1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-28 11:21:59 +03:00
Commit Graph

82 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
73e97bb064 man: use <simplelist> for file lists in synopsis
With <para><filename>…</filename></para>, we get a separate "paragraph" for
each line, i.e. entries separated by empty lines. This uses up a lot of space
and was only done because docbook makes it hard to insert a newline. In some
other places, <literallayout> was used, but then we cannot indent the source
text (because the whitespace would end up in the final page). We can get the
desired result with <simplelist>.

With <simplelist> the items are indented in roff output, but not in html
output. In some places this looks better then no indentation, and in others it
would probably be better to have no indent. But this is a minor issue and we
cannot control that.

(I didn't convert all spots. There's a bunch of other man pages which have two
lines, e.g. an executable and service file, and it doesn't matter there so
much.)
2023-12-15 14:27:28 +01:00
Lennart Poettering
28e3359fdc man: document that Domains=local bind the domain to unicast DNS, not mDNS
Fixes: #28983
2023-11-08 14:28:10 +01:00
Zbigniew Jędrzejewski-Szmek
bf63dadbc6 man: more hyperlinks and other fixes
Closes https://github.com/systemd/systemd/issues/29814.
2023-11-06 20:16:34 +01:00
Abderrahim Kitouni
ec07c3c80b man: add version info
This tries to add information about when each option was added. It goes
back to version 183.

The version info is included from a separate file to allow generating it,
which would allow more control on the formatting of the final output.
2023-08-29 14:07:24 +01:00
Zbigniew Jędrzejewski-Szmek
e51846adc0 man: clarify DNSSEC= again
https://github.com/systemd/systemd/pull/28407#issuecomment-1640900239
2023-07-19 15:13:01 +02:00
Petr Menšík
96d384ca4f Include in manual what DNSSEC=no means in detail
https://www.rfc-editor.org/rfc/rfc4035.html#section-3.2.1 says
security-aware recursive name server MUST set DO bit when sending
requests. systemd-resolved does not do that by design. State it more
clearly in manual page. Unlike other implementations it disables not
only validation as it stated, but complete DNSSEC awareness.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
2023-07-18 17:28:32 +02:00
Kiran Vemula
5ed91481ab resolved: added serve stale feature implementation of RFC 8767
serve stale feature to keep the DNS resource records beyond TTL to return them as stale records in case of upstream server is not reachable or returns negative response.
SD_RESOLVED_NO_STALE flag has been added to disable serving stale records via dbus.
added serve stale test cases to TEST-75-RESOLVED
Fixes: #21815
2023-06-16 10:20:15 +01:00
Zbigniew Jędrzejewski-Szmek
87291a26f5 man: explain route-only domains a bit more
The details discussion of how search and route-only domains work is in
systemd-resolved.service(8). But users are more likely to look at
resolved.conf(5), because that's where Domains= is described. So let's add a
reference to the other man page there, and also strengthen the text a bit. In
particular, in systemd-resolved.service(8) we say "route-only", which makes
the distinction with search domains clearer. Let's use the same in the other
man page too.

This is based on feedback from Lukáš Nykrýn that the man page is not clear
enough.
2023-03-07 16:22:13 +01:00
Yu Watanabe
2ff7862bf2 resolve: drop remaining references for Monitor=
Follow-up for b25d819aee.
2022-10-03 08:26:05 +02:00
Suraj Krishnan
cb456374e0 Implement DNS notifications from resolved via varlink
* The new varlink interface exposes a method to subscribe to DNS
resolutions on the system. The socket permissions are open for owner and
group only.
* Notifications are sent to subscriber(s), if any, after successful
resolution of A and AAAA records.

This feature could be used by applications for auditing/logging services
downstream of the resolver. It could also be used to asynchronously
update the firewall. For example, a system that has a tightly configured
firewall could open up connections selectively to known good hosts based
on a known allow-list of hostnames. Of course, updating the firewall
asynchronously will require other design considerations (such as
queueing packets in the user space while a verdict is made).

See also:
https://lists.freedesktop.org/archives/systemd-devel/2022-August/048202.html
https://lists.freedesktop.org/archives/systemd-devel/2022-February/047441.html
2022-09-09 09:22:57 +01:00
Zbigniew Jędrzejewski-Szmek
e803cf2139 man: correctly document default for DNSSEC= and DNSoverTLS=
https://bugzilla.redhat.com/show_bug.cgi?id=1926323
2021-12-20 10:56:14 +01:00
Lennart Poettering
a8d0906344 resolved: add "proxy-only" stub on 127.0.0.54
This beefs up the DNS stub logic to listen on two IP addresses:
127.0.0.53 (as before) + 127.0.0.54 (new). When the latter is contact
our stub will operate in "bypass" mode only, i.e we'll try to pass DNS
requests as unmodified upstream as we can (and not do mDNS/LLMNR and
such, also no DNSSEC validation – but we'll still do DNS-over-TLS
wrapping).

This is supposed to be useful for container environments or tethering:
this stub could be exposed (via NAT redirect) to clients of this system
and we'll try to stay out of the way with doing too much DNS magic
ourselves, but still expose whatever the current DNS server is from
upstream under a stable address/port.

How to use this:

  # iptables -t nat -I PREROUTING -p udp -i <interface> --dport 53 -j DNAT --to 127.0.0.54:53
  # echo 1 > /proc/sys/net/ipv4/conf/<interface>/route_localnet
2021-11-22 22:33:24 +01:00
ml
84b10e536c man: remove unintentionally repetitive words 2021-11-11 14:36:50 +01:00
Raul Tambre
12c0bb31a7 resolved: Fix link to resolv.conf manpage
Seems to typically located in volume 5 these days on Linux systems that systemd targets.
2021-06-29 12:50:53 +01:00
Pavel Sapezhko
6d8325f66a resolved: allow cache responses from local DNS servers 2020-11-27 09:03:42 +09:00
Lennart Poettering
bb4cbb25d4 man: suffix settings name with = and enclose in <varname> 2020-11-19 16:16:17 +01:00
Lennart Poettering
a21f53219b man: add missing full stop 2020-11-16 21:08:38 +01:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
George Rawlinson
22c2f841db man: fix typo in resolved.conf 2020-09-05 21:38:01 +02:00
Yu Watanabe
6421194b31 man: update DNSStubListenerExtra= 2020-09-04 20:05:54 +09:00
Susant Sahani
1f05101fb6 resolve: allow configurable bind address 2020-09-03 08:27:41 +00:00
Yu Watanabe
711dd5db9e man: update explanation about the format to specify DNS servers 2020-07-21 04:12:16 +09:00
Zbigniew Jędrzejewski-Szmek
bdac560801 tree-wide: drop quotes from around [section]
For users, the square brackets already serve as markup and clearly delineate
the section name from surrounding text. Putting additional markup around that
only adds clutter. Also, we were very inconsistent in using the quotes. Let's
just drop them altogether.
2020-07-06 11:29:05 +02:00
Frantisek Sumsal
cb713f1696 tree-wide: spellcheck fixes
Most of them were reported by Fossies.org
2020-06-26 22:33:56 +02:00
Zbigniew Jędrzejewski-Szmek
2bd5e1b272 man: document the new option
Also correct "stub resolver" → "systemd-resolved" in one other option.
2020-06-18 21:28:52 +02:00
Zbigniew Jędrzejewski-Szmek
801d25ef0f man: rework description of Domains=
We said that ~domains "do not define a search path", which is mighty confusing,
because this is exactly what they do. So let's try to make this a bit easier
for the reader: start by saying that there are two things going on here, and
describe each one from user's POV.
2020-06-18 21:26:20 +02:00
Zbigniew Jędrzejewski-Szmek
38b38500c6 tree-wide: use "hostname" spelling everywhere
It's not that I think that "hostname" is vastly superior to "host name". Quite
the opposite — the difference is small, and in some context the two-word version
does fit better. But in the tree, there are ~200 occurrences of the first, and
>1600 of the other, and consistent spelling is more important than any particular
spelling choice.
2020-04-21 16:58:04 +02:00
Zbigniew Jędrzejewski-Szmek
d8c73cb7c2 man: fix formatting in resolved.conf(5) 2020-04-20 09:47:55 +02:00
Jörg Thalheim
eec394f10b systemd-resolved: use hostname for certificate validation in DoT
Widely accepted certificates for IP addresses are expensive and only
affordable for larger organizations. Therefore if the user provides
the hostname in the DNS= option, we should use it instead of the IP
address.
2020-03-07 01:37:30 +09:00
Guilhem Lettron
2e22a54f4e Implement SNI when using DNS-over-TLS
Some DNS providers need SNI to identify client.

This can be used by adding #name to a DNS.
Example:
[Resolve]
DNS=192.168.1.1#example.com
2019-12-04 23:24:06 +09:00
Riccardo Schirone
2f2b28ab35 Be more specific in resolved.conf man page with regard to DNSOverTLS
DNSOverTLS in strict mode (value yes) does check the server, as it is said in
the first few lines of the option documentation. The check is not performed in
"opportunistic" mode, however, as that is allowed by RFC 7858, section "4.1.
Opportunistic Privacy Profile".

> With such a discovered DNS server, the client might or might not validate the
> resolver. These choices maximize availability and performance, but they leave
> the client vulnerable to on-path attacks that remove privacy.
2019-11-13 22:44:15 +01:00
Jorge Niedbalski
37d7a7d984 resolved: switch cache option to a tri-state option (systemd#5552).
Change the resolved.conf Cache option to a tri-state "no, no-negative, yes" values.

If a lookup returns SERVFAIL systemd-resolved will cache the result for 30s (See 201d995),
however, there are several use cases on which this condition is not acceptable (See systemd#5552 comments)
and the only workaround would be to disable cache entirely or flush it , which isn't optimal.

This change adds the 'no-negative' option when set it avoids putting in cache
negative answers but still works the same heuristics for positive answers.

Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
2019-07-17 10:42:53 -04:00
Iwan Timmer
4310bfc20b resolved: add strict mode for DNS-over-TLS
Add strict mode for DNS-over-TLS, which will require TLS support from the server. Closes #10755
2019-06-19 13:10:44 +02:00
Zbigniew Jędrzejewski-Szmek
3a54a15760 man: use same header for all files
The "include" files had type "book" for some raeason. I don't think this
is meaningful. Let's just use the same everywhere.

$ perl -i -0pe 's^..DOCTYPE (book|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n  "http^gms' man/*.xml
2019-03-14 14:42:05 +01:00
Zbigniew Jędrzejewski-Szmek
0307f79171 man: standarize on one-line license header
No need to waste space, and uniformity is good.

$ perl -i -0pe 's|\n+<!--\s*SPDX-License-Identifier: LGPL-2.1..\s*-->|\n<!-- SPDX-License-Identifier: LGPL-2.1+ -->|gms' man/*.xml
2019-03-14 14:29:37 +01:00
Sam Morris
4b987478b0 resolved: have the stub resolver listen on both TCP and UDP by default
RFC7766 section 4 states that in the absence of EDNS0, a response that
is too large for a 512-byte UDP packet will have the 'truncated' bit
set. The client is expected to retry the query over TCP.

Fixes #10264.
2018-12-12 21:21:04 +01:00
Alexander Kurtz
f628e3eea7 man: fix default value in resolved.conf man page (#10733)
See https://github.com/systemd/systemd/blob/v239/meson_options.txt#L190
2018-11-12 15:44:55 +09:00
Todd Walton
eaaec6cc12 man: fix RFC ref in resolved.conf man page (#9976)
This is a simple one-character fix to reference the correct RFC for
LLMNR, which is RFC 4795, not RFC 4794.
2018-08-30 09:47:07 +09:00
Yu Watanabe
494c5676b3 man: use literal tag 2018-07-28 21:46:22 +09:00
Yu Watanabe
8631708741 resolve: add option to toggle reading /etc/hosts
Workaround for #9718.
2018-07-28 21:46:00 +09:00
Zbigniew Jędrzejewski-Szmek
514094f933 man: drop mode line in file headers
This is already included in .dir-locals, so we don't need it
in the files themselves.
2018-07-03 01:32:25 +02:00
Zbigniew Jędrzejewski-Szmek
d9b02e1697 tree-wide: drop copyright headers from frequent contributors
Fixes #9320.

for p in Shapovalov Chevalier Rozhkov Sievers Mack Herrmann Schmidt Rudenberg Sahani Landden Andersen Watanabe; do
  git grep -e 'Copyright.*'$p -l|xargs perl -i -0pe 's|/([*][*])?[*]\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\s*[*]([*][*])?/\n*|\n|gms; s|\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\n*|\n|gms'
done
2018-06-20 11:58:53 +02:00
Zbigniew Jędrzejewski-Szmek
fdbbee37d5 man: drop unused <authorgroup> tags from man sources
Docbook styles required those to be present, even though the templates that we
use did not show those names anywhere. But something changed semi-recently (I
would suspect docbook templates, but there was only a minor version bump in
recent years, and the changelog does not suggest anything related), and builds
now work without those entries. Let's drop this dead weight.

Tested with F26-F29, debian unstable.

$ perl -i -0pe 's/\s*<authorgroup>.*<.authorgroup>//gms' man/*xml
2018-06-14 12:22:18 +02:00
Lennart Poettering
96b2fb93c5 tree-wide: beautify remaining copyright statements
Let's unify an beautify our remaining copyright statements, with a
unicode ©. This means our copyright statements are now always formatted
the same way. Yay.
2018-06-14 10:20:21 +02:00
Lennart Poettering
818bf54632 tree-wide: drop 'This file is part of systemd' blurb
This part of the copyright blurb stems from the GPL use recommendations:

https://www.gnu.org/licenses/gpl-howto.en.html

The concept appears to originate in times where version control was per
file, instead of per tree, and was a way to glue the files together.
Ultimately, we nowadays don't live in that world anymore, and this
information is entirely useless anyway, as people are very welcome to
copy these files into any projects they like, and they shouldn't have to
change bits that are part of our copyright header for that.

hence, let's just get rid of this old cruft, and shorten our codebase a
bit.
2018-06-14 10:20:20 +02:00
Iwan Timmer
c9299be2f5 resolve: rename PrivateDNS to DNSOverTLS
PrivateDNS is not considered a good name for this option, so rename it to DNSOverTLS
2018-06-14 09:57:56 +02:00
Iwan Timmer
30e59c84d7 man: document DNS-over-TLS options 2018-06-12 18:50:30 +02:00
Zbigniew Jędrzejewski-Szmek
11a1589223 tree-wide: drop license boilerplate
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.

I also kept any copyright lines. We can probably remove them, but it'd nice to
obtain explicit acks from all involved authors before doing that.
2018-04-06 18:58:55 +02:00
Zbigniew Jędrzejewski-Szmek
572eb058cf Add SPDX license identifiers to man pages 2017-11-19 19:08:15 +01:00
Zbigniew Jędrzejewski-Szmek
1ec57f3394 build-sys: s/ENABLE_RESOLVED/ENABLE_RESOLVE/
The configuration option was called -Dresolve, but the internal define
was …RESOLVED. This options governs more than just resolved itself, so
let's settle on the version without "d".
2017-10-04 12:09:51 +02:00