Include in manual what DNSSEC=no means in detail

https://www.rfc-editor.org/rfc/rfc4035.html#section-3.2.1 says
security-aware recursive name server MUST set DO bit when sending
requests. systemd-resolved does not do that by design. State it more
clearly in manual page. Unlike other implementations it disables not
only validation as it stated, but complete DNSSEC awareness.

Signed-off-by: Petr Menšík <pemensik@redhat.com>

diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 81401043a37ebb3e5c03e9c029ec921acaaa99f0..df2a8599de16e9ef87507073a27666e09f82d92b 100644 (file)
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -152,7 +152,9 @@
         "downgrade" attacks, where an attacker might be able to
         trigger a downgrade to non-DNSSEC mode by synthesizing a DNS
         response that suggests DNSSEC was not supported. If set to
-        false, DNS lookups are not DNSSEC validated.</para>
+        false, DNS lookups are not DNSSEC validated and the resolver
+        becomes security-unaware. All forwarded queries have DNSSEC OK (DO)
+        bit unset.</para>
 
         <para>Note that DNSSEC validation requires retrieval of
         additional DNS data, and thus results in a small DNS look-up