3 files changed, 25 insertions, 9 deletions

diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index 9267b67f79..1ac8a223d8 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -51,6 +51,7 @@ struct DnsCacheItem {
         bool authenticated:1;
         bool shared_owner:1;
 
+        int ifindex;
         int owner_family;
         union in_addr_union owner_address;
 
@@ -329,6 +330,7 @@ static void dns_cache_item_update_positive(
                 bool authenticated,
                 bool shared_owner,
                 usec_t timestamp,
+                int ifindex,
                 int owner_family,
                 const union in_addr_union *owner_address) {
 
@@ -356,6 +358,8 @@ static void dns_cache_item_update_positive(
         i->authenticated = authenticated;
         i->shared_owner = shared_owner;
 
+        i->ifindex = ifindex;
+
         i->owner_family = owner_family;
         i->owner_address = *owner_address;
 
@@ -368,6 +372,7 @@ static int dns_cache_put_positive(
                 bool authenticated,
                 bool shared_owner,
                 usec_t timestamp,
+                int ifindex,
                 int owner_family,
                 const union in_addr_union *owner_address) {
 
@@ -414,6 +419,7 @@ static int dns_cache_put_positive(
                                 authenticated,
                                 shared_owner,
                                 timestamp,
+                                ifindex,
                                 owner_family,
                                 owner_address);
                 return 0;
@@ -436,6 +442,7 @@ static int dns_cache_put_positive(
         i->until = calculate_until(rr, (uint32_t) -1, timestamp, false);
         i->authenticated = authenticated;
         i->shared_owner = shared_owner;
+        i->ifindex = ifindex;
         i->owner_family = owner_family;
         i->owner_address = *owner_address;
         i->prioq_idx = PRIOQ_IDX_NULL;
@@ -615,7 +622,7 @@ int dns_cache_put(
         DnsResourceRecord *soa = NULL, *rr;
         DnsAnswerFlags flags;
         unsigned cache_keys;
-        int r;
+        int r, ifindex;
 
         assert(c);
         assert(owner_address);
@@ -653,7 +660,7 @@ int dns_cache_put(
                 timestamp = now(clock_boottime_or_monotonic());
 
         /* Second, add in positive entries for all contained RRs */
-        DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) {
+        DNS_ANSWER_FOREACH_FULL(rr, ifindex, flags, answer) {
                 if ((flags & DNS_ANSWER_CACHEABLE) == 0)
                         continue;
 
@@ -669,6 +676,7 @@ int dns_cache_put(
                                 flags & DNS_ANSWER_AUTHENTICATED,
                                 flags & DNS_ANSWER_SHARED_OWNER,
                                 timestamp,
+                                ifindex,
                                 owner_family, owner_address);
                 if (r < 0)
                         goto fail;
@@ -922,7 +930,7 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r
                 if (!j->rr)
                         continue;
 
-                r = dns_answer_add(answer, j->rr, 0, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0);
+                r = dns_answer_add(answer, j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0);
                 if (r < 0)
                         return r;
         }
diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index 06d30d7863..b8bdff9dfa 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -967,6 +967,17 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
         if (r == 0 && k == 0) /* No actual cname happened? */
                 return -ELOOP;
 
+        if (q->answer_protocol == DNS_PROTOCOL_DNS) {
+                /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
+                 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
+                 * ones. */
+
+                q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
+        }
+
+        /* Turn off searching for the new name */
+        q->flags |= SD_RESOLVED_NO_SEARCH;
+
         dns_question_unref(q->question_idna);
         q->question_idna = nq_idna;
         nq_idna = NULL;
@@ -977,10 +988,8 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
 
         dns_query_free_candidates(q);
         dns_query_reset_answer(q);
-        q->state = DNS_TRANSACTION_NULL;
 
-        /* Turn off searching for the new name */
-        q->flags |= SD_RESOLVED_NO_SEARCH;
+        q->state = DNS_TRANSACTION_NULL;
 
         return 0;
 }
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index 03239794ee..8f3be4b991 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -57,8 +57,6 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int
         s->family = family;
         s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
 
-        s->dnssec_mode = _DNSSEC_MODE_INVALID;
-
         if (protocol == DNS_PROTOCOL_DNS) {
                 /* Copy DNSSEC mode from the link if it is set there,
                  * otherwise take the manager's DNSSEC mode. Note that
@@ -70,7 +68,8 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int
                         s->dnssec_mode = link_get_dnssec_mode(l);
                 else
                         s->dnssec_mode = manager_get_dnssec_mode(m);
-        }
+        } else
+                s->dnssec_mode = DNSSEC_NO;
 
         LIST_PREPEND(scopes, m->dns_scopes, s);