system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-21 10:17:21 +00:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

test: cover IPv6 in the resolved test suite

Browse source
This commit is contained in:
Frantisek Sumsal 2022-07-08 13:36:03 +02:00
parent 2f03e5087e
commit 5c9111fe77
8 changed files with 169 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
test/knot-data/knot.conf
View file

@ -4,6 +4,7 @@ server:
rundir: "/run/knot"
user: knot:knot
listen: 10.0.0.1@53
listen: fd00:dead:beef:cafe::1@53
log:
- target: syslog
@ -15,11 +16,13 @@ database:
acl:
- id: update_acl
address: 10.0.0.0/24
address: fd00:dead:beef:cafe::/64
action: update
remote:
- id: parent_zone_server
address: 10.0.0.1@53
address: fd00:dead:beef:cafe::1@53
submission:
- id: parent_zone_sbm

15
test/knot-data/zones/onlinesign.test.zone
View file

@ -11,12 +11,17 @@ $ORIGIN onlinesign.test.
)
; NS info
NS ns1.unsigned.test.
NS ns1.unsigned.test.
TXT "hello from onlinesign"
TXT "hello from onlinesign"
*.wild TXT "this is an onlinesign wildcard"
*.wild TXT "this is an onlinesign wildcard"
; No A/AAAA record for the $ORIGIN
sub A 10.0.0.133
secondsub A 10.0.0.134
sub A 10.0.0.133
secondsub A 10.0.0.134
dual A 10.0.0.135
dual AAAA fd00:dead:beef:cafe::135
ipv6 AAAA fd00:dead:beef:cafe::136

8
test/knot-data/zones/root.zone
View file

@ -8,7 +8,9 @@ $TTL 300
1D ; minimum TTL
)
. NS ns1.unsigned.test
ns1.unsigned.test A 10.0.0.1
. NS ns1.unsigned.test
; NS glue records
ns1.unsigned.test A 10.0.0.1
ns1.unsigned.test AAAA fd00:dead:beef:cafe::1
test NS ns1.unsigned.test
test NS ns1.unsigned.test

23
test/knot-data/zones/signed.test.zone
View file

@ -11,18 +11,27 @@ $ORIGIN signed.test.
)
; NS info
NS ns1.unsigned.test.
NS ns1.unsigned.test.
*.wild TXT "this is a wildcard"
*.wild TXT "this is a wildcard"
@ MX 10 mail.signed.test.
@ MX 10 mail.signed.test.
A 10.0.0.10
mail A 10.0.0.11
A 10.0.0.10
mail A 10.0.0.11
mail AAAA fd00:dead:beef:cafe::11
; https://github.com/systemd/systemd/issues/22002
dupe A 10.0.0.12
dupe A 10.0.0.13
dupe A 10.0.0.12
dupe A 10.0.0.13
dupe-ipv6 AAAA fd00:dead:beef:cafe::12
dupe-ipv6 AAAA fd00:dead:beef:cafe::13
dupe-mixed A 10.0.0.15
dupe-mixed A 10.0.0.16
dupe-mixed A 10.0.0.17
dupe-mixed AAAA fd00:dead:beef:cafe::15
dupe-mixed AAAA fd00:dead:beef:cafe::16
dupe-mixed AAAA fd00:dead:beef:cafe::17
; CNAME_REDIRECTS_MAX is 16, so let's test something close to that
cname-chain CNAME follow1.signed.test.

12
test/knot-data/zones/test.zone
View file

@ -11,9 +11,11 @@ $ORIGIN test.
)
; NS info
@ NS ns1.unsigned
ns1.signed A 10.0.0.1
@ NS ns1.unsigned
; NS glue records
ns1.unsigned A 10.0.0.1
ns1.unsigned AAAA fd00:dead:beef:cafe::1
onlinesign NS ns1.unsigned
signed NS ns1.unsigned
unsigned NS ns1.unsigned
onlinesign NS ns1.unsigned
signed NS ns1.unsigned
unsigned NS ns1.unsigned

12
test/knot-data/zones/unsigned.test.zone
View file

@ -11,10 +11,12 @@ $ORIGIN unsigned.test.
)
; NS info
@ NS ns1.unsigned.test.
ns1 A 10.0.0.1
@ NS ns1
ns1 A 10.0.0.1
ns1 AAAA fd00:dead:beef:cafe::1
@ MX 15 mail.unsigned.test.
@ MX 15 mail.unsigned.test.
A 10.0.0.101
mail A 10.0.0.111
A 10.0.0.101
AAAA fd00:dead:beef:cafe::101
mail A 10.0.0.111

11
test/knot-data/zones/untrusted.test.zone
View file

@ -11,11 +11,12 @@ $ORIGIN untrusted.test.
)
; NS info
@ NS ns1.unsigned.test.
@ NS ns1.unsigned.test.
*.wild TXT "this is an untrusted wildcard"
*.wild TXT "this is an untrusted wildcard"
@ MX 10 mail.untrusted.test.
@ MX 10 mail.untrusted.test.
A 10.0.0.121
mail A 10.0.0.121
A 10.0.0.121
AAAA fd00:dead:beef:cafe::121
mail A 10.0.0.122

135
test/units/testsuite-75.sh
View file

@ -2,6 +2,12 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# vi: ts=4 sw=4 tw=0 et:
# TODO:
# - IPv6-only stack
# - mDNS
# - LLMNR
# - DoT/DoH
set -eux
set -o pipefail
@ -16,6 +22,15 @@ run() {
"$@" |& tee "$RUN_OUT"
}
disable_ipv6() {
sysctl -w net.ipv6.conf.all.disable_ipv6=1
}
enable_ipv6() {
sysctl -w net.ipv6.conf.all.disable_ipv6=0
networkctl reconfigure dns0
}
monitor_check_rr() (
set +x
set +o pipefail
@ -146,7 +161,10 @@ ip link del hoge.foo
### SETUP ###
# Configure network
hostnamectl hostname ns1.unsigned.test
echo "10.0.0.1 ns1.unsigned.test" >>/etc/hosts
{
echo "10.0.0.1 ns1.unsigned.test"
echo "fd00:dead:beef:cafe::1 ns1.unsigned.test"
} >>/etc/hosts
mkdir -p /etc/systemd/network
cat >/etc/systemd/network/dns0.netdev <<EOF
@ -160,10 +178,17 @@ Name=dns0
[Network]
Address=10.0.0.1/24
Address=fd00:dead:beef:cafe::1/64
DNSSEC=allow-downgrade
DNS=10.0.0.1
DNS=fd00:dead:beef:cafe::1
EOF
DNS_ADDRESSES=(
"10.0.0.1"
"fd00:dead:beef:cafe::1"
)
mkdir -p /run/systemd/resolved.conf.d
{
echo "[Resolve]"
@ -214,6 +239,10 @@ resolvectl log-level debug
# Start monitoring queries
systemd-run -u resmontest.service -p Type=notify resolvectl monitor
# Check if all the zones are valid (zone-check always returns 0, so let's check
# if it produces any errors/warnings)
run knotc zone-check
[[ ! -s "$RUN_OUT" ]]
# We need to manually propagate the DS records of onlinesign.test. to the parent
# zone, since they're generated online
knotc zone-begin test.
@ -234,9 +263,19 @@ knotc reload
: "--- nss-resolve/nss-myhostname tests"
# Sanity check
TIMESTAMP=$(date '+%F %T')
# Issue: https://github.com/systemd/systemd/issues/23951
# With IPv6 enabled
run getent -s resolve hosts ns1.unsigned.test
grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT"
monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"
# With IPv6 disabled
# Issue: https://github.com/systemd/systemd/issues/23951
# FIXME
#disable_ipv6
#run getent -s resolve hosts ns1.unsigned.test
#grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
#monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
enable_ipv6
# Issue: https://github.com/systemd/systemd/issues/18812
# PR: https://github.com/systemd/systemd/pull/18896
@ -248,13 +287,12 @@ grep -qE "^::1\s+localhost" "$RUN_OUT"
run getent -s myhostname hosts localhost
grep -qE "^::1\s+localhost" "$RUN_OUT"
# With IPv6 disabled
sysctl -w net.ipv6.conf.all.disable_ipv6=1
disable_ipv6
run getent -s resolve hosts localhost
grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
run getent -s myhostname hosts localhost
grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
sysctl -w net.ipv6.conf.all.disable_ipv6=0
enable_ipv6
: "--- Basic resolved tests ---"
# Issue: https://github.com/systemd/systemd/issues/22229
@ -280,12 +318,14 @@ grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"
: "--- ZONE: unsigned.test. ---"
run dig @10.0.0.1 +short unsigned.test
run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA
grep -qF "10.0.0.101" "$RUN_OUT"
grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
run resolvectl query unsigned.test
grep -qF "unsigned.test: 10.0.0.10" "$RUN_OUT"
grep -qF "10.0.0.10" "$RUN_OUT"
grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
grep -qF "authenticated: no" "$RUN_OUT"
run dig @10.0.0.1 +short MX unsigned.test
run dig @ns1.unsigned.test +short MX unsigned.test
grep -qF "15 mail.unsigned.test." "$RUN_OUT"
run resolvectl query --legend=no -t MX unsigned.test
grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
@ -295,17 +335,28 @@ grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
# Check the trust chain (with and without systemd-resolved in between
# Issue: https://github.com/systemd/systemd/issues/22002
# PR: https://github.com/systemd/systemd/pull/23289
run delv @10.0.0.1 signed.test
run delv @ns1.unsigned.test signed.test
grep -qF "; fully validated" "$RUN_OUT"
run delv signed.test
grep -qF "; fully validated" "$RUN_OUT"
for addr in "${DNS_ADDRESSES[@]}"; do
run delv "@$addr" -t A mail.signed.test
grep -qF "; fully validated" "$RUN_OUT"
run delv "@$addr" -t AAAA mail.signed.test
grep -qF "; fully validated" "$RUN_OUT"
done
run resolvectl query mail.signed.test
grep -qF "10.0.0.11" "$RUN_OUT"
grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
run dig +short signed.test
grep -qF "10.0.0.10" "$RUN_OUT"
run resolvectl query signed.test
grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
run dig @10.0.0.1 +short MX signed.test
run dig @ns1.unsigned.test +short MX signed.test
grep -qF "10 mail.signed.test." "$RUN_OUT"
run resolvectl query --legend=no -t MX signed.test
grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"
@ -320,10 +371,30 @@ grep -qF "authenticated: yes" "$RUN_OUT"
# DNSSEC validation with multiple records of the same type for the same name
# Issue: https://github.com/systemd/systemd/issues/22002
# PR: https://github.com/systemd/systemd/pull/23289
run delv @10.0.0.1 dupe.signed.test
grep -qF "; fully validated" "$RUN_OUT"
run delv dupe.signed.test
grep -qF "; fully validated" "$RUN_OUT"
check_domain() {
local domain="${1:?}"
local record="${2:?}"
local message="${3:?}"
local addr
for addr in "${DNS_ADDRESSES[@]}"; do
run delv "@$addr" -t "$record" "$domain"
grep -qF "$message" "$RUN_OUT"
done
run delv -t "$record" "$domain"
grep -qF "$message" "$RUN_OUT"
run resolvectl query "$domain"
grep -qF "authenticated: yes" "$RUN_OUT"
}
check_domain "dupe.signed.test" "A" "; fully validated"
check_domain "dupe.signed.test" "AAAA" "; negative response, fully validated"
check_domain "dupe-ipv6.signed.test" "AAAA" "; fully validated"
check_domain "dupe-ipv6.signed.test" "A" "; negative response, fully validated"
check_domain "dupe-mixed.signed.test" "A" "; fully validated"
check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated"
# Test resolution of CNAME chains
TIMESTAMP=$(date '+%F %T')
@ -347,7 +418,7 @@ grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
# Check the trust chain (with and without systemd-resolved in between
# Issue: https://github.com/systemd/systemd/issues/22002
# PR: https://github.com/systemd/systemd/pull/23289
run delv @10.0.0.1 sub.onlinesign.test
run delv @ns1.unsigned.test sub.onlinesign.test
grep -qF "; fully validated" "$RUN_OUT"
run delv sub.onlinesign.test
grep -qF "; fully validated" "$RUN_OUT"
@ -357,10 +428,27 @@ grep -qF "10.0.0.133" "$RUN_OUT"
run resolvectl query sub.onlinesign.test
grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
run dig @10.0.0.1 +short TXT onlinesign.test
run dig @ns1.unsigned.test +short TXT onlinesign.test
grep -qF '"hello from onlinesign"' "$RUN_OUT"
run resolvectl query --legend=no -t TXT onlinesign.test
grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"
for addr in "${DNS_ADDRESSES[@]}"; do
run delv "@$addr" -t A dual.onlinesign.test
grep -qF "10.0.0.135" "$RUN_OUT"
run delv "@$addr" -t AAAA dual.onlinesign.test
grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
run delv "@$addr" -t ANY ipv6.onlinesign.test
grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
done
run resolvectl query dual.onlinesign.test
grep -qF "10.0.0.135" "$RUN_OUT"
grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
run resolvectl query ipv6.onlinesign.test
grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
# Check a non-existent domain
# Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the
# different response than with "standard" DNSSEC
@ -378,11 +466,18 @@ run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedeskt
grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"
: "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
run dig +short untrusted.test
grep -qF "10.0.0.121" "$RUN_OUT"
# Issue: https://github.com/systemd/systemd/issues/23955
# FIXME
resolvectl flush-caches
#run dig +short untrusted.test A untrusted.test AAAA
#grep -qF "10.0.0.121" "$RUN_OUT"
#grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
run resolvectl query untrusted.test
grep -qF "untrusted.test: 10.0.0.121" "$RUN_OUT"
grep -qF "untrusted.test:" "$RUN_OUT"
grep -qF "10.0.0.121" "$RUN_OUT"
grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
grep -qF "authenticated: no" "$RUN_OUT"
# Issue: https://github.com/systemd/systemd/issues/19472