returned.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--validate=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+ (the default), DNSSEC validation is applied as usual — under the condition that it is enabled for the
+ network and for <filename>systemd-resolved.service</filename> as a whole. If false, DNSSEC validation
+ is disabled for the specific query, regardless of whether it is enabled for the network or in the
+ service. Note that setting this option to true does not force DNSSEC validation on systems/networks
+ where DNSSEC is turned off. This option is only suitable to turn off such validation where otherwise
+ enabled, not enable validation where otherwise disabled.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--synthesize=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+ (the default), select domains are resolved on the local system, among them
+ <literal>localhost</literal> and <literal>_gateway</literal> or entries from
+ <filename>/etc/hosts</filename>. If false these domains are not resolved locally, and either fail (in
+ case of <literal>localhost</literal> or <literal>_gateway</literal> and suchlike) or go to the
+ network via regular DNS/mDNS/LLMNR lookups (in case of <filename>/etc/hosts</filename>
+ entries).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--cache=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+ (the default), lookups use the local DNS resource record cache. If false, lookups are routed to the
+ network instead, regardless if already available in the local cache.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--zone=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+ (the default), lookups are answered from locally registered LLMNR or mDNS resource records, if
+ defined. If false, locally registered LLMNR/mDNS records are not considered for the lookup
+ request.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--trust-anchor=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+ (the default), lookups for DS and DNSKEY are answered from the local DNSSEC trust anchors if
+ possible. If false, the local trust store is not considered for the lookup request.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+ (the default), lookups are answered via DNS, LLMNR or mDNS network requests if they cannot be
+ synthesized locally, or be answered from the local cache, zone or trust anchors (see above). If false,
+ the request is not answered from the network and will thus fail if none of the indicated sources can
+ answer them.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--search=</option><replaceable>BOOL</replaceable></term>
" --service-address=BOOL Resolve address for services (default: yes)\n"
" --service-txt=BOOL Resolve TXT records for services (default: yes)\n"
" --cname=BOOL Follow CNAME redirects (default: yes)\n"
- " --search=BOOL Use search domains for single-label names\n"
- " (default: yes)\n"
+ " --validate=BOOL Allow DNSSEC validation (default: yes)\n"
+ " --synthesize=BOOL Allow synthetic response (default: yes)\n"
+ " --cache=BOOL Allow response from cache (default: yes)\n"
+ " --zone=BOOL Allow response from locally registered mDNS/LLMNR\n"
+ " records (default: yes)\n"
+ " --trust-anchor=BOOL Allow response from local trust anchor (default: yes)\n"
+ " --network=BOOL Allow response from network (default: yes)\n"
+ " --search=BOOL Use search domains for single-label names (default: yes)\n"
" --raw[=payload|packet] Dump the answer as binary data\n"
" --legend=BOOL Print headers and additional info (default: yes)\n"
"\nSee the %s for details.\n",
ARG_VERSION = 0x100,
ARG_LEGEND,
ARG_CNAME,
+ ARG_VALIDATE,
+ ARG_SYNTHESIZE,
+ ARG_CACHE,
+ ARG_ZONE,
+ ARG_TRUST_ANCHOR,
+ ARG_NETWORK,
ARG_SERVICE_ADDRESS,
ARG_SERVICE_TXT,
ARG_RAW,
{ "interface", required_argument, NULL, 'i' },
{ "protocol", required_argument, NULL, 'p' },
{ "cname", required_argument, NULL, ARG_CNAME },
+ { "validate", required_argument, NULL, ARG_VALIDATE },
+ { "synthesize", required_argument, NULL, ARG_SYNTHESIZE },
+ { "cache", required_argument, NULL, ARG_CACHE },
+ { "zone", required_argument, NULL, ARG_ZONE },
+ { "trust-anchor", required_argument, NULL, ARG_TRUST_ANCHOR },
+ { "network", required_argument, NULL, ARG_NETWORK },
{ "service-address", required_argument, NULL, ARG_SERVICE_ADDRESS },
{ "service-txt", required_argument, NULL, ARG_SERVICE_TXT },
{ "raw", optional_argument, NULL, ARG_RAW },
SET_FLAG(arg_flags, SD_RESOLVED_NO_CNAME, r == 0);
break;
+ case ARG_VALIDATE:
+ r = parse_boolean(optarg);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse --validate= argument.");
+ SET_FLAG(arg_flags, SD_RESOLVED_NO_VALIDATE, r == 0);
+ break;
+
+ case ARG_SYNTHESIZE:
+ r = parse_boolean(optarg);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse --synthesize= argument.");
+ SET_FLAG(arg_flags, SD_RESOLVED_NO_SYNTHESIZE, r == 0);
+ break;
+
+ case ARG_CACHE:
+ r = parse_boolean(optarg);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse --cache= argument.");
+ SET_FLAG(arg_flags, SD_RESOLVED_NO_CACHE, r == 0);
+ break;
+
+ case ARG_ZONE:
+ r = parse_boolean(optarg);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse --zone= argument.");
+ SET_FLAG(arg_flags, SD_RESOLVED_NO_ZONE, r == 0);
+ break;
+
+ case ARG_TRUST_ANCHOR:
+ r = parse_boolean(optarg);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse --trust-anchor= argument.");
+ SET_FLAG(arg_flags, SD_RESOLVED_NO_TRUST_ANCHOR, r == 0);
+ break;
+
+ case ARG_NETWORK:
+ r = parse_boolean(optarg);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse --network= argument.");
+ SET_FLAG(arg_flags, SD_RESOLVED_NO_NETWORK, r == 0);
+ break;
+
case ARG_SERVICE_ADDRESS:
r = parse_boolean(optarg);
if (r < 0)