From c69fa7e3c44240bedc0ee1bd89fecf954783ac85 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 19 Jan 2016 21:48:01 +0100
Subject: [PATCH] resolved: rework DNSSECSupported property

Not only report whether the server actually supports DNSSEC, but also first check whether DNSSEC is actually enabled
for it in our local configuration.

Also, export a per-link DNSSECSupported property in addition to the existing manager-wide property.
---
 src/resolve/resolved-bus.c       | 16 +---------------
 src/resolve/resolved-dns-scope.c |  8 +++-----
 src/resolve/resolved-link-bus.c  | 18 ++++++++++++++++++
 src/resolve/resolved-link.c      | 24 ++++++++++++++++++++++++
 src/resolve/resolved-link.h      |  3 +++
 src/resolve/resolved-manager.c   | 30 ++++++++++++++++++++++++++++++
 src/resolve/resolved-manager.h   |  3 +++
 7 files changed, 82 insertions(+), 20 deletions(-)

diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c
index 666135660f..9110ea52a6 100644
--- a/src/resolve/resolved-bus.c
+++ b/src/resolve/resolved-bus.c
@@ -1309,25 +1309,11 @@ static int bus_property_get_dnssec_supported(
                 sd_bus_error *error) {
 
         Manager *m = userdata;
-        DnsServer *server;
-        bool supported = true;
-        Iterator i;
-        Link *l;
 
         assert(reply);
         assert(m);
 
-        server = manager_get_dns_server(m);
-        if (server)
-                supported = supported && dns_server_dnssec_supported(server);
-
-        HASHMAP_FOREACH(l, m->links, i) {
-                server = link_get_dns_server(l);
-                if (server)
-                        supported = supported && dns_server_dnssec_supported(server);
-        }
-
-        return sd_bus_message_append(reply, "b", supported);
+        return sd_bus_message_append(reply, "b", manager_dnssec_supported(m));
 }
 
 static int bus_method_reset_statistics(sd_bus_message *message, void *userdata, sd_bus_error *error) {
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index dd3609bd12..8a52d66fad 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -67,11 +67,9 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int
                  * changes. */
 
                 if (l)
-                        s->dnssec_mode = l->dnssec_mode;
-                if (s->dnssec_mode == _DNSSEC_MODE_INVALID)
-                        s->dnssec_mode = m->dnssec_mode;
-                if (s->dnssec_mode == _DNSSEC_MODE_INVALID)
-                        s->dnssec_mode = DNSSEC_NO;
+                        s->dnssec_mode = link_get_dnssec_mode(l);
+                else
+                        s->dnssec_mode = manager_get_dnssec_mode(m);
         }
 
         LIST_PREPEND(scopes, m->dns_scopes, s);
diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c
index 3fec92545d..20352a3e51 100644
--- a/src/resolve/resolved-link-bus.c
+++ b/src/resolve/resolved-link-bus.c
@@ -142,6 +142,23 @@ static int property_get_ntas(
         return sd_bus_message_close_container(reply);
 }
 
+static int property_get_dnssec_supported(
+                sd_bus *bus,
+                const char *path,
+                const char *interface,
+                const char *property,
+                sd_bus_message *reply,
+                void *userdata,
+                sd_bus_error *error) {
+
+        Link *l = userdata;
+
+        assert(reply);
+        assert(l);
+
+        return sd_bus_message_append(reply, "b", link_dnssec_supported(l));
+}
+
 int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_bus_error *error) {
         _cleanup_free_ struct in_addr_data *dns = NULL;
         size_t allocated = 0, n = 0;
@@ -418,6 +435,7 @@ const sd_bus_vtable link_vtable[] = {
         SD_BUS_PROPERTY("MulticastDNS", "s", property_get_resolve_support, offsetof(Link, mdns_support), 0),
         SD_BUS_PROPERTY("DNSSEC", "s", property_get_dnssec_mode, offsetof(Link, dnssec_mode), 0),
         SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", property_get_ntas, 0, 0),
+        SD_BUS_PROPERTY("DNSSECSupport", "b", property_get_dnssec_supported, 0, 0),
 
         SD_BUS_METHOD("SetDNS", "a(iay)", NULL, bus_link_method_set_dns_servers, 0),
         SD_BUS_METHOD("SetDomains", "as", NULL, bus_link_method_set_search_domains, 0),
diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c
index 6f37da46b0..b203f19dbb 100644
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -580,6 +580,30 @@ void link_next_dns_server(Link *l) {
         link_set_dns_server(l, l->dns_servers);
 }
 
+DnssecMode link_get_dnssec_mode(Link *l) {
+        assert(l);
+
+        if (l->dnssec_mode != _DNSSEC_MODE_INVALID)
+                return l->dnssec_mode;
+
+        return manager_get_dnssec_mode(l->manager);
+}
+
+bool link_dnssec_supported(Link *l) {
+        DnsServer *server;
+
+        assert(l);
+
+        if (link_get_dnssec_mode(l) == DNSSEC_NO)
+                return false;
+
+        server = link_get_dns_server(l);
+        if (server)
+                return dns_server_dnssec_supported(server);
+
+        return true;
+}
+
 int link_address_new(Link *l, LinkAddress **ret, int family, const union in_addr_union *in_addr) {
         LinkAddress *a;
 
diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h
index d2acf71132..6544214b77 100644
--- a/src/resolve/resolved-link.h
+++ b/src/resolve/resolved-link.h
@@ -100,6 +100,9 @@ DnsServer* link_set_dns_server(Link *l, DnsServer *s);
 DnsServer* link_get_dns_server(Link *l);
 void link_next_dns_server(Link *l);
 
+DnssecMode link_get_dnssec_mode(Link *l);
+bool link_dnssec_supported(Link *l);
+
 int link_address_new(Link *l, LinkAddress **ret, int family, const union in_addr_union *in_addr);
 LinkAddress *link_address_free(LinkAddress *a);
 int link_address_update_rtnl(LinkAddress *a, sd_netlink_message *m);
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index b17a19d331..d6d75a3f78 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -1173,3 +1173,33 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains) {
 
         return 0;
 }
+
+DnssecMode manager_get_dnssec_mode(Manager *m) {
+        assert(m);
+
+        if (m->dnssec_mode != _DNSSEC_MODE_INVALID)
+                return m->dnssec_mode;
+
+        return DNSSEC_NO;
+}
+
+bool manager_dnssec_supported(Manager *m) {
+        DnsServer *server;
+        Iterator i;
+        Link *l;
+
+        assert(m);
+
+        if (manager_get_dnssec_mode(m) == DNSSEC_NO)
+                return false;
+
+        server = manager_get_dns_server(m);
+        if (server && !dns_server_dnssec_supported(server))
+                return false;
+
+        HASHMAP_FOREACH(l, m->links, i)
+                if (!link_dnssec_supported(l))
+                        return false;
+
+        return true;
+}
diff --git a/src/resolve/resolved-manager.h b/src/resolve/resolved-manager.h
index 1907d2e1bc..8b13074298 100644
--- a/src/resolve/resolved-manager.h
+++ b/src/resolve/resolved-manager.h
@@ -158,3 +158,6 @@ int manager_is_own_hostname(Manager *m, const char *name);
 
 int manager_compile_dns_servers(Manager *m, OrderedSet **servers);
 int manager_compile_search_domains(Manager *m, OrderedSet **domains);
+
+DnssecMode manager_get_dnssec_mode(Manager *m);
+bool manager_dnssec_supported(Manager *m);