From: Riccardo Schirone <sirmy15@gmail.com>
Date: Wed, 13 Nov 2019 16:37:15 +0000 (+0100)
Subject: Be more specific in resolved.conf man page with regard to DNSOverTLS
X-Git-Tag: v244-rc1~58
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f2b28ab35e80855042c69e324feaf7418636aa2;p=thirdparty%2Fsystemd.git

Be more specific in resolved.conf man page with regard to DNSOverTLS

DNSOverTLS in strict mode (value yes) does check the server, as it is said in
the first few lines of the option documentation. The check is not performed in
"opportunistic" mode, however, as that is allowed by RFC 7858, section "4.1.
Opportunistic Privacy Profile".

> With such a discovered DNS server, the client might or might not validate the
> resolver. These choices maximize availability and performance, but they leave
> the client vulnerable to on-path attacks that remove privacy.
---

diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 213be1d7b2c..818000145b9 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -210,8 +210,9 @@
         send for setting up an encrypted connection, and thus results
         in a small DNS look-up time penalty.</para>
 
-        <para>Note as the resolver is not capable of authenticating
-        the server, it is vulnerable for "man-in-the-middle" attacks.</para>
+        <para>Note that in <literal>opportunistic</literal> mode the
+        resolver is not capable of authenticating the server, so it is
+        vulnerable to "man-in-the-middle" attacks.</para>
 
         <para>In addition to this global DNSOverTLS setting
         <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>