summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--test/knot-data/knot.conf3
-rw-r--r--test/knot-data/zones/onlinesign.test.zone15
-rw-r--r--test/knot-data/zones/root.zone8
-rw-r--r--test/knot-data/zones/signed.test.zone23
-rw-r--r--test/knot-data/zones/test.zone12
-rw-r--r--test/knot-data/zones/unsigned.test.zone12
-rw-r--r--test/knot-data/zones/untrusted.test.zone11
-rwxr-xr-xtest/units/testsuite-75.sh135
8 files changed, 169 insertions, 50 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
index e3de69d0f4..6ea0cca3db 100644
--- a/test/knot-data/knot.conf
+++ b/test/knot-data/knot.conf
@@ -4,6 +4,7 @@ server:
rundir: "/run/knot"
user: knot:knot
listen: 10.0.0.1@53
+ listen: fd00:dead:beef:cafe::1@53
log:
- target: syslog
@@ -15,11 +16,13 @@ database:
acl:
- id: update_acl
address: 10.0.0.0/24
+ address: fd00:dead:beef:cafe::/64
action: update
remote:
- id: parent_zone_server
address: 10.0.0.1@53
+ address: fd00:dead:beef:cafe::1@53
submission:
- id: parent_zone_sbm
diff --git a/test/knot-data/zones/onlinesign.test.zone b/test/knot-data/zones/onlinesign.test.zone
index c12c6b3396..c8662fa3ed 100644
--- a/test/knot-data/zones/onlinesign.test.zone
+++ b/test/knot-data/zones/onlinesign.test.zone
@@ -11,12 +11,17 @@ $ORIGIN onlinesign.test.
)
; NS info
- NS ns1.unsigned.test.
+ NS ns1.unsigned.test.
- TXT "hello from onlinesign"
+ TXT "hello from onlinesign"
-*.wild TXT "this is an onlinesign wildcard"
+*.wild TXT "this is an onlinesign wildcard"
; No A/AAAA record for the $ORIGIN
-sub A 10.0.0.133
-secondsub A 10.0.0.134
+sub A 10.0.0.133
+secondsub A 10.0.0.134
+
+dual A 10.0.0.135
+dual AAAA fd00:dead:beef:cafe::135
+
+ipv6 AAAA fd00:dead:beef:cafe::136
diff --git a/test/knot-data/zones/root.zone b/test/knot-data/zones/root.zone
index 72439fdc55..f601e8676d 100644
--- a/test/knot-data/zones/root.zone
+++ b/test/knot-data/zones/root.zone
@@ -8,7 +8,9 @@ $TTL 300
1D ; minimum TTL
)
-. NS ns1.unsigned.test
-ns1.unsigned.test A 10.0.0.1
+. NS ns1.unsigned.test
+; NS glue records
+ns1.unsigned.test A 10.0.0.1
+ns1.unsigned.test AAAA fd00:dead:beef:cafe::1
-test NS ns1.unsigned.test
+test NS ns1.unsigned.test
diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone
index 38d8e2aa13..fa6706205a 100644
--- a/test/knot-data/zones/signed.test.zone
+++ b/test/knot-data/zones/signed.test.zone
@@ -11,18 +11,27 @@ $ORIGIN signed.test.
)
; NS info
- NS ns1.unsigned.test.
+ NS ns1.unsigned.test.
-*.wild TXT "this is a wildcard"
+*.wild TXT "this is a wildcard"
-@ MX 10 mail.signed.test.
+@ MX 10 mail.signed.test.
- A 10.0.0.10
-mail A 10.0.0.11
+ A 10.0.0.10
+mail A 10.0.0.11
+mail AAAA fd00:dead:beef:cafe::11
; https://github.com/systemd/systemd/issues/22002
-dupe A 10.0.0.12
-dupe A 10.0.0.13
+dupe A 10.0.0.12
+dupe A 10.0.0.13
+dupe-ipv6 AAAA fd00:dead:beef:cafe::12
+dupe-ipv6 AAAA fd00:dead:beef:cafe::13
+dupe-mixed A 10.0.0.15
+dupe-mixed A 10.0.0.16
+dupe-mixed A 10.0.0.17
+dupe-mixed AAAA fd00:dead:beef:cafe::15
+dupe-mixed AAAA fd00:dead:beef:cafe::16
+dupe-mixed AAAA fd00:dead:beef:cafe::17
; CNAME_REDIRECTS_MAX is 16, so let's test something close to that
cname-chain CNAME follow1.signed.test.
diff --git a/test/knot-data/zones/test.zone b/test/knot-data/zones/test.zone
index 6cc2633082..ba5fcebc2d 100644
--- a/test/knot-data/zones/test.zone
+++ b/test/knot-data/zones/test.zone
@@ -11,9 +11,11 @@ $ORIGIN test.
)
; NS info
-@ NS ns1.unsigned
-ns1.signed A 10.0.0.1
+@ NS ns1.unsigned
+; NS glue records
+ns1.unsigned A 10.0.0.1
+ns1.unsigned AAAA fd00:dead:beef:cafe::1
-onlinesign NS ns1.unsigned
-signed NS ns1.unsigned
-unsigned NS ns1.unsigned
+onlinesign NS ns1.unsigned
+signed NS ns1.unsigned
+unsigned NS ns1.unsigned
diff --git a/test/knot-data/zones/unsigned.test.zone b/test/knot-data/zones/unsigned.test.zone
index 87d9437e2c..c5445d7672 100644
--- a/test/knot-data/zones/unsigned.test.zone
+++ b/test/knot-data/zones/unsigned.test.zone
@@ -11,10 +11,12 @@ $ORIGIN unsigned.test.
)
; NS info
-@ NS ns1.unsigned.test.
-ns1 A 10.0.0.1
+@ NS ns1
+ns1 A 10.0.0.1
+ns1 AAAA fd00:dead:beef:cafe::1
-@ MX 15 mail.unsigned.test.
+@ MX 15 mail.unsigned.test.
- A 10.0.0.101
-mail A 10.0.0.111
+ A 10.0.0.101
+ AAAA fd00:dead:beef:cafe::101
+mail A 10.0.0.111
diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone
index 6d29bd77fe..cf0dec5296 100644
--- a/test/knot-data/zones/untrusted.test.zone
+++ b/test/knot-data/zones/untrusted.test.zone
@@ -11,11 +11,12 @@ $ORIGIN untrusted.test.
)
; NS info
-@ NS ns1.unsigned.test.
+@ NS ns1.unsigned.test.
-*.wild TXT "this is an untrusted wildcard"
+*.wild TXT "this is an untrusted wildcard"
-@ MX 10 mail.untrusted.test.
+@ MX 10 mail.untrusted.test.
- A 10.0.0.121
-mail A 10.0.0.121
+ A 10.0.0.121
+ AAAA fd00:dead:beef:cafe::121
+mail A 10.0.0.122
diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh
index 852caac605..76b8f5b3c7 100755
--- a/test/units/testsuite-75.sh
+++ b/test/units/testsuite-75.sh
@@ -2,6 +2,12 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# vi: ts=4 sw=4 tw=0 et:
+# TODO:
+# - IPv6-only stack
+# - mDNS
+# - LLMNR
+# - DoT/DoH
+
set -eux
set -o pipefail
@@ -16,6 +22,15 @@ run() {
"$@" |& tee "$RUN_OUT"
}
+disable_ipv6() {
+ sysctl -w net.ipv6.conf.all.disable_ipv6=1
+}
+
+enable_ipv6() {
+ sysctl -w net.ipv6.conf.all.disable_ipv6=0
+ networkctl reconfigure dns0
+}
+
monitor_check_rr() (
set +x
set +o pipefail
@@ -146,7 +161,10 @@ ip link del hoge.foo
### SETUP ###
# Configure network
hostnamectl hostname ns1.unsigned.test
-echo "10.0.0.1 ns1.unsigned.test" >>/etc/hosts
+{
+ echo "10.0.0.1 ns1.unsigned.test"
+ echo "fd00:dead:beef:cafe::1 ns1.unsigned.test"
+} >>/etc/hosts
mkdir -p /etc/systemd/network
cat >/etc/systemd/network/dns0.netdev <<EOF
@@ -160,10 +178,17 @@ Name=dns0
[Network]
Address=10.0.0.1/24
+Address=fd00:dead:beef:cafe::1/64
DNSSEC=allow-downgrade
DNS=10.0.0.1
+DNS=fd00:dead:beef:cafe::1
EOF
+DNS_ADDRESSES=(
+ "10.0.0.1"
+ "fd00:dead:beef:cafe::1"
+)
+
mkdir -p /run/systemd/resolved.conf.d
{
echo "[Resolve]"
@@ -214,6 +239,10 @@ resolvectl log-level debug
# Start monitoring queries
systemd-run -u resmontest.service -p Type=notify resolvectl monitor
+# Check if all the zones are valid (zone-check always returns 0, so let's check
+# if it produces any errors/warnings)
+run knotc zone-check
+[[ ! -s "$RUN_OUT" ]]
# We need to manually propagate the DS records of onlinesign.test. to the parent
# zone, since they're generated online
knotc zone-begin test.
@@ -234,9 +263,19 @@ knotc reload
: "--- nss-resolve/nss-myhostname tests"
# Sanity check
TIMESTAMP=$(date '+%F %T')
+# Issue: https://github.com/systemd/systemd/issues/23951
+# With IPv6 enabled
run getent -s resolve hosts ns1.unsigned.test
-grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
-monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
+grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT"
+monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"
+# With IPv6 disabled
+# Issue: https://github.com/systemd/systemd/issues/23951
+# FIXME
+#disable_ipv6
+#run getent -s resolve hosts ns1.unsigned.test
+#grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
+#monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
+enable_ipv6
# Issue: https://github.com/systemd/systemd/issues/18812
# PR: https://github.com/systemd/systemd/pull/18896
@@ -248,13 +287,12 @@ grep -qE "^::1\s+localhost" "$RUN_OUT"
run getent -s myhostname hosts localhost
grep -qE "^::1\s+localhost" "$RUN_OUT"
# With IPv6 disabled
-sysctl -w net.ipv6.conf.all.disable_ipv6=1
+disable_ipv6
run getent -s resolve hosts localhost
grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
run getent -s myhostname hosts localhost
grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
-sysctl -w net.ipv6.conf.all.disable_ipv6=0
-
+enable_ipv6
: "--- Basic resolved tests ---"
# Issue: https://github.com/systemd/systemd/issues/22229
@@ -280,12 +318,14 @@ grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"
: "--- ZONE: unsigned.test. ---"
-run dig @10.0.0.1 +short unsigned.test
+run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA
grep -qF "10.0.0.101" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
run resolvectl query unsigned.test
-grep -qF "unsigned.test: 10.0.0.10" "$RUN_OUT"
+grep -qF "10.0.0.10" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
grep -qF "authenticated: no" "$RUN_OUT"
-run dig @10.0.0.1 +short MX unsigned.test
+run dig @ns1.unsigned.test +short MX unsigned.test
grep -qF "15 mail.unsigned.test." "$RUN_OUT"
run resolvectl query --legend=no -t MX unsigned.test
grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
@@ -295,17 +335,28 @@ grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
# Check the trust chain (with and without systemd-resolved in between
# Issue: https://github.com/systemd/systemd/issues/22002
# PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 signed.test
+run delv @ns1.unsigned.test signed.test
grep -qF "; fully validated" "$RUN_OUT"
run delv signed.test
grep -qF "; fully validated" "$RUN_OUT"
+for addr in "${DNS_ADDRESSES[@]}"; do
+ run delv "@$addr" -t A mail.signed.test
+ grep -qF "; fully validated" "$RUN_OUT"
+ run delv "@$addr" -t AAAA mail.signed.test
+ grep -qF "; fully validated" "$RUN_OUT"
+done
+run resolvectl query mail.signed.test
+grep -qF "10.0.0.11" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+
run dig +short signed.test
grep -qF "10.0.0.10" "$RUN_OUT"
run resolvectl query signed.test
grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
-run dig @10.0.0.1 +short MX signed.test
+run dig @ns1.unsigned.test +short MX signed.test
grep -qF "10 mail.signed.test." "$RUN_OUT"
run resolvectl query --legend=no -t MX signed.test
grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"
@@ -320,10 +371,30 @@ grep -qF "authenticated: yes" "$RUN_OUT"
# DNSSEC validation with multiple records of the same type for the same name
# Issue: https://github.com/systemd/systemd/issues/22002
# PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 dupe.signed.test
-grep -qF "; fully validated" "$RUN_OUT"
-run delv dupe.signed.test
-grep -qF "; fully validated" "$RUN_OUT"
+check_domain() {
+ local domain="${1:?}"
+ local record="${2:?}"
+ local message="${3:?}"
+ local addr
+
+ for addr in "${DNS_ADDRESSES[@]}"; do
+ run delv "@$addr" -t "$record" "$domain"
+ grep -qF "$message" "$RUN_OUT"
+ done
+
+ run delv -t "$record" "$domain"
+ grep -qF "$message" "$RUN_OUT"
+
+ run resolvectl query "$domain"
+ grep -qF "authenticated: yes" "$RUN_OUT"
+}
+
+check_domain "dupe.signed.test" "A" "; fully validated"
+check_domain "dupe.signed.test" "AAAA" "; negative response, fully validated"
+check_domain "dupe-ipv6.signed.test" "AAAA" "; fully validated"
+check_domain "dupe-ipv6.signed.test" "A" "; negative response, fully validated"
+check_domain "dupe-mixed.signed.test" "A" "; fully validated"
+check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated"
# Test resolution of CNAME chains
TIMESTAMP=$(date '+%F %T')
@@ -347,7 +418,7 @@ grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
# Check the trust chain (with and without systemd-resolved in between
# Issue: https://github.com/systemd/systemd/issues/22002
# PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 sub.onlinesign.test
+run delv @ns1.unsigned.test sub.onlinesign.test
grep -qF "; fully validated" "$RUN_OUT"
run delv sub.onlinesign.test
grep -qF "; fully validated" "$RUN_OUT"
@@ -357,10 +428,27 @@ grep -qF "10.0.0.133" "$RUN_OUT"
run resolvectl query sub.onlinesign.test
grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
-run dig @10.0.0.1 +short TXT onlinesign.test
+run dig @ns1.unsigned.test +short TXT onlinesign.test
grep -qF '"hello from onlinesign"' "$RUN_OUT"
run resolvectl query --legend=no -t TXT onlinesign.test
grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"
+
+for addr in "${DNS_ADDRESSES[@]}"; do
+ run delv "@$addr" -t A dual.onlinesign.test
+ grep -qF "10.0.0.135" "$RUN_OUT"
+ run delv "@$addr" -t AAAA dual.onlinesign.test
+ grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
+ run delv "@$addr" -t ANY ipv6.onlinesign.test
+ grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
+done
+run resolvectl query dual.onlinesign.test
+grep -qF "10.0.0.135" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+run resolvectl query ipv6.onlinesign.test
+grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+
# Check a non-existent domain
# Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the
# different response than with "standard" DNSSEC
@@ -378,11 +466,18 @@ run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedeskt
grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"
+
: "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
-run dig +short untrusted.test
-grep -qF "10.0.0.121" "$RUN_OUT"
+# Issue: https://github.com/systemd/systemd/issues/23955
+# FIXME
+resolvectl flush-caches
+#run dig +short untrusted.test A untrusted.test AAAA
+#grep -qF "10.0.0.121" "$RUN_OUT"
+#grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
run resolvectl query untrusted.test
-grep -qF "untrusted.test: 10.0.0.121" "$RUN_OUT"
+grep -qF "untrusted.test:" "$RUN_OUT"
+grep -qF "10.0.0.121" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
grep -qF "authenticated: no" "$RUN_OUT"
# Issue: https://github.com/systemd/systemd/issues/19472