diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 3c1e698d33..c2c277b606 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -143,13 +143,13 @@ DNSSEC= Takes a boolean argument or
- downgrade-ok. If true all DNS lookups are
+ allow-downgrade. If true all DNS lookups are
 DNSSEC-validated locally (excluding LLMNR and Multicast DNS). If a response for a lookup request is detected invalid this is returned as lookup failure to applications. Note that this mode requires a DNS server that supports DNSSEC. If the DNS server does not properly support DNSSEC all validations
- will fail. If set to downgrade-ok DNSSEC
+ will fail. If set to allow-downgrade DNSSEC
 validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled. Note that this mode makes DNSSEC validation vulnerable to
@@ -176,7 +176,7 @@ lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned. If DNSSEC= is set to
- downgrade-ok the resolver will
+ allow-downgrade the resolver will
 automatically turn off DNSSEC validation in such a case. Client programs looking up DNS data will be informed
@@ -193,7 +193,7 @@ DNSSEC correctly, and where software or trust anchor updates happen regularly. On other systems it is recommended to set DNSSEC= to
- downgrade-ok.
+ allow-downgrade.
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 32d4834aa1..ff571986c0 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -1568,7 +1568,7 @@ int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
 static const char* const dnssec_mode_table[_DNSSEC_MODE_MAX] = {
 [DNSSEC_NO] = "no",
- [DNSSEC_DOWNGRADE_OK] = "downgrade-ok",
+ [DNSSEC_ALLOW_DOWNGRADE] = "allow-downgrade",
 [DNSSEC_YES] = "yes",
 };
 DEFINE_STRING_TABLE_LOOKUP(dnssec_mode, DnssecMode);
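Review bot: The string-table hunk in resolved-dns-dnssec.c drops the old spelling `downgrade-ok` entirely, so any existing resolved.conf that sets `DNSSEC=downgrade-ok` will stop parsing once this lands; what the config parser does with an unrecognised value is not visible here, but it is unlikely to be the downgrade-tolerant mode the administrator intended, and a silent fallback to a different DNSSEC mode changes the host's validation posture without anyone noticing. If the old name was ever accepted by a released build, consider keeping it as a deprecated alias in the from-string path for one cycle, with a log line naming the replacement, e.g. `/* "downgrade-ok" was the pre-rename spelling of DNSSEC_ALLOW_DOWNGRADE; accept it with a deprecation warning until the next release */`. The matching enum and comparison renames in resolved-dns-dnssec.h and resolved-dns-transaction.c are internal and need no compatibility shim.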
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
index 94d0b23f80..d818d1a906 100644
--- a/src/resolve/resolved-dns-dnssec.h
+++ b/src/resolve/resolved-dns-dnssec.h
@@ -37,7 +37,7 @@ enum DnssecMode {
 * DNSSEC properly, downgrade to non-DNSSEC operation. Of
 * course, we then are vulnerable to a downgrade attack, but
 * that's life and what is configured. */
- DNSSEC_DOWNGRADE_OK,
+ DNSSEC_ALLOW_DOWNGRADE,
 /* Insist on DNSSEC server support, and rather fail than downgrading. */
 DNSSEC_YES,
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 870b7586fd..44267c6b2d 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -939,7 +939,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
 * this means we cannot do any DNSSEC logic
 * anymore. */
- if (t->scope->dnssec_mode == DNSSEC_DOWNGRADE_OK) {
+ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
 /* We are in downgrade mode. In this
 * case, synthesize an unsigned empty
 * response, so that the any lookup
@@ -2266,7 +2266,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 dns_server_packet_rrsig_missing(t->server);
- if (t->scope->dnssec_mode == DNSSEC_DOWNGRADE_OK) {
+ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
 /* Downgrading is OK? If so, just consider the
 * information unsigned */