From 16f74783d888117bc9ddc8b54138acbf730c4584 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 8 May 2022 14:50:39 +0900
Subject: [PATCH] resolve: reallocate DNS scope when DNSSEC and/or DNS-over-TLS settings are changed

Fixes #23227.
---
 src/resolve/resolved-link-bus.c | 2 ++
 src/resolve/resolved-link.c | 12 ++----------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c
index 881b65bb26..2361f448e8 100644
--- a/src/resolve/resolved-link-bus.c
+++ b/src/resolve/resolved-link-bus.c
@@ -640,6 +640,7 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd
 if (l->dns_over_tls_mode != mode) {
 link_set_dns_over_tls_mode(l, mode);
+ link_allocate_scopes(l);
 (void) link_save_user(l);
@@ -688,6 +689,7 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e
 if (l->dnssec_mode != mode) {
 link_set_dnssec_mode(l, mode);
+ link_allocate_scopes(l);
 (void) link_save_user(l);
diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c
index 8027eb6f91..cd960e25b1 100644
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -390,6 +390,7 @@ void link_set_dns_over_tls_mode(Link *l, DnsOverTlsMode mode) {
 #endif
 l->dns_over_tls_mode = mode;
+ l->unicast_scope = dns_scope_free(l->unicast_scope);
 }
 static int link_update_dns_over_tls_mode(Link *l) {
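Review bot: In src/resolve/resolved-link-bus.c, the added `link_allocate_scopes(l);` in bus_link_method_set_dns_over_tls() (and the identical line in bus_link_method_set_dnssec() in the next hunk) is needed only because the setters now free `l->unicast_scope`, and nothing at the call site says so. A short comment would keep the pairing from being dropped in a later refactor, e.g. `/* The setter drops the unicast scope; recreate it before the link is used again. */`. Callers of the two setters that this diff does not touch are not visible here and should be checked for the same reallocation, since a link left without a unicast scope would presumably not resolve over unicast DNS until scopes are allocated again. Both functions continue outside their hunks.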
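Review bot: In src/resolve/resolved-link.c, link_set_dns_over_tls_mode() now frees the unicast scope on every call that reaches the assignment, and the hunk shows no equality guard like the `if (l->dnssec_mode == mode) return;` that link_set_dnssec_mode() has in the following hunk. If no such check exists above the `#endif` (the start of the function is outside the hunk), a caller passing the current mode would discard the scope and whatever it holds for no reason. Consider adding `if (l->dns_over_tls_mode == mode) return;` before `l->dns_over_tls_mode = mode;`.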
@@ -430,17 +431,8 @@ void link_set_dnssec_mode(Link *l, DnssecMode mode) {
 if (l->dnssec_mode == mode)
 return;
- if ((l->dnssec_mode == _DNSSEC_MODE_INVALID) ||
- (l->dnssec_mode == DNSSEC_NO && mode != DNSSEC_NO) ||
- (l->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && mode == DNSSEC_YES)) {
-
- /* When switching from non-DNSSEC mode to DNSSEC mode, flush the cache. Also when switching from the
- * allow-downgrade mode to full DNSSEC mode, flush it too. */
- if (l->unicast_scope)
- dns_cache_flush(&l->unicast_scope->cache);
- }
-
 l->dnssec_mode = mode;
+ l->unicast_scope = dns_scope_free(l->unicast_scope);
 }
 static int link_update_dnssec_mode(Link *l) {
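Review bot: The new `l->unicast_scope = dns_scope_free(l->unicast_scope);` in link_set_dnssec_mode() replaces a block whose comment explained why the cache was flushed when moving to a stricter DNSSEC mode, and the replacement carries no explanation. The scope is now dropped on every mode change, downgrades included, so a reader can no longer tell that the point is to keep answers obtained under the old validation policy from being reused. I would add a comment above the line, e.g. `/* Drop the scope so that nothing cached under the previous DNSSEC mode is reused; callers must call link_allocate_scopes() afterwards. */`. That dns_scope_free() also discards the cache is assumed from the commit's intent and is not visible in this hunk.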