mirror of
https://github.com/systemd/systemd.git
synced 2024-12-25 01:34:28 +03:00
73e97bb064
With <para><filename>…</filename></para>, we get a separate "paragraph" for each line, i.e. entries separated by empty lines. This uses up a lot of space and was only done because docbook makes it hard to insert a newline. In some other places, <literallayout> was used, but then we cannot indent the source text (because the whitespace would end up in the final page). We can get the desired result with <simplelist>. With <simplelist> the items are indented in roff output, but not in html output. In some places this looks better then no indentation, and in others it would probably be better to have no indent. But this is a minor issue and we cannot control that. (I didn't convert all spots. There's a bunch of other man pages which have two lines, e.g. an executable and service file, and it doesn't matter there so much.)
175 lines
8.8 KiB
XML
175 lines
8.8 KiB
XML
<?xml version='1.0'?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
|
|
|
|
<refentry id="dnssec-trust-anchors.d" conditional='ENABLE_RESOLVE'
|
|
xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
<refentryinfo>
|
|
<title>dnssec-trust-anchors.d</title>
|
|
<productname>systemd</productname>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>dnssec-trust-anchors.d</refentrytitle>
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>dnssec-trust-anchors.d</refname>
|
|
<refname>systemd.positive</refname>
|
|
<refname>systemd.negative</refname>
|
|
<refpurpose>DNSSEC trust anchor configuration files</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<para><simplelist>
|
|
<member><filename>/etc/dnssec-trust-anchors.d/*.positive</filename></member>
|
|
<member><filename>/run/dnssec-trust-anchors.d/*.positive</filename></member>
|
|
<member><filename>/usr/lib/dnssec-trust-anchors.d/*.positive</filename></member>
|
|
<member><filename>/etc/dnssec-trust-anchors.d/*.negative</filename></member>
|
|
<member><filename>/run/dnssec-trust-anchors.d/*.negative</filename></member>
|
|
<member><filename>/usr/lib/dnssec-trust-anchors.d/*.negative</filename></member>
|
|
</simplelist></para>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>The DNSSEC trust anchor configuration files define positive
|
|
and negative trust anchors
|
|
<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
bases DNSSEC integrity proofs on.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Positive Trust Anchors</title>
|
|
|
|
<para>Positive trust anchor configuration files contain <constant class='dns'>DNSKEY</constant> and
|
|
<constant class='dns'>DS</constant> resource record definitions to use as base for DNSSEC integrity
|
|
proofs. See <ulink url="https://tools.ietf.org/html/rfc4035#section-4.4">RFC 4035, Section 4.4</ulink>
|
|
for more information about DNSSEC trust anchors.</para>
|
|
|
|
<para>Positive trust anchors are read from files with the suffix
|
|
<filename>.positive</filename> located in
|
|
<filename>/etc/dnssec-trust-anchors.d/</filename>,
|
|
<filename>/run/dnssec-trust-anchors.d/</filename> and
|
|
<filename>/usr/lib/dnssec-trust-anchors.d/</filename>. These
|
|
directories are searched in the specified order, and a trust
|
|
anchor file of the same name in an earlier path overrides a trust
|
|
anchor files in a later path. To disable a trust anchor file
|
|
shipped in <filename>/usr/lib/dnssec-trust-anchors.d/</filename>
|
|
it is sufficient to provide an identically-named file in
|
|
<filename>/etc/dnssec-trust-anchors.d/</filename> or
|
|
<filename>/run/dnssec-trust-anchors.d/</filename> that is either
|
|
empty or a symlink to <filename>/dev/null</filename> ("masked").</para>
|
|
|
|
<para>Positive trust anchor files are simple text files resembling DNS zone files, as documented in
|
|
<ulink url="https://tools.ietf.org/html/rfc1035#section-5">RFC 1035, Section 5</ulink>. One <constant
|
|
class='dns'>DS</constant> or <constant class='dns'>DNSKEY</constant> resource record may be listed per
|
|
line. Empty lines and lines starting with <literal>#</literal> or <literal>;</literal> are ignored, which
|
|
may be used for commenting. A <constant class='dns'>DS</constant> resource record is specified like in the
|
|
following example:</para>
|
|
|
|
<programlisting>. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5</programlisting>
|
|
|
|
<para>The first word specifies the domain, use
|
|
<literal>.</literal> for the root domain. The domain may be
|
|
specified with or without trailing dot, which is considered
|
|
equivalent. The second word must be <literal>IN</literal> the
|
|
third word <literal>DS</literal>. The following words specify the
|
|
key tag, signature algorithm, digest algorithm, followed by the
|
|
hex-encoded key fingerprint. See <ulink
|
|
url="https://tools.ietf.org/html/rfc4034#section-5">RFC 4034,
|
|
Section 5</ulink> for details about the precise syntax and meaning
|
|
of these fields.</para>
|
|
|
|
<para>Alternatively, <constant class='dns'>DNSKEY</constant> resource records may be used to define trust
|
|
anchors, like in the following example:</para>
|
|
|
|
<programlisting>. IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=</programlisting>
|
|
|
|
<para>The first word specifies the domain again, the second word must be <literal>IN</literal>, followed
|
|
by <literal>DNSKEY</literal>. The subsequent words encode the <constant class='dns'>DNSKEY</constant>
|
|
flags, protocol and algorithm fields, followed by the key data encoded in Base64. See <ulink
|
|
url="https://tools.ietf.org/html/rfc4034#section-2">RFC 4034, Section 2</ulink> for details about the
|
|
precise syntax and meaning of these fields.</para>
|
|
|
|
<para>If multiple <constant class='dns'>DS</constant> or <constant class='dns'>DNSKEY</constant> records
|
|
are defined for the same domain (possibly even in different trust anchor files), all keys are used and
|
|
are considered equivalent as base for DNSSEC proofs.</para>
|
|
|
|
<para>Note that <filename>systemd-resolved</filename> will
|
|
automatically use a built-in trust anchor key for the Internet
|
|
root domain if no positive trust anchors are defined for the root
|
|
domain. In most cases it is hence unnecessary to define an
|
|
explicit key with trust anchor files. The built-in key is disabled
|
|
as soon as at least one trust anchor key for the root domain is
|
|
defined in trust anchor files.</para>
|
|
|
|
<para>It is generally recommended to encode trust anchors in <constant class='dns'>DS</constant> resource
|
|
records, rather than <constant class='dns'>DNSKEY</constant> resource records.</para>
|
|
|
|
<para>If a trust anchor specified via a <constant class='dns'>DS</constant> record is found revoked it is
|
|
automatically removed from the trust anchor database for the runtime. See <ulink
|
|
url="https://tools.ietf.org/html/rfc5011">RFC 5011</ulink> for details about revoked trust anchors. Note
|
|
that <filename>systemd-resolved</filename> will not update its trust anchor database from DNS servers
|
|
automatically. Instead, it is recommended to update the resolver software or update the new trust anchor
|
|
via adding in new trust anchor files.</para>
|
|
|
|
<para>The current DNSSEC trust anchor for the Internet's root
|
|
domain is available at the <ulink
|
|
url="https://data.iana.org/root-anchors/root-anchors.xml">IANA
|
|
Trust Anchor and Keys</ulink> page.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Negative Trust Anchors</title>
|
|
|
|
<para>Negative trust anchors define domains where DNSSEC validation shall be turned
|
|
off. Negative trust anchor files are found at the same location as positive trust anchor files,
|
|
and follow the same overriding rules. They are text files with the
|
|
<filename>.negative</filename> suffix. Empty lines and lines whose first character is
|
|
<literal>;</literal> are ignored. Each line specifies one domain name which is the root of a DNS
|
|
subtree where validation shall be disabled. For example:</para>
|
|
|
|
<programlisting># Reverse IPv4 mappings
|
|
10.in-addr.arpa
|
|
16.172.in-addr.arpa
|
|
168.192.in-addr.arpa
|
|
...
|
|
# Some custom domains
|
|
prod
|
|
stag
|
|
</programlisting>
|
|
|
|
<para>Negative trust anchors are useful to support private DNS
|
|
subtrees that are not referenced from the Internet DNS hierarchy,
|
|
and not signed.</para>
|
|
|
|
<para><ulink url="https://tools.ietf.org/html/rfc7646">RFC
|
|
7646</ulink> for details on negative trust anchors.</para>
|
|
|
|
<para>If no negative trust anchor files are configured a built-in
|
|
set of well-known private DNS zone domains is used as negative
|
|
trust anchors.</para>
|
|
|
|
<para>It is also possibly to define per-interface negative trust
|
|
anchors using the <varname>DNSSECNegativeTrustAnchors=</varname>
|
|
setting in
|
|
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
files.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
<para>
|
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|