From 2bd5e1b272cf6f639e024794cb236de1a2f9835e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 3 Jun 2020 17:01:34 +0200 Subject: [PATCH] man: document the new option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also correct "stub resolver" → "systemd-resolved" in one other option. --- NEWS | 8 ++++++-- man/resolved.conf.xml | 23 ++++++++++++++++++++--- man/systemd-resolved.service.xml | 18 ++++++++++-------- 3 files changed, 36 insertions(+), 13 deletions(-) diff --git a/NEWS b/NEWS index b27d38be77..da9402867e 100644 --- a/NEWS +++ b/NEWS @@ -87,6 +87,12 @@ CHANGES WITH 246 in spe: used, the DNS-over-TLS certificate is validated to match the specified hostname. + * systemd-resolved may be configured to forward single-label DNS names. + This is not standard-conformant, but may make sense in setups where + public DNS servers are not used. + + * systemd-resolved's DNS-over-TLS support gained SNI validation. + * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows systemd-coredump to save core files for suid processes. When saving the core file, systemd-coredump will use the effective uid and gid of @@ -528,8 +534,6 @@ CHANGES WITH 245: * systemd-sysusers gained support for creating users with the primary group named differently than the user. - * systemd-resolved's DNS-over-TLS support gained SNI validation. - * systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab) gained support for growing XFS partitions. Previously it supported only ext4 and btrfs partitions. diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 33265f755c..0e9b90c1cd 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml 
@@ -266,11 +266,28 @@ ReadEtcHosts= - Takes a boolean argument. If yes (the default), the DNS stub resolver will read - /etc/hosts, and try to resolve hosts or address by using the entries in the file before - sending query to DNS servers. + Takes a boolean argument. If yes (the default), + systemd-resolved will read /etc/hosts, and try to resolve + hosts or address by using the entries in the file before sending query to DNS servers. + + + ResolveUnicastSingleLabel= + Takes a boolean argument. When false (the default), + systemd-resolved will not resolve A and AAAA queries for single-label names over + classic DNS. Note that such names may still be resolved if search domains are specified (see + Domains= above), or using other mechanisms, in particular via LLMNR or from + /etc/hosts. When true, queries for single-label names will be forwarded to + global DNS servers even if no search domains are defined. + + + This option is provided for compatibility with configurations where public DNS + servers are not used. Forwarding single-label names to servers not under your control is + not standard-conformant, see IAB + Statement, and may create a privacy and security risk. + diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml index 6e1ee9f4a5..914607e3f8 100644 --- a/man/systemd-resolved.service.xml +++ b/man/systemd-resolved.service.xml 
@@ -135,14 +135,16 @@ IPv6. Resolution of address records (A and AAAA) via unicast DNS (i.e. not LLMNR or - MulticastDNS) for non-synthesized single-label names is only allowed for non-top-level domains. This - means that such records can only be resolved when search domains are defined. For any interface which - defines search domains, such look-ups are routed to that interface, suffixed with each of the search - domains defined on that interface in turn. When global search domains are defined, such look-ups are - routed to all interfaces, suffixed by each of the global search domains in turn. The details of which - servers are queried and how the final reply is chosen are described below. Note that this means that - address queries for single-label names are never sent out to remote DNS servers, and if no search - domains are defined, resolution will fail. + MulticastDNS) for non-synthesized single-label names is allowed for non-top-level domains. This means + that such records can be resolved when search domains are defined. For any interface which defines + search domains, such look-ups are routed to that interface, suffixed with each of the search domains + defined on that interface in turn. When global search domains are defined, such look-ups are routed to + all interfaces, suffixed by each of the global search domains in turn. Additionally, lookup of + single-label names via unicast DNS may be enabled with the + ResolveUnicastSingleLabel=yes setting. The details of which servers are queried and + how the final reply is chosen are described below. Note that this means that address queries for + single-label names are never sent out to remote DNS servers by default, and if no search domains are + defined, resolution will fail. Other multi-label names are routed to all local interfaces that have a DNS server configured, plus the globally configured DNS servers if there are any. Note that by default, lookups for
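Review bot: In the first NEWS hunk (`@@ -87,6 +87,12 @@`, CHANGES WITH 246), the added "systemd-resolved's DNS-over-TLS support gained SNI validation." bullet is a relocation rather than new text (the same line is removed from the 245 section in the next hunk), but neither the subject line nor the commit body mentions it. Add a sentence to the commit message saying the SNI validation entry is being moved from 245 to 246, so the reason for touching the 245 section is recorded. The new single-label bullet itself reads fine; consider naming the option there ("via ResolveUnicastSingleLabel=") so a reader of NEWS can find it in resolved.conf(5) without searching.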
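Review bot: The second NEWS hunk (`@@ -528,8 +534,6 @@`, CHANGES WITH 245) only removes the SNI validation bullet; it is the counterpart of the addition in the first hunk. Confirm that SNI validation really was not part of the 245 release before moving the line, since a NEWS file is read as a historical record, and state that confirmation in the commit message rather than leaving the move silent.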
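Review bot: In the resolved.conf.xml hunk (`@@ -266,11 +266,28 @@`), the reworded ReadEtcHosts= paragraph keeps two pre-existing grammar slips that this rewrite is the natural place to fix: "resolve hosts or address" should be "resolve hosts or addresses", and "before sending query to DNS servers" should be "before sending queries to DNS servers". For the new ResolveUnicastSingleLabel= entry: the boolean wording differs between the two options in the same hunk ("If yes (the default)" versus "When false (the default)"); pick one form. The description says queries "will be forwarded to global DNS servers", while the systemd-resolved.service.xml hunk in this same patch says only that lookup "via unicast DNS may be enabled"; if per-link DNS servers are also used when the option is on, say so here, and if they are not, say "global DNS servers only" so the two pages agree. Finally, "may create a privacy and security risk" would be more useful with the concrete reason already implied by the surrounding text, for example: "names intended for the local network are sent to, and may be answered by, servers outside the administrator's control."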
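Review bot: In the systemd-resolved.service.xml hunk (`@@ -135,14 +135,16 @@`), the closing sentence "address queries for single-label names are never sent out to remote DNS servers by default" now contradicts the sentence added just before it, which says such lookups may be enabled; "never ... by default" reads as a guarantee that the option breaks. Suggest: "Note that this means that, unless ResolveUnicastSingleLabel=yes is set, address queries for single-label names are not sent out to remote DNS servers, and if no search domains are defined, resolution will fail." Also, the reference to the ResolveUnicastSingleLabel=yes setting should link to the page where it is defined (resolved.conf(5)), matching how other options are cross-referenced in this man page. Dropping "only" from "is only allowed for non-top-level domains" is correct given the new option, but "This means that such records can be resolved when search domains are defined" then no longer follows from the preceding sentence as a consequence; "In that case" or "Consequently" would read more precisely than "This means that".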