libnm-core: Add connection.dnssec property

src/libnm-client-impl/libnm.ver

@@ -2083,4 +2083,6 @@ global:
 	nm_setting_gsm_get_device_uid;
 	nm_setting_hsr_get_protocol_version;
 	nm_setting_hsr_protocol_version_get_type;
+	nm_setting_connection_get_dnssec;
+	nm_setting_connection_dnssec_get_type;
 } libnm_1_54_0;

src/libnm-client-impl/tests/test-libnm.c

@@ -2756,6 +2756,8 @@ test_types(void)
         G(nm_setting_connection_lldp_get_type),
         G(nm_setting_connection_llmnr_get_type),
         G(nm_setting_connection_mdns_get_type),
+        G(nm_setting_connection_dns_over_tls_get_type),
+        G(nm_setting_connection_dnssec_get_type),
         G(nm_setting_dcb_flags_get_type),
         G(nm_setting_dcb_get_type),
         G(nm_setting_diff_result_get_type),

src/libnm-core-impl/gen-metadata-nm-settings-libnm-core.xml.in

@@ -810,6 +810,10 @@
                   dbus-type="i"
                   gprop-type="gint"
                   />
+        <property name="dnssec"
+                  dbus-type="i"
+                  gprop-type="gint"
+                  />
         <property name="down-on-poweroff"
                   dbus-type="i"
                   gprop-type="gint"

src/libnm-core-impl/nm-setting-connection.c

@@ -71,6 +71,7 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMSettingConnection,
                              PROP_MDNS,
                              PROP_LLMNR,
                              PROP_DNS_OVER_TLS,
+                             PROP_DNSSEC,
                              PROP_MPTCP_FLAGS,
                              PROP_STABLE_ID,
                              PROP_AUTH_RETRIES,
@@ -103,6 +104,7 @@ typedef struct {
     gint32      mdns;
     gint32      llmnr;
     gint32      dns_over_tls;
+    gint32      dnssec;
     gint32      wait_device_timeout;
     gint32      lldp;
     gint32      wait_activation_delay;
@@ -1293,6 +1295,22 @@ nm_setting_connection_get_dns_over_tls(NMSettingConnection *setting)
     return NM_SETTING_CONNECTION_GET_PRIVATE(setting)->dns_over_tls;
 }
 
+/**
+ * nm_setting_connection_get_dnssec:
+ * @setting: the #NMSettingConnection
+ *
+ * Returns: the #NMSettingConnection:dnssec property of the setting.
+ *
+ * Since: 1.56
+ **/
+NMSettingConnectionDnssec
+nm_setting_connection_get_dnssec(NMSettingConnection *setting)
+{
+    g_return_val_if_fail(NM_IS_SETTING_CONNECTION(setting), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
+
+    return NM_SETTING_CONNECTION_GET_PRIVATE(setting)->dnssec;
+}
+
 /**
  * nm_setting_connection_get_mptcp_flags:
  * @setting: the #NMSettingConnection
@@ -3406,6 +3424,33 @@ nm_setting_connection_class_init(NMSettingConnectionClass *klass)
                                              NMSettingConnectionPrivate,
                                              dns_over_tls);
 
+    /**
+     * NMSettingConnection:dnssec:
+     *
+     * Whether DNSSEC (dnssec) is enabled for the connection.
+     *
+     * The permitted values are: "yes" (2) use DNSSEC and disable fallback,
+     * "allow-downgrade" (1) use DNSSEC but allow fallback if the server does not support it,
+     * "no" (0) don't ever use DNSSEC.
+     * The effect of "default" (-1) depends on the dns plugin used.
+     * Systemd-resolved uses its global setting in this case.
+     *
+     * This feature requires a plugin which supports DNSSEC. Otherwise, the
+     * setting has no effect. One such plugin is systemd-resolved.
+     *
+     * Since: 1.56
+     **/
+    _nm_setting_property_define_direct_enum(properties_override,
+                                            obj_properties,
+                                            NM_SETTING_CONNECTION_DNSSEC,
+                                            PROP_DNSSEC,
+                                            NM_TYPE_SETTING_CONNECTION_DNSSEC,
+                                            NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
+                                            NM_SETTING_PARAM_NONE,
+                                            NULL,
+                                            NMSettingConnectionPrivate,
+                                            dnssec);
+
     /* Notes about "mptcp-flags":
      *
      * It is a bit odd that NMMptcpFlags mixes flags with different purposes:

src/libnm-core-impl/tests/test-general.c

@@ -4032,6 +4032,7 @@ test_connection_diff_a_only(void)
           {NM_SETTING_CONNECTION_MDNS, NM_SETTING_DIFF_RESULT_IN_A},
           {NM_SETTING_CONNECTION_LLMNR, NM_SETTING_DIFF_RESULT_IN_A},
           {NM_SETTING_CONNECTION_DNS_OVER_TLS, NM_SETTING_DIFF_RESULT_IN_A},
+          {NM_SETTING_CONNECTION_DNSSEC, NM_SETTING_DIFF_RESULT_IN_A},
           {NM_SETTING_CONNECTION_MPTCP_FLAGS, NM_SETTING_DIFF_RESULT_IN_A},
           {NM_SETTING_CONNECTION_MUD_URL, NM_SETTING_DIFF_RESULT_IN_A},
           {NM_SETTING_CONNECTION_WAIT_DEVICE_TIMEOUT, NM_SETTING_DIFF_RESULT_IN_A},

src/libnm-core-public/nm-setting-connection.h

@@ -60,6 +60,7 @@ G_BEGIN_DECLS
 #define NM_SETTING_CONNECTION_MDNS                          "mdns"
 #define NM_SETTING_CONNECTION_LLMNR                         "llmnr"
 #define NM_SETTING_CONNECTION_DNS_OVER_TLS                  "dns-over-tls"
+#define NM_SETTING_CONNECTION_DNSSEC                        "dnssec"
 #define NM_SETTING_CONNECTION_MPTCP_FLAGS                   "mptcp-flags"
 #define NM_SETTING_CONNECTION_WAIT_DEVICE_TIMEOUT           "wait-device-timeout"
 #define NM_SETTING_CONNECTION_MUD_URL                       "mud-url"
@@ -162,6 +163,24 @@ typedef enum {
     NM_SETTING_CONNECTION_DNS_OVER_TLS_YES           = 2,
 } NMSettingConnectionDnsOverTls;
 
+/**
+ * NMSettingConnectionDnssec:
+ * @NM_SETTING_CONNECTION_DNSSEC_DEFAULT: default value
+ * @NM_SETTING_CONNECTION_DNSSEC_NO: disable DNSSEC
+ * @NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE: enable DNSSEC but allow fallback to non-DNSSEC mode
+ * @NM_SETTING_CONNECTION_DNSSEC_YES: force enable DNSSEC
+ *
+ * #NMSettingConnectionDnssec values indicate whether DNSSEC should be enabled.
+ *
+ * Since: 1.56
+ */
+typedef enum {
+    NM_SETTING_CONNECTION_DNSSEC_DEFAULT         = -1,
+    NM_SETTING_CONNECTION_DNSSEC_NO              = 0,
+    NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE = 1,
+    NM_SETTING_CONNECTION_DNSSEC_YES             = 2,
+} NMSettingConnectionDnssec;
+
 /**
  * NMSettingConnectionDownOnPoweroff:
  * @NM_SETTING_CONNECTION_DOWN_ON_POWEROFF_DEFAULT: default value
@@ -304,6 +323,9 @@ void nm_setting_connection_clear_ip_ping_addresses(NMSettingConnection *setting)
 NM_AVAILABLE_IN_1_52
 NMTernary nm_setting_connection_get_ip_ping_addresses_require_all(NMSettingConnection *setting);
 
+NM_AVAILABLE_IN_1_56
+NMSettingConnectionDnssec nm_setting_connection_get_dnssec(NMSettingConnection *setting);
+
 G_END_DECLS
 
 #endif /* __NM_SETTING_CONNECTION_H__ */

src/libnmc-setting/settings-docs.h.in

@@ -8,6 +8,7 @@
 #define DESCRIBE_DOC_NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES N_("Whether or not ports of this connection should be automatically brought up when NetworkManager activates this connection. This only has a real effect for controller connections. The properties \"autoconnect\", \"autoconnect-priority\" and \"autoconnect-retries\" are unrelated to this setting. The permitted values are: 0: leave port connections untouched, 1: activate all the port connections with this connection, -1: default. If -1 (default) is set, global connection.autoconnect-slaves is read to determine the real value. If it is default as well, this fallbacks to 0. Deprecated 1.46. Use \"autoconnect-ports\" instead, this is just an alias.")
 #define DESCRIBE_DOC_NM_SETTING_CONNECTION_CONTROLLER N_("Interface name of the controller device or UUID of the controller connection.")
 #define DESCRIBE_DOC_NM_SETTING_CONNECTION_DNS_OVER_TLS N_("Whether DNSOverTls (dns-over-tls) is enabled for the connection. DNSOverTls is a technology which uses TLS to encrypt dns traffic. The permitted values are: \"yes\" (2) use DNSOverTls and disabled fallback, \"opportunistic\" (1) use DNSOverTls but allow fallback to unencrypted resolution, \"no\" (0) don't ever use DNSOverTls. If unspecified \"default\" depends on the plugin used. Systemd-resolved uses global setting. This feature requires a plugin which supports DNSOverTls. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved.")
+#define DESCRIBE_DOC_NM_SETTING_CONNECTION_DNSSEC N_("Whether DNSSEC (dnssec) is enabled for the connection. The permitted values are: \"yes\" (2) use DNSSEC and disable fallback, \"allow-downgrade\" (1) use DNSSEC but allow fallback if the server does not support it, \"no\" (0) don't ever use DNSSEC. The effect of \"default\" (-1) depends on the dns plugin used. Systemd-resolved uses its global setting in this case. This feature requires a plugin which supports DNSSEC. Otherwise, the setting has no effect. One such plugin is systemd-resolved.")
 #define DESCRIBE_DOC_NM_SETTING_CONNECTION_DOWN_ON_POWEROFF N_("Whether the connection will be brought down before the system is powered off.  The default value is \"default\" (-1). When the default value is specified, then the global value from NetworkManager configuration is looked up, if not set, it is considered as \"no\" (0).")
 #define DESCRIBE_DOC_NM_SETTING_CONNECTION_GATEWAY_PING_TIMEOUT N_("If greater than zero, delay success of IP addressing until either the timeout is reached, or an IP gateway replies to a ping.")
 #define DESCRIBE_DOC_NM_SETTING_CONNECTION_ID N_("A human readable unique identifier for the connection, like \"Work Wi-Fi\" or \"T-Mobile 3G\".")