resolved: when switching between DNSSEC modes, possibly flush caches
authorLennart Poettering <lennart@poettering.net>
Fri, 15 Jan 2016 20:07:21 +0000 (21:07 +0100)
committerLennart Poettering <lennart@poettering.net>
Sun, 17 Jan 2016 19:47:46 +0000 (20:47 +0100)
If the networkd configuration changes during runtime, make sure to flush all caches when we switch from a less trusted
to a more trusted mode.

src/resolve/resolved-link.c

index 928307e004b59b5c2d5d8cce6522162e8654d1fc..1e8f88024b2e480d58fe0b64b30c5287af32c043 100644 (file)
@@ -279,6 +279,7 @@ clear:
 
 static int link_update_dnssec_mode(Link *l) {
         _cleanup_free_ char *m = NULL;
+        DnssecMode mode;
         int r;
 
         assert(l);
@@ -291,12 +292,23 @@ static int link_update_dnssec_mode(Link *l) {
         if (r < 0)
                 goto clear;
 
-        l->dnssec_mode = dnssec_mode_from_string(m);
-        if (l->dnssec_mode < 0) {
+        mode = dnssec_mode_from_string(m);
+        if (mode < 0) {
                 r = -EINVAL;
                 goto clear;
         }
 
+        if ((l->dnssec_mode == DNSSEC_NO && mode != DNSSEC_NO) ||
+            (l->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && mode == DNSSEC_YES)) {
+
+                /* When switching from non-DNSSEC mode to DNSSEC mode, flush the cache. Also when switching from the
+                 * allow-downgrade mode to full DNSSEC mode, flush it too. */
+                if (l->unicast_scope)
+                        dns_cache_flush(&l->unicast_scope->cache);
+        }
+
+        l->dnssec_mode = mode;
+
         return 0;
 
 clear:
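Review bot: The comment above the flush lists the two transitions but not why they need one, and that is the part a later maintainer needs when adding or reordering modes; I would extend it to `/* Entries cached under a less strict mode may be unvalidated (or downgraded) answers. Flush them so they are not served once the stricter policy is in effect; the reverse direction keeps the cache, since validated data stays valid. */`. The transitions are enumerated explicitly rather than derived from the enum order, so a new DnssecMode value will silently get no flush unless this condition is updated — worth a one-line note such as `/* Keep in sync with the DnssecMode enum. */`. Note also that with the local `mode`, `l->dnssec_mode` is no longer overwritten on an invalid string before `goto clear`; whether `clear:` resets it is outside this hunk, as is the start of link_update_dnssec_mode's body.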