resolved: when the dns server feature level grace period elapses, flush caches

The cache might contain all kinds of unauthenticated data that we really
shouldn't be using if we upgrade our feature level and suddenly are able
to get authenticated data again.

Might fix: #4866

src/resolve/resolved-dns-server.c

@@ -415,6 +415,8 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
                          dns_server_feature_level_to_string(s->possible_feature_level),
                          dns_server_string(s));
 
+                dns_server_flush_cache(s);
+
         } else if (s->possible_feature_level <= s->verified_feature_level)
                 s->possible_feature_level = s->verified_feature_level;
         else {
@@ -792,6 +794,25 @@ DnssecMode dns_server_get_dnssec_mode(DnsServer *s) {
         return manager_get_dnssec_mode(s->manager);
 }
 
+void dns_server_flush_cache(DnsServer *s) {
+        DnsServer *current;
+        DnsScope *scope;
+
+        assert(s);
+
+        /* Flush the cache of the scope this server belongs to */
+
+        current = s->link ? s->link->current_dns_server : s->manager->current_dns_server;
+        if (current != s)
+                return;
+
+        scope = s->link ? s->link->unicast_scope : s->manager->unicast_scope;
+        if (!scope)
+                return;
+
+        dns_cache_flush(&scope->cache);
+}
+
 static const char* const dns_server_type_table[_DNS_SERVER_TYPE_MAX] = {
         [DNS_SERVER_SYSTEM] = "system",
         [DNS_SERVER_FALLBACK] = "fallback",

src/resolve/resolved-dns-server.h

@@ -149,3 +149,5 @@ DnssecMode dns_server_get_dnssec_mode(DnsServer *s);
 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsServer*, dns_server_unref);
 
 extern const struct hash_ops dns_server_hash_ops;
+
+void dns_server_flush_cache(DnsServer *s);