| author | Iwan Timmer <irtimmer@gmail.com> | 2019-02-18 20:41:46 +0100 |
|---|---|---|
| committer | Iwan Timmer <iwan.timmer@northwave.nl> | 2019-06-19 13:10:44 +0200 |
| commit | 4310bfc20b84127e19bed68701caa3820c844682 (patch) | |
| tree | ebe8291982d7903be331b1ef1136ebd58aef08e7 /man | |
| parent | aedf00a2bd39d70306d76a15fa535123d6d277fd (diff) | |
| download | systemd-4310bfc20b84127e19bed68701caa3820c844682.tar.gz | |
resolved: add strict mode for DNS-over-TLS
Add strict mode for DNS-over-TLS, which will require TLS support from the server. Closes #10755
Diffstat (limited to 'man')
| -rw-r--r-- | man/resolved.conf.xml | 7 |
| -rw-r--r-- | man/systemd.network.xml | 11 |

2 files changed, 12 insertions, 6 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index c8ab6942c1..a647a4ace7 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -193,8 +193,11 @@ <varlistentry> <term><varname>DNSOverTLS=</varname></term> <listitem> - <para>Takes false or - <literal>opportunistic</literal>. When set to <literal>opportunistic</literal> + <para>Takes a boolean argument or <literal>opportunistic</literal>. + If true all connections to the server will be encrypted. Note that + this mode requires a DNS server that supports DNS-over-TLS and has + a valid certificate for it's IP. If the DNS server does not support + DNS-over-TLS all DNS requests will fail. When set to <literal>opportunistic</literal> DNS request are attempted to send encrypted with DNS-over-TLS. If the DNS server does not support TLS, DNS-over-TLS is disabled. Note that this mode makes DNS-over-TLS vulnerable to "downgrade" diff --git a/man/systemd.network.xml b/man/systemd.network.xml index d832e68d71..bad673b44e 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -395,12 +395,15 @@ <varlistentry> <term><varname>DNSOverTLS=</varname></term> <listitem> - <para>Takes false or - <literal>opportunistic</literal>. When set to <literal>opportunistic</literal>, enables + <para>Takes a boolean or <literal>opportunistic</literal>. + When true, enables <ulink url="https://tools.ietf.org/html/rfc7858">DNS-over-TLS</ulink> - support on the link. This option defines a - per-interface setting for + support on the link. + When set to <literal>opportunistic</literal>, compatibility with + non-DNS-over-TLS servers is increased, by automatically + turning off DNS-over-TLS servers in this case. + This option defines a per-interface setting for <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s global <varname>DNSOverTLS=</varname> option. Defaults to false. This setting is read by |
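Review bot: in the new resolved.conf.xml text, "has a valid certificate for it's IP" should read "its IP", and the two new conditionals want commas: "If true, all connections to the server will be encrypted." and "If the DNS server does not support DNS-over-TLS, all DNS requests will fail." Since the unchanged context right after this hunk already warns that opportunistic mode is vulnerable to "downgrade", the same paragraph should say plainly that the strict (true) mode is the setting that closes that gap: resolution fails instead of silently falling back to plaintext DNS, which is the security property this option exists to provide.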
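Review bot: in the systemd.network.xml hunk, "by automatically turning off DNS-over-TLS servers in this case" misstates the behaviour: it is DNS-over-TLS that is disabled for servers that do not support it, not the servers themselves; suggest "by automatically turning off DNS-over-TLS for servers that do not support it." This hunk also says nothing about what true means when the server lacks DNS-over-TLS, whereas the resolved.conf.xml hunk in the same patch states that all DNS requests will then fail and that the server needs a valid certificate for its IP; the per-link page should carry the same caveat so that the strict setting is not read as fail-open.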