-<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
+<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
- This file is part of systemd.
-
- Copyright 2014 Tom Gundersen
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
+ SPDX-License-Identifier: LGPL-2.1+
-->
-<refentry id="resolved.conf" conditional='ENABLE_RESOLVED'
+<refentry id="resolved.conf" conditional='ENABLE_RESOLVE'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>resolved.conf</title>
<productname>systemd</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Tom</firstname>
- <surname>Gundersen</surname>
- <email>teg@jklm.no</email>
- </author>
- </authorgroup>
</refentryinfo>
<refmeta>
<listitem><para>Takes a boolean argument or
<literal>resolve</literal>. Controls Link-Local Multicast Name
Resolution support (<ulink
- url="https://tools.ietf.org/html/rfc4795">RFC 4794</ulink>) on
+ url="https://tools.ietf.org/html/rfc4795">RFC 4795</ulink>) on
the local host. If true, enables full LLMNR responder and
resolver support. If false, disables both. If set to
<literal>resolve</literal>, only resolution support is enabled,
global setting is on.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>MulticastDNS=</varname></term>
+ <listitem><para>Takes a boolean argument or
+ <literal>resolve</literal>. Controls Multicast DNS support (<ulink
+ url="https://tools.ietf.org/html/rfc6762">RFC 6762</ulink>) on
+ the local host. If true, enables full Multicast DNS responder and
+ resolver support. If false, disables both. If set to
+ <literal>resolve</literal>, only resolution support is enabled,
+ but responding is disabled. Note that
+ <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ also maintains per-link Multicast DNS settings. Multicast DNS will be
+ enabled on a link only if the per-link and the
+ global setting is on.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>DNSSEC=</varname></term>
<listitem><para>Takes a boolean argument or
<literal>allow-downgrade</literal>. If true all DNS lookups are
DNSSEC-validated locally (excluding LLMNR and Multicast
- DNS). If a response for a lookup request is detected invalid
- this is returned as lookup failure to applications. Note that
+ DNS). If the response to a lookup request is detected to be invalid
+ a lookup failure is returned to applications. Note that
this mode requires a DNS server that supports DNSSEC. If the
DNS server does not properly support DNSSEC all validations
will fail. If set to <literal>allow-downgrade</literal> DNSSEC
is built into the resolver, additional trust anchors may be
defined with
<citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- Trust anchors may change in regular intervals, and old trust
+ Trust anchors may change at regular intervals, and old trust
anchors may be revoked. In such a case DNSSEC validation is
not possible until new trust anchors are configured locally or
the resolver software package is updated with the new root
domains (TLDs) that are not known by the DNS root server. This
logic does not work in all private zone setups.</para>
+ <para>Defaults to <literal>allow-downgrade</literal></para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DNSOverTLS=</varname></term>
+ <listitem>
+ <para>Takes false or
+ <literal>opportunistic</literal>. When set to <literal>opportunistic</literal>
+ DNS request are attempted to send encrypted with DNS-over-TLS.
+ If the DNS server does not support TLS, DNS-over-TLS is disabled.
+ Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
+ attacks, where an attacker might be able to trigger a downgrade
+ to non-encrypted mode by synthesizing a response that suggests
+ DNS-over-TLS was not supported. If set to false, DNS lookups
+ are send over UDP.</para>
+
+ <para>Note that DNS-over-TLS requires additional data to be
+ send for setting up an encrypted connection, and thus results
+ in a small DNS look-up time penalty.</para>
+
+ <para>Note as the resolver is not capable of authenticating
+ the server, it is vulnerable for "man-in-the-middle" attacks.</para>
+
+ <para>In addition to this global DNSOverTLS setting
+ <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ also maintains per-link DNSOverTLS settings. For system DNS
+ servers (see above), only the global DNSOverTLS setting is in
+ effect. For per-link DNS servers the per-link
+ setting is in effect, unless it is unset in which case the
+ global setting is used instead.</para>
+
<para>Defaults to off.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Cache=</varname></term>
+ <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default), resolving a domain name
+ which already got queried earlier will return the previous result as long as it is still valid, and thus does
+ not result in a new network request. Be aware that turning off caching comes at a performance penalty, which
+ is particularly high when DNSSEC is used.</para>
+
+ <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address
+ (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DNSStubListener=</varname></term>
+ <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and <literal>tcp</literal>. If
+ <literal>udp</literal>, a DNS stub resolver will listen for UDP requests on address 127.0.0.53
+ port 53. If <literal>tcp</literal>, the stub will listen for TCP requests on the same address and port. If
+ <literal>yes</literal> (the default), the stub listens for both UDP and TCP requests. If <literal>no</literal>, the stub
+ listener is disabled.</para>
+
+ <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already
+ in use.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>ReadEtcHosts=</varname></term>
+ <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default), the DNS stub resolver will read
+ <filename>/etc/hosts</filename>, and try to resolve hosts or address by using the entries in the file before
+ sending query to DNS servers.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>