3 files changed, 19 insertions, 11 deletions

diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 64a4b74e15..a9d91b07f6 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -2040,9 +2040,13 @@ static int link_configure(Link *link) {
         assert(link->network);
         assert(link->state == LINK_STATE_PENDING);
 
-        r = link_drop_foreign_config(link);
-        if (r < 0)
-                return r;
+        /* Drop foreign config, but ignore loopback device.
+         * We do not want to remove loopback address. */
+        if (!(link->flags & IFF_LOOPBACK)) {
+                r = link_drop_foreign_config(link);
+                if (r < 0)
+                        return r;
+        }
 
         r = link_set_bridge_fdb(link);
         if (r < 0)
diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c
index 1908cae2b7..da1b5014bf 100644
--- a/src/resolve/resolved-bus.c
+++ b/src/resolve/resolved-bus.c
@@ -298,7 +298,15 @@ static void bus_method_resolve_address_complete(DnsQuery *q) {
                 goto finish;
         }
 
-        /* We don't process CNAME for PTR lookups. */
+        r = dns_query_process_cname(q);
+        if (r == -ELOOP) {
+                r = sd_bus_reply_method_errorf(q->request, BUS_ERROR_CNAME_LOOP, "CNAME loop detected, or CNAME resolving disabled on '%s'", dns_question_name(q->question));
+                goto finish;
+        }
+        if (r < 0)
+                goto finish;
+        if (r > 0) /* This was a cname, and the query was restarted. */
+                return;
 
         r = sd_bus_message_new_method_return(q->request, &reply);
         if (r < 0)
@@ -1011,7 +1019,6 @@ finish:
 }
 
 static int bus_method_resolve_service(sd_bus_message *message, void *userdata, sd_bus_error *error) {
-        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
         _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
         const char *name, *type, *domain, *joined;
         _cleanup_free_ char *n = NULL;
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index 472486777c..4b6b6afae8 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1746,12 +1746,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
                 if (r < 0)
                         goto fail;
 
-                /* The types bitmap must contain at least the NSEC record itself, so an empty bitmap means
-                   something went wrong */
-                if (bitmap_isclear(rr->nsec.types)) {
-                        r = -EBADMSG;
-                        goto fail;
-                }
+                /* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself
+                 * is redundant and in e.g., RFC4956 this fact is used to define a use for NSEC records
+                 * without the NSEC bit set. */
 
                 break;