author | Iwan Timmer <irtimmer@gmail.com> | 2018-06-11 21:33:57 +0200
committer | Iwan Timmer <irtimmer@gmail.com> | 2018-06-12 18:50:30 +0200
commit | 30e59c84d77ba3a1fc348408b3fca9e3eb40877a (patch)
tree | c62b3f7d27ab09cd97bd2e60408ef8dfaf9009fa /man
parent | d050561ac3b3087ffcc0352db988518c120c1979 (diff)
download | systemd-30e59c84d77ba3a1fc348408b3fca9e3eb40877a.tar.gz
man: document DNS-over-TLS options
Diffstat (limited to 'man')
-rw-r--r-- | man/resolvectl.xml | 13
-rw-r--r-- | man/resolved.conf.xml | 32
-rw-r--r-- | man/systemd.network.xml | 15
3 files changed, 54 insertions, 6 deletions
diff --git a/man/resolvectl.xml b/man/resolvectl.xml index 7f981ac327..69c3c0f7ea 100644 --- a/man/resolvectl.xml +++ b/man/resolvectl.xml @@ -257,6 +257,7 @@ <term><option>llmnr [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term> <term><option>mdns [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term> <term><option>dnssec [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term> + <term><option>privatedns [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term> <term><option>nta [<replaceable>LINK</replaceable> [<replaceable>DOMAIN</replaceable>…]]</option></term> <listitem><para>Get/set per-interface DNS configuration. These commands may be used to configure various DNS 
@@ -268,10 +269,10 @@ through external means. The <option>dns</option> command expects IPv4 or IPv6 address specifications of DNS servers to use. The <option>domain</option> command expects valid DNS domains, possibly prefixed with <literal>~</literal>, and configures a per-interface search or route-only domain. The <option>llmnr</option>, - <option>mdns</option> and <option>dnssec</option> commands may be used to configure the per-interface LLMNR, - MulticastDNS and DNSSEC settings. Finally, <option>nta</option> command may be used to configure additional - per-interface DNSSEC NTA domains. For details about these settings, their possible values and their effect, - see the corresponding options in + <option>mdns</option>, <option>dnssec</option> and <option>privatedns</option> commands may be used to configure + the per-interface LLMNR, MulticastDNS, DNSSEC and PrivateDNS settings. Finally, <option>nta</option> command + may be used to configure additional per-interface DNSSEC NTA domains. For details about these settings, their + possible values and their effect, see the corresponding options in <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> </listitem> </varlistentry> @@ -282,8 +283,8 @@ <listitem><para>Revert the per-interface DNS configuration. If the DNS configuration is reverted all per-interface DNS setting are reset to their defaults, undoing all effects of <option>dns</option>, <option>domain</option>, <option>llmnr</option>, <option>mdns</option>, <option>dnssec</option>, - <option>nta=</option>. Note that when a network interface disappears all configuration is lost automatically, - an explicit reverting is not necessary in that case.</para></listitem> + <option>privatedns</option>, <option>nta=</option>. Note that when a network interface disappears all + configuration is lost automatically, an explicit reverting is not necessary in that case.</para></listitem> </varlistentry> </variablelist> 
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index e87aa59bae..67cc409440 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -207,6 +207,38 @@ </varlistentry> <varlistentry> + <term><varname>PrivateDNS=</varname></term> + <listitem> + <para>Takes false or + <literal>opportunistic</literal>. When set to <literal>opportunistic</literal> + DNS request are attempted to send encrypted with DNS-over-TLS. + If the DNS server does not support TLS, DNS-over-TLS is disabled. + Note that this mode makes DNS-over-TLS vulnerable to "downgrade" + attacks, where an attacker might be able to trigger a downgrade + to non-encrypted mode by synthesizing a response that suggests + DNS-over-TLS was not supported. If set to false, DNS lookups + are send over UDP.</para> + + <para>Note that DNS-over-TLS requires additional data to be + send for setting up an encrypted connection, and thus results + in a small DNS look-up time penalty.</para> + + <para>Note as the resolver is not capable of authenticating + the server, it is vulnerable for "man-in-the-middle" attacks.</para> + + <para>In addition to this global PrivateDNS setting + <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + also maintains per-link PrivateDNS settings. For system DNS + servers (see above), only the global PrivateDNS setting is in + effect. For per-link DNS servers the per-link + setting is in effect, unless it is unset in which case the + global setting is used instead.</para> + + <para>Defaults to off.</para> + </listitem> + </varlistentry> + + <varlistentry> <term><varname>Cache=</varname></term> <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got queried earlier will return the previous result as long as it is still valid, and thus does not result in a new diff --git a/man/systemd.network.xml b/man/systemd.network.xml index d7bcf5a067..b43874b59c 100644 
--- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -385,6 +385,21 @@ </listitem> </varlistentry> <varlistentry> + <term><varname>PrivateDNS=</varname></term> + <listitem> + <para>Takes false or + <literal>opportunistic</literal>. When set to <literal>opportunistic</literal>, enables + <ulink + url="https://tools.ietf.org/html/rfc7858">DNS-over-TLS</ulink> + support on the link. This option defines a + per-interface setting for + <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s + global <varname>PrivateDNS=</varname> option. Defaults to + false. This setting is read by + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + </listitem> + </varlistentry> + <varlistentry> <term><varname>DNSSEC=</varname></term> <listitem> <para>A boolean or |
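Review bot: the rewrapped sentence in the @@ -268 hunk of resolvectl.xml still reads "Finally, <option>nta</option> command may be used"; since the line is already being touched, add the missing article: "Finally, the <option>nta</option> command may be used to configure additional per-interface DNSSEC NTA domains."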
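Review bot: in the @@ -282 hunk of resolvectl.xml the new list ends with "<option>privatedns</option>, <option>nta=</option>"; the trailing "=" on nta is inconsistent with the other entries (dns, domain, llmnr, mdns, dnssec, privatedns), which are resolvectl verbs rather than configuration keys, so it should be "<option>nta</option>". The unchanged context line "all per-interface DNS setting are reset" should also become "settings" while this paragraph is being rewrapped.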
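Review bot: the new PrivateDNS= entry in resolved.conf.xml opens with "Takes false or <literal>opportunistic</literal>" but closes with "Defaults to off."; the two should agree, and the systemd.network.xml hunk already says "Defaults to false." The same entry has several verb-form slips to fix before merging: "DNS request are attempted to send encrypted" should read "DNS requests are attempted to be sent encrypted", "are send over UDP" and "to be send" should be "sent", "vulnerable for" should be "vulnerable to", and "Note as the resolver" should be "Note that, as the resolver". "are send over UDP" also under-describes the non-TLS path, which can fall back to TCP for large responses; "are sent unencrypted" states what actually matters. Finally, the downgrade warning and the no-authentication note describe the same limitation of opportunistic mode; putting them in one paragraph makes it clear to the reader that this mode protects only against passive observation of queries, not against an active attacker on the path.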
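Review bot: the systemd.network.xml hunk documents PrivateDNS= only as "enables DNS-over-TLS support on the link" and carries none of the opportunistic-mode caveats that the resolved.conf.xml hunk states (downgrade to cleartext, no server authentication). A reader configuring the per-link option will not see them; either repeat a one-sentence caveat here or point to them explicitly, e.g. "see the description of <varname>PrivateDNS=</varname> in resolved.conf(5) for the security properties of opportunistic mode". Minor markup point: both hunks write "Takes false or <literal>opportunistic</literal>", marking up one accepted value but not the other; "Takes <literal>false</literal> or <literal>opportunistic</literal>" in both files would be consistent.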