man: clarify DNSSEC= again

https://github.com/systemd/systemd/pull/28407#issuecomment-1640900239
2025-02-03 17:47:28 +03:00 · 2023-07-19 14:16:15 +02:00 · 2023-07-19 14:16:15 +02:00 · e51846adc0
commit e51846adc0
parent f0406e118f
1 changed files with 18 additions and 20 deletions
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@ -138,27 +138,25 @@

      <varlistentry>
        <term><varname>DNSSEC=</varname></term>
-        <listitem><para>Takes a boolean argument or
-        <literal>allow-downgrade</literal>. If true all DNS lookups are
-        DNSSEC-validated locally (excluding LLMNR and Multicast
-        DNS). If the response to a lookup request is detected to be invalid
-        a lookup failure is returned to applications. Note that
-        this mode requires a DNS server that supports DNSSEC. If the
-        DNS server does not properly support DNSSEC all validations
-        will fail. If set to <literal>allow-downgrade</literal> DNSSEC
-        validation is attempted, but if the server does not support
-        DNSSEC properly, DNSSEC mode is automatically disabled. Note
-        that this mode makes DNSSEC validation vulnerable to
-        "downgrade" attacks, where an attacker might be able to
-        trigger a downgrade to non-DNSSEC mode by synthesizing a DNS
-        response that suggests DNSSEC was not supported. If set to
-        false, DNS lookups are not DNSSEC validated and the resolver
-        becomes security-unaware. All forwarded queries have DNSSEC OK (DO)
-        bit unset.</para>
+        <listitem><para>Takes a boolean argument or <literal>allow-downgrade</literal>.</para>

-        <para>Note that DNSSEC validation requires retrieval of
-        additional DNS data, and thus results in a small DNS look-up
-        time penalty.</para>
+        <para>If set to true, all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast
+        DNS). If the response to a lookup request is detected to be invalid a lookup failure is returned to
+        applications. Note that this mode requires a DNS server that supports DNSSEC. If the DNS server does
+        not properly support DNSSEC all validations will fail.</para>
+
+        <para>If set to <literal>allow-downgrade</literal>, DNSSEC validation is attempted, but if the server
+        does not support DNSSEC properly, DNSSEC mode is automatically disabled. Note that this mode makes
+        DNSSEC validation vulnerable to "downgrade" attacks, where an attacker might be able to trigger a
+        downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not
+        supported.</para>
+
+        <para>If set to false, DNS lookups are not DNSSEC validated. In this mode, or when set to
+        <literal>allow-downgrade</literal> and the downgrade has happened, the resolver becomes
+        security-unaware and all forwarded queries have DNSSEC OK (DO) bit unset.</para>
+
+        <para>Note that DNSSEC validation requires retrieval of additional DNS data, and thus results in a
+        small DNS lookup time penalty.</para>

        <para>DNSSEC requires knowledge of "trust anchors" to prove
        data integrity. The trust anchor for the Internet root domain