From b83d91c02947585df06207c604534d25d87b611f Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 5 Jan 2016 17:37:09 +0100
Subject: [PATCH] resolved: make MulticastDNS support configurable in resolved.conf

The option is already there, but wasn't exported in the configuration file so far. Fix that.
---
 man/resolved.conf.xml | 42 +++++++++++++++++++++++++++++-------------
 src/resolve/resolved-gperf.gperf | 1 +
 src/resolve/resolved.conf.in | 1 +
 3 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 786b096..3c1e698 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -125,22 +125,38 @@ + MulticastDNS= + Takes a boolean argument or + resolve. Controls Multicast DNS support + (RFC + 6762) on the local host. If true, enables full + Multicast DNS responder and resolver support. If false, + disables both. If set to resolve, only + resolution support is enabled, but responding is + disabled. Note that + systemd-networkd.service8 + also maintains per-interface Multicast DNS settings. Multicast + DNS will be enabled on an interface only if the per-interface + and the global setting is on. + + + DNSSEC= Takes a boolean argument or downgrade-ok. If true all DNS lookups are - DNSSEC-validated locally. If a response for a lookup request - is detected invalid this is returned as lookup failure to - applications. Note that this mode requires a DNS server that - supports DNSSEC. If the DNS server does not properly support - DNSSEC all validations will fail. If set to - downgrade-ok DNSSEC validation is - attempted, but if the server does not support DNSSEC properly, - DNSSEC mode is automatically disabled. Note that this mode - makes DNSSEC validation vulnerable to "downgrade" attacks, - where an attacker might be able to trigger a downgrade to - non-DNSSEC mode by synthesizing a DNS response that suggests - DNSSEC was not supported. If set to false, DNS lookups are not - DNSSEC validated. + DNSSEC-validated locally (excluding LLMNR and Multicast + DNS). If a response for a lookup request is detected invalid + this is returned as lookup failure to applications. Note that + this mode requires a DNS server that supports DNSSEC. If the + DNS server does not properly support DNSSEC all validations + will fail. If set to downgrade-ok DNSSEC + validation is attempted, but if the server does not support + DNSSEC properly, DNSSEC mode is automatically disabled. 
Note + that this mode makes DNSSEC validation vulnerable to + "downgrade" attacks, where an attacker might be able to + trigger a downgrade to non-DNSSEC mode by synthesizing a DNS + response that suggests DNSSEC was not supported. If set to + false, DNS lookups are not DNSSEC validated. Note that DNSSEC validation requires retrieval of additional DNS data, and thus results in a small DNS look-up
diff --git a/src/resolve/resolved-gperf.gperf b/src/resolve/resolved-gperf.gperf
index 9bbf454..fb3fe9c 100644
--- a/src/resolve/resolved-gperf.gperf
+++ b/src/resolve/resolved-gperf.gperf
@@ -18,4 +18,5 @@ Resolve.DNS, config_parse_dns_servers, DNS_SERVER_SYSTEM, 0
 Resolve.FallbackDNS, config_parse_dns_servers, DNS_SERVER_FALLBACK, 0
 Resolve.Domains, config_parse_search_domains, 0, 0
 Resolve.LLMNR, config_parse_resolve_support,0, offsetof(Manager, llmnr_support)
+Resolve.MulticastDNS, config_parse_resolve_support,0, offsetof(Manager, mdns_support)
 Resolve.DNSSEC, config_parse_dnssec, 0, 0
diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
index efc9c67..0ba572d 100644
--- a/src/resolve/resolved.conf.in
+++ b/src/resolve/resolved.conf.in
@@ -16,4 +16,5 @@
 #FallbackDNS=@DNS_SERVERS@
 #Domains=
 #LLMNR=yes
+#MulticastDNS=no
 #DNSSEC=no
--
2.7.4
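Review bot: The `#MulticastDNS=no` line added to resolved.conf.in states a compiled-in default, but `mdns_support` is initialised outside this patch, so nothing here shows that the Manager really starts with Multicast DNS off. If the two disagree, a host would answer and trust link-local name traffic while the shipped configuration file says it does not, and the DNSSEC= text in the same man page now says Multicast DNS lookups are not DNSSEC-validated. I would confirm the initial value of `mdns_support` and then state it in the new MulticastDNS= paragraph of man/resolved.conf.xml, for example `Defaults to no; Multicast DNS answers are not authenticated.`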