From a811cc6f8716815618b8ffb25ad3d1ff65d0f02c Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <enr0n@ubuntu.com>
Date: Fri, 22 Aug 2025 13:36:48 -0400
Subject: [PATCH] test: ensure that reload updates DNSSEC and DNSOverTLS on
 link scopes

(cherry picked from commit 1be088c2995f6f22767a4a58e7b51c3642930805)
---
 test/units/TEST-75-RESOLVED.sh | 52 ++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/test/units/TEST-75-RESOLVED.sh b/test/units/TEST-75-RESOLVED.sh
index 80aa239d445..5f7d64c005e 100755
--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@@ -789,10 +789,62 @@ testcase_08_resolved() {
 }
 
 testcase_09_resolvectl_showcache() {
+    # Cleanup
+    # shellcheck disable=SC2317
+    cleanup() {
+        rm -f /run/systemd/resolved.conf.d/90-resolved.conf
+        rm -f /run/systemd/network/10-dns2.netdev
+        rm -f /run/systemd/network/10-dns2.network
+        networkctl reload
+        systemctl reload systemd-resolved.service
+        resolvectl revert dns0
+    }
+
+    trap cleanup RETURN
+
     ### Test resolvectl show-cache
     run resolvectl show-cache
     run resolvectl show-cache --json=short
     run resolvectl show-cache --json=pretty
+
+    # Use resolvectl show-cache to check that reloding resolved updates scope
+    # DNSSEC and DNSOverTLS modes.
+    {
+        echo "[NetDev]"
+        echo "Name=dns2"
+        echo "Kind=dummy"
+    } > /run/systemd/network/10-dns2.netdev
+    {
+        echo "[Match]"
+        echo "Name=dns2"
+        echo "[Network]"
+        echo "IPv6AcceptRA=no"
+        echo "Address=10.123.0.1/24"
+        echo "DNS=10.0.0.1"
+    } > /run/systemd/network/10-dns2.network
+    networkctl reload
+    networkctl reconfigure dns2
+
+    mkdir -p /run/systemd/resolved.conf.d/
+    {
+        echo "[Resolve]"
+        echo "DNSSEC=no"
+        echo "DNSOverTLS=no"
+    } > /run/systemd/resolved.conf.d/90-resolved.conf
+    systemctl reload systemd-resolved.service
+
+    test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnssec')" == 'no'
+    test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnsOverTLS')" == 'no'
+
+    {
+        echo "[Resolve]"
+        echo "DNSSEC=allow-downgrade"
+        echo "DNSOverTLS=opportunistic"
+    } > /run/systemd/resolved.conf.d/90-resolved.conf
+    systemctl reload systemd-resolved.service
+
+    test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnssec')" == 'allow-downgrade'
+    test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnsOverTLS')" == 'opportunistic'
 }
 
 testcase_10_resolvectl_json() {
-- 
2.47.3