1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-25 23:21:33 +03:00
Commit Graph

67 Commits

Author SHA1 Message Date
Lennart Poettering
bb4cbb25d4 man: suffix settings name with = and enclose in <varname> 2020-11-19 16:16:17 +01:00
Lennart Poettering
a21f53219b man: add missing full stop 2020-11-16 21:08:38 +01:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
George Rawlinson
22c2f841db man: fix typo in resolved.conf 2020-09-05 21:38:01 +02:00
Yu Watanabe
6421194b31 man: update DNSStubListenerExtra= 2020-09-04 20:05:54 +09:00
Susant Sahani
1f05101fb6 resolve: allow configurable bind address 2020-09-03 08:27:41 +00:00
Yu Watanabe
711dd5db9e man: update explanation about the format to specify DNS servers 2020-07-21 04:12:16 +09:00
Zbigniew Jędrzejewski-Szmek
bdac560801 tree-wide: drop quotes from around [section]
For users, the square brackets already serve as markup and clearly delineate
the section name from surrounding text. Putting additional markup around that
only adds clutter. Also, we were very inconsistent in using the quotes. Let's
just drop them altogether.
2020-07-06 11:29:05 +02:00
Frantisek Sumsal
cb713f1696 tree-wide: spellcheck fixes
Most of them were reported by Fossies.org
2020-06-26 22:33:56 +02:00
Zbigniew Jędrzejewski-Szmek
2bd5e1b272 man: document the new option
Also correct "stub resolver" → "systemd-resolved" in one other option.
2020-06-18 21:28:52 +02:00
Zbigniew Jędrzejewski-Szmek
801d25ef0f man: rework description of Domains=
We said that ~domains "do not define a search path", which is mighty confusing,
because this is exactly what they do. So let's try to make this a bit easier
for the reader: start by saying that there are two things going on here, and
describe each one from user's POV.
2020-06-18 21:26:20 +02:00
Zbigniew Jędrzejewski-Szmek
38b38500c6 tree-wide: use "hostname" spelling everywhere
It's not that I think that "hostname" is vastly superior to "host name". Quite
the opposite — the difference is small, and in some context the two-word version
does fit better. But in the tree, there are ~200 occurrences of the first, and
>1600 of the other, and consistent spelling is more important than any particular
spelling choice.
2020-04-21 16:58:04 +02:00
Zbigniew Jędrzejewski-Szmek
d8c73cb7c2 man: fix formatting in resolved.conf(5) 2020-04-20 09:47:55 +02:00
Jörg Thalheim
eec394f10b systemd-resolved: use hostname for certificate validation in DoT
Widely accepted certificates for IP addresses are expensive and only
affordable for larger organizations. Therefore if the user provides
the hostname in the DNS= option, we should use it instead of the IP
address.
2020-03-07 01:37:30 +09:00
Guilhem Lettron
2e22a54f4e Implement SNI when using DNS-over-TLS
Some DNS providers need SNI to identify client.

This can be used by adding #name to a DNS.
Example:
[Resolve]
DNS=192.168.1.1#example.com
2019-12-04 23:24:06 +09:00
Riccardo Schirone
2f2b28ab35 Be more specific in resolved.conf man page with regard to DNSOverTLS
DNSOverTLS in strict mode (value yes) does check the server, as it is said in
the first few lines of the option documentation. The check is not performed in
"opportunistic" mode, however, as that is allowed by RFC 7858, section "4.1.
Opportunistic Privacy Profile".

> With such a discovered DNS server, the client might or might not validate the
> resolver. These choices maximize availability and performance, but they leave
> the client vulnerable to on-path attacks that remove privacy.
2019-11-13 22:44:15 +01:00
Jorge Niedbalski
37d7a7d984 resolved: switch cache option to a tri-state option (systemd#5552).
Change the resolved.conf Cache option to a tri-state "no, no-negative, yes" values.

If a lookup returns SERVFAIL systemd-resolved will cache the result for 30s (See 201d995),
however, there are several use cases on which this condition is not acceptable (See systemd#5552 comments)
and the only workaround would be to disable cache entirely or flush it , which isn't optimal.

This change adds the 'no-negative' option when set it avoids putting in cache
negative answers but still works the same heuristics for positive answers.

Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
2019-07-17 10:42:53 -04:00
Iwan Timmer
4310bfc20b resolved: add strict mode for DNS-over-TLS
Add strict mode for DNS-over-TLS, which will require TLS support from the server. Closes #10755
2019-06-19 13:10:44 +02:00
Zbigniew Jędrzejewski-Szmek
3a54a15760 man: use same header for all files
The "include" files had type "book" for some raeason. I don't think this
is meaningful. Let's just use the same everywhere.

$ perl -i -0pe 's^..DOCTYPE (book|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n  "http^gms' man/*.xml
2019-03-14 14:42:05 +01:00
Zbigniew Jędrzejewski-Szmek
0307f79171 man: standarize on one-line license header
No need to waste space, and uniformity is good.

$ perl -i -0pe 's|\n+<!--\s*SPDX-License-Identifier: LGPL-2.1..\s*-->|\n<!-- SPDX-License-Identifier: LGPL-2.1+ -->|gms' man/*.xml
2019-03-14 14:29:37 +01:00
Sam Morris
4b987478b0 resolved: have the stub resolver listen on both TCP and UDP by default
RFC7766 section 4 states that in the absence of EDNS0, a response that
is too large for a 512-byte UDP packet will have the 'truncated' bit
set. The client is expected to retry the query over TCP.

Fixes #10264.
2018-12-12 21:21:04 +01:00
Alexander Kurtz
f628e3eea7 man: fix default value in resolved.conf man page (#10733)
See https://github.com/systemd/systemd/blob/v239/meson_options.txt#L190
2018-11-12 15:44:55 +09:00
Todd Walton
eaaec6cc12 man: fix RFC ref in resolved.conf man page (#9976)
This is a simple one-character fix to reference the correct RFC for
LLMNR, which is RFC 4795, not RFC 4794.
2018-08-30 09:47:07 +09:00
Yu Watanabe
494c5676b3 man: use literal tag 2018-07-28 21:46:22 +09:00
Yu Watanabe
8631708741 resolve: add option to toggle reading /etc/hosts
Workaround for #9718.
2018-07-28 21:46:00 +09:00
Zbigniew Jędrzejewski-Szmek
514094f933 man: drop mode line in file headers
This is already included in .dir-locals, so we don't need it
in the files themselves.
2018-07-03 01:32:25 +02:00
Zbigniew Jędrzejewski-Szmek
d9b02e1697 tree-wide: drop copyright headers from frequent contributors
Fixes #9320.

for p in Shapovalov Chevalier Rozhkov Sievers Mack Herrmann Schmidt Rudenberg Sahani Landden Andersen Watanabe; do
  git grep -e 'Copyright.*'$p -l|xargs perl -i -0pe 's|/([*][*])?[*]\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\s*[*]([*][*])?/\n*|\n|gms; s|\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\n*|\n|gms'
done
2018-06-20 11:58:53 +02:00
Zbigniew Jędrzejewski-Szmek
fdbbee37d5 man: drop unused <authorgroup> tags from man sources
Docbook styles required those to be present, even though the templates that we
use did not show those names anywhere. But something changed semi-recently (I
would suspect docbook templates, but there was only a minor version bump in
recent years, and the changelog does not suggest anything related), and builds
now work without those entries. Let's drop this dead weight.

Tested with F26-F29, debian unstable.

$ perl -i -0pe 's/\s*<authorgroup>.*<.authorgroup>//gms' man/*xml
2018-06-14 12:22:18 +02:00
Lennart Poettering
96b2fb93c5 tree-wide: beautify remaining copyright statements
Let's unify an beautify our remaining copyright statements, with a
unicode ©. This means our copyright statements are now always formatted
the same way. Yay.
2018-06-14 10:20:21 +02:00
Lennart Poettering
818bf54632 tree-wide: drop 'This file is part of systemd' blurb
This part of the copyright blurb stems from the GPL use recommendations:

https://www.gnu.org/licenses/gpl-howto.en.html

The concept appears to originate in times where version control was per
file, instead of per tree, and was a way to glue the files together.
Ultimately, we nowadays don't live in that world anymore, and this
information is entirely useless anyway, as people are very welcome to
copy these files into any projects they like, and they shouldn't have to
change bits that are part of our copyright header for that.

hence, let's just get rid of this old cruft, and shorten our codebase a
bit.
2018-06-14 10:20:20 +02:00
Iwan Timmer
c9299be2f5 resolve: rename PrivateDNS to DNSOverTLS
PrivateDNS is not considered a good name for this option, so rename it to DNSOverTLS
2018-06-14 09:57:56 +02:00
Iwan Timmer
30e59c84d7 man: document DNS-over-TLS options 2018-06-12 18:50:30 +02:00
Zbigniew Jędrzejewski-Szmek
11a1589223 tree-wide: drop license boilerplate
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.

I also kept any copyright lines. We can probably remove them, but it'd nice to
obtain explicit acks from all involved authors before doing that.
2018-04-06 18:58:55 +02:00
Zbigniew Jędrzejewski-Szmek
572eb058cf Add SPDX license identifiers to man pages 2017-11-19 19:08:15 +01:00
Zbigniew Jędrzejewski-Szmek
1ec57f3394 build-sys: s/ENABLE_RESOLVED/ENABLE_RESOLVE/
The configuration option was called -Dresolve, but the internal define
was …RESOLVED. This options governs more than just resolved itself, so
let's settle on the version without "d".
2017-10-04 12:09:51 +02:00
Yu Watanabe
77525fdc8d resolved: add global config option to control mDNS stack 2017-03-21 13:35:08 +09:00
Lennart Poettering
3157b2d9d2 Merge pull request #4061 from dm0-/coreos-1545
resolved: add an option to disable the stub resolver
2016-10-07 23:38:03 +02:00
David Michael
1ae4329575 resolved: add an option to control the DNS stub listener 2016-10-07 12:14:38 -07:00
Stefan Schweter
cfaf4b75e0 man: remove consecutive duplicate words (#4268)
This PR removes consecutive duplicate words from the man pages of:

* `resolved.conf.xml`
* `systemd.exec.xml`
* `systemd.socket.xml`
2016-10-03 17:09:54 +02:00
Lennart Poettering
5bd7342617 man: rework resolved.conf's Cache= documentation
Let's not mention the supposed security benefit of turning off caching. It is
really questionnable, and I#d rather not create the impression that we actually
believed turning off caching would be a good idea.

Instead, mention that Cache=no is implicit if a DNS server on the local host is
used.
2016-07-22 20:17:23 +02:00
Martin Pitt
ceeddf79b8 resolved: add option to disable caching (#3592)
In some cases, caching DNS results locally is not desirable, a it makes DNS
cache poisoning attacks a tad easier and also allows users on the system to
determine whether or not a particular domain got visited by another user. Thus
provide a new "Cache" resolved.conf option to disable it.
2016-06-24 07:54:28 +02:00
Lennart Poettering
dcabda4155 Merge pull request #2469 from keszybz/resolved-2
Resolved 2
2016-01-30 15:04:56 +01:00
Zbigniew Jędrzejewski-Szmek
c542f805dd man: reword sentence 2016-01-29 12:24:15 -05:00
Lennart Poettering
dbc7bede4a man: actually say which section resolv.conf's setting should be placed in 2016-01-29 14:53:01 +01:00
Lennart Poettering
adc800a6e0 resolved: allow configuration of routing domains in Domains= 2016-01-26 14:42:04 +01:00
Zbigniew Jędrzejewski-Szmek
524f3e5c9d man: fix references to a few external man pages
Noticed in pull request #2067.
2016-01-25 20:04:58 -05:00
Daniel Mack
60402bdc52 resolved: remove configuration knobs for mDNS until it's ready
These bits were intenionally left out while mDNS is under development.

Remove the exposed knobs and man page entries again until this is settled.
2016-01-19 14:11:05 +01:00
Lennart Poettering
d33b6cf343 resolved: try to detect fritz.box-style private DNS zones, and downgrade to non-DNSSEC mode for them
This adds logic to detect cases like the Fritz!Box routers which serve
a private DNS domain "fritz.box" under the TLD "box" that does not
exist in the root servers. If this is detected DNSSEC validation is
turned off for this private domain, thus improving compatibility with
such private DNS zones.

This should be fairly secure as we first rely on the proof that .box
does not exist before this logic is applied. Nevertheless the logic is
only enabled for DNSSEC=allow-downgrade mode.

This logic does not work for routers that set up a full DNS zone directly
under a non-existing TLD, as in that case we cannot prove
that the domain is truly non-existing according to the root servers.
2016-01-05 22:13:56 +01:00
Lennart Poettering
ad6c047561 resolved,networkd: add a per-interface DNSSEC setting
This adds a DNSSEC= setting to .network files, and makes resolved honour
them.
2016-01-05 20:10:31 +01:00
Lennart Poettering
1ed8c0fbb4 resolved: rename "downgrade-ok" mode to "allow-downgrade"
After discussing this with Tom, we figured out "allow-downgrade" sounds
nicer.
2016-01-05 20:00:53 +01:00