git.ipfire.org Git - thirdparty/systemd.git/commit - man/resolved.conf.xml
Be more specific in resolved.conf man page with regard to DNSOverTLS
author: Riccardo Schirone <sirmy15@gmail.com>
Wed, 13 Nov 2019 16:37:15 +0000 (17:37 +0100)
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 13 Nov 2019 21:44:15 +0000 (22:44 +0100)
commit: 2f2b28ab35e80855042c69e324feaf7418636aa2
tree: c0f0f3baf26265867d6d7719ba5cc7eb543181fe
parent: fc9de36a3b60c69a17442aabf215e2d87e697e6f
Be more specific in resolved.conf man page with regard to DNSOverTLS

DNSOverTLS in strict mode (value yes) does check the server, as it is said in
the first few lines of the option documentation. The check is not performed in
"opportunistic" mode, however, as that is allowed by RFC 7858, section "4.1.
Opportunistic Privacy Profile".

> With such a discovered DNS server, the client might or might not validate the
> resolver. These choices maximize availability and performance, but they leave
> the client vulnerable to on-path attacks that remove privacy.
man/resolved.conf.xml
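As an added illustration of the distinction the commit message draws (this is not part of the commit, nor the systemd project's own documentation), the two DNSOverTLS settings side by side in resolved.conf form. The server address and hostname are constructed placeholders, and the `address#hostname` syntax on DNS= for naming the certificate the strict profile checks is assumed to be supported by the systemd-resolved version in use.

```ini
# /etc/systemd/resolved.conf (added example; values are constructed placeholders)
[Resolve]
# The name after '#' is what strict mode compares against the server
# certificate (assumed syntax; check your resolved.conf(5) for support).
DNS=192.0.2.53#dns.example.invalid

# Opportunistic profile (RFC 7858, section 4.1): TLS is attempted, but the
# server is not validated and lookups fall back to plaintext DNS when TLS is
# unavailable, so an on-path attacker can strip the privacy gain.
#DNSOverTLS=opportunistic

# Strict profile (value yes): the server certificate is validated and there
# is no fallback; a failed check means failed resolution, not a silent
# downgrade to plaintext.
DNSOverTLS=yes
```

From a defender's point of view the practical difference is observable behaviour under interference: with `opportunistic` a blocked or intercepted 853/tcp path degrades quietly to unencrypted queries, whereas with `yes` name resolution stops, which is the failure mode to expect (and to monitor for) if the upstream certificate or hostname ever changes.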