mirror of
https://github.com/systemd/systemd
synced 2024-07-21 18:24:38 +00:00
man: describe flags for record resolving
This commit is contained in:
Zbigniew Jędrzejewski-Szmek
parent
1c4539afc0
commit
c6f20515ab
|
|
@ -440,16 +440,30 @@ node /org/freedesktop/resolve1 {
|
|||
and recommended. However, the following flags are defined to alter the look-up:</para>
|
||||
|
||||
<programlisting>
|
||||
#define SD_RESOLVED_DNS (UINT64_C(1) << 0)
|
||||
#define SD_RESOLVED_LLMNR_IPV4 (UINT64_C(1) << 1)
|
||||
#define SD_RESOLVED_LLMNR_IPV6 (UINT64_C(1) << 2)
|
||||
#define SD_RESOLVED_MDNS_IPV4 (UINT64_C(1) << 3)
|
||||
#define SD_RESOLVED_MDNS_IPV6 (UINT64_C(1) << 4)
|
||||
#define SD_RESOLVED_NO_CNAME (UINT64_C(1) << 5)
|
||||
#define SD_RESOLVED_NO_TXT (UINT64_C(1) << 6)
|
||||
#define SD_RESOLVED_NO_ADDRESS (UINT64_C(1) << 7)
|
||||
#define SD_RESOLVED_NO_SEARCH (UINT64_C(1) << 8)
|
||||
#define SD_RESOLVED_AUTHENTICATED (UINT64_C(1) << 9)
|
||||
#define SD_RESOLVED_DNS (UINT64_C(1) << 0)
|
||||
#define SD_RESOLVED_LLMNR_IPV4 (UINT64_C(1) << 1)
|
||||
#define SD_RESOLVED_LLMNR_IPV6 (UINT64_C(1) << 2)
|
||||
#define SD_RESOLVED_MDNS_IPV4 (UINT64_C(1) << 3)
|
||||
#define SD_RESOLVED_MDNS_IPV6 (UINT64_C(1) << 4)
|
||||
#define SD_RESOLVED_NO_CNAME (UINT64_C(1) << 5)
|
||||
#define SD_RESOLVED_NO_TXT (UINT64_C(1) << 6)
|
||||
#define SD_RESOLVED_NO_ADDRESS (UINT64_C(1) << 7)
|
||||
#define SD_RESOLVED_NO_SEARCH (UINT64_C(1) << 8)
|
||||
#define SD_RESOLVED_AUTHENTICATED (UINT64_C(1) << 9)
|
||||
#define SD_RESOLVED_NO_VALIDATE (UINT64_C(1) << 10)
|
||||
#define SD_RESOLVED_NO_SYNTHESIZE (UINT64_C(1) << 11)
|
||||
#define SD_RESOLVED_NO_CACHE (UINT64_C(1) << 12)
|
||||
#define SD_RESOLVED_NO_ZONE (UINT64_C(1) << 13)
|
||||
#define SD_RESOLVED_NO_TRUST_ANCHOR (UINT64_C(1) << 14)
|
||||
#define SD_RESOLVED_NO_NETWORK (UINT64_C(1) << 15)
|
||||
#define SD_RESOLVED_REQUIRE_PRIMARY (UINT64_C(1) << 16)
|
||||
#define SD_RESOLVED_CLAMP_TTL (UINT64_C(1) << 17)
|
||||
#define SD_RESOLVED_CONFIDENTIAL (UINT64_C(1) << 18)
|
||||
#define SD_RESOLVED_SYNTHETIC (UINT64_C(1) << 19)
|
||||
#define SD_RESOLVED_FROM_CACHE (UINT64_C(1) << 20)
|
||||
#define SD_RESOLVED_FROM_ZONE (UINT64_C(1) << 21)
|
||||
#define SD_RESOLVED_FROM_TRUST_ANCHOR (UINT64_C(1) << 22)
|
||||
#define SD_RESOLVED_FROM_NETWORK (UINT64_C(1) << 23)
|
||||
</programlisting>
|
||||
|
||||
<para>On input, the first five flags control the protocols to use for the look-up. They refer to
|
||||
|
|
@ -475,9 +489,9 @@ node /org/freedesktop/resolve1 {
|
|||
when the flag is off, CNAME/DNAME RRs are followed.</para>
|
||||
|
||||
<para>The NO_TXT and NO_ADDRESS flags only influence operation of the
|
||||
<function>ResolveService()</function> method. They are only defined for input, not output. If
|
||||
NO_TXT set, the DNS-SD TXT RR look-up is not done in the same operation. If NO_ADDRESS is specified,
|
||||
the hostnames discovered are not implicitly translated to their addresses.</para>
|
||||
<function>ResolveService()</function> method. They are only defined for input, not output. If NO_TXT
|
||||
is set, the DNS-SD TXT RR look-up is not done in the same operation. If NO_ADDRESS is set, the
|
||||
discovered hostnames are not implicitly translated to their addresses.</para>
|
||||
|
||||
<para>The NO_SEARCH flag turns off the search domain logic. It is only defined for input in
|
||||
<function>ResolveHostname()</function>. When specified, single-label hostnames are not qualified
|
||||
|
|
@ -486,15 +500,41 @@ node /org/freedesktop/resolve1 {
|
|||
multi-label hostnames are never subject to search list expansion.</para>
|
||||
|
||||
<para>The AUTHENTICATED bit is defined only in the output flags of the four functions. If set, the
|
||||
returned data has been fully authenticated. Specifically, this bit is set for all DNSSEC-protected data
|
||||
for which a full trust chain may be established to a trusted domain anchor. It is also set for locally
|
||||
synthesized data, such as <literal>localhost</literal> or data from
|
||||
<filename>/etc/hosts</filename>. Moreover, it is set for all LLMNR or mDNS RRs which originate from the
|
||||
local host. Applications that require authenticated RR data for operation should check this flag before
|
||||
trusting the data. Note that <filename>systemd-resolved</filename> will never return invalidated data, hence this flag
|
||||
simply allows to discern the cases where data is known to be trustable, or where there is proof that
|
||||
the data is "rightfully" unauthenticated (which includes cases where the underlying protocol or server
|
||||
does not support authenticating data).</para>
|
||||
returned data has been fully authenticated. Specifically, this bit is set for all DNSSEC-protected
|
||||
data for which a full trust chain may be established to a trusted domain anchor. It is also set for
|
||||
locally synthesized data, such as <literal>localhost</literal> or data from
|
||||
<filename>/etc/hosts</filename>. Moreover, it is set for all LLMNR or mDNS RRs which originate from
|
||||
the local host. Applications that require authenticated RR data for operation should check this flag
|
||||
before trusting the data. Note that <filename>systemd-resolved</filename> will never return
|
||||
invalidated data, hence this flag simply allows to discern the cases where data is known to be
|
||||
trusted, or where there is proof that the data is "rightfully" unauthenticated (which includes cases
|
||||
where the underlying protocol or server does not support authenticating data).</para>
|
||||
|
||||
<para>NO_VALIDATE can be set to disable validation via DNSSEC even if it would normally be used.
|
||||
</para>
|
||||
|
||||
<para>The next four flags allow disabling certain sources during resolution. NO_SYNTHESIZE disables
|
||||
synthetic records, e.g. the local host name, see section SYNTHETIC RECORDS in
|
||||
<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||
for more information. NO_CACHE disables the use of the cache of previously resolved records. NO_ZONE
|
||||
disables answers using locally registered public LLMNR/mDNS resource records. NO_TRUST_ANCHOR
|
||||
disables answers using locally configured trust anchors. NO_NETWORK requires all answers to be
|
||||
provided without using the network, i.e. either from local sources or the cache.</para>
|
||||
|
||||
<para>With REQUIRE_PRIMARY the request must be answered from a "primary" answer, i.e. not from
|
||||
resource records acquired as a side-effect of a previous transaction.</para>
|
||||
|
||||
<para>With CLAMP_TTL, if reply is answered from cache, the TTLs will be adjusted by age of cache
|
||||
entry.</para>
|
||||
|
||||
<para>The next six bits flags are used in output and provide information about the source of the answer.
|
||||
CONFIDENTIAL means the query was resolved via encrypted channels or never left this system.
|
||||
FROM_SYNTHETIC means the query was (at least partially) synthesized.
|
||||
FROM_CACHE means the query was answered (at least partially) using the cache.
|
||||
FROM_ZONE means the query was answered (at least partially) using LLMNR/mDNS.
|
||||
FROM_TRUST_ANCHOR means the query was answered (at least partially) using local trust anchors.
|
||||
FROM_NETWORK means the query was answered (at least partially) using the network.
|
||||
</para>
|
||||
</refsect3>
|
||||
</refsect2>
|
||||
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@
|
|||
/* Input: Don't answer request from locally registered public LLMNR/mDNS RRs */
|
||||
#define SD_RESOLVED_NO_ZONE (UINT64_C(1) << 13)
|
||||
|
||||
/* Input: Don't answer request from locally registered public LLMNR/mDNS RRs */
|
||||
/* Input: Don't answer request from locally configured trust anchors. */
|
||||
#define SD_RESOLVED_NO_TRUST_ANCHOR (UINT64_C(1) << 14)
|
||||
|
||||
/* Input: Don't go to network for this request */
|
||||
|
|
|
|||
Loading…
Reference in a new issue