| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
| |
In some cases, caching DNS results locally is not desirable, a it makes DNS
cache poisoning attacks a tad easier and also allows users on the system to
determine whether or not a particular domain got visited by another user. Thus
provide a new "Cache" resolved.conf option to disable it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to
"allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled
by default add a configure switch to disable this again.
DNSSEC in "allow-downgrade" mode should mostly work without affecting user
experience. There's one exception: some captive portal systems rewrite DNS in
order to redirect HTTP traffic to the captive portal. If these systems
implement DNS servers that are otherwise DNSSEC-capable (which in fact is
pretty unlikely, but still...), then this will result in the captive portal
being inaccessible. To fix this support in NetworkManager (or any other network
management solution that does captive portal detection) is required, which
simply turns off DNSSEC during the captive portal detection, and resets it back
to the default (i.e. on) after captive portal authentication is complete.
|
| |
|
|
|
|
| |
These bits were intenionally left out while mDNS is under development.
Remove the exposed knobs and man page entries again until this is settled.
|
| |
|
|
|
| |
The option is already there, but wasn't exported in the configuration
file so far. Fix that.
|
| |
|
|
|
|
|
|
|
| |
The setting controls which kind of DNSSEC validation is done: none at
all, trusting the AD bit, or client-side validation.
For now, no validation is implemented, hence the setting doesn't do much
yet, except of toggling the CD bit in the generated messages if full
client-side validation is requested.
|
| |
|
|
|
|
|
|
|
|
| |
With this change, we add a new object to resolved, "DnsSearchDomain="
which wraps a search domain. This is then used to introduce a global
search domain list, in addition to the existing per-link search domain
list which is reword to make use of this new object too.
This is preparation for implement proper unicast DNS search domain
support.
|
| |
|
|
|
|
|
|
|
|
| |
For daemons which have a main configuration file, there's
little reason for the administrator to use configuration snippets.
They are useful for packagers which need to override settings, but
we shouldn't advertise that as the main way of configuring those
services.
https://bugs.freedesktop.org/show_bug.cgi?id=89397
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We now maintain two lists of DNS servers: system servers and fallback
servers.
system servers are used in combination with any per-link servers.
fallback servers are only used if there are no system servers or
per-link servers configured.
The system server list is supposed to be populated from a foreign tool's
/etc/resolv.conf (not implemented yet).
Also adds a configuration switch for LLMNR, that allows configuring
whether LLMNR shall be used simply for resolving or also for responding.
|
|
|
Also remove the equivalent functionality from networkd.
|
