authorSergey Bugaev <bugaevc@gmail.com>2021-02-13 17:09:09 +0300
committerSergey Bugaev <bugaevc@gmail.com>2021-02-22 14:51:29 +0300
commit4ad017cda57b04b9d65e7da962806cfcc50b5f0c (patch)
tree06eca76a3a415c73f0b21bae9a39bbb7faedc2fe /src
parentb332778b30d23193c792d5f5c5dcccd61f4a489c (diff)
resolved: set the AA bit for synthetic answers
The stub DNS server is authoritative for the RRs we synthesize, such as localhost, _gateway, and entries from /etc/hosts, and also for trust anchors. Partially fixes https://github.com/systemd/systemd/issues/17972
Diffstat (limited to 'src')
-rw-r--r--src/resolve/resolved-dns-query.c7
-rw-r--r--src/resolve/resolved-dns-query.h1
-rw-r--r--src/resolve/resolved-dns-stub.c5
3 files changed, 12 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index 1413afe3b9..7fb2e110e0 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -1140,3 +1140,10 @@ bool dns_query_fully_confidential(DnsQuery *q) {
return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential;
}
+
+bool dns_query_fully_synthetic(DnsQuery *q) {
+ assert(q);
+
+ return (q->answer_query_flags & (SD_RESOLVED_SYNTHETIC | SD_RESOLVED_FROM_TRUST_ANCHOR)) &&
+ !(q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~SD_RESOLVED_FROM_TRUST_ANCHOR);
+}
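Review bot: dns_query_fully_synthetic() consults only `q->answer_query_flags`, whereas dns_query_fully_confidential() directly above it also tests `q->previous_redirect_non_confidential`. If answer_query_flags describes only the final step of a CNAME/DNAME chain (not visible in this hunk, so to be confirmed), a lookup redirected through a non-synthetic upstream record that ends at a synthesized one would count as fully synthetic. The stub would then set AA on a reply carrying data it is not authoritative for, via the call added in dns_stub_send_reply. Consider tracking this across redirects in the same way, for example with a new field (proposed name `previous_redirect_non_synthetic`) tested here as `&& !q->previous_redirect_non_synthetic`. A short comment above the return, stating that the second clause rejects any SD_RESOLVED_FROM_* source other than the trust anchor, would also make the mask arithmetic easier to audit.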
diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h
index 4874aa0c17..ea296167b6 100644
--- a/src/resolve/resolved-dns-query.h
+++ b/src/resolve/resolved-dns-query.h
@@ -134,6 +134,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuery*, dns_query_free);
bool dns_query_fully_authenticated(DnsQuery *q);
bool dns_query_fully_confidential(DnsQuery *q);
+bool dns_query_fully_synthetic(DnsQuery *q);
static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) {
assert(q);
diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
index a40eeea655..02ac29dbb9 100644
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
@@ -428,6 +428,7 @@ static int dns_stub_finish_reply_packet(
uint16_t id,
int rcode,
bool tc, /* set the Truncated bit? */
+ bool aa, /* set the Authoritative Answer bit? */
bool add_opt, /* add an OPT RR to this packet? */
bool edns0_do, /* set the EDNS0 DNSSEC OK bit? */
bool ad, /* set the DNSSEC authenticated data bit? */
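Review bot: The new `aa` parameter sits in a run of adjacent positional `bool` parameters (tc, aa, add_opt, edns0_do, ad), so a transposed argument at a call site compiles silently and flips a different header bit in the reply. The call sites changed in the dns_stub_send_reply and dns_stub_send_failure hunks pass `dns_query_fully_synthetic(q)` and a bare `false` with no label. Annotating them the way the parameter list is annotated, e.g. `false, /* aa */`, would make each flag's position checkable in review. The parameter list of dns_stub_finish_reply_packet continues outside this hunk.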
@@ -466,7 +467,7 @@ static int dns_stub_finish_reply_packet(
DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
1 /* qr */,
0 /* opcode */,
- 0 /* aa */,
+ aa /* aa */,
tc /* tc */,
1 /* rd */,
1 /* ra */,
@@ -556,6 +557,7 @@ static int dns_stub_send_reply(
DNS_PACKET_ID(q->request_packet),
rcode,
truncated,
+ dns_query_fully_synthetic(q),
!!q->request_packet->opt,
edns0_do,
DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q),
@@ -596,6 +598,7 @@ static int dns_stub_send_failure(
DNS_PACKET_ID(p),
rcode,
truncated,
+ false,
!!p->opt,
DNS_PACKET_DO(p),
DNS_PACKET_AD(p) && authenticated,