resolved: properly check per-link NTA list

We need to check for parent domains too. We did this correctly for the
system-wide NTA list, but not for the per-link one. Let's fix that.

src/resolve/resolved-dns-transaction.c

@@ -1887,7 +1887,7 @@ static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const
         if (!t->scope->link)
                 return 0;
 
-        return set_contains(t->scope->link->dnssec_negative_trust_anchors, name);
+        return link_negative_trust_anchor_lookup(t->scope->link, name);
 }
 
 static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {

src/resolve/resolved-link.c

@@ -1407,3 +1407,26 @@ void link_remove_user(Link *l) {
 
         (void) unlink(l->state_file);
 }
+
+bool link_negative_trust_anchor_lookup(Link *l, const char *name) {
+        int r;
+
+        assert(l);
+        assert(name);
+
+        /* Checks whether the specified domain (or any of its parent domains) are listed as per-link NTA. */
+
+        for (;;) {
+                if (set_contains(l->dnssec_negative_trust_anchors, name))
+                        return true;
+
+                /* And now, let's look at the parent, and check that too */
+                r = dns_name_parent(&name);
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        break;
+        }
+
+        return false;
+}

src/resolve/resolved-link.h

@@ -108,4 +108,6 @@ int link_address_update_rtnl(LinkAddress *a, sd_netlink_message *m);
 bool link_address_relevant(LinkAddress *l, bool local_multicast);
 void link_address_add_rrs(LinkAddress *a, bool force_remove);
 
+bool link_negative_trust_anchor_lookup(Link *l, const char *name);
+
 DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_free);