Diffstat (limited to 'man')
-rw-r--r-- man/dnssec-trust-anchors.d.xml | 13
-rw-r--r-- man/resolved.conf.xml | 71
-rw-r--r-- man/systemd.network.xml | 71
3 files changed, 127 insertions, 28 deletions
diff --git a/man/dnssec-trust-anchors.d.xml b/man/dnssec-trust-anchors.d.xml index 9a7cf3c881..51271abc16 100644 --- a/man/dnssec-trust-anchors.d.xml +++ b/man/dnssec-trust-anchors.d.xml @@ -175,6 +175,16 @@ <para><ulink url="https://tools.ietf.org/html/rfc7646">RFC 7646</ulink> for details on negative trust anchors.</para> + + <para>If no negative trust anchor files are configured a built-in + set of well-known private DNS zone domains is used as negative + trust anchors.</para> + + <para>It is also possibly to define per-interface negative trust + anchors using the <varname>DNSSECNegativeTrustAnchors=</varname> + setting in + <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> + files.</para> </refsect1> <refsect1> @@ -182,7 +192,8 @@ <para> <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, - <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> + <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> </para> </refsect1> diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 8473bbe5c9..5da2d5488e 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml 
@@ -125,22 +125,38 @@ </varlistentry> <varlistentry> + <term><varname>MulticastDNS=</varname></term> + <listitem><para>Takes a boolean argument or + <literal>resolve</literal>. Controls Multicast DNS support + (<ulink url="https://tools.ietf.org/html/rfc6762">RFC + 6762</ulink>) on the local host. If true, enables full + Multicast DNS responder and resolver support. If false, + disables both. If set to <literal>resolve</literal>, only + resolution support is enabled, but responding is + disabled. Note that + <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + also maintains per-interface Multicast DNS settings. Multicast + DNS will be enabled on an interface only if the per-interface + and the global setting is on.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>DNSSEC=</varname></term> <listitem><para>Takes a boolean argument or - <literal>downgrade-ok</literal>. If true all DNS lookups are - DNSSEC-validated locally. If a response for a lookup request - is detected invalid this is returned as lookup failure to - applications. Note that this mode requires a DNS server that - supports DNSSEC. If the DNS server does not properly support - DNSSEC all validations will fail. If set to - <literal>downgrade-ok</literal> DNSSEC validation is - attempted, but if the server does not support DNSSEC properly, - DNSSEC mode is automatically disabled. Note that this mode - makes DNSSEC validation vulnerable to "downgrade" attacks, - where an attacker might be able to trigger a downgrade to - non-DNSSEC mode by synthesizing a DNS response that suggests - DNSSEC was not supported. If set to false, DNS lookups are not - DNSSEC validated.</para> + <literal>allow-downgrade</literal>. If true all DNS lookups are + DNSSEC-validated locally (excluding LLMNR and Multicast + DNS). If a response for a lookup request is detected invalid + this is returned as lookup failure to applications. 
Note that + this mode requires a DNS server that supports DNSSEC. If the + DNS server does not properly support DNSSEC all validations + will fail. If set to <literal>allow-downgrade</literal> DNSSEC + validation is attempted, but if the server does not support + DNSSEC properly, DNSSEC mode is automatically disabled. Note + that this mode makes DNSSEC validation vulnerable to + "downgrade" attacks, where an attacker might be able to + trigger a downgrade to non-DNSSEC mode by synthesizing a DNS + response that suggests DNSSEC was not supported. If set to + false, DNS lookups are not DNSSEC validated.</para> <para>Note that DNSSEC validation requires retrieval of additional DNS data, and thus results in a small DNS look-up @@ -160,8 +176,8 @@ lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned. If <varname>DNSSEC=</varname> is set to - <literal>downgrade-ok</literal> the resolver will - automatically turn of DNSSEC validation in such a case.</para> + <literal>allow-downgrade</literal> the resolver will + automatically turn off DNSSEC validation in such a case.</para> <para>Client programs looking up DNS data will be informed whether lookups could be verified using DNSSEC, or whether the 
@@ -173,11 +189,30 @@ this be required.</para> <para>It is recommended to set <varname>DNSSEC=</varname> to - true on systems where it is kown that the DNS server supports + true on systems where it is known that the DNS server supports DNSSEC correctly, and where software or trust anchor updates happen regularly. On other systems it is recommended to set <varname>DNSSEC=</varname> to - <literal>missing-ok</literal>.</para> + <literal>allow-downgrade</literal>.</para> + + <para>In addition to this global DNSSEC setting + <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + also maintains per-interface DNSSEC settings. For system DNS + servers (see above), only the global DNSSEC setting is in + effect. For per-interface DNS servers the per-interface + setting is in effect, unless it is unset in which case the + global setting is used instead.</para> + + <para>Site-private DNS zones generally conflict with DNSSEC + operation, unless a negative (if the private zone is not + signed) or positive (if the private zone is signed) trust + anchor is configured for them. If + <literal>allow-downgrade</literal> mode is selected, it is + attempted to detect site-private DNS zones using top-level + domains (TLDs) that are not known by the DNS root server. This + logic does not work in all private zone setups.</para> + + <para>Defaults to off.</para> </listitem> </varlistentry> diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 5ad03f75e6..5a6383cfc2 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml 
@@ -277,10 +277,59 @@ <varlistentry> <term><varname>LLMNR=</varname></term> <listitem> - <para>A boolean or <literal>resolve</literal>. When true, enables - Link-Local Multicast Name Resolution on the link. When set to - <literal>resolve</literal>, only resolution is enabled, but not - announcement. Defaults to true.</para> + <para>A boolean or <literal>resolve</literal>. When true, + enables <ulink + url="https://tools.ietf.org/html/rfc4795">Link-Local + Multicast Name Resolution</ulink> on the link. When set to + <literal>resolve</literal>, only resolution is enabled, + but not host registration and announcement. Defaults to + true. This setting is read by + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>MulticastDNS=</varname></term> + <listitem> + <para>A boolean or <literal>resolve</literal>. When true, + enables <ulink + url="https://tools.ietf.org/html/rfc6762">Multicast + DNS</ulink> support on the link. When set to + <literal>resolve</literal>, only resolution is enabled, + but not host or service registration and + announcement. Defaults to false. This setting is read by + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>DNSSEC=</varname></term> + <listitem> + <para>A boolean or + <literal>allow-downgrade</literal>. When true, enables + <ulink + url="https://tools.ietf.org/html/rfc4033">DNSSEC</ulink> + DNS validation support on the link. When set to + <literal>allow-downgrade</literal>, compatibility with + non-DNSSEC capable networks is increased, by automatically + turning off DNSEC in this case. 
This option defines a + per-interface setting for + <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s + global <varname>DNSSEC=</varname> option. Defaults to + false. This setting is read by + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>DNSSECNegativeTrustAnchors=</varname></term> + <listitem><para>A space-separated list of DNSSEC negative + trust anchor domains. If specified and DNSSEC is enabled, + look-ups done via the interface's DNS server will be subject + to the list of negative trust anchors, and not require + authentication for the specified domains, or anything below + it. Use this to disable DNSSEC authentication for specific + private domains, that cannot be proven valid using the + Internet DNS hierarchy. Defaults to the empty list. This + setting is read by + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> </listitem> </varlistentry> <varlistentry> 
@@ -346,19 +395,22 @@ <para>A DNS server address, which must be in the format described in <citerefentry project='man-pages'><refentrytitle>inet_pton</refentrytitle><manvolnum>3</manvolnum></citerefentry>. - This option may be specified more than once.</para> + This option may be specified more than once. This setting is read by + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para> </listitem> </varlistentry> <varlistentry> <term><varname>Domains=</varname></term> <listitem> - <para>The domains used for DNS resolution over this link.</para> + <para>The domains used for DNS resolution over this link. This setting is read by + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para> </listitem> </varlistentry> <varlistentry> <term><varname>NTP=</varname></term> <listitem> - <para>An NTP server address. This option may be specified more than once.</para> + <para>An NTP server address. This option may be specified more than once. This setting is read by + <citerefentry><refentrytitle>systemd-timesyncd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para> </listitem> </varlistentry> <varlistentry> 
@@ -1011,9 +1063,10 @@ DHCP=yes <title>See Also</title> <para> <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry> + <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> </para> </refsect1> |
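Review bot: typo in the new dnssec-trust-anchors.d.xml paragraph at @@ -175,6 +175,16 @@: "It is also possibly to define per-interface negative trust anchors" should read "It is also possible to define". The paragraph just before it states that when no negative trust anchor files are configured "a built-in set of well-known private DNS zone domains is used as negative trust anchors", but it neither names those domains nor says where the list can be inspected. Every name under a negative trust anchor is accepted without DNSSEC validation, so an administrator needs to know what is exempt out of the box; either enumerate the built-in set here or reference the place that does.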
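Review bot: the new MulticastDNS= entry in resolved.conf.xml at @@ -125,22 +125,38 @@ underspecifies how the global and per-interface values combine. "Multicast DNS will be enabled on an interface only if the per-interface and the global setting is on" (grammar: "are on") covers the boolean case, but the option is three-valued, and the text does not say what results from global <literal>resolve</literal> with per-interface <literal>yes</literal>, or the reverse. State which value wins when the two differ. Also add a "Defaults to ..." sentence: the matching systemd.network entry in this same patch documents its default ("Defaults to false"), while the global option, which decides whether the responder can be switched on at all, does not.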
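Review bot: the hunk at @@ -160,8 +176,8 @@ in resolved.conf.xml, together with the earlier DNSSEC= hunk, renames the accepted value from <literal>downgrade-ok</literal> to <literal>allow-downgrade</literal>, which is a user-visible change to existing configuration files. Nothing in the patch says whether <literal>downgrade-ok</literal> is still parsed; if it is not, the man page should say so explicitly (a single sentence next to the option is enough), and if it is kept as an alias, that should be documented too. The "turn of" to "turn off" correction is fine.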
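Review bot: the precedence paragraph added at @@ -173,11 +189,30 @@ in resolved.conf.xml contradicts the systemd.network.xml change in this same patch. Here the per-interface DNSSEC= setting "is in effect, unless it is unset in which case the global setting is used instead", but systemd.network.xml says the per-interface option "Defaults to false"; read together, the per-interface value is never unset and the global setting is never consulted for per-interface servers. Pick one model, most plausibly "defaults to unset", and fix the other file to match. Two smaller points in the same hunk: "it is attempted to detect site-private DNS zones using top-level domains (TLDs) that are not known by the DNS root server" reads better as "the resolver attempts to detect site-private zones by their use of TLDs unknown to the root", and "This logic does not work in all private zone setups" should say what happens when it fails, i.e. that lookups in such zones return validation failures unless a negative trust anchor is configured for them, so readers know which symptom to expect.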
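Review bot: typo in the per-interface DNSSEC= entry at @@ -277,10 +277,59 @@ in systemd.network.xml: "turning off DNSEC in this case" should be "DNSSEC". In the same entry, "Defaults to false" conflicts with the resolved.conf.xml text in this patch, which says the global setting applies when the per-interface one is unset; if the intended behaviour is fall-through, write "Defaults to unset, in which case the global DNSSEC= setting from resolved.conf(5) applies". In the DNSSECNegativeTrustAnchors= entry, "for the specified domains, or anything below it" should be "below them", and "specific private domains, that cannot be proven valid" should drop the comma. More importantly, the entry does not say whether the per-interface list is added to the negative trust anchors from dnssec-trust-anchors.d (and the built-in set) or replaces them for that link; since either reading changes which names skip validation, state it.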
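Review bot: the three sentences added at @@ -346,19 +395,22 @@ in systemd.network.xml (DNS=, Domains=, NTP=) end with <literal>&lt;/manvolnum&gt;&lt;/citerefentry&gt;&lt;/para&gt;</literal> and no terminating period, unlike every other "This setting is read by ..." sentence in this patch, which ends with ".&lt;/para&gt;". Add the period in all three for consistency.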