From: Petr Menšík Date: Sat, 15 Jul 2023 02:11:25 +0000 (+0200) Subject: Include in manual what DNSSEC=no means in detail X-Git-Tag: v254-rc3~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96d384ca4fdf472df5f1946f0d148cac3a5409ca;p=thirdparty%2Fsystemd.git Include in manual what DNSSEC=no means in detail https://www.rfc-editor.org/rfc/rfc4035.html#section-3.2.1 says security-aware recursive name server MUST set DO bit when sending requests. systemd-resolved does not do that by design. State it more clearly in manual page. Unlike other implementations it disables not only validation as it stated, but complete DNSSEC awareness. Signed-off-by: Petr Menšík --- diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 81401043a37..df2a8599de1 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -152,7 +152,9 @@ "downgrade" attacks, where an attacker might be able to trigger a downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not supported. If set to - false, DNS lookups are not DNSSEC validated. + false, DNS lookups are not DNSSEC validated and the resolver + becomes security-unaware. All forwarded queries have DNSSEC OK (DO) + bit unset. Note that DNSSEC validation requires retrieval of additional DNS data, and thus results in a small DNS look-up
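Review bot: the added sentence "All forwarded queries have DNSSEC OK (DO) bit unset" is missing an article and reads awkwardly in the man page; suggest "All forwarded queries have the DNSSEC OK (DO) bit unset" or, more directly, "Forwarded queries are sent with the DNSSEC OK (DO) bit unset." Since the commit message states that this deviates from RFC 4035 section 3.2.1 and that, unlike other implementations, DNSSEC=no disables complete DNSSEC awareness rather than only validation, it would help administrators to spell out that consequence in the same paragraph, e.g. that with DNSSEC=no the resolver neither validates nor requests DNSSEC data from upstream servers, so the RFC reference and the "unlike other implementations" point from the commit message do not get lost once the change lands.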