resolved: rework DNSSECSupported property

Not only report whether the server actually supports DNSSEC, but also first check whether DNSSEC is actually enabled
for it in our local configuration.

Also, export a per-link DNSSECSupported property in addition to the existing manager-wide property.

src/resolve/resolved-bus.c

@@ -1309,25 +1309,11 @@ static int bus_property_get_dnssec_supported(
                 sd_bus_error *error) {
 
         Manager *m = userdata;
-        DnsServer *server;
-        bool supported = true;
-        Iterator i;
-        Link *l;
 
         assert(reply);
         assert(m);
 
-        server = manager_get_dns_server(m);
-        if (server)
-                supported = supported && dns_server_dnssec_supported(server);
-
-        HASHMAP_FOREACH(l, m->links, i) {
-                server = link_get_dns_server(l);
-                if (server)
-                        supported = supported && dns_server_dnssec_supported(server);
-        }
-
-        return sd_bus_message_append(reply, "b", supported);
+        return sd_bus_message_append(reply, "b", manager_dnssec_supported(m));
 }
 
 static int bus_method_reset_statistics(sd_bus_message *message, void *userdata, sd_bus_error *error) {

src/resolve/resolved-dns-scope.c

@@ -67,11 +67,9 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int
                  * changes. */
 
                 if (l)
-                        s->dnssec_mode = l->dnssec_mode;
-                if (s->dnssec_mode == _DNSSEC_MODE_INVALID)
-                        s->dnssec_mode = m->dnssec_mode;
-                if (s->dnssec_mode == _DNSSEC_MODE_INVALID)
-                        s->dnssec_mode = DNSSEC_NO;
+                        s->dnssec_mode = link_get_dnssec_mode(l);
+                else
+                        s->dnssec_mode = manager_get_dnssec_mode(m);
         }
 
         LIST_PREPEND(scopes, m->dns_scopes, s);

src/resolve/resolved-link-bus.c

@@ -142,6 +142,23 @@ static int property_get_ntas(
         return sd_bus_message_close_container(reply);
 }
 
+static int property_get_dnssec_supported(
+                sd_bus *bus,
+                const char *path,
+                const char *interface,
+                const char *property,
+                sd_bus_message *reply,
+                void *userdata,
+                sd_bus_error *error) {
+
+        Link *l = userdata;
+
+        assert(reply);
+        assert(l);
+
+        return sd_bus_message_append(reply, "b", link_dnssec_supported(l));
+}
+
 int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_bus_error *error) {
         _cleanup_free_ struct in_addr_data *dns = NULL;
         size_t allocated = 0, n = 0;
@@ -418,6 +435,7 @@ const sd_bus_vtable link_vtable[] = {
         SD_BUS_PROPERTY("MulticastDNS", "s", property_get_resolve_support, offsetof(Link, mdns_support), 0),
         SD_BUS_PROPERTY("DNSSEC", "s", property_get_dnssec_mode, offsetof(Link, dnssec_mode), 0),
         SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", property_get_ntas, 0, 0),
+        SD_BUS_PROPERTY("DNSSECSupport", "b", property_get_dnssec_supported, 0, 0),
 
         SD_BUS_METHOD("SetDNS", "a(iay)", NULL, bus_link_method_set_dns_servers, 0),
         SD_BUS_METHOD("SetDomains", "as", NULL, bus_link_method_set_search_domains, 0),

src/resolve/resolved-link.c

@@ -580,6 +580,30 @@ void link_next_dns_server(Link *l) {
         link_set_dns_server(l, l->dns_servers);
 }
 
+DnssecMode link_get_dnssec_mode(Link *l) {
+        assert(l);
+
+        if (l->dnssec_mode != _DNSSEC_MODE_INVALID)
+                return l->dnssec_mode;
+
+        return manager_get_dnssec_mode(l->manager);
+}
+
+bool link_dnssec_supported(Link *l) {
+        DnsServer *server;
+
+        assert(l);
+
+        if (link_get_dnssec_mode(l) == DNSSEC_NO)
+                return false;
+
+        server = link_get_dns_server(l);
+        if (server)
+                return dns_server_dnssec_supported(server);
+
+        return true;
+}
+
 int link_address_new(Link *l, LinkAddress **ret, int family, const union in_addr_union *in_addr) {
         LinkAddress *a;
 

src/resolve/resolved-link.h

@@ -100,6 +100,9 @@ DnsServer* link_set_dns_server(Link *l, DnsServer *s);
 DnsServer* link_get_dns_server(Link *l);
 void link_next_dns_server(Link *l);
 
+DnssecMode link_get_dnssec_mode(Link *l);
+bool link_dnssec_supported(Link *l);
+
 int link_address_new(Link *l, LinkAddress **ret, int family, const union in_addr_union *in_addr);
 LinkAddress *link_address_free(LinkAddress *a);
 int link_address_update_rtnl(LinkAddress *a, sd_netlink_message *m);

src/resolve/resolved-manager.c

@@ -1173,3 +1173,33 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains) {
 
         return 0;
 }
+
+DnssecMode manager_get_dnssec_mode(Manager *m) {
+        assert(m);
+
+        if (m->dnssec_mode != _DNSSEC_MODE_INVALID)
+                return m->dnssec_mode;
+
+        return DNSSEC_NO;
+}
+
+bool manager_dnssec_supported(Manager *m) {
+        DnsServer *server;
+        Iterator i;
+        Link *l;
+
+        assert(m);
+
+        if (manager_get_dnssec_mode(m) == DNSSEC_NO)
+                return false;
+
+        server = manager_get_dns_server(m);
+        if (server && !dns_server_dnssec_supported(server))
+                return false;
+
+        HASHMAP_FOREACH(l, m->links, i)
+                if (!link_dnssec_supported(l))
+                        return false;
+
+        return true;
+}

src/resolve/resolved-manager.h

@@ -158,3 +158,6 @@ int manager_is_own_hostname(Manager *m, const char *name);
 
 int manager_compile_dns_servers(Manager *m, OrderedSet **servers);
 int manager_compile_search_domains(Manager *m, OrderedSet **domains);
+
+DnssecMode manager_get_dnssec_mode(Manager *m);
+bool manager_dnssec_supported(Manager *m);