1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
This file is part of systemd.
Copyright 2014 Tom Gundersen
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="resolved.conf" conditional='ENABLE_RESOLVED'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>resolved.conf</title>
<productname>systemd</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Tom</firstname>
<surname>Gundersen</surname>
<email>teg@jklm.no</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>resolved.conf</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>resolved.conf</refname>
<refname>resolved.conf.d</refname>
<refpurpose>Network Name Resolution configuration files</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>/etc/systemd/resolved.conf</filename></para>
<para><filename>/etc/systemd/resolved.conf.d/*.conf</filename></para>
<para><filename>/run/systemd/resolved.conf.d/*.conf</filename></para>
<para><filename>/usr/lib/systemd/resolved.conf.d/*.conf</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>These configuration files control local DNS and LLMNR
name resolution.</para>
</refsect1>
<xi:include href="standard-conf.xml" xpointer="main-conf" />
<refsect1>
<title>Options</title>
<variablelist class='network-directives'>
<varlistentry>
<term><varname>DNS=</varname></term>
<listitem><para>A space-separated list of IPv4 and IPv6
addresses to be used as system DNS servers. DNS requests are
sent to one of the listed DNS servers in parallel to any
per-interface DNS servers acquired from
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
For compatibility reasons, if this setting is not specified,
the DNS servers listed in
<filename>/etc/resolv.conf</filename> are used instead, if
that file exists and any servers are configured in it. This
setting defaults to the empty list.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>FallbackDNS=</varname></term>
<listitem><para>A space-separated list of IPv4 and IPv6
addresses to be used as the fallback DNS servers. Any
per-interface DNS servers obtained from
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
take precedence over this setting, as do any servers set via
<varname>DNS=</varname> above or
<filename>/etc/resolv.conf</filename>. This setting is hence
only used if no other DNS server information is known. If this
option is not given, a compiled-in list of DNS servers is used
instead.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Domains=</varname></term>
<listitem><para>A space-separated list of search domains. For
compatibility reasons, if this setting is not specified, the
search domains listed in <filename>/etc/resolv.conf</filename>
are used instead, if that file exists and any domains are
configured in it. This setting defaults to the empty
list.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>LLMNR=</varname></term>
<listitem><para>Takes a boolean argument or
<literal>resolve</literal>. Controls Link-Local Multicast Name
Resolution support (<ulink
url="https://tools.ietf.org/html/rfc4795">RFC 4794</ulink>) on
the local host. If true, enables full LLMNR responder and
resolver support. If false, disables both. If set to
<literal>resolve</literal>, only resolution support is enabled,
but responding is disabled. Note that
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
also maintains per-interface LLMNR settings. LLMNR will be
enabled on an interface only if the per-interface and the
global setting is on.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DNSSEC=</varname></term>
<listitem><para>Takes a boolean argument or
<literal>allow-downgrade</literal>. If true all DNS lookups are
DNSSEC-validated locally (excluding LLMNR and Multicast
DNS). If a response for a lookup request is detected invalid
this is returned as lookup failure to applications. Note that
this mode requires a DNS server that supports DNSSEC. If the
DNS server does not properly support DNSSEC all validations
will fail. If set to <literal>allow-downgrade</literal> DNSSEC
validation is attempted, but if the server does not support
DNSSEC properly, DNSSEC mode is automatically disabled. Note
that this mode makes DNSSEC validation vulnerable to
"downgrade" attacks, where an attacker might be able to
trigger a downgrade to non-DNSSEC mode by synthesizing a DNS
response that suggests DNSSEC was not supported. If set to
false, DNS lookups are not DNSSEC validated.</para>
<para>Note that DNSSEC validation requires retrieval of
additional DNS data, and thus results in a small DNS look-up
time penalty.</para>
<para>DNSSEC requires knowledge of "trust anchors" to prove
data integrity. The trust anchor for the Internet root domain
is built into the resolver, additional trust anchors may be
defined with
<citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Trust anchors may change in regular intervals, and old trust
anchors may be revoked. In such a case DNSSEC validation is
not possible until new trust anchors are configured locally or
the resolver software package is updated with the new root
trust anchor. In effect, when the built-in trust anchor is
revoked and <varname>DNSSEC=</varname> is true, all further
lookups will fail, as it cannot be proved anymore whether
lookups are correctly signed, or validly unsigned. If
<varname>DNSSEC=</varname> is set to
<literal>allow-downgrade</literal> the resolver will
automatically turn off DNSSEC validation in such a case.</para>
<para>Client programs looking up DNS data will be informed
whether lookups could be verified using DNSSEC, or whether the
returned data could not be verified (either because the data
was found unsigned in the DNS, or the DNS server did not
support DNSSEC or no appropriate trust anchors were known). In
the latter case it is assumed that client programs employ a
secondary scheme to validate the returned DNS data, should
this be required.</para>
<para>It is recommended to set <varname>DNSSEC=</varname> to
true on systems where it is known that the DNS server supports
DNSSEC correctly, and where software or trust anchor updates
happen regularly. On other systems it is recommended to set
<varname>DNSSEC=</varname> to
<literal>allow-downgrade</literal>.</para>
<para>In addition to this global DNSSEC setting
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
also maintains per-interface DNSSEC settings. For system DNS
servers (see above), only the global DNSSEC setting is in
effect. For per-interface DNS servers the per-interface
setting is in effect, unless it is unset in which case the
global setting is used instead.</para>
<para>Site-private DNS zones generally conflict with DNSSEC
operation, unless a negative (if the private zone is not
signed) or positive (if the private zone is signed) trust
anchor is configured for them. If
<literal>allow-downgrade</literal> mode is selected, it is
attempted to detect site-private DNS zones using top-level
domains (TLDs) that are not known by the DNS root server. This
logic does not work in all private zone setups.</para>
<para>Defaults to off.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>4</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>
|