author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-12-20 14:16:44 +0100 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-12-21 02:28:52 +0900 |
commit | 8ef114c692846b0a801807a087ee65a1c7c6c7c3 (patch) | |
tree | ddd24eda454e89989161c2a5be62a092570ceec1 | |
parent | 616779c345757fb7213cff12fb541db4c3b397b8 (diff) | |
download | systemd-8ef114c692846b0a801807a087ee65a1c7c6c7c3.tar.gz |
nss-resolve: expose various source-disablement settings as variables
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2006761:
> systemd-resolved always (reverse)-resolves the host's IP addresses and FQDN.
> This can be harmful when an application (for instance, a DNS zone manager) is
> installed on the same server instance. That application would expect
> NXDOMAIN to be returned if the current server's IP does not belong in an
> already managed reverse zone.
This allows clients of nss-resolve to use the same config options that are
available through the dbus api and as command-line options to resolvectl.
The man page text is mostly copied directly from
c6f20515ab600098b5c2871bae2e9ecab3b41555.
-rw-r--r-- | man/nss-resolve.xml | 49 | ||||
-rw-r--r-- | src/nss-resolve/nss-resolve.c | 30 | ||||
-rw-r--r-- | src/test/test-nss-hosts.c | 5 |
3 files changed, 73 insertions, 11 deletions
diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
index 7d427b1a1a..061d0d74bb 100644
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@@ -76,6 +76,55 @@
 unreliable.</para></listitem>
 </varlistentry>
 </variablelist>
+
+ <variablelist class='environment-variables'>
+ <varlistentry>
+ <term><varname>$SYSTEMD_NSS_RESOLVE_SYNTHESIZE</varname></term>
+
+ <listitem><para>Takes a boolean argument. When false, synthetic records, e.g. for the local host
+ name, will not be returned. See section SYNTHETIC RECORDS in
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for more information. This may be useful to query the "public" resource records, independent of the
+ configuration of the local machine.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <variablelist class='environment-variables'>
+ <varlistentry>
+ <term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>
+
+ <listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
+ not be used by <filename>systemd-resolved</filename>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <variablelist class='environment-variables'>
+ <varlistentry>
+ <term><varname>$SYSTEMD_NSS_RESOLVE_ZONE</varname></term>
+
+ <listitem><para>Takes a boolean argument. When false, answers using locally registered public
+ LLMNR/mDNS resource records will not be returned.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <variablelist class='environment-variables'>
+ <varlistentry>
+ <term><varname>$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR</varname></term>
+
+ <listitem><para>Takes a boolean argument. When false, answers using locally configured trust anchors
+ will not be used.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <variablelist class='environment-variables'>
+ <varlistentry>
+ <term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>
+
+ <listitem><para>Takes a boolean argument. When false, answers will be returned without using the
+ network, i.e. either from local sources or the cache in <filename>systemd-resolved</filename>.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
 </refsect1>
 
 <refsect1>
diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c
index 951d141f35..6b0c762d03 100644
--- a/src/nss-resolve/nss-resolve.c
+++ b/src/nss-resolve/nss-resolve.c
@@ -198,19 +198,29 @@ static const JsonDispatch address_parameters_dispatch_table[] = {
 {}
 };
 
-static uint64_t query_flags(void) {
- uint64_t f = 0;
+static uint64_t query_flag(
+ const char *name,
+ const int value,
+ uint64_t flag) {
 int r;
 
- /* Allow callers to turn off validation, when we resolve via nss-resolve */
-
- r = getenv_bool_secure("SYSTEMD_NSS_RESOLVE_VALIDATE");
- if (r < 0 && r != -ENXIO)
- log_debug_errno(r, "Failed to parse $SYSTEMD_NSS_RESOLVE_VALIDATE value, ignoring.");
- else if (r == 0)
- f |= SD_RESOLVED_NO_VALIDATE;
+ r = getenv_bool_secure(name);
+ if (r >= 0)
+ return r == value ? flag : 0;
+ if (r != -ENXIO)
+ log_debug_errno(r, "Failed to parse $%s, ignoring.", name);
+ return 0;
+}
 
- return f;
+static uint64_t query_flags(void) {
+ /* Allow callers to turn off validation, synthetization, caching, etc., when we resolve via
+ * nss-resolve. */
+ return query_flag("SYSTEMD_NSS_RESOLVE_VALIDATE", 0, SD_RESOLVED_NO_VALIDATE) |
+ query_flag("SYSTEMD_NSS_RESOLVE_SYNTHESIZE", 0, SD_RESOLVED_NO_SYNTHESIZE) |
+ query_flag("SYSTEMD_NSS_RESOLVE_CACHE", 0, SD_RESOLVED_NO_CACHE) |
+ query_flag("SYSTEMD_NSS_RESOLVE_ZONE", 0, SD_RESOLVED_NO_ZONE) |
+ query_flag("SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR", 0, SD_RESOLVED_NO_TRUST_ANCHOR) |
+ query_flag("SYSTEMD_NSS_RESOLVE_NETWORK", 0, SD_RESOLVED_NO_NETWORK);
 }
 
 enum nss_status _nss_resolve_gethostbyname4_r(
diff --git a/src/test/test-nss-hosts.c b/src/test/test-nss-hosts.c
index 01cbff9b83..eac2c74f4c 100644
--- a/src/test/test-nss-hosts.c
+++ b/src/test/test-nss-hosts.c
@@ -7,6 +7,7 @@
 #include "af-list.h"
 #include "alloc-util.h"
 #include "dlfcn-util.h"
+#include "env-util.h"
 #include "errno-list.h"
 #include "format-util.h"
 #include "hexdecoct.h"
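Review bot: `query_flag()` is the helper every entry in `query_flags()` now goes through, yet it carries no comment stating its contract, and the three outcomes — variable unset (-ENXIO, silent), variable malformed (logged at debug level, treated as unset), and variable set to a value other than `value` — are only discoverable by reading the branches. A header such as `/* Returns 'flag' if $name parses as a boolean equal to 'value'; returns 0 if it is unset, parses to a different value, or is malformed (the last case is logged at debug level only). */` would make that explicit. Every call site passes `0` for `value`, so the parameter currently adds generality that nothing uses; if it is kept, the comment could note that each flag is a "no-X" bit enabled by a false setting. Since the lookup goes through getenv_bool_secure(), presumably built on secure_getenv(), it would also be worth stating that these variables are not honoured in secure-execution (AT_SECURE) processes — confirm against env-util before writing that down.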
@@ -135,7 +136,9 @@ static void test_gethostbyname4_r(void *handle, const char *module, const char *
 if (STR_IN_SET(module, "resolve", "mymachines") && status == NSS_STATUS_UNAVAIL)
 return;
 
- if (STR_IN_SET(module, "myhostname", "resolve") && streq(name, "localhost")) {
+ if (STR_IN_SET(module, "myhostname", "resolve") &&
+ streq(name, "localhost") &&
+ getenv_bool_secure("SYSTEMD_NSS_RESOLVE_SYNTHESIZE") != 0) {
 assert_se(status == NSS_STATUS_SUCCESS);
 assert_se(n == 2);
 }
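Review bot: The new `getenv_bool_secure("SYSTEMD_NSS_RESOLVE_SYNTHESIZE") != 0` conjunct also gates the "myhostname" module, which presumably does not consult a nss-resolve variable, so running the test with that variable set to 0 silently drops the localhost assertions for nss-myhostname as well. Restricting the environment check to the "resolve" module keeps the myhostname coverage, e.g. the third conjunct becomes `(streq(module, "myhostname") || getenv_bool_secure("SYSTEMD_NSS_RESOLVE_SYNTHESIZE") != 0)`. A negative return (unset or unparsable) also satisfies `!= 0`, which matches nss-resolve ignoring invalid values and still synthesizing; a short comment such as `/* only a parsed "false" disables synthesis, mirroring query_flag() */` would record that intent. test_gethostbyname4_r() begins and ends outside this hunk.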