
         log_debug("Retrying transaction %" PRIu16 ".", t->id);
 
         /* Before we try again, switch to a new server. */
-        dns_scope_next_dns_server(t->scope);
+        if (next_server)
+                dns_scope_next_dns_server(t->scope);
 
         r = dns_transaction_go(t);
         if (r < 0) {
@@ -444,7 +469,7 @@ static int on_stream_complete(DnsStream *s, int error) {
         t = s->transaction;
         p = dns_packet_ref(s->read_packet);
 
-        t->stream = dns_stream_free(t->stream);
+        dns_transaction_close_connection(t);
 
         if (ERRNO_IS_DISCONNECT(error)) {
                 usec_t usec;
@@ -460,7 +485,7 @@ static int on_stream_complete(DnsStream *s, int error) {
                 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
                 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level, usec - t->start_usec);
 
-                dns_transaction_retry(t);
+                dns_transaction_retry(t, true);
                 return 0;
         }
         if (error != 0) {
@@ -556,7 +581,7 @@ static int dns_transaction_open_tcp(DnsTransaction *t) {
 
         r = dns_stream_write_packet(t->stream, t->sent);
         if (r < 0) {
-                t->stream = dns_stream_free(t->stream);
+                t->stream = dns_stream_unref(t->stream);
                 return r;
         }
 
@@ -583,6 +608,10 @@ static void dns_transaction_cache_answer(DnsTransaction *t) {
         if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
                 return;
 
+        /* Caching disabled? */
+        if (!t->scope->manager->enable_cache)
+                return;
+
         /* We never cache if this packet is from the local host, under
          * the assumption that a locally running DNS server would
          * cache this anyway, and probably knows better when to flush
@@ -634,14 +663,15 @@ static int dns_transaction_dnssec_ready(DnsTransaction *t) {
                         return 0;
 
                 case DNS_TRANSACTION_RCODE_FAILURE:
-                        if (dt->answer_rcode != DNS_RCODE_NXDOMAIN) {
+                        if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
                                 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", dns_rcode_to_string(dt->answer_rcode));
                                 goto fail;
                         }
 
-                        /* Fall-through: NXDOMAIN is good enough for us. This is because some DNS servers erronously
-                         * return NXDOMAIN for empty non-terminals (Akamai...), and we need to handle that nicely, when
-                         * asking for parent SOA or similar RRs to make unsigned proofs. */
+                        /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
+                         * erronously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
+                         * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
+                         * RRs to make unsigned proofs. */
 
                 case DNS_TRANSACTION_SUCCESS:
                         /* All good. */
@@ -878,10 +908,22 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
                 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
 
                         /* Request failed, immediately try again with reduced features */
-                        log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p)));
 
-                        dns_server_packet_failed(t->server, t->current_feature_level);
-                        dns_transaction_retry(t);
+                        if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_WORST) {
+                                /* This was already at the lowest possible feature level? If so, we can't downgrade
+                                 * this transaction anymore, hence let's process the response, and accept the rcode. */
+                                log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p)));
+                                break;
+                        }
+
+                        /* Reduce this feature level by one and try again. */
+                        t->clamp_feature_level = t->current_feature_level - 1;
+
+                        log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
+                                  dns_rcode_to_string(DNS_PACKET_RCODE(p)),
+                                  dns_server_feature_level_to_string(t->clamp_feature_level));
+
+                        dns_transaction_retry(t, false /* use the same server */);
                         return;
                 } else if (DNS_PACKET_TC(p))
                         dns_server_packet_truncated(t->server, t->current_feature_level);
@@ -926,7 +968,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
                                 goto fail;
 
                         /* On DNS, couldn't send? Try immediately again, with a new server */
-                        dns_transaction_retry(t);
+                        dns_transaction_retry(t, true);
                 }
 
                 return;
@@ -939,11 +981,19 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
                 return;
         }
 
-        /* Report that the OPT RR was missing */
         if (t->server) {
+                /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
+                 * rcode and subsequently downgraded the protocol */
+
+                if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
+                    t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID)
+                        dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level);
+
+                /* Report that the OPT RR was missing */
                 if (!p->opt)
                         dns_server_packet_bad_opt(t->server, t->current_feature_level);
 
+                /* Report that we successfully received a packet */
                 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, ts - t->start_usec, p->size);
         }
 
@@ -1030,7 +1080,7 @@ static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *use
                 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
                 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level, usec - t->start_usec);
 
-                dns_transaction_retry(t);
+                dns_transaction_retry(t, true);
                 return 0;
         }
         if (r < 0) {
@@ -1139,7 +1189,7 @@ static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdat
 
         log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
 
-        dns_transaction_retry(t);
+        dns_transaction_retry(t, true);
         return 0;
 }
 
@@ -1274,7 +1324,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
                 /* Let's then prune all outdated entries */
                 dns_cache_prune(&t->scope->cache);
 
-                r = dns_cache_lookup(&t->scope->cache, t->key, &t->answer_rcode, &t->answer, &t->answer_authenticated);
+                r = dns_cache_lookup(&t->scope->cache, t->key, t->clamp_ttl, &t->answer_rcode, &t->answer, &t->answer_authenticated);
                 if (r < 0)
                         return r;
                 if (r > 0) {
@@ -1770,8 +1820,10 @@ static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
         if (!t->server)
                 return true;
 
-        if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_DO)
-                return false;
+        /* Note that we do not check the feature level actually used for the transaction but instead the feature level
+         * the server is known to support currently, as the transaction feature level might be lower than what the
+         * server actually supports, since we might have downgraded this transaction's feature level because we got a
+         * SERVFAIL earlier and wanted to check whether downgrading fixes it. */
 
         return dns_server_dnssec_supported(t->server);
 }
@@ -2863,7 +2915,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
         if (!dns_transaction_dnssec_supported_full(t)) {
                 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
                 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
-                log_debug("Not validating response for %" PRIu16 ", server lacks DNSSEC support.", t->id);
+                log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id);
                 return 0;
         }
 
diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h
index eaece91533..96b066845d 100644
--- a/src/resolve/resolved-dns-transaction.h
+++ b/src/resolve/resolved-dns-transaction.h
@@ -74,6 +74,8 @@ struct DnsTransaction {
         bool initial_jitter_scheduled:1;
         bool initial_jitter_elapsed:1;
 
+        bool clamp_ttl:1;
+
         DnsPacket *sent, *received;
 
         DnsAnswer *answer;
@@ -115,6 +117,9 @@ struct DnsTransaction {
         /* The features of the DNS server at time of transaction start */
         DnsServerFeatureLevel current_feature_level;
 
+        /* If we got SERVFAIL back, we retry the lookup, using a lower feature level than we used before. */
+        DnsServerFeatureLevel clamp_feature_level;
+
         /* Query candidates this transaction is referenced by and that
          * shall be notified about this specific transaction
          * completing. */
diff --git a/src/resolve/resolved-gperf.gperf b/src/resolve/resolved-gperf.gperf
index 82f26215df..2fd56bce26 100644
--- a/src/resolve/resolved-gperf.gperf
+++ b/src/resolve/resolved-gperf.gperf
@@ -19,3 +19,4 @@ Resolve.FallbackDNS,  config_parse_dns_servers,     DNS_SERVER_FALLBACK, 0
 Resolve.Domains,      config_parse_search_domains,  0,                   0
 Resolve.LLMNR,        config_parse_resolve_support, 0,                   offsetof(Manager, llmnr_support)
 Resolve.DNSSEC,       config_parse_dnssec_mode,     0,                   offsetof(Manager, dnssec_mode)
+Resolve.Cache,        config_parse_bool,            0,                   offsetof(Manager, enable_cache)
diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c
index bfb87d78e7..364812250f 100644
--- a/src/resolve/resolved-link-bus.c
+++ b/src/resolve/resolved-link-bus.c
@@ -28,7 +28,23 @@
 #include "strv.h"
 
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_resolve_support, resolve_support, ResolveSupport);
-static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_dnssec_mode, dnssec_mode, DnssecMode);
+
+static int property_get_dnssec_mode(
+                sd_bus *bus,
+                const char *path,
+                const char *interface,
+                const char *property,
+                sd_bus_message *reply,
+                void *userdata,
+                sd_bus_error *error) {
+
+        Link *l = userdata;
+
+        assert(reply);
+        assert(l);
+
+        return sd_bus_message_append(reply, "s", dnssec_mode_to_string(link_get_dnssec_mode(l)));
+}
 
 static int property_get_dns(
                 sd_bus *bus,
@@ -214,6 +230,9 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_
                 if (sz != FAMILY_ADDRESS_SIZE(family))
                         return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid address size");
 
+                if (!dns_server_address_valid(family, d))
+                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNS server address");
+
                 r = sd_bus_message_exit_container(message);
                 if (r < 0)
                         return r;
@@ -249,6 +268,7 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_
         dns_server_unlink_marked(l->dns_servers);
         link_allocate_scopes(l);
 
+        (void) link_save_user(l);
         (void) manager_write_resolv_conf(l->manager);
 
         return sd_bus_reply_method_return(message, NULL);
@@ -330,6 +350,7 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_
 
         dns_search_domain_unlink_marked(l->search_domains);
 
+        (void) link_save_user(l);
         (void) manager_write_resolv_conf(l->manager);
 
         return sd_bus_reply_method_return(message, NULL);
@@ -368,6 +389,8 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er
         link_allocate_scopes(l);
         link_add_rrs(l, false);
 
+        (void) link_save_user(l);
+
         return sd_bus_reply_method_return(message, NULL);
 }
 
@@ -400,6 +423,8 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err
         link_allocate_scopes(l);
         link_add_rrs(l, false);
 
+        (void) link_save_user(l);
+
         return sd_bus_reply_method_return(message, NULL);
 }
 
@@ -430,6 +455,8 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e
 
         link_set_dnssec_mode(l, mode);
 
+        (void) link_save_user(l);
+
         return sd_bus_reply_method_return(message, NULL);
 }
 
@@ -473,6 +500,8 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v
         l->dnssec_negative_trust_anchors = ns;
         ns = NULL;
 
+        (void) link_save_user(l);
+
         return sd_bus_reply_method_return(message, NULL);
 }
 
@@ -491,6 +520,7 @@ int bus_link_method_revert(sd_bus_message *message, void *userdata, sd_bus_error
         link_allocate_scopes(l);
         link_add_rrs(l, false);
 
+        (void) link_save_user(l);
         (void) manager_write_resolv_conf(l->manager);
 
         return sd_bus_reply_method_return(message, NULL);
@@ -504,7 +534,7 @@ const sd_bus_vtable link_vtable[] = {
         SD_BUS_PROPERTY("Domains", "a(sb)", property_get_domains, 0, 0),
         SD_BUS_PROPERTY("LLMNR", "s", property_get_resolve_support, offsetof(Link, llmnr_support), 0),
         SD_BUS_PROPERTY("MulticastDNS", "s", property_get_resolve_support, offsetof(Link, mdns_support), 0),
-        SD_BUS_PROPERTY("DNSSEC", "s", property_get_dnssec_mode, offsetof(Link, dnssec_mode), 0),
+        SD_BUS_PROPERTY("DNSSEC", "s", property_get_dnssec_mode, 0, 0),
         SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", property_get_ntas, 0, 0),
         SD_BUS_PROPERTY("DNSSECSupported", "b", property_get_dnssec_supported, 0, 0),
 
diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c
index b189c21920..ea4a007139 100644
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -22,7 +22,10 @@
 #include "sd-network.h"
 
 #include "alloc-util.h"
+#include "fd-util.h"
+#include "fileio.h"
 #include "missing.h"
+#include "mkdir.h"
 #include "parse-util.h"
 #include "resolved-link.h"
 #include "string-util.h"
@@ -49,6 +52,9 @@ int link_new(Manager *m, Link **ret, int ifindex) {
         l->dnssec_mode = _DNSSEC_MODE_INVALID;
         l->operstate = IF_OPER_UNKNOWN;
 
+        if (asprintf(&l->state_file, "/run/systemd/resolve/netif/%i", ifindex) < 0)
+                return -ENOMEM;
+
         r = hashmap_put(m->links, INT_TO_PTR(ifindex), l);
         if (r < 0)
                 return r;
@@ -93,6 +99,8 @@ Link *link_free(Link *l) {
         dns_scope_free(l->mdns_ipv4_scope);
         dns_scope_free(l->mdns_ipv6_scope);
 
+        free(l->state_file);
+
         free(l);
         return NULL;
 }
@@ -165,7 +173,7 @@ void link_add_rrs(Link *l, bool force_remove) {
                 link_address_add_rrs(a, force_remove);
 }
 
-int link_update_rtnl(Link *l, sd_netlink_message *m) {
+int link_process_rtnl(Link *l, sd_netlink_message *m) {
         const char *n = NULL;
         int r;
 
@@ -190,6 +198,27 @@ int link_update_rtnl(Link *l, sd_netlink_message *m) {
         return 0;
 }
 
+static int link_update_dns_server_one(Link *l, const char *name) {
+        union in_addr_union a;
+        DnsServer *s;
+        int family, r;
+
+        assert(l);
+        assert(name);
+
+        r = in_addr_from_string_auto(name, &family, &a);
+        if (r < 0)
+                return r;
+
+        s = dns_server_find(l->dns_servers, family, &a, 0);
+        if (s) {
+                dns_server_move_back_and_unmark(s);
+                return 0;
+        }
+
+        return dns_server_new(l->manager, NULL, DNS_SERVER_LINK, l, family, &a, 0);
+}
+
 static int link_update_dns_servers(Link *l) {
         _cleanup_strv_free_ char **nameservers = NULL;
         char **nameserver;
@@ -208,22 +237,9 @@ static int link_update_dns_servers(Link *l) {
         dns_server_mark_all(l->dns_servers);
 
         STRV_FOREACH(nameserver, nameservers) {
-                union in_addr_union a;
-                DnsServer *s;
-                int family;
-
-                r = in_addr_from_string_auto(*nameserver, &family, &a);
+                r = link_update_dns_server_one(l, *nameserver);
                 if (r < 0)
                         goto clear;
-
-                s = dns_server_find(l->dns_servers, family, &a, 0);
-                if (s)
-                        dns_server_move_back_and_unmark(s);
-                else {
-                        r = dns_server_new(l->manager, NULL, DNS_SERVER_LINK, l, family, &a, 0);
-                        if (r < 0)
-                                goto clear;
-                }
         }
 
         dns_server_unlink_marked(l->dns_servers);
@@ -341,7 +357,6 @@ clear:
 static int link_update_dnssec_negative_trust_anchors(Link *l) {
         _cleanup_strv_free_ char **ntas = NULL;
         _cleanup_set_free_free_ Set *ns = NULL;
-        char **i;
         int r;
 
         assert(l);
@@ -358,11 +373,9 @@ static int link_update_dnssec_negative_trust_anchors(Link *l) {
         if (!ns)
                 return -ENOMEM;
 
-        STRV_FOREACH(i, ntas) {
-                r = set_put_strdup(ns, *i);
-                if (r < 0)
-                        return r;
-        }
+        r = set_put_strdupv(ns, ntas);
+        if (r < 0)
+                return r;
 
         set_free_free(l->dnssec_negative_trust_anchors);
         l->dnssec_negative_trust_anchors = ns;
@@ -379,6 +392,9 @@ static int link_update_search_domain_one(Link *l, const char *name, bool route_o
         DnsSearchDomain *d;
         int r;
 
+        assert(l);
+        assert(name);
+
         r = dns_search_domain_find(l->search_domains, name, &d);
         if (r < 0)
                 return r;
@@ -439,7 +455,7 @@ clear:
         return r;
 }
 
-static int link_is_unmanaged(Link *l) {
+static int link_is_managed(Link *l) {
         _cleanup_free_ char *state = NULL;
         int r;
 
@@ -447,11 +463,11 @@ static int link_is_unmanaged(Link *l) {
 
         r = sd_network_link_get_setup_state(l->ifindex, &state);
         if (r == -ENODATA)
-                return 1;
+                return 0;
         if (r < 0)
                 return r;
 
-        return STR_IN_SET(state, "pending", "unmanaged");
+        return !STR_IN_SET(state, "pending", "unmanaged");
 }
 
 static void link_read_settings(Link *l) {
@@ -461,12 +477,12 @@ static void link_read_settings(Link *l) {
 
         /* Read settings from networkd, except when networkd is not managing this interface. */
 
-        r = link_is_unmanaged(l);
+        r = link_is_managed(l);
         if (r < 0) {
                 log_warning_errno(r, "Failed to determine whether interface %s is managed: %m", l->name);
                 return;
         }
-        if (r > 0) {
+        if (r == 0) {
 
                 /* If this link used to be managed, but is now unmanaged, flush all our settings — but only once. */
                 if (l->is_managed)
@@ -503,10 +519,11 @@ static void link_read_settings(Link *l) {
                 log_warning_errno(r, "Failed to read search domains for interface %s, ignoring: %m", l->name);
 }
 
-int link_update_monitor(Link *l) {
+int link_update(Link *l) {
         assert(l);
 
         link_read_settings(l);
+        link_load_user(l);
         link_allocate_scopes(l);
         link_add_rrs(l, false);
 
@@ -838,3 +855,261 @@ bool link_address_relevant(LinkAddress *a, bool local_multicast) {
 
         return true;
 }
+
+static bool link_needs_save(Link *l) {
+        assert(l);
+
+        /* Returns true if any of the settings where set different from the default */
+
+        if (l->is_managed)
+                return false;
+
+        if (l->llmnr_support != RESOLVE_SUPPORT_YES ||
+            l->mdns_support != RESOLVE_SUPPORT_NO ||
+            l->dnssec_mode != _DNSSEC_MODE_INVALID)
+                return true;
+
+        if (l->dns_servers ||
+            l->search_domains)
+                return true;
+
+        if (!set_isempty(l->dnssec_negative_trust_anchors))
+                return true;
+
+        return false;
+}
+
+int link_save_user(Link *l) {
+        _cleanup_free_ char *temp_path = NULL;
+        _cleanup_fclose_ FILE *f = NULL;
+        const char *v;
+        int r;
+
+        assert(l);
+        assert(l->state_file);
+
+        if (!link_needs_save(l)) {
+                (void) unlink(l->state_file);
+                return 0;
+        }
+
+        r = mkdir_parents(l->state_file, 0700);
+        if (r < 0)
+                goto fail;
+
+        r = fopen_temporary(l->state_file, &f, &temp_path);
+        if (r < 0)
+                goto fail;
+
+        fputs("# This is private data. Do not parse.\n", f);
+
+        v = resolve_support_to_string(l->llmnr_support);
+        if (v)
+                fprintf(f, "LLMNR=%s\n", v);
+
+        v = resolve_support_to_string(l->mdns_support);
+        if (v)
+                fprintf(f, "MDNS=%s\n", v);
+
+        v = dnssec_mode_to_string(l->dnssec_mode);
+        if (v)
+                fprintf(f, "DNSSEC=%s\n", v);
+
+        if (l->dns_servers) {
+                DnsServer *server;
+
+                fputs("SERVERS=", f);
+                LIST_FOREACH(servers, server, l->dns_servers) {
+
+                        if (server != l->dns_servers)
+                                fputc(' ', f);
+
+                        v = dns_server_string(server);
+                        if (!v) {
+                                r = -ENOMEM;
+                                goto fail;
+                        }
+
+                        fputs(v, f);
+                }
+                fputc('\n', f);
+        }
+
+        if (l->search_domains) {
+                DnsSearchDomain *domain;
+
+                fputs("DOMAINS=", f);
+                LIST_FOREACH(domains, domain, l->search_domains) {
+
+                        if (domain != l->search_domains)
+                                fputc(' ', f);
+
+                        if (domain->route_only)
+                                fputc('~', f);
+
+                        fputs(DNS_SEARCH_DOMAIN_NAME(domain), f);
+                }
+                fputc('\n', f);
+        }
+
+        if (!set_isempty(l->dnssec_negative_trust_anchors)) {
+                bool space = false;
+                Iterator i;
+                char *nta;
+
+                fputs("NTAS=", f);
+                SET_FOREACH(nta, l->dnssec_negative_trust_anchors, i) {
+
+                        if (space)
+                                fputc(' ', f);
+
+                        fputs(nta, f);
+                        space = true;
+                }
+                fputc('\n', f);
+        }
+
+        r = fflush_and_check(f);
+        if (r < 0)
+                goto fail;
+
+        if (rename(temp_path, l->state_file) < 0) {
+                r = -errno;
+                goto fail;
+        }
+
+        return 0;
+
+fail:
+        (void) unlink(l->state_file);
+
+        if (temp_path)
+                (void) unlink(temp_path);
+
+        return log_error_errno(r, "Failed to save link data %s: %m", l->state_file);
+}
+
+int link_load_user(Link *l) {
+        _cleanup_free_ char
+                *llmnr = NULL,
+                *mdns = NULL,
+                *dnssec = NULL,
+                *servers = NULL,
+                *domains = NULL,
+                *ntas = NULL;
+
+        ResolveSupport s;
+        int r;
+
+        assert(l);
+        assert(l->state_file);
+
+        /* Try to load only a single time */
+        if (l->loaded)
+                return 0;
+        l->loaded = true;
+
+        if (l->is_managed)
+                return 0; /* if the device is managed, then networkd is our configuration source, not the bus API */
+
+        r = parse_env_file(l->state_file, NEWLINE,
+                           "LLMNR", &llmnr,
+                           "MDNS", &mdns,
+                           "DNSSEC", &dnssec,
+                           "SERVERS", &servers,
+                           "DOMAINS", &domains,
+                           "NTAS", &ntas,
+                           NULL);
+        if (r == -ENOENT)
+                return 0;
+        if (r < 0)
+                goto fail;
+
+        link_flush_settings(l);
+
+        /* If we can't recognize the LLMNR or MDNS setting we don't override the default */
+        s = resolve_support_from_string(llmnr);
+        if (s >= 0)
+                l->llmnr_support = s;
+
+        s = resolve_support_from_string(mdns);
+        if (s >= 0)
+                l->mdns_support = s;
+
+        /* If we can't recognize the DNSSEC setting, then set it to invalid, so that the daemon default is used. */
+        l->dnssec_mode = dnssec_mode_from_string(dnssec);
+
+        if (servers) {
+                const char *p = servers;
+
+                for (;;) {
+                        _cleanup_free_ char *word = NULL;
+
+                        r = extract_first_word(&p, &word, NULL, 0);
+                        if (r < 0)
+                                goto fail;
+                        if (r == 0)
+                                break;
+
+                        r = link_update_dns_server_one(l, word);
+                        if (r < 0) {
+                                log_debug_errno(r, "Failed to load DNS server '%s', ignoring: %m", word);
+                                continue;
+                        }
+                }
+        }
+
+        if (domains) {
+                const char *p = domains;
+
+                for (;;) {
+                        _cleanup_free_ char *word = NULL;
+                        const char *n;
+                        bool is_route;
+
+                        r = extract_first_word(&p, &word, NULL, 0);
+                        if (r < 0)
+                                goto fail;
+                        if (r == 0)
+                                break;
+
+                        is_route = word[0] == '~';
+                        n = is_route ? word + 1 : word;
+
+                        r = link_update_search_domain_one(l, n, is_route);
+                        if (r < 0) {
+                                log_debug_errno(r, "Failed to load search domain '%s', ignoring: %m", word);
+                                continue;
+                        }
+                }
+        }
+
+        if (ntas) {
+                _cleanup_set_free_free_ Set *ns = NULL;
+
+                ns = set_new(&dns_name_hash_ops);
+                if (!ns) {
+                        r = -ENOMEM;
+                        goto fail;
+                }
+
+                r = set_put_strsplit(ns, ntas, NULL, 0);
+                if (r < 0)
+                        goto fail;
+
+                l->dnssec_negative_trust_anchors = ns;
+                ns = NULL;
+        }
+
+        return 0;
+
+fail:
+        return log_error_errno(r, "Failed to load link data %s: %m", l->state_file);
+}
+
+void link_remove_user(Link *l) {
+        assert(l);
+        assert(l->state_file);
+
+        (void) unlink(l->state_file);
+}
diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h
index f534c12824..6a2343f9f7 100644
--- a/src/resolve/resolved-link.h
+++ b/src/resolve/resolved-link.h
@@ -81,12 +81,15 @@ struct Link {
         char name[IF_NAMESIZE];
         uint32_t mtu;
         uint8_t operstate;
+
+        bool loaded;
+        char *state_file;
 };
 
 int link_new(Manager *m, Link **ret, int ifindex);
 Link *link_free(Link *l);
-int link_update_rtnl(Link *l, sd_netlink_message *m);
-int link_update_monitor(Link *l);
+int link_process_rtnl(Link *l, sd_netlink_message *m);
+int link_update(Link *l);
 bool link_relevant(Link *l, int family, bool local_multicast);
 LinkAddress* link_find_address(Link *l, int family, const union in_addr_union *in_addr);
 void link_add_rrs(Link *l, bool force_remove);
@@ -102,6 +105,10 @@ void link_next_dns_server(Link *l);
 DnssecMode link_get_dnssec_mode(Link *l);
 bool link_dnssec_supported(Link *l);
 
+int link_save_user(Link *l);
+int link_load_user(Link *l);
+void link_remove_user(Link *l);
+
 int link_address_new(Link *l, LinkAddress **ret, int family, const union in_addr_union *in_addr);
 LinkAddress *link_address_free(LinkAddress *a);
 int link_address_update_rtnl(LinkAddress *a, sd_netlink_message *m);
diff --git a/src/resolve/resolved-llmnr.c b/src/resolve/resolved-llmnr.c
index 8b1d71a3eb..3516af58ee 100644
--- a/src/resolve/resolved-llmnr.c
+++ b/src/resolve/resolved-llmnr.c
@@ -91,18 +91,19 @@ static int on_llmnr_packet(sd_event_source *s, int fd, uint32_t revents, void *u
         DnsScope *scope;
         int r;
 
+        assert(s);
+        assert(fd >= 0);
+        assert(m);
+
         r = manager_recv(m, fd, DNS_PROTOCOL_LLMNR, &p);
         if (r <= 0)
                 return r;
 
         scope = manager_find_scope(m, p);
-        if (!scope) {
+        if (!scope)
                 log_warning("Got LLMNR UDP packet on unknown scope. Ignoring.");
-                return 0;
-        }
-
-        if (dns_packet_validate_reply(p) > 0) {
-                log_debug("Got LLMNR reply packet for id %u", DNS_PACKET_ID(p));
+        else if (dns_packet_validate_reply(p) > 0) {
+                log_debug("Got LLMNR UDP reply packet for id %u", DNS_PACKET_ID(p));
 
                 dns_scope_check_conflicts(scope, p);
 
@@ -111,7 +112,7 @@ static int on_llmnr_packet(sd_event_source *s, int fd, uint32_t revents, void *u
                         dns_transaction_process_reply(t, p);
 
         } else if (dns_packet_validate_query(p) > 0)  {
-                log_debug("Got LLMNR query packet for id %u", DNS_PACKET_ID(p));
+                log_debug("Got LLMNR UDP query packet for id %u", DNS_PACKET_ID(p));
 
                 dns_scope_process_query(scope, NULL, p);
         } else
@@ -283,25 +284,19 @@ static int on_llmnr_stream_packet(DnsStream *s) {
         DnsScope *scope;
 
         assert(s);
+        assert(s->read_packet);
 
         scope = manager_find_scope(s->manager, s->read_packet);
-        if (!scope) {
+        if (!scope)
                 log_warning("Got LLMNR TCP packet on unknown scope. Ignoring.");
-                return 0;
-        }
-
-        if (dns_packet_validate_query(s->read_packet) > 0) {
-                log_debug("Got query packet for id %u", DNS_PACKET_ID(s->read_packet));
+        else if (dns_packet_validate_query(s->read_packet) > 0) {
+                log_debug("Got LLMNR TCP query packet for id %u", DNS_PACKET_ID(s->read_packet));
 
                 dns_scope_process_query(scope, s, s->read_packet);
-
-                /* If no reply packet was set, we free the stream */
-                if (s->write_packet)
-                        return 0;
         } else
-                log_debug("Invalid LLMNR TCP packet.");
+                log_debug("Invalid LLMNR TCP packet, ignoring.");
 
-        dns_stream_free(s);
+        dns_stream_unref(s);
         return 0;
 }
 
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index 23101cb760..add463b6a9 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -23,6 +23,7 @@
 
 #include "af-list.h"
 #include "alloc-util.h"
+#include "dirent-util.h"
 #include "dns-domain.h"
 #include "fd-util.h"
 #include "fileio-label.h"
@@ -35,6 +36,7 @@
 #include "random-util.h"
 #include "resolved-bus.h"
 #include "resolved-conf.h"
+#include "resolved-dns-stub.h"
 #include "resolved-etc-hosts.h"
 #include "resolved-llmnr.h"
 #include "resolved-manager.h"
@@ -78,11 +80,11 @@ static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void *
                                 goto fail;
                 }
 
-                r = link_update_rtnl(l, mm);
+                r = link_process_rtnl(l, mm);
                 if (r < 0)
                         goto fail;
 
-                r = link_update_monitor(l);
+                r = link_update(l);
                 if (r < 0)
                         goto fail;
 
@@ -95,6 +97,7 @@ static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void *
         case RTM_DELLINK:
                 if (l) {
                         log_debug("Removing link %i/%s", l->ifindex, l->name);
+                        link_remove_user(l);
                         link_free(l);
                 }
 
@@ -279,7 +282,7 @@ static int on_network_event(sd_event_source *s, int fd, uint32_t revents, void *
         sd_network_monitor_flush(m->network_monitor);
 
         HASHMAP_FOREACH(l, m->links, i) {
-                r = link_update_monitor(l);
+                r = link_update(l);
                 if (r < 0)
                         log_warning_errno(r, "Failed to update monitor information for %i: %m", l->ifindex);
         }
@@ -491,11 +494,13 @@ int manager_new(Manager **ret) {
         m->llmnr_ipv4_udp_fd = m->llmnr_ipv6_udp_fd = -1;
         m->llmnr_ipv4_tcp_fd = m->llmnr_ipv6_tcp_fd = -1;
         m->mdns_ipv4_fd = m->mdns_ipv6_fd = -1;
+        m->dns_stub_udp_fd = m->dns_stub_tcp_fd = -1;
         m->hostname_fd = -1;
 
         m->llmnr_support = RESOLVE_SUPPORT_YES;
         m->mdns_support = RESOLVE_SUPPORT_NO;
         m->dnssec_mode = DEFAULT_DNSSEC_MODE;
+        m->enable_cache = true;
         m->read_resolv_conf = true;
         m->need_builtin_fallbacks = true;
         m->etc_hosts_last = m->etc_hosts_mtime = USEC_INFINITY;
@@ -540,6 +545,8 @@ int manager_new(Manager **ret) {
         (void) sd_event_add_signal(m->event, &m->sigusr1_event_source, SIGUSR1, manager_sigusr1, m);
         (void) sd_event_add_signal(m->event, &m->sigusr2_event_source, SIGUSR2, manager_sigusr2, m);
 
+        manager_cleanup_saved_user(m);
+
         *ret = m;
         m = NULL;
 
@@ -551,6 +558,10 @@ int manager_start(Manager *m) {
 
         assert(m);
 
+        r = manager_dns_stub_start(m);
+        if (r < 0)
+                return r;
+
         r = manager_llmnr_start(m);
         if (r < 0)
                 return r;
@@ -580,6 +591,11 @@ Manager *manager_free(Manager *m) {
 
         dns_scope_free(m->unicast_scope);
 
+        /* At this point only orphaned streams should remain. All others should have been freed already by their
+         * owners */
+        while (m->dns_streams)
+                dns_stream_unref(m->dns_streams);
+
         hashmap_free(m->links);
         hashmap_free(m->dns_transactions);
 
@@ -591,6 +607,7 @@ Manager *manager_free(Manager *m) {
 
         manager_llmnr_stop(m);
         manager_mdns_stop(m);
+        manager_dns_stub_stop(m);
 
         sd_bus_slot_unref(m->prepare_for_sleep_slot);
         sd_event_source_unref(m->bus_retry_event_source);
@@ -805,7 +822,14 @@ int manager_write(Manager *m, int fd, DnsPacket *p) {
         return 0;
 }
 
-static int manager_ipv4_send(Manager *m, int fd, int ifindex, const struct in_addr *addr, uint16_t port, DnsPacket *p) {
+static int manager_ipv4_send(
+                Manager *m,
+                int fd,
+                int ifindex,
+                const struct in_addr *destination,
+                uint16_t port,
+                const struct in_addr *source,
+                DnsPacket *p) {
         union sockaddr_union sa = {
                 .in.sin_family = AF_INET,
         };
@@ -818,14 +842,14 @@ static int manager_ipv4_send(Manager *m, int fd, int ifindex, const struct in_ad
 
         assert(m);
         assert(fd >= 0);
-        assert(addr);
+        assert(destination);
         assert(port > 0);
         assert(p);
 
         iov.iov_base = DNS_PACKET_DATA(p);
         iov.iov_len = p->size;
 
-        sa.in.sin_addr = *addr;
+        sa.in.sin_addr = *destination;
         sa.in.sin_port = htobe16(port),
 
         mh.msg_iov = &iov;
@@ -849,12 +873,23 @@ static int manager_ipv4_send(Manager *m, int fd, int ifindex, const struct in_ad
 
                 pi = (struct in_pktinfo*) CMSG_DATA(cmsg);
                 pi->ipi_ifindex = ifindex;
+
+                if (source)
+                        pi->ipi_spec_dst = *source;
         }
 
         return sendmsg_loop(fd, &mh, 0);
 }
 
-static int manager_ipv6_send(Manager *m, int fd, int ifindex, const struct in6_addr *addr, uint16_t port, DnsPacket *p) {
+static int manager_ipv6_send(
+                Manager *m,
+                int fd,
+                int ifindex,
+                const struct in6_addr *destination,
+                uint16_t port,
+                const struct in6_addr *source,
+                DnsPacket *p) {
+
         union sockaddr_union sa = {
                 .in6.sin6_family = AF_INET6,
         };
@@ -867,14 +902,14 @@ static int manager_ipv6_send(Manager *m, int fd, int ifindex, const struct in6_a
 
         assert(m);
         assert(fd >= 0);
-        assert(addr);
+        assert(destination);
         assert(port > 0);
         assert(p);
 
         iov.iov_base = DNS_PACKET_DATA(p);
         iov.iov_len = p->size;
 
-        sa.in6.sin6_addr = *addr;
+        sa.in6.sin6_addr = *destination;
         sa.in6.sin6_port = htobe16(port),
         sa.in6.sin6_scope_id = ifindex;
 
@@ -899,24 +934,36 @@ static int manager_ipv6_send(Manager *m, int fd, int ifindex, const struct in6_a
 
                 pi = (struct in6_pktinfo*) CMSG_DATA(cmsg);
                 pi->ipi6_ifindex = ifindex;
+
+                if (source)
+                        pi->ipi6_addr = *source;
         }
 
         return sendmsg_loop(fd, &mh, 0);
 }
 
-int manager_send(Manager *m, int fd, int ifindex, int family, const union in_addr_union *addr, uint16_t port, DnsPacket *p) {
+int manager_send(
+                Manager *m,
+                int fd,
+                int ifindex,
+                int family,
+                const union in_addr_union *destination,
+                uint16_t port,
+                const union in_addr_union *source,
+                DnsPacket *p) {
+
         assert(m);
         assert(fd >= 0);
-        assert(addr);
+        assert(destination);
         assert(port > 0);
         assert(p);
 
         log_debug("Sending %s packet with id %" PRIu16 " on interface %i/%s.", DNS_PACKET_QR(p) ? "response" : "query", DNS_PACKET_ID(p), ifindex, af_to_name(family));
 
         if (family == AF_INET)
-                return manager_ipv4_send(m, fd, ifindex, &addr->in, port, p);
+                return manager_ipv4_send(m, fd, ifindex, &destination->in, port, &source->in, p);
         if (family == AF_INET6)
-                return manager_ipv6_send(m, fd, ifindex, &addr->in6, port, p);
+                return manager_ipv6_send(m, fd, ifindex, &destination->in6, port, &source->in6, p);
 
         return -EAFNOSUPPORT;
 }
@@ -1153,7 +1200,7 @@ int manager_compile_dns_servers(Manager *m, OrderedSet **dns) {
         return 0;
 }
 
-int manager_compile_search_domains(Manager *m, OrderedSet **domains) {
+int manager_compile_search_domains(Manager *m, OrderedSet **domains, int filter_route) {
         DnsSearchDomain *d;
         Iterator i;
         Link *l;
@@ -1167,6 +1214,11 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains) {
                 return r;
 
         LIST_FOREACH(domains, d, m->search_domains) {
+
+                if (filter_route >= 0 &&
+                    d->route_only != !!filter_route)
+                        continue;
+
                 r = ordered_set_put(*domains, d->name);
                 if (r == -EEXIST)
                         continue;
@@ -1177,6 +1229,11 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains) {
         HASHMAP_FOREACH(l, m->links, i) {
 
                 LIST_FOREACH(domains, d, l->search_domains) {
+
+                        if (filter_route >= 0 &&
+                            d->route_only != !!filter_route)
+                                continue;
+
                         r = ordered_set_put(*domains, d->name);
                         if (r == -EEXIST)
                                 continue;
@@ -1259,3 +1316,58 @@ void manager_flush_caches(Manager *m) {
 
         log_info("Flushed all caches.");
 }
+
+void manager_cleanup_saved_user(Manager *m) {
+        _cleanup_closedir_ DIR *d = NULL;
+        struct dirent *de;
+        int r;
+
+        assert(m);
+
+        /* Clean up all saved per-link files in /run/systemd/resolve/netif/ that don't have a matching interface
+         * anymore. These files are created to persist settings pushed in by the user via the bus, so that resolved can
+         * be restarted without losing this data. */
+
+        d = opendir("/run/systemd/resolve/netif/");
+        if (!d) {
+                if (errno == ENOENT)
+                        return;
+
+                log_warning_errno(errno, "Failed to open interface directory: %m");
+                return;
+        }
+
+        FOREACH_DIRENT_ALL(de, d, log_error_errno(errno, "Failed to read interface directory: %m")) {
+                _cleanup_free_ char *p = NULL;
+                int ifindex;
+                Link *l;
+
+                if (!IN_SET(de->d_type, DT_UNKNOWN, DT_REG))
+                        continue;
+
+                if (STR_IN_SET(de->d_name, ".", ".."))
+                        continue;
+
+                r = parse_ifindex(de->d_name, &ifindex);
+                if (r < 0) /* Probably some temporary file from a previous run. Delete it */
+                        goto rm;
+
+                l = hashmap_get(m->links, INT_TO_PTR(ifindex));
+                if (!l) /* link vanished */
+                        goto rm;
+
+                if (l->is_managed) /* now managed by networkd, hence the bus settings are useless */
+                        goto rm;
+
+                continue;
+
+        rm:
+                p = strappend("/run/systemd/resolve/netif/", de->d_name);
+                if (!p) {
+                        log_oom();
+                        return;
+                }
+
+                (void) unlink(p);
+        }
+}
diff --git a/src/resolve/resolved-manager.h b/src/resolve/resolved-manager.h
index ef71202ef9..deebd8e484 100644
--- a/src/resolve/resolved-manager.h
+++ b/src/resolve/resolved-manager.h
@@ -46,6 +46,7 @@ struct Manager {
         ResolveSupport llmnr_support;
         ResolveSupport mdns_support;
         DnssecMode dnssec_mode;
+        bool enable_cache;
 
         /* Network */
         Hashmap *links;
@@ -72,7 +73,6 @@ struct Manager {
 
         LIST_HEAD(DnsSearchDomain, search_domains);
         unsigned n_search_domains;
-        bool permit_domain_search;
 
         bool need_builtin_fallbacks:1;
 
@@ -129,6 +129,13 @@ struct Manager {
         Set* etc_hosts_by_address;
         Hashmap* etc_hosts_by_name;
         usec_t etc_hosts_last, etc_hosts_mtime;
+
+        /* Local DNS stub on 127.0.0.53:53 */
+        int dns_stub_udp_fd;
+        int dns_stub_tcp_fd;
+
+        sd_event_source *dns_stub_udp_event_source;
+        sd_event_source *dns_stub_tcp_event_source;
 };
 
 /* Manager */
@@ -141,7 +148,7 @@ int manager_start(Manager *m);
 uint32_t manager_find_mtu(Manager *m);
 
 int manager_write(Manager *m, int fd, DnsPacket *p);
-int manager_send(Manager *m, int fd, int ifindex, int family, const union in_addr_union *addr, uint16_t port, DnsPacket *p);
+int manager_send(Manager *m, int fd, int ifindex, int family, const union in_addr_union *destination, uint16_t port, const union in_addr_union *source, DnsPacket *p);
 int manager_recv(Manager *m, int fd, DnsProtocol protocol, DnsPacket **ret);
 
 int manager_find_ifindex(Manager *m, int family, const union in_addr_union *in_addr);
@@ -162,7 +169,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free);
 int manager_is_own_hostname(Manager *m, const char *name);
 
 int manager_compile_dns_servers(Manager *m, OrderedSet **servers);
-int manager_compile_search_domains(Manager *m, OrderedSet **domains);
+int manager_compile_search_domains(Manager *m, OrderedSet **domains, int filter_route);
 
 DnssecMode manager_get_dnssec_mode(Manager *m);
 bool manager_dnssec_supported(Manager *m);
@@ -172,3 +179,5 @@ void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResource
 bool manager_routable(Manager *m, int family);
 
 void manager_flush_caches(Manager *m);
+
+void manager_cleanup_saved_user(Manager *m);
diff --git a/src/resolve/resolved-resolv-conf.c b/src/resolve/resolved-resolv-conf.c
index ae17aef3ab..31b25ca50f 100644
--- a/src/resolve/resolved-resolv-conf.c
+++ b/src/resolve/resolved-resolv-conf.c
@@ -194,10 +194,13 @@ static int write_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *doma
         Iterator i;
 
         fputs("# This file is managed by systemd-resolved(8). Do not edit.\n#\n"
-              "# Third party programs must not access this file directly, but\n"
-              "# only through the symlink at /etc/resolv.conf. To manage\n"
-              "# resolv.conf(5) in a different way, replace the symlink by a\n"
-              "# static file or a different symlink.\n\n", f);
+              "# This is a dynamic resolv.conf file for connecting local clients directly to\n"
+              "# all known DNS servers.\n#\n"
+              "# Third party programs must not access this file directly, but only through the\n"
+              "# symlink at /etc/resolv.conf. To manage resolv.conf(5) in a different way,\n"
+              "# replace this symlink by a static file or a different symlink.\n#\n"
+              "# See systemd-resolved.service(8) for details about the supported modes of\n"
+              "# operation for /etc/resolv.conf.\n\n", f);
 
         if (ordered_set_isempty(dns))
                 fputs("# No DNS servers known.\n", f);
@@ -232,7 +235,7 @@ int manager_write_resolv_conf(Manager *m) {
         if (r < 0)
                 return log_warning_errno(r, "Failed to compile list of DNS servers: %m");
 
-        r = manager_compile_search_domains(m, &domains);
+        r = manager_compile_search_domains(m, &domains, false);
         if (r < 0)
                 return log_warning_errno(r, "Failed to compile list of search domains: %m");
 
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index 3a47b82d8a..deb75f9ae5 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -67,7 +67,11 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
-        r = drop_privileges(uid, gid, 0);
+        /* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
+        r = drop_privileges(uid, gid,
+                            (UINT64_C(1) << CAP_NET_RAW)|          /* needed for SO_BINDTODEVICE */
+                            (UINT64_C(1) << CAP_NET_BIND_SERVICE)| /* needed to bind on port 53 */
+                            (UINT64_C(1) << CAP_SETPCAP)           /* needed in order to drop the caps later */);
         if (r < 0)
                 goto finish;
 
@@ -88,6 +92,13 @@ int main(int argc, char *argv[]) {
         /* Write finish default resolv.conf to avoid a dangling symlink */
         (void) manager_write_resolv_conf(m);
 
+        /* Let's drop the remaining caps now */
+        r = capability_bounding_set_drop(0, true);
+        if (r < 0) {
+                log_error_errno(r, "Failed to drop remaining caps: %m");
+                goto finish;
+        }
+
         sd_notify(false,
                   "READY=1\n"
                   "STATUS=Processing requests...");
diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
index a288588924..3bd8389c88 100644
--- a/src/resolve/resolved.conf.in
+++ b/src/resolve/resolved.conf.in
@@ -17,3 +17,4 @@
 #Domains=
 #LLMNR=yes
 #DNSSEC=@DEFAULT_DNSSEC_MODE@
+#Cache=yes
diff --git a/src/resolve/test-dns-packet.c b/src/resolve/test-dns-packet.c
index 41e5c1caa5..956b155872 100644
--- a/src/resolve/test-dns-packet.c
+++ b/src/resolve/test-dns-packet.c
@@ -33,6 +33,19 @@
 
 #define HASH_KEY SD_ID128_MAKE(d3,1e,48,90,4b,fa,4c,fe,af,9d,d5,a1,d7,2e,8a,b1)
 
+static void verify_rr_copy(DnsResourceRecord *rr) {
+        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *copy = NULL;
+        const char *a, *b;
+
+        assert_se(copy = dns_resource_record_copy(rr));
+        assert_se(dns_resource_record_equal(copy, rr) > 0);
+
+        assert_se(a = dns_resource_record_to_string(rr));
+        assert_se(b = dns_resource_record_to_string(copy));
+
+        assert_se(streq(a, b));
+}
+
 static uint64_t hash(DnsResourceRecord *rr) {
         struct siphash state;
 
@@ -66,6 +79,8 @@ static void test_packet_from_file(const char* filename, bool canonical) {
                 assert_se(dns_packet_append_blob(p, data + offset + 8, packet_size, NULL) >= 0);
                 assert_se(dns_packet_read_rr(p, &rr, NULL, NULL) >= 0);
 
+                verify_rr_copy(rr);
+
                 s = dns_resource_record_to_string(rr);
                 assert_se(s);
                 puts(s);
@@ -78,6 +93,8 @@ static void test_packet_from_file(const char* filename, bool canonical) {
                 assert_se(dns_packet_append_blob(p2, rr->wire_format, rr->wire_format_size, NULL) >= 0);
                 assert_se(dns_packet_read_rr(p2, &rr2, NULL, NULL) >= 0);
 
+                verify_rr_copy(rr);
+
                 s2 = dns_resource_record_to_string(rr);
                 assert_se(s2);
                 assert_se(streq(s, s2));
diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
index 8e3307dc24..52410999cf 100644
--- a/src/shared/bus-util.c
+++ b/src/shared/bus-util.c
@@ -1048,7 +1048,7 @@ static int map_basic(sd_bus *bus, const char *member, sd_bus_message *m, sd_bus_
 
         case SD_BUS_TYPE_BOOLEAN: {
                 unsigned b;
-                bool *p = userdata;
+                int *p = userdata;
 
                 r = sd_bus_message_read_basic(m, type, &b);
                 if (r < 0)
diff --git a/src/basic/fdset.c b/src/shared/fdset.c
index 527f27bc67..527f27bc67 100644
--- a/src/basic/fdset.c
+++ b/src/shared/fdset.c
diff --git a/src/basic/fdset.h b/src/shared/fdset.h
index 16efe5bdf2..16efe5bdf2 100644
--- a/src/basic/fdset.h
+++ b/src/shared/fdset.h
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index 0dfdae4538..c0b285b58f 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -2499,7 +2499,7 @@ static int unit_find_paths(
                 r = 1;
         }
 
-        if (r == 0)
+        if (r == 0 && !arg_force)
                 log_error("No files found for %s.", unit_name);
 
         return r;
@@ -6070,7 +6070,7 @@ static int create_edit_temp_file(const char *new_path, const char *original_path
                         return log_error_errno(r, "Failed to create temporary file \"%s\": %m", t);
 
         } else if (r < 0)
-                return log_error_errno(r, "Failed to copy \"%s\" to \"%s\": %m", original_path, t);
+                return log_error_errno(r, "Failed to create temporary file for \"%s\": %m", new_path);
 
         *ret_tmp_fn = t;
         t = NULL;
@@ -6093,7 +6093,7 @@ static int get_file_to_edit(
                 return log_oom();
 
         if (arg_runtime) {
-                run = strjoin(paths->runtime_config, name, NULL);
+                run = strjoin(paths->runtime_config, "/", name, NULL);
                 if (!run)
                         return log_oom();
         }
@@ -6114,9 +6114,10 @@ static int get_file_to_edit(
         return 0;
 }
 
-static int unit_file_create_dropin(
+static int unit_file_create_new(
                 const LookupPaths *paths,
                 const char *unit_name,
+                const char *suffix,
                 char **ret_new_path,
                 char **ret_tmp_path) {
 
@@ -6127,7 +6128,7 @@ static int unit_file_create_dropin(
         assert(ret_new_path);
         assert(ret_tmp_path);
 
-        ending = strjoina(unit_name, ".d/override.conf");
+        ending = strjoina(unit_name, suffix);
         r = get_file_to_edit(paths, ending, &tmp_new_path);
         if (r < 0)
                 return r;
@@ -6174,13 +6175,12 @@ static int unit_file_create_copy(
                 if (response != 'y') {
                         log_warning("%s ignored", unit_name);
                         free(tmp_new_path);
-                        return -1;
+                        return -EKEYREJECTED;
                 }
         }
 
         r = create_edit_temp_file(tmp_new_path, fragment_path, &tmp_tmp_path);
         if (r < 0) {
-                log_error_errno(r, "Failed to create temporary file for \"%s\": %m", tmp_new_path);
                 free(tmp_new_path);
                 return r;
         }
@@ -6291,18 +6291,24 @@ static int find_paths_to_edit(sd_bus *bus, char **names, char ***paths) {
                 r = unit_find_paths(bus, *name, &lp, &path, NULL);
                 if (r < 0)
                         return r;
-                else if (r == 0)
-                        return -ENOENT;
-                else if (!path) {
-                        // FIXME: support units with path==NULL (no FragmentPath)
-                        log_error("No fragment exists for %s.", *name);
-                        return -ENOENT;
+                else if (!arg_force) {
+                        if (r == 0) {
+                                log_error("Run 'systemctl edit --force %s' to create a new unit.", *name);
+                                return -ENOENT;
+                        } else if (!path) {
+                                // FIXME: support units with path==NULL (no FragmentPath)
+                                log_error("No fragment exists for %s.", *name);
+                                return -ENOENT;
+                        }
                 }
 
-                if (arg_full)
-                        r = unit_file_create_copy(&lp, *name, path, &new_path, &tmp_path);
-                else
-                        r = unit_file_create_dropin(&lp, *name, &new_path, &tmp_path);
+                if (path) {
+                        if (arg_full)
+                                r = unit_file_create_copy(&lp, *name, path, &new_path, &tmp_path);
+                        else
+                                r = unit_file_create_new(&lp, *name, ".d/override.conf", &new_path, &tmp_path);
+                } else
+                        r = unit_file_create_new(&lp, *name, NULL, &new_path, &tmp_path);
                 if (r < 0)
                         return r;
 
diff --git a/src/systemd/sd-daemon.h b/src/systemd/sd-daemon.h
index e6787b0a64..740b176903 100644
--- a/src/systemd/sd-daemon.h
+++ b/src/systemd/sd-daemon.h
@@ -196,6 +196,11 @@ int sd_is_mq(int fd, const char *path);
                   invocation. This variable is only supported with
                   sd_pid_notify_with_fds().
 
+     WATCHDOG_USEC=...
+                  Reset watchdog_usec value during runtime.
+                  To reset watchdog_usec value, start the service again.
+                  Example: "WATCHDOG_USEC=20000000"
+
   Daemons can choose to send additional variables. However, it is
   recommended to prefix variable names not listed above with X_.
 
diff --git a/src/timedate/timedatectl.c b/src/timedate/timedatectl.c
index 7f61cf0181..553ef67011 100644
--- a/src/timedate/timedatectl.c
+++ b/src/timedate/timedatectl.c
@@ -57,11 +57,11 @@ typedef struct StatusInfo {
         char *timezone;
 
         usec_t rtc_time;
-        bool rtc_local;
+        int rtc_local;
 
-        bool ntp_enabled;
-        bool ntp_capable;
-        bool ntp_synced;
+        int ntp_enabled;
+        int ntp_capable;
+        int ntp_synced;
 } StatusInfo;
 
 static void status_info_clear(StatusInfo *info) {
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 79ccf9fad9..bfb6293b3d 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -2178,7 +2178,7 @@ static int read_config_file(const char *fn, bool ignore_enoent) {
         Iterator iterator;
         unsigned v = 0;
         Item *i;
-        int r;
+        int r = 0;
 
         assert(fn);
 
diff --git a/test/TEST-01-BASIC/test.sh b/test/TEST-01-BASIC/test.sh
index 21eed9b22a..041195dcd8 100755
--- a/test/TEST-01-BASIC/test.sh
+++ b/test/TEST-01-BASIC/test.sh
@@ -25,8 +25,7 @@ test_run() {
     else
         dwarn "can't run QEMU, skipping"
     fi
-    if check_nspawn; then
-        run_nspawn
+    if run_nspawn; then
         check_result_nspawn || return 1
     else
         dwarn "can't run systemd-nspawn, skipping"
diff --git a/test/TEST-03-JOBS/test.sh b/test/TEST-03-JOBS/test.sh
index 83393435f0..ab0de0bfd1 100755
--- a/test/TEST-03-JOBS/test.sh
+++ b/test/TEST-03-JOBS/test.sh
@@ -25,8 +25,7 @@ test_run() {
     else
         dwarn "can't run QEMU, skipping"
     fi
-    if check_nspawn; then
-        run_nspawn
+    if run_nspawn; then
         check_result_nspawn || return 1
     else
         dwarn "can't run systemd-nspawn, skipping"
diff --git a/test/TEST-04-JOURNAL/test.sh b/test/TEST-04-JOURNAL/test.sh
index 1a14f76060..3ccf113019 100755
--- a/test/TEST-04-JOURNAL/test.sh
+++ b/test/TEST-04-JOURNAL/test.sh
@@ -25,8 +25,7 @@ test_run() {
     else
         dwarn "can't run QEMU, skipping"
     fi
-    if check_nspawn; then
-        run_nspawn
+    if run_nspawn; then
         check_result_nspawn || return 1
     else
         dwarn "can't run systemd-nspawn, skipping"
diff --git a/test/TEST-05-RLIMITS/test.sh b/test/TEST-05-RLIMITS/test.sh
index 6eaa0b8f34..a5f7e8de0b 100755
--- a/test/TEST-05-RLIMITS/test.sh
+++ b/test/TEST-05-RLIMITS/test.sh
@@ -25,8 +25,7 @@ test_run() {
     else
         dwarn "can't run QEMU, skipping"
     fi
-    if check_nspawn; then
-        run_nspawn
+    if run_nspawn; then
         check_result_nspawn || return 1
     else
         dwarn "can't run systemd-nspawn, skipping"
diff --git a/test/TEST-06-SELINUX/test.sh b/test/TEST-06-SELINUX/test.sh
index 4f5895be66..1ae4a7c0d9 100755
--- a/test/TEST-06-SELINUX/test.sh
+++ b/test/TEST-06-SELINUX/test.sh
@@ -10,7 +10,7 @@ TEST_DESCRIPTION="SELinux tests"
 
 . $TEST_BASE_DIR/test-functions
 SETUP_SELINUX=yes
-KERNEL_APPEND="$KERNEL_APPEND selinux=1"
+KERNEL_APPEND="$KERNEL_APPEND selinux=1 security=selinux"
 
 check_result_qemu() {
     ret=1
diff --git a/test/TEST-07-ISSUE-1981/test.sh b/test/TEST-07-ISSUE-1981/test.sh
index d97c4ec27d..2f7f01058e 100755
--- a/test/TEST-07-ISSUE-1981/test.sh
+++ b/test/TEST-07-ISSUE-1981/test.sh
@@ -5,11 +5,11 @@ TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/1981"
 
 . $TEST_BASE_DIR/test-functions
 
+NSPAWN_TIMEOUT=30s
+
 test_run() {
     dwarn "skipping QEMU"
-    if check_nspawn; then
-        NSPAWN_TIMEOUT=30s
-        run_nspawn
+    if run_nspawn; then
         check_result_nspawn || return 1
     else
         dwarn "can't run systemd-nspawn, skipping"
diff --git a/test/TEST-08-ISSUE-2730/test.sh b/test/TEST-08-ISSUE-2730/test.sh
index 409140157a..44831983b3 100755
--- a/test/TEST-08-ISSUE-2730/test.sh
+++ b/test/TEST-08-ISSUE-2730/test.sh
@@ -19,12 +19,16 @@ check_result_qemu() {
     [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
     ls -l $TESTDIR/journal/*/*.journal
     test -s $TESTDIR/failed && ret=$(($ret+1))
+    [ -n "$TIMED_OUT" ] && ret=$(($ret+1))
     return $ret
 }
 
 test_run() {
-    run_qemu || return 1
-    check_result_qemu || return 1
+    if run_qemu; then
+        check_result_qemu || return 1
+    else
+        dwarn "can't run QEMU, skipping"
+    fi
     return 0
 }
 
diff --git a/test/TEST-09-ISSUE-2691/test.sh b/test/TEST-09-ISSUE-2691/test.sh
index e247694f01..8ae02e61ac 100755
--- a/test/TEST-09-ISSUE-2691/test.sh
+++ b/test/TEST-09-ISSUE-2691/test.sh
@@ -18,12 +18,16 @@ check_result_qemu() {
     [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
     ls -l $TESTDIR/journal/*/*.journal
     test -s $TESTDIR/failed && ret=$(($ret+1))
+    [ -n "$TIMED_OUT" ] && ret=$(($ret+1))
     return $ret
 }
 
 test_run() {
-    run_qemu || return 1
-    check_result_qemu || return 1
+    if run_qemu; then
+        check_result_qemu || return 1
+    else
+        dwarn "can't run QEMU, skipping"
+    fi
     return 0
 }
 
diff --git a/test/TEST-10-ISSUE-2467/test.sh b/test/TEST-10-ISSUE-2467/test.sh
index a652b0d812..4eca6784bc 100755
--- a/test/TEST-10-ISSUE-2467/test.sh
+++ b/test/TEST-10-ISSUE-2467/test.sh
@@ -21,8 +21,11 @@ check_result_qemu() {
 }
 
 test_run() {
-    run_qemu || return 1
-    check_result_qemu || return 1
+    if run_qemu; then
+        check_result_qemu || return 1
+    else
+        dwarn "can't run QEMU, skipping"
+    fi
     return 0
 }
 
diff --git a/test/TEST-11-ISSUE-3166/test.sh b/test/TEST-11-ISSUE-3166/test.sh
index 7913537e9b..0f269c8211 100755
--- a/test/TEST-11-ISSUE-3166/test.sh
+++ b/test/TEST-11-ISSUE-3166/test.sh
@@ -21,8 +21,11 @@ check_result_qemu() {
 }
 
 test_run() {
-    run_qemu || return 1
-    check_result_qemu || return 1
+    if run_qemu; then
+        check_result_qemu || return 1
+    else
+        dwarn "can't run QEMU, skipping"
+    fi
     return 0
 }
 
diff --git a/test/TEST-12-ISSUE-3171/test.sh b/test/TEST-12-ISSUE-3171/test.sh
index 925dcad9ea..e20f470143 100755
--- a/test/TEST-12-ISSUE-3171/test.sh
+++ b/test/TEST-12-ISSUE-3171/test.sh
@@ -6,8 +6,11 @@ TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/3171"
 . $TEST_BASE_DIR/test-functions
 
 test_run() {
-    run_nspawn || return 1
-    check_result_nspawn || return 1
+    if run_nspawn; then
+        check_result_nspawn || return 1
+    else
+        dwarn "can't run systemd-nspawn, skipping"
+    fi
     return 0
 }
 
diff --git a/test/test-functions b/test/test-functions
index 5f95a8129e..4583c02f97 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -9,6 +9,7 @@ KERNEL_VER=${KERNEL_VER-$(uname -r)}
 KERNEL_MODS="/lib/modules/$KERNEL_VER/"
 QEMU_TIMEOUT="${QEMU_TIMEOUT:-infinity}"
 NSPAWN_TIMEOUT="${NSPAWN_TIMEOUT:-infinity}"
+TIMED_OUT=  # will be 1 after run_* if *_TIMEOUT is set and test timed out
 FSTYPE="${FSTYPE:-ext3}"
 UNIFIED_CGROUP_HIERARCHY="${UNIFIED_CGROUP_HIERARCHY:-no}"
 
@@ -46,6 +47,8 @@ function find_qemu_bin() {
     fi
 }
 
+# Return 0 if QEMU did run (then you must check the result state/logs for actual
+# success), or 1 if QEMU is not available.
 run_qemu() {
     if [ -f /etc/machine-id ]; then
         read MACHINE_ID < /etc/machine-id
@@ -94,11 +97,22 @@ $KERNEL_APPEND \
     if [[ "$QEMU_TIMEOUT" != "infinity" ]]; then
         QEMU_BIN="timeout --foreground $QEMU_TIMEOUT $QEMU_BIN"
     fi
-    ( set -x
-      $QEMU_BIN $QEMU_OPTIONS -append "$KERNEL_APPEND" ) || return 1
+    (set -x; $QEMU_BIN $QEMU_OPTIONS -append "$KERNEL_APPEND")
+    rc=$?
+    if [ "$rc" = 124 ] && [ "$QEMU_TIMEOUT" != "infinity" ]; then
+        derror "test timed out after $QEMU_TIMEOUT s"
+        TIMED_OUT=1
+    else
+        [ "$rc" != 0 ] && derror "QEMU failed with exit code $rc"
+    fi
+    return 0
 }
 
+# Return 0 if nspawn did run (then you must check the result state/logs for actual
+# success), or 1 if nspawn is not available.
 run_nspawn() {
+    [[ -d /run/systemd/system ]] || return 1
+
     local _nspawn_cmd="../../systemd-nspawn --register=no --kill-signal=SIGKILL --directory=$TESTDIR/nspawn-root $ROOTLIBDIR/systemd $KERNEL_APPEND"
     if [[ "$NSPAWN_TIMEOUT" != "infinity" ]]; then
         _nspawn_cmd="timeout --foreground $NSPAWN_TIMEOUT $_nspawn_cmd"
@@ -106,8 +120,15 @@ run_nspawn() {
 
     _nspawn_cmd="env UNIFIED_CGROUP_HIERARCHY=$UNIFIED_CGROUP_HIERARCHY $_nspawn_cmd"
 
-    set -x
-    $_nspawn_cmd
+    (set -x; $_nspawn_cmd)
+    rc=$?
+    if [ "$rc" = 124 ] && [ "$NSPAWN_TIMEOUT" != "infinity" ]; then
+        derror "test timed out after $NSPAWN_TIMEOUT s"
+        TIMED_OUT=1
+    else
+        [ "$rc" != 0 ] && derror "nspawn failed with exit code $rc"
+    fi
+    return 0
 }
 
 setup_basic_environment() {
@@ -290,6 +311,7 @@ check_result_nspawn() {
     [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
     ls -l $TESTDIR/journal/*/*.journal
     test -s $TESTDIR/failed && ret=$(($ret+1))
+    [ -n "$TIMED_OUT" ] && ret=$(($ret+1))
     return $ret
 }
 
@@ -1266,11 +1288,6 @@ inst_libdir_file() {
     fi
 }
 
-check_nspawn() {
-    [[ -d /run/systemd/system ]]
-}
-
-
 do_test() {
     if [[ $UID != "0" ]]; then
         echo "TEST: $TEST_DESCRIPTION [SKIPPED]: not root" >&2
diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
index ef7b9b9541..064eae94f1 100644
--- a/tmpfiles.d/etc.conf.m4
+++ b/tmpfiles.d/etc.conf.m4
@@ -14,7 +14,7 @@ m4_ifdef(`HAVE_SMACK_RUN_LABEL',
 t /etc/mtab - - - - security.SMACK64=_
 )m4_dnl
 m4_ifdef(`ENABLE_RESOLVED',
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf
+L! /etc/resolv.conf - - - - ../usr/lib/systemd/resolv.conf
 )m4_dnl
 C /etc/nsswitch.conf - - - -
 m4_ifdef(`HAVE_PAM',
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index a9cc3988ed..15ab56a066 100644
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -23,7 +23,7 @@ Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_NET_RAW CAP_NET_BIND_SERVICE
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 79f28c87c6..67e4c5fcd7 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -24,3 +24,4 @@ ExecStart=@rootlibexecdir@/systemd-udevd
 MountFlags=slave
 KillMode=mixed
 WatchdogSec=3min
+TasksMax=infinity
diff --git a/units/tmp.mount.m4 b/units/tmp.mount.m4
index 1448bd268a..0baecfd22f 100644
--- a/units/tmp.mount.m4
+++ b/units/tmp.mount.m4
@@ -19,4 +19,4 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime
+Options=mode=1777,strictatime,nosuid,nodev