diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index 3f9aec790b..65cad02cf9 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -899,7 +899,11 @@ ipv6.ip6-privacy=0
connection.dns-over-tls
- If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).
+ If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).
+
+
+ connection.dnssec
+ If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).
connection.stable-id
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 2c154b3256..21ba692855 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -1494,6 +1494,28 @@ _prop_get_connection_dns_over_tls(NMDevice *self)
NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);
}
+static NMSettingConnectionDnssec
+_prop_get_connection_dnssec(NMDevice *self)
+{
+ NMConnection *connection;
+ NMSettingConnectionDnssec dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
+
+ g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
+
+ connection = nm_device_get_applied_connection(self);
+ if (connection)
+ dnssec = nm_setting_connection_get_dnssec(nm_connection_get_setting_connection(connection));
+ if (dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
+ return dnssec;
+
+ return nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
+ NM_CON_DEFAULT("connection.dnssec"),
+ self,
+ NM_SETTING_CONNECTION_DNSSEC_NO,
+ NM_SETTING_CONNECTION_DNSSEC_YES,
+ NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
+}
+
static NMMptcpFlags
_prop_get_connection_mptcp_flags(NMDevice *self)
{
@@ -3613,6 +3635,7 @@ nm_device_create_l3_config_data_from_connection(NMDevice *self, NMConnection *co
nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self));
nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self));
nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self));
+ nm_l3_config_data_set_dnssec(l3cd, _prop_get_connection_dnssec(self));
nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self));
nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self));
return l3cd;
@@ -14069,6 +14092,7 @@ can_reapply_change(NMDevice *self,
NM_SETTING_CONNECTION_MDNS,
NM_SETTING_CONNECTION_LLMNR,
NM_SETTING_CONNECTION_DNS_OVER_TLS,
+ NM_SETTING_CONNECTION_DNSSEC,
NM_SETTING_CONNECTION_MPTCP_FLAGS,
NM_SETTING_CONNECTION_WAIT_ACTIVATION_DELAY);
}
@@ -14327,6 +14351,7 @@ check_and_reapply_connection(NMDevice *self,
NM_SETTING_CONNECTION_MDNS,
NM_SETTING_CONNECTION_LLMNR,
NM_SETTING_CONNECTION_DNS_OVER_TLS,
+ NM_SETTING_CONNECTION_DNSSEC,
NM_SETTING_CONNECTION_MPTCP_FLAGS)) {
priv->ip_data_4.do_reapply = TRUE;
priv->ip_data_6.do_reapply = TRUE;
diff --git a/src/core/dns/nm-dns-systemd-resolved.c b/src/core/dns/nm-dns-systemd-resolved.c
index 1caed844eb..172bd0bc6b 100644
--- a/src/core/dns/nm-dns-systemd-resolved.c
+++ b/src/core/dns/nm-dns-systemd-resolved.c
@@ -37,6 +37,7 @@
static const char *const DBUS_OP_SET_LINK_DEFAULT_ROUTE = "SetLinkDefaultRoute";
static const char *const DBUS_OP_SET_LINK_DNS_OVER_TLS = "SetLinkDNSOverTLS";
static const char *const DBUS_OP_SET_LINK_DNS_EX = "SetLinkDNSEx";
+static const char *const DBUS_OP_SET_LINK_DNSSEC = "SetLinkDNSSEC";
/*****************************************************************************/
@@ -484,9 +485,11 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
NMSettingConnectionMdns mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT;
NMSettingConnectionLlmnr llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
NMSettingConnectionDnsOverTls dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
+ NMSettingConnectionDnssec dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
const char *mdns_arg = NULL;
const char *llmnr_arg = NULL;
const char *dns_over_tls_arg = NULL;
+ const char *dnssec_arg = NULL;
gboolean has_config = FALSE;
gboolean has_default_route = FALSE;
guint i;
@@ -517,6 +520,7 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
llmnr = NM_MAX(llmnr, nm_l3_config_data_get_llmnr(ip_data->l3cd));
dns_over_tls =
NM_MAX(dns_over_tls, nm_l3_config_data_get_dns_over_tls(ip_data->l3cd));
+ dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));
}
}
}
@@ -589,8 +593,24 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
}
nm_assert(dns_over_tls_arg);
+ switch (dnssec) {
+ case NM_SETTING_CONNECTION_DNSSEC_NO:
+ dnssec_arg = "no";
+ break;
+ case NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE:
+ dnssec_arg = "allow-downgrade";
+ break;
+ case NM_SETTING_CONNECTION_DNSSEC_YES:
+ dnssec_arg = "yes";
+ break;
+ case NM_SETTING_CONNECTION_DNSSEC_DEFAULT:
+ dnssec_arg = "";
+ break;
+ }
+ nm_assert(dnssec_arg);
+
if (!nm_str_is_empty(mdns_arg) || !nm_str_is_empty(llmnr_arg)
- || !nm_str_is_empty(dns_over_tls_arg))
+ || !nm_str_is_empty(dns_over_tls_arg) || !nm_str_is_empty(dnssec_arg))
has_config = TRUE;
_request_item_append(self, "SetLinkDomains", ic->ifindex, g_variant_builder_end(&domains));
@@ -618,6 +638,10 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
DBUS_OP_SET_LINK_DNS_OVER_TLS,
ic->ifindex,
g_variant_new("(is)", ic->ifindex, dns_over_tls_arg ?: ""));
+ _request_item_append(self,
+ DBUS_OP_SET_LINK_DNSSEC,
+ ic->ifindex,
+ g_variant_new("(is)", ic->ifindex, dnssec_arg ?: ""));
return has_config;
}
diff --git a/src/core/nm-l3-config-data.c b/src/core/nm-l3-config-data.c
index 666aa8a38c..328f59b6ce 100644
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@@ -120,6 +120,7 @@ struct _NML3ConfigData {
NMSettingConnectionMdns mdns;
NMSettingConnectionLlmnr llmnr;
NMSettingConnectionDnsOverTls dns_over_tls;
+ NMSettingConnectionDnssec dnssec;
NMUtilsIPv6IfaceId ip6_token;
NML3ConfigDatFlags flags;
@@ -577,6 +578,16 @@ nm_l3_config_data_log(const NML3ConfigData *self,
NULL)));
}
+ if (self->dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
+ gs_free char *s = NULL;
+
+ _L("dnssec: %s",
+ (s = _nm_utils_enum_to_str_full(nm_setting_connection_dnssec_get_type(),
+ self->dnssec,
+ " ",
+ NULL)));
+ }
+
if (self->mptcp_flags != NM_MPTCP_FLAGS_NONE) {
gs_free char *s = NULL;
@@ -694,6 +705,7 @@ nm_l3_config_data_new(NMDedupMultiIndex *multi_idx, int ifindex, NMIPConfigSourc
.mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT,
.llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
.dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
+ .dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
.flags = NM_L3_CONFIG_DAT_FLAGS_NONE,
.metered = NM_TERNARY_DEFAULT,
.proxy_browser_only = NM_TERNARY_DEFAULT,
@@ -1767,6 +1779,26 @@ nm_l3_config_data_set_dns_over_tls(NML3ConfigData *self, NMSettingConnectionDnsO
return TRUE;
}
+NMSettingConnectionDnssec
+nm_l3_config_data_get_dnssec(const NML3ConfigData *self)
+{
+ nm_assert(_NM_IS_L3_CONFIG_DATA(self, TRUE));
+
+ return self->dnssec;
+}
+
+gboolean
+nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec)
+{
+ nm_assert(_NM_IS_L3_CONFIG_DATA(self, FALSE));
+
+ if (self->dnssec == dnssec)
+ return FALSE;
+
+ self->dnssec = dnssec;
+ return TRUE;
+}
+
NMIPRouteTableSyncMode
nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self, int addr_family)
{
@@ -2446,6 +2478,7 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
NM_CMP_DIRECT(a->mdns, b->mdns);
NM_CMP_DIRECT(a->llmnr, b->llmnr);
NM_CMP_DIRECT(a->dns_over_tls, b->dns_over_tls);
+ NM_CMP_DIRECT(a->dnssec, b->dnssec);
}
if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_OTHER)) {
@@ -3211,6 +3244,12 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
empty = FALSE;
}
+ val = nm_l3_config_data_get_dnssec(l3cd);
+ if (val != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
+ g_checksum_update(sum, (const guint8 *) &val, sizeof(val));
+ empty = FALSE;
+ }
+
if (!empty) {
int prio = 0;
@@ -3461,6 +3500,9 @@ nm_l3_config_data_merge(NML3ConfigData *self,
if (self->dns_over_tls == NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT)
self->dns_over_tls = src->dns_over_tls;
+ if (self->dnssec == NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
+ self->dnssec = src->dnssec;
+
if (self->ip6_token.id == 0)
self->ip6_token.id = src->ip6_token.id;
diff --git a/src/core/nm-l3-config-data.h b/src/core/nm-l3-config-data.h
index 265e126d89..4102b6e137 100644
--- a/src/core/nm-l3-config-data.h
+++ b/src/core/nm-l3-config-data.h
@@ -458,6 +458,10 @@ NMSettingConnectionDnsOverTls nm_l3_config_data_get_dns_over_tls(const NML3Confi
gboolean nm_l3_config_data_set_dns_over_tls(NML3ConfigData *self,
NMSettingConnectionDnsOverTls dns_over_tls);
+NMSettingConnectionDnssec nm_l3_config_data_get_dnssec(const NML3ConfigData *self);
+
+gboolean nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec);
+
NMIPRouteTableSyncMode nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self,
int addr_family);