Include in manual what DNSSEC=no means in detail

https://www.rfc-editor.org/rfc/rfc4035.html#section-3.2.1 says security-aware recursive name server MUST set DO bit when sending requests. systemd-resolved does not do that by design. State it more clearly in manual page. Unlike other implementations it disables not only validation as it stated, but complete DNSSEC awareness. Signed-off-by: Petr Menšík <pemensik@redhat.com>
2024-09-20 00:21:55 +00:00 · 2023-07-15 04:11:25 +02:00 · 2023-07-15 04:11:25 +02:00 · 96d384ca4f
parent c46f5680ca
commit 96d384ca4f
1 changed files with 3 additions and 1 deletions
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@ -152,7 +152,9 @@
        "downgrade" attacks, where an attacker might be able to
        trigger a downgrade to non-DNSSEC mode by synthesizing a DNS
        response that suggests DNSSEC was not supported. If set to
-        false, DNS lookups are not DNSSEC validated.</para>
+        false, DNS lookups are not DNSSEC validated and the resolver
+        becomes security-unaware. All forwarded queries have DNSSEC OK (DO)
+        bit unset.</para>

        <para>Note that DNSSEC validation requires retrieval of
        additional DNS data, and thus results in a small DNS look-up