From d711322c131edae9bbd7c6df30d96ae2c5977d4b Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 3 Nov 2020 20:08:51 +0100
Subject: [PATCH] resolvectl: add support for various new flags

---
 man/resolvectl.xml       | 59 ++++++++++++++++++++++++++++++++++++
 src/resolve/resolvectl.c | 64 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 121 insertions(+), 2 deletions(-)

diff --git a/man/resolvectl.xml b/man/resolvectl.xml
index fb6cae7b9b6..7662349cc54 100644
--- a/man/resolvectl.xml
+++ b/man/resolvectl.xml
@@ -262,6 +262,65 @@
         returned.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--validate=</option><replaceable>BOOL</replaceable></term>
+
+        <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+        (the default), DNSSEC validation is applied as usual — under the condition that it is enabled for the
+        network and for <filename>systemd-resolved.service</filename> as a whole. If false, DNSSEC validation
+        is disabled for the specific query, regardless of whether it is enabled for the network or in the
+        service. Note that setting this option to true does not force DNSSEC validation on systems/networks
+        where DNSSEC is turned off. This option is only suitable to turn off such validation where otherwise
+        enabled, not enable validation where otherwise disabled.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--synthesize=</option><replaceable>BOOL</replaceable></term>
+
+        <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+        (the default), select domains are resolved on the local system, among them
+        <literal>localhost</literal> and <literal>_gateway</literal> or entries from
+        <filename>/etc/hosts</filename>. If false these domains are not resolved locally, and either fail (in
+        case of <literal>localhost</literal> or <literal>_gateway</literal> and suchlike) or go to the
+        network via regular DNS/mDNS/LLMNR lookups (in case of <filename>/etc/hosts</filename>
+        entries).</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--cache=</option><replaceable>BOOL</replaceable></term>
+
+        <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+        (the default), lookups use the local DNS resource record cache. If false, lookups are routed to the
+        network instead, regardless if already available in the local cache.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--zone=</option><replaceable>BOOL</replaceable></term>
+
+        <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+        (the default), lookups are answered from locally registered LLMNR or mDNS resource records, if
+        defined. If false, locally registered LLMNR/mDNS records are not considered for the lookup
+        request.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--trust-anchor=</option><replaceable>BOOL</replaceable></term>
+
+        <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+        (the default), lookups for DS and DNSKEY are answered from the local DNSSEC trust anchors if
+        possible. If false, the local trust store is not considered for the lookup request.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--network=</option><replaceable>BOOL</replaceable></term>
+
+        <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If true
+        (the default), lookups are answered via DNS, LLMNR or mDNS network requests if they cannot be
+        synthesized locally, or be answered from the local cache, zone or trust anchors (see above). If false,
+        the request is not answered from the network and will thus fail if none of the indicated sources can
+        answer them.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--search=</option><replaceable>BOOL</replaceable></term>
 
diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c
index 71854245025..e7ee7354287 100644
--- a/src/resolve/resolvectl.c
+++ b/src/resolve/resolvectl.c
@@ -2620,8 +2620,14 @@ static int native_help(void) {
                "     --service-address=BOOL    Resolve address for services (default: yes)\n"
                "     --service-txt=BOOL        Resolve TXT records for services (default: yes)\n"
                "     --cname=BOOL              Follow CNAME redirects (default: yes)\n"
-               "     --search=BOOL             Use search domains for single-label names\n"
-               "                                                              (default: yes)\n"
+               "     --validate=BOOL           Allow DNSSEC validation (default: yes)\n"
+               "     --synthesize=BOOL         Allow synthetic response (default: yes)\n"
+               "     --cache=BOOL              Allow response from cache (default: yes)\n"
+               "     --zone=BOOL               Allow response from locally registered mDNS/LLMNR\n"
+               "                               records (default: yes)\n"
+               "     --trust-anchor=BOOL       Allow response from local trust anchor (default: yes)\n"
+               "     --network=BOOL            Allow response from network (default: yes)\n"
+               "     --search=BOOL             Use search domains for single-label names (default: yes)\n"
                "     --raw[=payload|packet]    Dump the answer as binary data\n"
                "     --legend=BOOL             Print headers and additional info (default: yes)\n"
                "\nSee the %s for details.\n",
@@ -2961,6 +2967,12 @@ static int native_parse_argv(int argc, char *argv[]) {
                 ARG_VERSION = 0x100,
                 ARG_LEGEND,
                 ARG_CNAME,
+                ARG_VALIDATE,
+                ARG_SYNTHESIZE,
+                ARG_CACHE,
+                ARG_ZONE,
+                ARG_TRUST_ANCHOR,
+                ARG_NETWORK,
                 ARG_SERVICE_ADDRESS,
                 ARG_SERVICE_TXT,
                 ARG_RAW,
@@ -2977,6 +2989,12 @@ static int native_parse_argv(int argc, char *argv[]) {
                 { "interface",             required_argument, NULL, 'i'                       },
                 { "protocol",              required_argument, NULL, 'p'                       },
                 { "cname",                 required_argument, NULL, ARG_CNAME                 },
+                { "validate",              required_argument, NULL, ARG_VALIDATE              },
+                { "synthesize",            required_argument, NULL, ARG_SYNTHESIZE            },
+                { "cache",                 required_argument, NULL, ARG_CACHE                 },
+                { "zone",                  required_argument, NULL, ARG_ZONE                  },
+                { "trust-anchor",          required_argument, NULL, ARG_TRUST_ANCHOR          },
+                { "network",               required_argument, NULL, ARG_NETWORK               },
                 { "service-address",       required_argument, NULL, ARG_SERVICE_ADDRESS       },
                 { "service-txt",           required_argument, NULL, ARG_SERVICE_TXT           },
                 { "raw",                   optional_argument, NULL, ARG_RAW                   },
@@ -3100,6 +3118,48 @@ static int native_parse_argv(int argc, char *argv[]) {
                         SET_FLAG(arg_flags, SD_RESOLVED_NO_CNAME, r == 0);
                         break;
 
+                case ARG_VALIDATE:
+                        r = parse_boolean(optarg);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to parse --validate= argument.");
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_VALIDATE, r == 0);
+                        break;
+
+                case ARG_SYNTHESIZE:
+                        r = parse_boolean(optarg);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to parse --synthesize= argument.");
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_SYNTHESIZE, r == 0);
+                        break;
+
+                case ARG_CACHE:
+                        r = parse_boolean(optarg);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to parse --cache= argument.");
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_CACHE, r == 0);
+                        break;
+
+                case ARG_ZONE:
+                        r = parse_boolean(optarg);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to parse --zone= argument.");
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_ZONE, r == 0);
+                        break;
+
+                case ARG_TRUST_ANCHOR:
+                        r = parse_boolean(optarg);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to parse --trust-anchor= argument.");
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_TRUST_ANCHOR, r == 0);
+                        break;
+
+                case ARG_NETWORK:
+                        r = parse_boolean(optarg);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to parse --network= argument.");
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_NETWORK, r == 0);
+                        break;
+
                 case ARG_SERVICE_ADDRESS:
                         r = parse_boolean(optarg);
                         if (r < 0)