From 8ef114c692846b0a801807a087ee65a1c7c6c7c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 20 Dec 2021 14:16:44 +0100
Subject: nss-resolve: expose various source-disablement settings as variables

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2006761:
> systemd-resolved always (reverse)-resolves the host's IP addresses and FQDN.
> This can be harmful when an application (for instance, a DNS zone manager) is
> installed on the same server instance.  That application would expect
> NXDOMAIN to be returned if the current server's IP does not belong in an
> already managed reverse zone.

This allows clients of nss-resolve to use the same config options that are
available through the dbus api and as command-line options to resolvectl.

The man page text is is mostly copied directly from
c6f20515ab600098b5c2871bae2e9ecab3b41555.
---
 man/nss-resolve.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

(limited to 'man/nss-resolve.xml')

diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
index 7d427b1a1a..061d0d74bb 100644
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@@ -76,6 +76,55 @@
         unreliable.</para></listitem>
       </varlistentry>
     </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_SYNTHESIZE</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, synthetic records, e.g. for the local host
+        name, will not be returned. See section SYNTHETIC RECORDS in
+        <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        for more information. This may be useful to query the "public" resource records, independent of the
+        configuration of the local machine.</para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
+        not be used by <filename>systemd-resolved</filename>.</para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_ZONE</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, answers using locally registered public
+        LLMNR/mDNS resource records will not be returned.</para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, answers using locally configured trust anchors
+        will not be used.</para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <variablelist class='environment-variables'>
+      <varlistentry>
+        <term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>
+
+        <listitem><para>Takes a boolean argument. When false, answers will be returned without using the
+        network, i.e. either from local sources or the cache in <filename>systemd-resolved</filename>.
+        </para></listitem>
+      </varlistentry>
+    </variablelist>
   </refsect1>
 
   <refsect1>
-- 
cgit v1.2.1