authorBeniamino Galvani <bgalvani@redhat.com>2023-10-09 18:00:44 +0200
committerBeniamino Galvani <bgalvani@redhat.com>2023-11-14 08:34:58 +0100
commit7447c1c2022ea23b558d4ba37b59212feb9f0981 (patch)
tree1c522ac4055df7f2a04e5348973b1b961d355d12
parentf9c9cbbf2fe8add43e10c0ce3311153048f45023 (diff)
dns: add options to control automatic addition of edns0 and trust-adbg/dns-options-skip
Options "edns0" and "trust-ad" are automatically added when using caching plugins such as dnsmasq and systemd-resolved. In some cases, those options can break resolution due to non-conforming resolvers, and there is no way to disable them. Introduce new options "_no-add-edns0" and "_no-add-trust-ad" to prevent the automatic addition of "edns0" and "trust-ad". The initial underscore indicates that the option is internal and is not written into resolv.conf. https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1393 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1751
-rw-r--r--src/core/dns/nm-dns-manager.c24
-rw-r--r--src/libnm-core-impl/nm-setting-ip-config.c17
-rw-r--r--src/libnm-core-public/nm-setting-ip-config.h3
3 files changed, 38 insertions, 6 deletions
diff --git a/src/core/dns/nm-dns-manager.c b/src/core/dns/nm-dns-manager.c
index f8f12fbcbc..86d65c0510 100644
--- a/src/core/dns/nm-dns-manager.c
+++ b/src/core/dns/nm-dns-manager.c
@@ -1876,8 +1876,11 @@ plugin_skip:;
nameservers = g_new0(char *, 2);
nameservers[0] = g_strdup(lladdr);
- need_edns0 = !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_EDNS0);
- need_trust = !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_TRUST_AD);
+ need_edns0 = !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_EDNS0)
+ && !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_EDNS0);
+ need_trust =
+ !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_TRUST_AD)
+ && !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_TRUST_AD);
if (need_edns0 || need_trust) {
gsize len;
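Review bot: When `_no-add-edns0` or `_no-add-trust-ad` turns `need_edns0` / `need_trust` off, nothing records that the automatic option was skipped, and for trust-ad the effect is security-relevant: without `trust-ad` in resolv.conf glibc removes the AD bit from replies, so applications that rely on DNSSEC-validated answers from the local caching resolver lose that signal. `options` looks like the list merged across profiles (not confirmable from this hunk), in which case one profile carrying the internal option changes behaviour for the whole host. I would add a debug-level log line in this branch naming the skipped option, for example `_LOGD("update-dns: not adding \"trust-ad\" because \"_no-add-trust-ad\" is set");`. The enclosing function starts and ends outside the hunk.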
@@ -1892,6 +1895,23 @@ plugin_skip:;
}
}
+ if (options) {
+ guint i;
+ guint j;
+
+ /* Skip internal options, those starting with '_' */
+ for (i = 0, j = 0; options[i]; i++) {
+ if (options[i][0] == '_') {
+ g_free(options[i]);
+ continue;
+ }
+ if (i != j)
+ options[j] = options[i];
+ j++;
+ }
+ options[j] = NULL;
+ }
+
if (do_update) {
switch (priv->rc_manager) {
case NM_DNS_MANAGER_RESOLV_CONF_MAN_SYMLINK:
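Review bot: The filter loop is order-sensitive: it has to run after the `need_edns0` / `need_trust` checks in the previous hunk, because those read the `_no-add-*` entries that this loop frees, and before anything under `if (do_update)` consumes `options`. The current comment does not say so, and moving the block earlier would silently disable both internal options. I would extend it to `/* Drop internal options (leading '_') so they never reach resolv.conf; keep this after the need_edns0/need_trust checks, which still need them. */`. The loop also assumes every element of `options` is individually heap-allocated and owned at this point, which cannot be confirmed from the hunk. The enclosing function starts and ends outside the hunk.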
diff --git a/src/libnm-core-impl/nm-setting-ip-config.c b/src/libnm-core-impl/nm-setting-ip-config.c
index 5cfe9ed8bc..c305e48e9d 100644
--- a/src/libnm-core-impl/nm-setting-ip-config.c
+++ b/src/libnm-core-impl/nm-setting-ip-config.c
@@ -52,6 +52,8 @@ const NMUtilsDNSOptionDesc _nm_utils_dns_option_descs[] = {
{NM_SETTING_DNS_OPTION_NO_RELOAD, FALSE, FALSE},
{NM_SETTING_DNS_OPTION_TRUST_AD, FALSE, FALSE},
{NM_SETTING_DNS_OPTION_NO_AAAA, FALSE, FALSE},
+ {NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_EDNS0, FALSE, FALSE},
+ {NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_TRUST_AD, FALSE, FALSE},
{NULL, FALSE, FALSE}};
static char *
@@ -6376,17 +6378,24 @@ nm_setting_ip_config_class_init(NMSettingIPConfigClass *klass)
/**
* NMSettingIPConfig:dns-options:
*
- * Array of DNS options as described in man 5 resolv.conf.
+ * Array of DNS options to be added to resolv.conf.
*
* %NULL means that the options are unset and left at the default.
* In this case NetworkManager will use default options. This is
* distinct from an empty list of properties.
*
- * The currently supported options are "attempts", "debug", "edns0",
+ * The following options are directly added to resolv.conf: "attempts",
+ * "debug", "edns0",
* "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-aaaa",
* "no-check-names", "no-ip6-dotint", "no-reload", "no-tld-query",
* "rotate", "single-request", "single-request-reopen", "timeout",
- * "trust-ad", "use-vc".
+ * "trust-ad", "use-vc". See the resolv.conf(5) man page for a
+ * detailed description of these options.
+ *
+ * In addition, NetworkManager supports the special options "_no-add-edns0"
+ * and "_no-add-trust-ad". They are not added to resolv.conf, and can be
+ * used to prevent the automatic addition of options "edns0" and "trust-ad"
+ * when using caching DNS plugins (see below).
*
* The "trust-ad" setting is only honored if the profile contributes
* name servers to resolv.conf, and if all contributing profiles have
@@ -6394,7 +6403,7 @@ nm_setting_ip_config_class_init(NMSettingIPConfigClass *klass)
*
* When using a caching DNS plugin (dnsmasq or systemd-resolved in
* NetworkManager.conf) then "edns0" and "trust-ad" are automatically
- * added.
+ * added, unless "_no-add-edns0" and "_no-add-trust-ad" are present.
*
* Since: 1.2
**/
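Review bot: The new sentence `added, unless "_no-add-edns0" and "_no-add-trust-ad" are present` reads as if both options must be set together, whereas the nm-dns-manager.c change in this commit evaluates them independently (`need_edns0` and `need_trust` each test only their own option). I would word it as `added, unless "_no-add-edns0" or "_no-add-trust-ad", respectively, is present.` It would also help to state here that suppressing "trust-ad" means glibc no longer passes the AD bit from the caching resolver on to applications, since that is the consequence an administrator needs to weigh before setting it. The doc comment begins above this hunk.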
diff --git a/src/libnm-core-public/nm-setting-ip-config.h b/src/libnm-core-public/nm-setting-ip-config.h
index f728196514..aa0d6d717c 100644
--- a/src/libnm-core-public/nm-setting-ip-config.h
+++ b/src/libnm-core-public/nm-setting-ip-config.h
@@ -363,6 +363,9 @@ char *nm_ip_routing_rule_to_string(const NMIPRoutingRule *self,
#define NM_SETTING_DNS_OPTION_NO_RELOAD "no-reload"
#define NM_SETTING_DNS_OPTION_TRUST_AD "trust-ad"
#define NM_SETTING_DNS_OPTION_NO_AAAA "no-aaaa"
+/* Internal options (not added to resolv.conf) */
+#define NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_EDNS0 "_no-add-edns0"
+#define NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_TRUST_AD "_no-add-trust-ad"
typedef struct _NMSettingIPConfigClass NMSettingIPConfigClass;