38 lines
1.6 KiB
Diff
38 lines
1.6 KiB
Diff
From 2f2b28ab35e80855042c69e324feaf7418636aa2 Mon Sep 17 00:00:00 2001
|
|
From: Riccardo Schirone <sirmy15@gmail.com>
|
|
Date: Wed, 13 Nov 2019 17:37:15 +0100
|
|
Subject: [PATCH] Be more specific in resolved.conf man page with regard to
|
|
DNSOverTLS
|
|
|
|
DNSOverTLS in strict mode (value yes) does check the server, as it is said in
|
|
the first few lines of the option documentation. The check is not performed in
|
|
"opportunistic" mode, however, as that is allowed by RFC 7858, section "4.1.
|
|
Opportunistic Privacy Profile".
|
|
|
|
> With such a discovered DNS server, the client might or might not validate the
|
|
> resolver. These choices maximize availability and performance, but they leave
|
|
> the client vulnerable to on-path attacks that remove privacy.
|
|
---
|
|
man/resolved.conf.xml | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
|
|
index 213be1d7b2..818000145b 100644
|
|
--- a/man/resolved.conf.xml
|
|
+++ b/man/resolved.conf.xml
|
|
@@ -210,8 +210,9 @@
|
|
send for setting up an encrypted connection, and thus results
|
|
in a small DNS look-up time penalty.</para>
|
|
|
|
- <para>Note as the resolver is not capable of authenticating
|
|
- the server, it is vulnerable for "man-in-the-middle" attacks.</para>
|
|
+ <para>Note that in <literal>opportunistic</literal> mode the
|
|
+ resolver is not capable of authenticating the server, so it is
|
|
+ vulnerable to "man-in-the-middle" attacks.</para>
|
|
|
|
<para>In addition to this global DNSOverTLS setting
|
|
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
--
|
|
2.26.2
|
|
|