core: add support for connection.dnssec

2026-02-04 04:50:30 +01:00 · 2025-09-08 11:21:26 +02:00 · 2025-09-08 11:21:26 +02:00 · 1dcd63ab5d
commit 1dcd63ab5d
parent 029f8be4c1
5 changed files with 101 additions and 2 deletions
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -899,7 +899,11 @@ ipv6.ip6-privacy=0
        </varlistentry>
        <varlistentry>
          <term><varname>connection.dns-over-tls</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><varname>connection.dnssec</varname></term>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.stable-id</varname></term>
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@ -1494,6 +1494,28 @@ _prop_get_connection_dns_over_tls(NMDevice *self)
                                                       NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);
 }

+static NMSettingConnectionDnssec
+_prop_get_connection_dnssec(NMDevice *self)
+{
+    NMConnection             *connection;
+    NMSettingConnectionDnssec dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
+
+    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
+
+    connection = nm_device_get_applied_connection(self);
+    if (connection)
+        dnssec = nm_setting_connection_get_dnssec(nm_connection_get_setting_connection(connection));
+    if (dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
+        return dnssec;
+
+    return nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
+                                                       NM_CON_DEFAULT("connection.dnssec"),
+                                                       self,
+                                                       NM_SETTING_CONNECTION_DNSSEC_NO,
+                                                       NM_SETTING_CONNECTION_DNSSEC_YES,
+                                                       NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
+}
+
 static NMMptcpFlags
 _prop_get_connection_mptcp_flags(NMDevice *self)
 {
@ -3613,6 +3635,7 @@ nm_device_create_l3_config_data_from_connection(NMDevice *self, NMConnection *co
    nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self));
    nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self));
    nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self));
+    nm_l3_config_data_set_dnssec(l3cd, _prop_get_connection_dnssec(self));
    nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self));
    nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self));
    return l3cd;
@ -14069,6 +14092,7 @@ can_reapply_change(NMDevice   *self,
                                                 NM_SETTING_CONNECTION_MDNS,
                                                 NM_SETTING_CONNECTION_LLMNR,
                                                 NM_SETTING_CONNECTION_DNS_OVER_TLS,
+                                                 NM_SETTING_CONNECTION_DNSSEC,
                                                 NM_SETTING_CONNECTION_MPTCP_FLAGS,
                                                 NM_SETTING_CONNECTION_WAIT_ACTIVATION_DELAY);
    }
@ -14327,6 +14351,7 @@ check_and_reapply_connection(NMDevice            *self,
                NM_SETTING_CONNECTION_MDNS,
                NM_SETTING_CONNECTION_LLMNR,
                NM_SETTING_CONNECTION_DNS_OVER_TLS,
+                NM_SETTING_CONNECTION_DNSSEC,
                NM_SETTING_CONNECTION_MPTCP_FLAGS)) {
            priv->ip_data_4.do_reapply = TRUE;
            priv->ip_data_6.do_reapply = TRUE;
--- a/src/core/dns/nm-dns-systemd-resolved.c
+++ b/src/core/dns/nm-dns-systemd-resolved.c
@ -37,6 +37,7 @@
 static const char *const DBUS_OP_SET_LINK_DEFAULT_ROUTE = "SetLinkDefaultRoute";
 static const char *const DBUS_OP_SET_LINK_DNS_OVER_TLS  = "SetLinkDNSOverTLS";
 static const char *const DBUS_OP_SET_LINK_DNS_EX        = "SetLinkDNSEx";
+static const char *const DBUS_OP_SET_LINK_DNSSEC        = "SetLinkDNSSEC";

 /*****************************************************************************/

@ -484,9 +485,11 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    NMSettingConnectionMdns       mdns              = NM_SETTING_CONNECTION_MDNS_DEFAULT;
    NMSettingConnectionLlmnr      llmnr             = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
    NMSettingConnectionDnsOverTls dns_over_tls      = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
+    NMSettingConnectionDnssec     dnssec            = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
    const char                   *mdns_arg          = NULL;
    const char                   *llmnr_arg         = NULL;
    const char                   *dns_over_tls_arg  = NULL;
+    const char                   *dnssec_arg        = NULL;
    gboolean                      has_config        = FALSE;
    gboolean                      has_default_route = FALSE;
    guint                         i;
@ -517,6 +520,7 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                llmnr = NM_MAX(llmnr, nm_l3_config_data_get_llmnr(ip_data->l3cd));
                dns_over_tls =
                    NM_MAX(dns_over_tls, nm_l3_config_data_get_dns_over_tls(ip_data->l3cd));
+                dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));
            }
        }
    }
@ -589,8 +593,24 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    }
    nm_assert(dns_over_tls_arg);

+    switch (dnssec) {
+    case NM_SETTING_CONNECTION_DNSSEC_NO:
+        dnssec_arg = "no";
+        break;
+    case NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE:
+        dnssec_arg = "allow-downgrade";
+        break;
+    case NM_SETTING_CONNECTION_DNSSEC_YES:
+        dnssec_arg = "yes";
+        break;
+    case NM_SETTING_CONNECTION_DNSSEC_DEFAULT:
+        dnssec_arg = "";
+        break;
+    }
+    nm_assert(dnssec_arg);
+
    if (!nm_str_is_empty(mdns_arg) || !nm_str_is_empty(llmnr_arg)
-        || !nm_str_is_empty(dns_over_tls_arg))
+        || !nm_str_is_empty(dns_over_tls_arg) || !nm_str_is_empty(dnssec_arg))
        has_config = TRUE;

    _request_item_append(self, "SetLinkDomains", ic->ifindex, g_variant_builder_end(&domains));
@ -618,6 +638,10 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                         DBUS_OP_SET_LINK_DNS_OVER_TLS,
                         ic->ifindex,
                         g_variant_new("(is)", ic->ifindex, dns_over_tls_arg ?: ""));
+    _request_item_append(self,
+                         DBUS_OP_SET_LINK_DNSSEC,
+                         ic->ifindex,
+                         g_variant_new("(is)", ic->ifindex, dnssec_arg ?: ""));

    return has_config;
 }
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@ -120,6 +120,7 @@ struct _NML3ConfigData {
    NMSettingConnectionMdns       mdns;
    NMSettingConnectionLlmnr      llmnr;
    NMSettingConnectionDnsOverTls dns_over_tls;
+    NMSettingConnectionDnssec     dnssec;
    NMUtilsIPv6IfaceId            ip6_token;

    NML3ConfigDatFlags flags;
@ -577,6 +578,16 @@ nm_l3_config_data_log(const NML3ConfigData *self,
                                           NULL)));
    }

+    if (self->dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
+        gs_free char *s = NULL;
+
+        _L("dnssec: %s",
+           (s = _nm_utils_enum_to_str_full(nm_setting_connection_dnssec_get_type(),
+                                           self->dnssec,
+                                           " ",
+                                           NULL)));
+    }
+
    if (self->mptcp_flags != NM_MPTCP_FLAGS_NONE) {
        gs_free char *s = NULL;

@ -694,6 +705,7 @@ nm_l3_config_data_new(NMDedupMultiIndex *multi_idx, int ifindex, NMIPConfigSourc
        .mdns                           = NM_SETTING_CONNECTION_MDNS_DEFAULT,
        .llmnr                          = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
        .dns_over_tls                   = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
+        .dnssec                         = NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
        .flags                          = NM_L3_CONFIG_DAT_FLAGS_NONE,
        .metered                        = NM_TERNARY_DEFAULT,
        .proxy_browser_only             = NM_TERNARY_DEFAULT,
@ -1767,6 +1779,26 @@ nm_l3_config_data_set_dns_over_tls(NML3ConfigData *self, NMSettingConnectionDnsO
    return TRUE;
 }

+NMSettingConnectionDnssec
+nm_l3_config_data_get_dnssec(const NML3ConfigData *self)
+{
+    nm_assert(_NM_IS_L3_CONFIG_DATA(self, TRUE));
+
+    return self->dnssec;
+}
+
+gboolean
+nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec)
+{
+    nm_assert(_NM_IS_L3_CONFIG_DATA(self, FALSE));
+
+    if (self->dnssec == dnssec)
+        return FALSE;
+
+    self->dnssec = dnssec;
+    return TRUE;
+}
+
 NMIPRouteTableSyncMode
 nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self, int addr_family)
 {
@ -2446,6 +2478,7 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
        NM_CMP_DIRECT(a->mdns, b->mdns);
        NM_CMP_DIRECT(a->llmnr, b->llmnr);
        NM_CMP_DIRECT(a->dns_over_tls, b->dns_over_tls);
+        NM_CMP_DIRECT(a->dnssec, b->dnssec);
    }

    if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_OTHER)) {
@ -3211,6 +3244,12 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
        empty = FALSE;
    }

+    val = nm_l3_config_data_get_dnssec(l3cd);
+    if (val != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
+        g_checksum_update(sum, (const guint8 *) &val, sizeof(val));
+        empty = FALSE;
+    }
+
    if (!empty) {
        int prio = 0;

@ -3461,6 +3500,9 @@ nm_l3_config_data_merge(NML3ConfigData       *self,
    if (self->dns_over_tls == NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT)
        self->dns_over_tls = src->dns_over_tls;

+    if (self->dnssec == NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
+        self->dnssec = src->dnssec;
+
    if (self->ip6_token.id == 0)
        self->ip6_token.id = src->ip6_token.id;

--- a/src/core/nm-l3-config-data.h
+++ b/src/core/nm-l3-config-data.h
@ -458,6 +458,10 @@ NMSettingConnectionDnsOverTls nm_l3_config_data_get_dns_over_tls(const NML3Confi
 gboolean nm_l3_config_data_set_dns_over_tls(NML3ConfigData               *self,
                                            NMSettingConnectionDnsOverTls dns_over_tls);

+NMSettingConnectionDnssec nm_l3_config_data_get_dnssec(const NML3ConfigData *self);
+
+gboolean nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec);
+
 NMIPRouteTableSyncMode nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self,
                                                              int                   addr_family);