diff options
-rw-r--r-- | test/knot-data/knot.conf | 3 | ||||
-rw-r--r-- | test/knot-data/zones/onlinesign.test.zone | 15 | ||||
-rw-r--r-- | test/knot-data/zones/root.zone | 8 | ||||
-rw-r--r-- | test/knot-data/zones/signed.test.zone | 23 | ||||
-rw-r--r-- | test/knot-data/zones/test.zone | 12 | ||||
-rw-r--r-- | test/knot-data/zones/unsigned.test.zone | 12 | ||||
-rw-r--r-- | test/knot-data/zones/untrusted.test.zone | 11 | ||||
-rwxr-xr-x | test/units/testsuite-75.sh | 135 |
8 files changed, 169 insertions, 50 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf index e3de69d0f4..6ea0cca3db 100644 --- a/test/knot-data/knot.conf +++ b/test/knot-data/knot.conf @@ -4,6 +4,7 @@ server: rundir: "/run/knot" user: knot:knot listen: 10.0.0.1@53 + listen: fd00:dead:beef:cafe::1@53 log: - target: syslog @@ -15,11 +16,13 @@ database: acl: - id: update_acl address: 10.0.0.0/24 + address: fd00:dead:beef:cafe::/64 action: update remote: - id: parent_zone_server address: 10.0.0.1@53 + address: fd00:dead:beef:cafe::1@53 submission: - id: parent_zone_sbm diff --git a/test/knot-data/zones/onlinesign.test.zone b/test/knot-data/zones/onlinesign.test.zone index c12c6b3396..c8662fa3ed 100644 --- a/test/knot-data/zones/onlinesign.test.zone +++ b/test/knot-data/zones/onlinesign.test.zone @@ -11,12 +11,17 @@ $ORIGIN onlinesign.test. ) ; NS info - NS ns1.unsigned.test. + NS ns1.unsigned.test. - TXT "hello from onlinesign" + TXT "hello from onlinesign" -*.wild TXT "this is an onlinesign wildcard" +*.wild TXT "this is an onlinesign wildcard" ; No A/AAAA record for the $ORIGIN -sub A 10.0.0.133 -secondsub A 10.0.0.134 +sub A 10.0.0.133 +secondsub A 10.0.0.134 + +dual A 10.0.0.135 +dual AAAA fd00:dead:beef:cafe::135 + +ipv6 AAAA fd00:dead:beef:cafe::136 diff --git a/test/knot-data/zones/root.zone b/test/knot-data/zones/root.zone index 72439fdc55..f601e8676d 100644 --- a/test/knot-data/zones/root.zone +++ b/test/knot-data/zones/root.zone @@ -8,7 +8,9 @@ $TTL 300 1D ; minimum TTL ) -. NS ns1.unsigned.test -ns1.unsigned.test A 10.0.0.1 +. NS ns1.unsigned.test +; NS glue records +ns1.unsigned.test A 10.0.0.1 +ns1.unsigned.test AAAA fd00:dead:beef:cafe::1 -test NS ns1.unsigned.test +test NS ns1.unsigned.test diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone index 38d8e2aa13..fa6706205a 100644 --- a/test/knot-data/zones/signed.test.zone +++ b/test/knot-data/zones/signed.test.zone @@ -11,18 +11,27 @@ $ORIGIN signed.test. ) ; NS info - NS ns1.unsigned.test. + NS ns1.unsigned.test. -*.wild TXT "this is a wildcard" +*.wild TXT "this is a wildcard" -@ MX 10 mail.signed.test. +@ MX 10 mail.signed.test. - A 10.0.0.10 -mail A 10.0.0.11 + A 10.0.0.10 +mail A 10.0.0.11 +mail AAAA fd00:dead:beef:cafe::11 ; https://github.com/systemd/systemd/issues/22002 -dupe A 10.0.0.12 -dupe A 10.0.0.13 +dupe A 10.0.0.12 +dupe A 10.0.0.13 +dupe-ipv6 AAAA fd00:dead:beef:cafe::12 +dupe-ipv6 AAAA fd00:dead:beef:cafe::13 +dupe-mixed A 10.0.0.15 +dupe-mixed A 10.0.0.16 +dupe-mixed A 10.0.0.17 +dupe-mixed AAAA fd00:dead:beef:cafe::15 +dupe-mixed AAAA fd00:dead:beef:cafe::16 +dupe-mixed AAAA fd00:dead:beef:cafe::17 ; CNAME_REDIRECTS_MAX is 16, so let's test something close to that cname-chain CNAME follow1.signed.test. diff --git a/test/knot-data/zones/test.zone b/test/knot-data/zones/test.zone index 6cc2633082..ba5fcebc2d 100644 --- a/test/knot-data/zones/test.zone +++ b/test/knot-data/zones/test.zone @@ -11,9 +11,11 @@ $ORIGIN test. ) ; NS info -@ NS ns1.unsigned -ns1.signed A 10.0.0.1 +@ NS ns1.unsigned +; NS glue records +ns1.unsigned A 10.0.0.1 +ns1.unsigned AAAA fd00:dead:beef:cafe::1 -onlinesign NS ns1.unsigned -signed NS ns1.unsigned -unsigned NS ns1.unsigned +onlinesign NS ns1.unsigned +signed NS ns1.unsigned +unsigned NS ns1.unsigned diff --git a/test/knot-data/zones/unsigned.test.zone b/test/knot-data/zones/unsigned.test.zone index 87d9437e2c..c5445d7672 100644 --- a/test/knot-data/zones/unsigned.test.zone +++ b/test/knot-data/zones/unsigned.test.zone @@ -11,10 +11,12 @@ $ORIGIN unsigned.test. ) ; NS info -@ NS ns1.unsigned.test. -ns1 A 10.0.0.1 +@ NS ns1 +ns1 A 10.0.0.1 +ns1 AAAA fd00:dead:beef:cafe::1 -@ MX 15 mail.unsigned.test. +@ MX 15 mail.unsigned.test. - A 10.0.0.101 -mail A 10.0.0.111 + A 10.0.0.101 + AAAA fd00:dead:beef:cafe::101 +mail A 10.0.0.111 diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone index 6d29bd77fe..cf0dec5296 100644 --- a/test/knot-data/zones/untrusted.test.zone +++ b/test/knot-data/zones/untrusted.test.zone @@ -11,11 +11,12 @@ $ORIGIN untrusted.test. ) ; NS info -@ NS ns1.unsigned.test. +@ NS ns1.unsigned.test. -*.wild TXT "this is an untrusted wildcard" +*.wild TXT "this is an untrusted wildcard" -@ MX 10 mail.untrusted.test. +@ MX 10 mail.untrusted.test. - A 10.0.0.121 -mail A 10.0.0.121 + A 10.0.0.121 + AAAA fd00:dead:beef:cafe::121 +mail A 10.0.0.122 diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh index 852caac605..76b8f5b3c7 100755 --- a/test/units/testsuite-75.sh +++ b/test/units/testsuite-75.sh @@ -2,6 +2,12 @@ # SPDX-License-Identifier: LGPL-2.1-or-later # vi: ts=4 sw=4 tw=0 et: +# TODO: +# - IPv6-only stack +# - mDNS +# - LLMNR +# - DoT/DoH + set -eux set -o pipefail @@ -16,6 +22,15 @@ run() { "$@" |& tee "$RUN_OUT" } +disable_ipv6() { + sysctl -w net.ipv6.conf.all.disable_ipv6=1 +} + +enable_ipv6() { + sysctl -w net.ipv6.conf.all.disable_ipv6=0 + networkctl reconfigure dns0 +} + monitor_check_rr() ( set +x set +o pipefail @@ -146,7 +161,10 @@ ip link del hoge.foo ### SETUP ### # Configure network hostnamectl hostname ns1.unsigned.test -echo "10.0.0.1 ns1.unsigned.test" >>/etc/hosts +{ + echo "10.0.0.1 ns1.unsigned.test" + echo "fd00:dead:beef:cafe::1 ns1.unsigned.test" +} >>/etc/hosts mkdir -p /etc/systemd/network cat >/etc/systemd/network/dns0.netdev <<EOF @@ -160,10 +178,17 @@ Name=dns0 [Network] Address=10.0.0.1/24 +Address=fd00:dead:beef:cafe::1/64 DNSSEC=allow-downgrade DNS=10.0.0.1 +DNS=fd00:dead:beef:cafe::1 EOF +DNS_ADDRESSES=( + "10.0.0.1" + "fd00:dead:beef:cafe::1" +) + mkdir -p /run/systemd/resolved.conf.d { echo "[Resolve]" @@ -214,6 +239,10 @@ resolvectl log-level debug # Start monitoring queries systemd-run -u resmontest.service -p Type=notify resolvectl monitor +# Check if all the zones are valid (zone-check always returns 0, so let's check +# if it produces any errors/warnings) +run knotc zone-check +[[ ! -s "$RUN_OUT" ]] # We need to manually propagate the DS records of onlinesign.test. to the parent # zone, since they're generated online knotc zone-begin test. @@ -234,9 +263,19 @@ knotc reload : "--- nss-resolve/nss-myhostname tests" # Sanity check TIMESTAMP=$(date '+%F %T') +# Issue: https://github.com/systemd/systemd/issues/23951 +# With IPv6 enabled run getent -s resolve hosts ns1.unsigned.test -grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT" -monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1" +grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT" +monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1" +# With IPv6 disabled +# Issue: https://github.com/systemd/systemd/issues/23951 +# FIXME +#disable_ipv6 +#run getent -s resolve hosts ns1.unsigned.test +#grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT" +#monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1" +enable_ipv6 # Issue: https://github.com/systemd/systemd/issues/18812 # PR: https://github.com/systemd/systemd/pull/18896 @@ -248,13 +287,12 @@ grep -qE "^::1\s+localhost" "$RUN_OUT" run getent -s myhostname hosts localhost grep -qE "^::1\s+localhost" "$RUN_OUT" # With IPv6 disabled -sysctl -w net.ipv6.conf.all.disable_ipv6=1 +disable_ipv6 run getent -s resolve hosts localhost grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT" run getent -s myhostname hosts localhost grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT" -sysctl -w net.ipv6.conf.all.disable_ipv6=0 - +enable_ipv6 : "--- Basic resolved tests ---" # Issue: https://github.com/systemd/systemd/issues/22229 @@ -280,12 +318,14 @@ grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT" : "--- ZONE: unsigned.test. ---" -run dig @10.0.0.1 +short unsigned.test +run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA grep -qF "10.0.0.101" "$RUN_OUT" +grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT" run resolvectl query unsigned.test -grep -qF "unsigned.test: 10.0.0.10" "$RUN_OUT" +grep -qF "10.0.0.10" "$RUN_OUT" +grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT" grep -qF "authenticated: no" "$RUN_OUT" -run dig @10.0.0.1 +short MX unsigned.test +run dig @ns1.unsigned.test +short MX unsigned.test grep -qF "15 mail.unsigned.test." "$RUN_OUT" run resolvectl query --legend=no -t MX unsigned.test grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT" @@ -295,17 +335,28 @@ grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT" # Check the trust chain (with and without systemd-resolved in between # Issue: https://github.com/systemd/systemd/issues/22002 # PR: https://github.com/systemd/systemd/pull/23289 -run delv @10.0.0.1 signed.test +run delv @ns1.unsigned.test signed.test grep -qF "; fully validated" "$RUN_OUT" run delv signed.test grep -qF "; fully validated" "$RUN_OUT" +for addr in "${DNS_ADDRESSES[@]}"; do + run delv "@$addr" -t A mail.signed.test + grep -qF "; fully validated" "$RUN_OUT" + run delv "@$addr" -t AAAA mail.signed.test + grep -qF "; fully validated" "$RUN_OUT" +done +run resolvectl query mail.signed.test +grep -qF "10.0.0.11" "$RUN_OUT" +grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT" +grep -qF "authenticated: yes" "$RUN_OUT" + run dig +short signed.test grep -qF "10.0.0.10" "$RUN_OUT" run resolvectl query signed.test grep -qF "signed.test: 10.0.0.10" "$RUN_OUT" grep -qF "authenticated: yes" "$RUN_OUT" -run dig @10.0.0.1 +short MX signed.test +run dig @ns1.unsigned.test +short MX signed.test grep -qF "10 mail.signed.test." "$RUN_OUT" run resolvectl query --legend=no -t MX signed.test grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT" @@ -320,10 +371,30 @@ grep -qF "authenticated: yes" "$RUN_OUT" # DNSSEC validation with multiple records of the same type for the same name # Issue: https://github.com/systemd/systemd/issues/22002 # PR: https://github.com/systemd/systemd/pull/23289 -run delv @10.0.0.1 dupe.signed.test -grep -qF "; fully validated" "$RUN_OUT" -run delv dupe.signed.test -grep -qF "; fully validated" "$RUN_OUT" +check_domain() { + local domain="${1:?}" + local record="${2:?}" + local message="${3:?}" + local addr + + for addr in "${DNS_ADDRESSES[@]}"; do + run delv "@$addr" -t "$record" "$domain" + grep -qF "$message" "$RUN_OUT" + done + + run delv -t "$record" "$domain" + grep -qF "$message" "$RUN_OUT" + + run resolvectl query "$domain" + grep -qF "authenticated: yes" "$RUN_OUT" +} + +check_domain "dupe.signed.test" "A" "; fully validated" +check_domain "dupe.signed.test" "AAAA" "; negative response, fully validated" +check_domain "dupe-ipv6.signed.test" "AAAA" "; fully validated" +check_domain "dupe-ipv6.signed.test" "A" "; negative response, fully validated" +check_domain "dupe-mixed.signed.test" "A" "; fully validated" +check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated" # Test resolution of CNAME chains TIMESTAMP=$(date '+%F %T') @@ -347,7 +418,7 @@ grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT" # Check the trust chain (with and without systemd-resolved in between # Issue: https://github.com/systemd/systemd/issues/22002 # PR: https://github.com/systemd/systemd/pull/23289 -run delv @10.0.0.1 sub.onlinesign.test +run delv @ns1.unsigned.test sub.onlinesign.test grep -qF "; fully validated" "$RUN_OUT" run delv sub.onlinesign.test grep -qF "; fully validated" "$RUN_OUT" @@ -357,10 +428,27 @@ grep -qF "10.0.0.133" "$RUN_OUT" run resolvectl query sub.onlinesign.test grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT" grep -qF "authenticated: yes" "$RUN_OUT" -run dig @10.0.0.1 +short TXT onlinesign.test +run dig @ns1.unsigned.test +short TXT onlinesign.test grep -qF '"hello from onlinesign"' "$RUN_OUT" run resolvectl query --legend=no -t TXT onlinesign.test grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT" + +for addr in "${DNS_ADDRESSES[@]}"; do + run delv "@$addr" -t A dual.onlinesign.test + grep -qF "10.0.0.135" "$RUN_OUT" + run delv "@$addr" -t AAAA dual.onlinesign.test + grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT" + run delv "@$addr" -t ANY ipv6.onlinesign.test + grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT" +done +run resolvectl query dual.onlinesign.test +grep -qF "10.0.0.135" "$RUN_OUT" +grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT" +grep -qF "authenticated: yes" "$RUN_OUT" +run resolvectl query ipv6.onlinesign.test +grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT" +grep -qF "authenticated: yes" "$RUN_OUT" + # Check a non-existent domain # Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the # different response than with "standard" DNSSEC @@ -378,11 +466,18 @@ run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedeskt grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT" monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134" + : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---" -run dig +short untrusted.test -grep -qF "10.0.0.121" "$RUN_OUT" +# Issue: https://github.com/systemd/systemd/issues/23955 +# FIXME +resolvectl flush-caches +#run dig +short untrusted.test A untrusted.test AAAA +#grep -qF "10.0.0.121" "$RUN_OUT" +#grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT" run resolvectl query untrusted.test -grep -qF "untrusted.test: 10.0.0.121" "$RUN_OUT" +grep -qF "untrusted.test:" "$RUN_OUT" +grep -qF "10.0.0.121" "$RUN_OUT" +grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT" grep -qF "authenticated: no" "$RUN_OUT" # Issue: https://github.com/systemd/systemd/issues/19472 |