man: document the new option

Also correct "stub resolver" → "systemd-resolved" in one other option.
2020-06-03 17:01:34 +02:00 · 2020-06-03 17:01:34 +02:00 · 2bd5e1b272
parent 3b5bd7d6b8
commit 2bd5e1b272
3 changed files with 36 additions and 13 deletions
--- a/8
+++ b/8
@ -87,6 +87,12 @@ CHANGES WITH 246 in spe:
          used, the DNS-over-TLS certificate is validated to match the
          specified hostname.

+        * systemd-resolved may be configured to forward single-label DNS names.
+          This is not standard-conformant, but may make sense in setups where
+          public DNS servers are not used.
+
+        * systemd-resolved's DNS-over-TLS support gained SNI validation.
+
        * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
          systemd-coredump to save core files for suid processes. When saving
          the core file, systemd-coredump will use the effective uid and gid of
@ -528,8 +534,6 @@ CHANGES WITH 245:
        * systemd-sysusers gained support for creating users with the primary
          group named differently than the user.

-        * systemd-resolved's DNS-over-TLS support gained SNI validation.
-
        * systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
          gained support for growing XFS partitions. Previously it supported
          only ext4 and btrfs partitions.
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@ -266,11 +266,28 @@

      <varlistentry>
        <term><varname>ReadEtcHosts=</varname></term>
-        <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default), the DNS stub resolver will read
-        <filename>/etc/hosts</filename>, and try to resolve hosts or address by using the entries in the file before
-        sending query to DNS servers.</para></listitem>
+        <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default),
+        <command>systemd-resolved</command> will read <filename>/etc/hosts</filename>, and try to resolve
+        hosts or address by using the entries in the file before sending query to DNS servers.
+        </para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><varname>ResolveUnicastSingleLabel=</varname></term>
+        <listitem><para>Takes a boolean argument. When false (the default),
+        <command>systemd-resolved</command> will not resolve A and AAAA queries for single-label names over
+        classic DNS. Note that such names may still be resolved if search domains are specified (see
+        <varname>Domains=</varname> above), or using other mechanisms, in particular via LLMNR or from
+        <filename>/etc/hosts</filename>. When true, queries for single-label names will be forwarded to
+        global DNS servers even if no search domains are defined.
+        </para>
+
+        <para>This option is provided for compatibility with configurations where <emphasis>public DNS
+        servers are not used</emphasis>. Forwarding single-label names to servers not under your control is
+        not standard-conformant, see <ulink
+        url="https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/">IAB
+        Statement</ulink>, and may create a privacy and security risk.</para></listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/man/systemd-resolved.service.xml
+++ b/man/systemd-resolved.service.xml
@ -135,14 +135,16 @@
      IPv6.</para></listitem>

      <listitem><para>Resolution of address records (A and AAAA) via unicast DNS (i.e. not LLMNR or
-      MulticastDNS) for non-synthesized single-label names is only allowed for non-top-level domains. This
-      means that such records can only be resolved when search domains are defined. For any interface which
-      defines search domains, such look-ups are routed to that interface, suffixed with each of the search
-      domains defined on that interface in turn. When global search domains are defined, such look-ups are
-      routed to all interfaces, suffixed by each of the global search domains in turn. The details of which
-      servers are queried and how the final reply is chosen are described below. Note that this means that
-      address queries for single-label names are never sent out to remote DNS servers, and if no search
-      domains are defined, resolution will fail.</para></listitem>
+      MulticastDNS) for non-synthesized single-label names is allowed for non-top-level domains. This means
+      that such records can be resolved when search domains are defined. For any interface which defines
+      search domains, such look-ups are routed to that interface, suffixed with each of the search domains
+      defined on that interface in turn. When global search domains are defined, such look-ups are routed to
+      all interfaces, suffixed by each of the global search domains in turn. Additionally, lookup of
+      single-label names via unicast DNS may be enabled with the
+      <varname>ResolveUnicastSingleLabel=yes</varname> setting. The details of which servers are queried and
+      how the final reply is chosen are described below. Note that this means that address queries for
+      single-label names are never sent out to remote DNS servers by default, and if no search domains are
+      defined, resolution will fail.</para></listitem>

      <listitem><para>Other multi-label names are routed to all local interfaces that have a DNS server
      configured, plus the globally configured DNS servers if there are any. Note that by default, lookups for