1 files changed, 63 insertions, 23 deletions

diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c
index e3e50eca53..ff2be12415 100644
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -1,22 +1,4 @@
 /* SPDX-License-Identifier: LGPL-2.1+ */
-/***
-  This file is part of systemd.
-
-  Copyright 2014 Lennart Poettering
-
-  systemd is free software; you can redistribute it and/or modify it
-  under the terms of the GNU Lesser General Public License as published by
-  the Free Software Foundation; either version 2.1 of the License, or
-  (at your option) any later version.
-
-  systemd is distributed in the hope that it will be useful, but
-  WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-  Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public License
-  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
 
 #include <net/if.h>
 #include <stdio_ext.h>
@@ -54,6 +36,7 @@ int link_new(Manager *m, Link **ret, int ifindex) {
         l->llmnr_support = RESOLVE_SUPPORT_YES;
         l->mdns_support = RESOLVE_SUPPORT_NO;
         l->dnssec_mode = _DNSSEC_MODE_INVALID;
+        l->dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID;
         l->operstate = IF_OPER_UNKNOWN;
 
         if (asprintf(&l->state_file, "/run/systemd/resolve/netif/%i", ifindex) < 0)
@@ -78,6 +61,7 @@ void link_flush_settings(Link *l) {
         l->llmnr_support = RESOLVE_SUPPORT_YES;
         l->mdns_support = RESOLVE_SUPPORT_NO;
         l->dnssec_mode = _DNSSEC_MODE_INVALID;
+        l->dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID;
 
         dns_server_unlink_all(l->dns_servers);
         dns_search_domain_unlink_all(l->search_domains);
@@ -128,6 +112,11 @@ void link_allocate_scopes(Link *l) {
 
                 dns_server_reset_features_all(l->manager->fallback_dns_servers);
                 dns_server_reset_features_all(l->manager->dns_servers);
+
+                /* Also, flush the global unicast scope, to deal with split horizon setups, where talking through one
+                 * interface reveals different DNS zones than through others. */
+                if (l->manager->unicast_scope)
+                        dns_cache_flush(&l->manager->unicast_scope->cache);
         }
 
         /* And now, allocate all scopes that makes sense now if we didn't have them yet, and drop those which we don't
@@ -360,6 +349,46 @@ clear:
         return r;
 }
 
+void link_set_dns_over_tls_mode(Link *l, DnsOverTlsMode mode) {
+
+        assert(l);
+
+#if ! ENABLE_DNS_OVER_TLS
+        if (mode != DNS_OVER_TLS_NO)
+                log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
+        return;
+#endif
+
+        l->dns_over_tls_mode = mode;
+}
+
+static int link_update_dns_over_tls_mode(Link *l) {
+        _cleanup_free_ char *b = NULL;
+        int r;
+
+        assert(l);
+
+        r = sd_network_link_get_dns_over_tls(l->ifindex, &b);
+        if (r == -ENODATA) {
+                r = 0;
+                goto clear;
+        }
+        if (r < 0)
+                goto clear;
+
+        l->dns_over_tls_mode = dns_over_tls_mode_from_string(b);
+        if (l->dns_over_tls_mode < 0) {
+                r = -EINVAL;
+                goto clear;
+        }
+
+        return 0;
+
+clear:
+        l->dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID;
+        return r;
+}
+
 void link_set_dnssec_mode(Link *l, DnssecMode mode) {
 
         assert(l);
@@ -440,8 +469,7 @@ static int link_update_dnssec_negative_trust_anchors(Link *l) {
                 return r;
 
         set_free_free(l->dnssec_negative_trust_anchors);
-        l->dnssec_negative_trust_anchors = ns;
-        ns = NULL;
+        l->dnssec_negative_trust_anchors = TAKE_PTR(ns);
 
         return 0;
 
@@ -568,6 +596,10 @@ static void link_read_settings(Link *l) {
         if (r < 0)
                 log_warning_errno(r, "Failed to read mDNS support for interface %s, ignoring: %m", l->name);
 
+        r = link_update_dns_over_tls_mode(l);
+        if (r < 0)
+                log_warning_errno(r, "Failed to read DNS-over-TLS mode for interface %s, ignoring: %m", l->name);
+
         r = link_update_dnssec_mode(l);
         if (r < 0)
                 log_warning_errno(r, "Failed to read DNSSEC mode for interface %s, ignoring: %m", l->name);
@@ -701,6 +733,15 @@ void link_next_dns_server(Link *l) {
         link_set_dns_server(l, l->dns_servers);
 }
 
+DnsOverTlsMode link_get_dns_over_tls_mode(Link *l) {
+        assert(l);
+
+        if (l->dns_over_tls_mode != _DNS_OVER_TLS_MODE_INVALID)
+                return l->dns_over_tls_mode;
+
+        return manager_get_dns_over_tls_mode(l->manager);
+}
+
 DnssecMode link_get_dnssec_mode(Link *l) {
         assert(l);
 
@@ -1216,7 +1257,7 @@ int link_load_user(Link *l) {
         if (l->is_managed)
                 return 0; /* if the device is managed, then networkd is our configuration source, not the bus API */
 
-        r = parse_env_file(l->state_file, NEWLINE,
+        r = parse_env_file(NULL, l->state_file, NEWLINE,
                            "LLMNR", &llmnr,
                            "MDNS", &mdns,
                            "DNSSEC", &dnssec,
@@ -1293,8 +1334,7 @@ int link_load_user(Link *l) {
                 if (r < 0)
                         goto fail;
 
-                l->dnssec_negative_trust_anchors = ns;
-                ns = NULL;
+                l->dnssec_negative_trust_anchors = TAKE_PTR(ns);
         }
 
         return 0;