RESOLVED.CONF(5) | resolved.conf | RESOLVED.CONF(5) |
NAME
resolved.conf, resolved.conf.d - 網路名字解析服務配置檔案
SYNOPSIS
/etc/systemd/resolved.conf
/etc/systemd/resolved.conf.d/*.conf
/run/systemd/resolved.conf.d/*.conf
/usr/lib/systemd/resolved.conf.d/*.conf
描述
這些配置檔案控制著本地DNS與LLMNR名字解析
配置目錄及其優先順序
預設設定是在編譯期間確定的, 所以僅在確實需要修改預設設定的情況下, 才需要使用配置檔案。位於 /etc/systemd/ 目錄中的初始配置檔案, 僅包含了展示選項預設值的註釋, 目的在於方便系統管理員檢視和直接修改。
如果軟體包想要自定義某些預設設定, 那麼必須將自定義的配置檔案安裝到 /usr/lib/systemd/*.conf.d/ 目錄中。 /etc/ 目錄僅供系統管理員使用。 系統管理員可以利用下面的邏輯來覆蓋預設設定: 主配置檔案最先被讀取, 優先順序也最低。 所有 *.conf.d/ 中的配置檔案 都會覆蓋主配置檔案中的設定。 所有 *.conf.d/ 中的配置檔案(無論位於哪個目錄中), 統一按照檔名的字典順序處理。 如果在多個配置檔案中設定了同一個選項, 那麼僅以檔名最靠後(字典順序)的那一個為準。 為了便於排序, 建議給所有 *.conf.d/ 中的配置檔案 都加上兩位十進位制數字的檔名字首。
如果系統管理員想要遮蔽 /usr/lib/ 目錄中的某個配置檔案, 那麼最佳做法是在 /etc/ 目錄中 建立一個指向 /dev/null 的同名符號連結, 即可徹底遮蔽 /usr/lib/ 目錄中的同名檔案。
選項
下列選項都位於 "[Resolve]" 小節:
DNS=
FallbackDNS=
Domains=
如果指定的域名帶有 "~" 字首, 那麼表示它不是一個搜尋域,而是一個"路由專用域名",也就是僅用於將指定的域名查詢請求 優先路由到上文 DNS= 設定的全域性DNS伺服器上去。 注意,如果不存在針對特定連線的DNS伺服器,那麼 "~" 語法沒有任何實際效果。 特殊值 "~." 表示將所有DNS查詢請求 優先路由到上文 DNS= 設定的全域性DNS伺服器上去 (前面的波浪號表示這是一個"路由專用域名",後面的點表示DNS根域名(也就是所有域名的字尾))。
LLMNR=
DNSSEC=
注意,因為 DNSSEC 需要額外查詢更多的DNS資料, 所以,開啟此選項會減慢DNS查詢速度。
DNSSEC requires knowledge of "trust anchors" to prove data integrity. The trust anchor for the Internet root domain is built into the resolver, additional trust anchors may be defined with dnssec-trust-anchors.d(5). Trust anchors may change at regular intervals, and old trust anchors may be revoked. In such a case DNSSEC validation is not possible until new trust anchors are configured locally or the resolver software package is updated with the new root trust anchor. In effect, when the built-in trust anchor is revoked and DNSSEC= is yes, all further lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned. If DNSSEC= is set to "allow-downgrade" the resolver will automatically turn off DNSSEC validation in such a case.
Client programs looking up DNS data will be informed whether lookups could be verified using DNSSEC, or whether the returned data could not be verified (either because the data was found unsigned in the DNS, or the DNS server did not support DNSSEC or no appropriate trust anchors were known). In the latter case it is assumed that client programs employ a secondary scheme to validate the returned DNS data, should this be required.
It is recommended to set DNSSEC= to yes on systems where it is known that the DNS server supports DNSSEC correctly, and where software or trust anchor updates happen regularly. On other systems it is recommended to set DNSSEC= to "allow-downgrade".
In addition to this global DNSSEC setting systemd-networkd.service(8) also maintains per-link DNSSEC settings. For system DNS servers (see above), only the global DNSSEC setting is in effect. For per-link DNS servers the per-link setting is in effect, unless it is unset in which case the global setting is used instead.
Site-private DNS zones generally conflict with DNSSEC operation, unless a negative (if the private zone is not signed) or positive (if the private zone is signed) trust anchor is configured for them. If "allow-downgrade" mode is selected, it is attempted to detect site-private DNS zones using top-level domains (TLDs) that are not known by the DNS root server. This logic does not work in all private zone setups.
預設值是 no
Cache=
注意,對於IP地址為 127.0.0.1 或 ::1 之類的本機DNS來說,DNS快取總是關閉的。 這樣做是為了避免不必要的多次快取。
參見
systemd(1), systemd-resolved.service(8), systemd-networkd.service(8), dnssec-trust-anchors.d(5), resolv.conf(4)
NOTES
- 1.
- RFC 4794
跋
本頁面中文版由中文 man 手冊頁計劃提供。
翻譯人員:金步國
金步國作品集:http://www.jinbuguo.com
中文 man
手冊頁計劃:https://github.com/man-pages-zh/manpages-zh
systemd 231 |