From 8a516214c4412e8a40544bd725a6d499a30cbbbf Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 6 Jan 2016 18:36:32 +0100 Subject: resolved: introduce support for per-interface negative trust anchors --- man/dnssec-trust-anchors.d.xml | 9 ++++++++- man/systemd.network.xml | 14 ++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/dnssec-trust-anchors.d.xml b/man/dnssec-trust-anchors.d.xml index 5f15d7cd59..51271abc16 100644 --- a/man/dnssec-trust-anchors.d.xml +++ b/man/dnssec-trust-anchors.d.xml @@ -179,6 +179,12 @@ If no negative trust anchor files are configured a built-in set of well-known private DNS zone domains is used as negative trust anchors. + + It is also possibly to define per-interface negative trust + anchors using the DNSSECNegativeTrustAnchors= + setting in + systemd.network5 + files. @@ -186,7 +192,8 @@ systemd1, systemd-resolved.service8, - resolved.conf5 + resolved.conf5, + systemd.network5 diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 1dfa559c8b..5a6383cfc2 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -318,6 +318,20 @@ systemd-resolved.service8. + + DNSSECNegativeTrustAnchors= + A space-separated list of DNSSEC negative + trust anchor domains. If specified and DNSSEC is enabled, + look-ups done via the interface's DNS server will be subject + to the list of negative trust anchors, and not require + authentication for the specified domains, or anything below + it. Use this to disable DNSSEC authentication for specific + private domains, that cannot be proven valid using the + Internet DNS hierarchy. Defaults to the empty list. This + setting is read by + systemd-resolved.service8. + + LLDP= -- cgit v1.2.3-54-g00ecf