path: root/upstream/debian-unstable/man5/resolved.conf.5
Diffstat (limited to 'upstream/debian-unstable/man5/resolved.conf.5')
-rw-r--r-- upstream/debian-unstable/man5/resolved.conf.5 52
1 files changed, 31 insertions, 21 deletions
diff --git a/upstream/debian-unstable/man5/resolved.conf.5 b/upstream/debian-unstable/man5/resolved.conf.5
index cd0d5721..4979ca77 100644
--- a/upstream/debian-unstable/man5/resolved.conf.5
+++ b/upstream/debian-unstable/man5/resolved.conf.5
@@ -1,5 +1,5 @@
'\" t
-.TH "RESOLVED\&.CONF" "5" "" "systemd 255" "resolved.conf"
+.TH "RESOLVED\&.CONF" "5" "" "systemd 256~rc3" "resolved.conf"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -23,28 +23,39 @@
resolved.conf, resolved.conf.d \- Network Name Resolution configuration files
.SH "SYNOPSIS"
.PP
+.RS 4
/etc/systemd/resolved\&.conf
-.PP
+.RE
+.RS 4
+/run/systemd/resolved\&.conf
+.RE
+.RS 4
+/usr/lib/systemd/resolved\&.conf
+.RE
+.RS 4
/etc/systemd/resolved\&.conf\&.d/*\&.conf
-.PP
+.RE
+.RS 4
/run/systemd/resolved\&.conf\&.d/*\&.conf
-.PP
+.RE
+.RS 4
/usr/lib/systemd/resolved\&.conf\&.d/*\&.conf
+.RE
.SH "DESCRIPTION"
.PP
These configuration files control local DNS and LLMNR name resolution\&.
.SH "CONFIGURATION DIRECTORIES AND PRECEDENCE"
.PP
-The default configuration is set during compilation, so configuration is only needed when it is necessary to deviate from those defaults\&. The main configuration file is either in
-/usr/lib/systemd/
-or
-/etc/systemd/
-and contains commented out entries showing the defaults as a guide to the administrator\&. Local overrides can be created by creating drop\-ins, as described below\&. The main configuration file can also be edited for this purpose (or a copy in
+The default configuration is set during compilation, so configuration is only needed when it is necessary to deviate from those defaults\&. The main configuration file is loaded from one of the listed directories in order of priority, only the first file found is used:
+/etc/systemd/,
+/run/systemd/,
+/usr/local/lib/systemd/,
+/usr/lib/systemd/\&. The vendor version of the file contains commented out entries showing the defaults as a guide to the administrator\&. Local overrides can also be created by creating drop\-ins, as described below\&. The main configuration file can also be edited for this purpose (or a copy in
/etc/
-if it\*(Aqs shipped in
-/usr/) however using drop\-ins for local configuration is recommended over modifications to the main configuration file\&.
+if it\*(Aqs shipped under
+/usr/), however using drop\-ins for local configuration is recommended over modifications to the main configuration file\&.
.PP
-In addition to the "main" configuration file, drop\-in configuration snippets are read from
+In addition to the main configuration file, drop\-in configuration snippets are read from
/usr/lib/systemd/*\&.conf\&.d/,
/usr/local/lib/systemd/*\&.conf\&.d/, and
/etc/systemd/*\&.conf\&.d/\&. Those drop\-ins have higher precedence and override the main configuration file\&. Files in the
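Review bot: The rewritten precedence paragraph names four directories for the main configuration file, including /usr/local/lib/systemd/, but the new SYNOPSIS entries only add /run/systemd/resolved\&.conf and /usr/lib/systemd/resolved\&.conf, so the two lists disagree on where the file may live. The unchanged sentence that follows has the opposite gap: it says drop-ins are read from /usr/lib/, /usr/local/lib/ and /etc/, while the SYNOPSIS lists /run/systemd/resolved\&.conf\&.d/*\&.conf. Since an administrator auditing which file controls DNS behaviour relies on these lists, they should be made consistent. The sentence "in order of priority, only the first file found is used:" is also a comma splice; a semicolon or a separate sentence would make the first-match rule (a file in /etc/ or /run/ replaces the vendor file rather than merging with it) harder to misread.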
@@ -54,7 +65,12 @@ configuration subdirectories are sorted by their filename in lexicographic order
When packages need to customize the configuration, they can install drop\-ins under
/usr/\&. Files in
/etc/
-are reserved for the local administrator, who may use this logic to override the configuration files installed by vendor packages\&. Drop\-ins have to be used to override package drop\-ins, since the main configuration file has lower precedence\&. It is recommended to prefix all filenames in those subdirectories with a two\-digit number and a dash, to simplify the ordering of the files\&. This also defined a concept of drop\-in priority to allow distributions to ship drop\-ins within a specific range lower than the range used by users\&. This should lower the risk of package drop\-ins overriding accidentally drop\-ins defined by users\&.
+are reserved for the local administrator, who may use this logic to override the configuration files installed by vendor packages\&. Drop\-ins have to be used to override package drop\-ins, since the main configuration file has lower precedence\&. It is recommended to prefix all filenames in those subdirectories with a two\-digit number and a dash, to simplify the ordering of the files\&. This also defines a concept of drop\-in priorities to allow OS vendors to ship drop\-ins within a specific range lower than the range used by users\&. This should lower the risk of package drop\-ins overriding accidentally drop\-ins defined by users\&. It is recommended to use the range 10\-40 for drop\-ins in
+/usr/
+and the range 60\-90 for drop\-ins in
+/etc/
+and
+/run/, to make sure that local and transient drop\-ins take priority over drop\-ins shipped by the OS vendor\&.
.PP
To disable a configuration file supplied by the vendor, the recommended way is to place a symlink to
/dev/null
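Review bot: The new range recommendation (10\-40 for /usr/, 60\-90 for /etc/ and /run/) does not say how prefixes outside those ranges (00\-09, 41\-59, 91\-99) are meant to be used, so a drop-in numbered 95 under /usr/ would still sort after every local drop-in that follows the guidance. It would help to state that the ranges are a convention only and that ordering is still purely lexicographic by filename. While this sentence is being edited, "overriding accidentally drop\-ins defined by users" could also be reworded to "accidentally overriding drop\-ins defined by users".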
@@ -173,9 +189,7 @@ If set to true, all DNS lookups are DNSSEC\-validated locally (excluding LLMNR a
If set to
"allow\-downgrade", DNSSEC validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled\&. Note that this mode makes DNSSEC validation vulnerable to "downgrade" attacks, where an attacker might be able to trigger a downgrade to non\-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not supported\&.
.sp
-If set to false, DNS lookups are not DNSSEC validated\&. In this mode, or when set to
-"allow\-downgrade"
-and the downgrade has happened, the resolver becomes security\-unaware and all forwarded queries have DNSSEC OK (DO) bit unset\&.
+If set to false, DNS lookups are not DNSSEC validated\&.
.sp
Note that DNSSEC validation requires retrieval of additional DNS data, and thus results in a small DNS lookup time penalty\&.
.sp
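Review bot: The removed sentence in the DNSSEC=false paragraph was the only place that told the reader what happens on the wire, namely that with DNSSEC off, or after an "allow\-downgrade" fallback, the resolver is security\-unaware and forwards queries with the DNSSEC OK (DO) bit unset. After this hunk the page no longer says whether the DO bit is set in either case. If the behaviour changed, a sentence describing the new behaviour should replace the old one; if it did not, the sentence should stay, because anyone verifying DNSSEC posture from packet captures needs to know what to expect.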
@@ -366,11 +380,7 @@ Added in version 254\&.
.RE
.SH "SEE ALSO"
.PP
-\fBsystemd\fR(1),
-\fBsystemd-resolved.service\fR(8),
-\fBsystemd-networkd.service\fR(8),
-\fBdnssec-trust-anchors.d\fR(5),
-\fBresolv.conf\fR(5)
+\fBsystemd\fR(1), \fBsystemd-resolved.service\fR(8), \fBsystemd-networkd.service\fR(8), \fBdnssec-trust-anchors.d\fR(5), \fBresolv.conf\fR(5)
.SH "NOTES"
.IP " 1." 4
RFC 4795