diff --git a/src/libnm-client-impl/libnm.ver b/src/libnm-client-impl/libnm.ver
index bcc2ed8453..80f779c190 100644
--- a/src/libnm-client-impl/libnm.ver
+++ b/src/libnm-client-impl/libnm.ver
@@ -2083,4 +2083,6 @@ global:
nm_setting_gsm_get_device_uid;
nm_setting_hsr_get_protocol_version;
nm_setting_hsr_protocol_version_get_type;
+ nm_setting_connection_get_dnssec;
+ nm_setting_connection_dnssec_get_type;
} libnm_1_54_0;
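Review bot: The two new exports are appended after `nm_setting_hsr_protocol_version_get_type;` instead of being placed in sorted position, while the visible context lines are in alphabetical order. The order I would expect is `nm_setting_connection_dnssec_get_type;` then `nm_setting_connection_get_dnssec;`, both ahead of the `nm_setting_gsm_*` entry. The `test_types` hunk in test-libnm.c has the same ordering issue, where `G(nm_setting_connection_dns_over_tls_get_type)` and `G(nm_setting_connection_dnssec_get_type)` are inserted after the `mdns` entry. The opening line of this version node is outside the hunk, so please confirm it is the 1.56 node, matching the `Since: 1.56` and `NM_AVAILABLE_IN_1_56` annotations elsewhere in the commit.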
diff --git a/src/libnm-client-impl/tests/test-libnm.c b/src/libnm-client-impl/tests/test-libnm.c
index f56521a492..b30d02a581 100644
--- a/src/libnm-client-impl/tests/test-libnm.c
+++ b/src/libnm-client-impl/tests/test-libnm.c
@@ -2756,6 +2756,8 @@ test_types(void)
G(nm_setting_connection_lldp_get_type),
G(nm_setting_connection_llmnr_get_type),
G(nm_setting_connection_mdns_get_type),
+ G(nm_setting_connection_dns_over_tls_get_type),
+ G(nm_setting_connection_dnssec_get_type),
G(nm_setting_dcb_flags_get_type),
G(nm_setting_dcb_get_type),
G(nm_setting_diff_result_get_type),
diff --git a/src/libnm-core-impl/gen-metadata-nm-settings-libnm-core.xml.in b/src/libnm-core-impl/gen-metadata-nm-settings-libnm-core.xml.in
index 1836efd03f..f584ee5d2c 100644
--- a/src/libnm-core-impl/gen-metadata-nm-settings-libnm-core.xml.in
+++ b/src/libnm-core-impl/gen-metadata-nm-settings-libnm-core.xml.in
@@ -810,6 +810,10 @@
dbus-type="i"
gprop-type="gint"
/>
+
dns_over_tls;
}
+/**
+ * nm_setting_connection_get_dnssec:
+ * @setting: the #NMSettingConnection
+ *
+ * Returns: the #NMSettingConnection:dnssec property of the setting.
+ *
+ * Since: 1.56
+ **/
+NMSettingConnectionDnssec
+nm_setting_connection_get_dnssec(NMSettingConnection *setting)
+{
+ g_return_val_if_fail(NM_IS_SETTING_CONNECTION(setting), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
+
+ return NM_SETTING_CONNECTION_GET_PRIVATE(setting)->dnssec;
+}
+
/**
* nm_setting_connection_get_mptcp_flags:
* @setting: the #NMSettingConnection
@@ -3406,6 +3424,33 @@ nm_setting_connection_class_init(NMSettingConnectionClass *klass)
NMSettingConnectionPrivate,
dns_over_tls);
+ /**
+ * NMSettingConnection:dnssec:
+ *
+ * Whether DNSSEC (dnssec) is enabled for the connection.
+ *
+ * The permitted values are: "yes" (2) use DNSSEC and disable fallback,
+ * "allow-downgrade" (1) use DNSSEC but allow fallback if the server does not support it,
+ * "no" (0) don't ever use DNSSEC.
+ * The effect of "default" (-1) depends on the dns plugin used.
+ * Systemd-resolved uses its global setting in this case.
+ *
+ * This feature requires a plugin which supports DNSSEC. Otherwise, the
+ * setting has no effect. One such plugin is systemd-resolved.
+ *
+ * Since: 1.56
+ **/
+ _nm_setting_property_define_direct_enum(properties_override,
+ obj_properties,
+ NM_SETTING_CONNECTION_DNSSEC,
+ PROP_DNSSEC,
+ NM_TYPE_SETTING_CONNECTION_DNSSEC,
+ NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
+ NM_SETTING_PARAM_NONE,
+ NULL,
+ NMSettingConnectionPrivate,
+ dnssec);
+
/* Notes about "mptcp-flags":
*
* It is a bit odd that NMMptcpFlags mixes flags with different purposes:
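Review bot: The `NMSettingConnection:dnssec` doc comment describes "allow-downgrade" (1) only as a fallback for servers without DNSSEC support, and omits that this mode does not protect against a downgrade forced by forged responses, which resolved.conf(5) documents for the same mode. I would add a sentence such as `Note that "allow-downgrade" is vulnerable to downgrade attacks where a forged response suggests the server lacks DNSSEC support; use "yes" where validation must be enforced.` It would also help to state that with "default" (-1) the effective mode is not determined by the profile, since the text says it depends on the DNS plugin and, for systemd-resolved, on its global setting. The enum doc in nm-setting-connection.h (`@NM_SETTING_CONNECTION_DNSSEC_DEFAULT: default value`) could carry the same wording, and the generated string in settings-docs.h.in would need regenerating. `nm_setting_connection_class_init` starts and ends outside this hunk.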
diff --git a/src/libnm-core-impl/tests/test-general.c b/src/libnm-core-impl/tests/test-general.c
index 8f9daacdcc..cd48004538 100644
--- a/src/libnm-core-impl/tests/test-general.c
+++ b/src/libnm-core-impl/tests/test-general.c
@@ -4032,6 +4032,7 @@ test_connection_diff_a_only(void)
{NM_SETTING_CONNECTION_MDNS, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_LLMNR, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_DNS_OVER_TLS, NM_SETTING_DIFF_RESULT_IN_A},
+ {NM_SETTING_CONNECTION_DNSSEC, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_MPTCP_FLAGS, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_MUD_URL, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_WAIT_DEVICE_TIMEOUT, NM_SETTING_DIFF_RESULT_IN_A},
diff --git a/src/libnm-core-public/nm-setting-connection.h b/src/libnm-core-public/nm-setting-connection.h
index 6547c5be9f..51cf99fb81 100644
--- a/src/libnm-core-public/nm-setting-connection.h
+++ b/src/libnm-core-public/nm-setting-connection.h
@@ -60,6 +60,7 @@ G_BEGIN_DECLS
#define NM_SETTING_CONNECTION_MDNS "mdns"
#define NM_SETTING_CONNECTION_LLMNR "llmnr"
#define NM_SETTING_CONNECTION_DNS_OVER_TLS "dns-over-tls"
+#define NM_SETTING_CONNECTION_DNSSEC "dnssec"
#define NM_SETTING_CONNECTION_MPTCP_FLAGS "mptcp-flags"
#define NM_SETTING_CONNECTION_WAIT_DEVICE_TIMEOUT "wait-device-timeout"
#define NM_SETTING_CONNECTION_MUD_URL "mud-url"
@@ -162,6 +163,24 @@ typedef enum {
NM_SETTING_CONNECTION_DNS_OVER_TLS_YES = 2,
} NMSettingConnectionDnsOverTls;
+/**
+ * NMSettingConnectionDnssec:
+ * @NM_SETTING_CONNECTION_DNSSEC_DEFAULT: default value
+ * @NM_SETTING_CONNECTION_DNSSEC_NO: disable DNSSEC
+ * @NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE: enable DNSSEC but allow fallback to non-DNSSEC mode
+ * @NM_SETTING_CONNECTION_DNSSEC_YES: force enable DNSSEC
+ *
+ * #NMSettingConnectionDnssec values indicate whether DNSSEC should be enabled.
+ *
+ * Since: 1.56
+ */
+typedef enum {
+ NM_SETTING_CONNECTION_DNSSEC_DEFAULT = -1,
+ NM_SETTING_CONNECTION_DNSSEC_NO = 0,
+ NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE = 1,
+ NM_SETTING_CONNECTION_DNSSEC_YES = 2,
+} NMSettingConnectionDnssec;
+
/**
* NMSettingConnectionDownOnPoweroff:
* @NM_SETTING_CONNECTION_DOWN_ON_POWEROFF_DEFAULT: default value
@@ -304,6 +323,9 @@ void nm_setting_connection_clear_ip_ping_addresses(NMSettingConnection *setting)
NM_AVAILABLE_IN_1_52
NMTernary nm_setting_connection_get_ip_ping_addresses_require_all(NMSettingConnection *setting);
+NM_AVAILABLE_IN_1_56
+NMSettingConnectionDnssec nm_setting_connection_get_dnssec(NMSettingConnection *setting);
+
G_END_DECLS
#endif /* __NM_SETTING_CONNECTION_H__ */
diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in
index 3fd2966bce..0db894d17f 100644
--- a/src/libnmc-setting/settings-docs.h.in
+++ b/src/libnmc-setting/settings-docs.h.in
@@ -8,6 +8,7 @@
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES N_("Whether or not ports of this connection should be automatically brought up when NetworkManager activates this connection. This only has a real effect for controller connections. The properties \"autoconnect\", \"autoconnect-priority\" and \"autoconnect-retries\" are unrelated to this setting. The permitted values are: 0: leave port connections untouched, 1: activate all the port connections with this connection, -1: default. If -1 (default) is set, global connection.autoconnect-slaves is read to determine the real value. If it is default as well, this fallbacks to 0. Deprecated 1.46. Use \"autoconnect-ports\" instead, this is just an alias.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_CONTROLLER N_("Interface name of the controller device or UUID of the controller connection.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_DNS_OVER_TLS N_("Whether DNSOverTls (dns-over-tls) is enabled for the connection. DNSOverTls is a technology which uses TLS to encrypt dns traffic. The permitted values are: \"yes\" (2) use DNSOverTls and disabled fallback, \"opportunistic\" (1) use DNSOverTls but allow fallback to unencrypted resolution, \"no\" (0) don't ever use DNSOverTls. If unspecified \"default\" depends on the plugin used. Systemd-resolved uses global setting. This feature requires a plugin which supports DNSOverTls. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved.")
+#define DESCRIBE_DOC_NM_SETTING_CONNECTION_DNSSEC N_("Whether DNSSEC (dnssec) is enabled for the connection. The permitted values are: \"yes\" (2) use DNSSEC and disable fallback, \"allow-downgrade\" (1) use DNSSEC but allow fallback if the server does not support it, \"no\" (0) don't ever use DNSSEC. The effect of \"default\" (-1) depends on the dns plugin used. Systemd-resolved uses its global setting in this case. This feature requires a plugin which supports DNSSEC. Otherwise, the setting has no effect. One such plugin is systemd-resolved.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_DOWN_ON_POWEROFF N_("Whether the connection will be brought down before the system is powered off. The default value is \"default\" (-1). When the default value is specified, then the global value from NetworkManager configuration is looked up, if not set, it is considered as \"no\" (0).")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_GATEWAY_PING_TIMEOUT N_("If greater than zero, delay success of IP addressing until either the timeout is reached, or an IP gateway replies to a ping.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_ID N_("A human readable unique identifier for the connection, like \"Work Wi-Fi\" or \"T-Mobile 3G\".")