mirror of
https://github.com/systemd/systemd
synced 2024-07-21 10:17:21 +00:00
test: cover IPv6 in the resolved test suite
This commit is contained in:
parent
2f03e5087e
commit
5c9111fe77
|
@ -4,6 +4,7 @@ server:
|
|||
rundir: "/run/knot"
|
||||
user: knot:knot
|
||||
listen: 10.0.0.1@53
|
||||
listen: fd00:dead:beef:cafe::1@53
|
||||
|
||||
log:
|
||||
- target: syslog
|
||||
|
@ -15,11 +16,13 @@ database:
|
|||
acl:
|
||||
- id: update_acl
|
||||
address: 10.0.0.0/24
|
||||
address: fd00:dead:beef:cafe::/64
|
||||
action: update
|
||||
|
||||
remote:
|
||||
- id: parent_zone_server
|
||||
address: 10.0.0.1@53
|
||||
address: fd00:dead:beef:cafe::1@53
|
||||
|
||||
submission:
|
||||
- id: parent_zone_sbm
|
||||
|
|
|
@ -11,12 +11,17 @@ $ORIGIN onlinesign.test.
|
|||
)
|
||||
|
||||
; NS info
|
||||
NS ns1.unsigned.test.
|
||||
NS ns1.unsigned.test.
|
||||
|
||||
TXT "hello from onlinesign"
|
||||
TXT "hello from onlinesign"
|
||||
|
||||
*.wild TXT "this is an onlinesign wildcard"
|
||||
*.wild TXT "this is an onlinesign wildcard"
|
||||
|
||||
; No A/AAAA record for the $ORIGIN
|
||||
sub A 10.0.0.133
|
||||
secondsub A 10.0.0.134
|
||||
sub A 10.0.0.133
|
||||
secondsub A 10.0.0.134
|
||||
|
||||
dual A 10.0.0.135
|
||||
dual AAAA fd00:dead:beef:cafe::135
|
||||
|
||||
ipv6 AAAA fd00:dead:beef:cafe::136
|
||||
|
|
|
@ -8,7 +8,9 @@ $TTL 300
|
|||
1D ; minimum TTL
|
||||
)
|
||||
|
||||
. NS ns1.unsigned.test
|
||||
ns1.unsigned.test A 10.0.0.1
|
||||
. NS ns1.unsigned.test
|
||||
; NS glue records
|
||||
ns1.unsigned.test A 10.0.0.1
|
||||
ns1.unsigned.test AAAA fd00:dead:beef:cafe::1
|
||||
|
||||
test NS ns1.unsigned.test
|
||||
test NS ns1.unsigned.test
|
||||
|
|
|
@ -11,18 +11,27 @@ $ORIGIN signed.test.
|
|||
)
|
||||
|
||||
; NS info
|
||||
NS ns1.unsigned.test.
|
||||
NS ns1.unsigned.test.
|
||||
|
||||
*.wild TXT "this is a wildcard"
|
||||
*.wild TXT "this is a wildcard"
|
||||
|
||||
@ MX 10 mail.signed.test.
|
||||
@ MX 10 mail.signed.test.
|
||||
|
||||
A 10.0.0.10
|
||||
mail A 10.0.0.11
|
||||
A 10.0.0.10
|
||||
mail A 10.0.0.11
|
||||
mail AAAA fd00:dead:beef:cafe::11
|
||||
|
||||
; https://github.com/systemd/systemd/issues/22002
|
||||
dupe A 10.0.0.12
|
||||
dupe A 10.0.0.13
|
||||
dupe A 10.0.0.12
|
||||
dupe A 10.0.0.13
|
||||
dupe-ipv6 AAAA fd00:dead:beef:cafe::12
|
||||
dupe-ipv6 AAAA fd00:dead:beef:cafe::13
|
||||
dupe-mixed A 10.0.0.15
|
||||
dupe-mixed A 10.0.0.16
|
||||
dupe-mixed A 10.0.0.17
|
||||
dupe-mixed AAAA fd00:dead:beef:cafe::15
|
||||
dupe-mixed AAAA fd00:dead:beef:cafe::16
|
||||
dupe-mixed AAAA fd00:dead:beef:cafe::17
|
||||
|
||||
; CNAME_REDIRECTS_MAX is 16, so let's test something close to that
|
||||
cname-chain CNAME follow1.signed.test.
|
||||
|
|
|
@ -11,9 +11,11 @@ $ORIGIN test.
|
|||
)
|
||||
|
||||
; NS info
|
||||
@ NS ns1.unsigned
|
||||
ns1.signed A 10.0.0.1
|
||||
@ NS ns1.unsigned
|
||||
; NS glue records
|
||||
ns1.unsigned A 10.0.0.1
|
||||
ns1.unsigned AAAA fd00:dead:beef:cafe::1
|
||||
|
||||
onlinesign NS ns1.unsigned
|
||||
signed NS ns1.unsigned
|
||||
unsigned NS ns1.unsigned
|
||||
onlinesign NS ns1.unsigned
|
||||
signed NS ns1.unsigned
|
||||
unsigned NS ns1.unsigned
|
||||
|
|
|
@ -11,10 +11,12 @@ $ORIGIN unsigned.test.
|
|||
)
|
||||
|
||||
; NS info
|
||||
@ NS ns1.unsigned.test.
|
||||
ns1 A 10.0.0.1
|
||||
@ NS ns1
|
||||
ns1 A 10.0.0.1
|
||||
ns1 AAAA fd00:dead:beef:cafe::1
|
||||
|
||||
@ MX 15 mail.unsigned.test.
|
||||
@ MX 15 mail.unsigned.test.
|
||||
|
||||
A 10.0.0.101
|
||||
mail A 10.0.0.111
|
||||
A 10.0.0.101
|
||||
AAAA fd00:dead:beef:cafe::101
|
||||
mail A 10.0.0.111
|
||||
|
|
|
@ -11,11 +11,12 @@ $ORIGIN untrusted.test.
|
|||
)
|
||||
|
||||
; NS info
|
||||
@ NS ns1.unsigned.test.
|
||||
@ NS ns1.unsigned.test.
|
||||
|
||||
*.wild TXT "this is an untrusted wildcard"
|
||||
*.wild TXT "this is an untrusted wildcard"
|
||||
|
||||
@ MX 10 mail.untrusted.test.
|
||||
@ MX 10 mail.untrusted.test.
|
||||
|
||||
A 10.0.0.121
|
||||
mail A 10.0.0.121
|
||||
A 10.0.0.121
|
||||
AAAA fd00:dead:beef:cafe::121
|
||||
mail A 10.0.0.122
|
||||
|
|
|
@ -2,6 +2,12 @@
|
|||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
# vi: ts=4 sw=4 tw=0 et:
|
||||
|
||||
# TODO:
|
||||
# - IPv6-only stack
|
||||
# - mDNS
|
||||
# - LLMNR
|
||||
# - DoT/DoH
|
||||
|
||||
set -eux
|
||||
set -o pipefail
|
||||
|
||||
|
@ -16,6 +22,15 @@ run() {
|
|||
"$@" |& tee "$RUN_OUT"
|
||||
}
|
||||
|
||||
disable_ipv6() {
|
||||
sysctl -w net.ipv6.conf.all.disable_ipv6=1
|
||||
}
|
||||
|
||||
enable_ipv6() {
|
||||
sysctl -w net.ipv6.conf.all.disable_ipv6=0
|
||||
networkctl reconfigure dns0
|
||||
}
|
||||
|
||||
monitor_check_rr() (
|
||||
set +x
|
||||
set +o pipefail
|
||||
|
@ -146,7 +161,10 @@ ip link del hoge.foo
|
|||
### SETUP ###
|
||||
# Configure network
|
||||
hostnamectl hostname ns1.unsigned.test
|
||||
echo "10.0.0.1 ns1.unsigned.test" >>/etc/hosts
|
||||
{
|
||||
echo "10.0.0.1 ns1.unsigned.test"
|
||||
echo "fd00:dead:beef:cafe::1 ns1.unsigned.test"
|
||||
} >>/etc/hosts
|
||||
|
||||
mkdir -p /etc/systemd/network
|
||||
cat >/etc/systemd/network/dns0.netdev <<EOF
|
||||
|
@ -160,10 +178,17 @@ Name=dns0
|
|||
|
||||
[Network]
|
||||
Address=10.0.0.1/24
|
||||
Address=fd00:dead:beef:cafe::1/64
|
||||
DNSSEC=allow-downgrade
|
||||
DNS=10.0.0.1
|
||||
DNS=fd00:dead:beef:cafe::1
|
||||
EOF
|
||||
|
||||
DNS_ADDRESSES=(
|
||||
"10.0.0.1"
|
||||
"fd00:dead:beef:cafe::1"
|
||||
)
|
||||
|
||||
mkdir -p /run/systemd/resolved.conf.d
|
||||
{
|
||||
echo "[Resolve]"
|
||||
|
@ -214,6 +239,10 @@ resolvectl log-level debug
|
|||
# Start monitoring queries
|
||||
systemd-run -u resmontest.service -p Type=notify resolvectl monitor
|
||||
|
||||
# Check if all the zones are valid (zone-check always returns 0, so let's check
|
||||
# if it produces any errors/warnings)
|
||||
run knotc zone-check
|
||||
[[ ! -s "$RUN_OUT" ]]
|
||||
# We need to manually propagate the DS records of onlinesign.test. to the parent
|
||||
# zone, since they're generated online
|
||||
knotc zone-begin test.
|
||||
|
@ -234,9 +263,19 @@ knotc reload
|
|||
: "--- nss-resolve/nss-myhostname tests"
|
||||
# Sanity check
|
||||
TIMESTAMP=$(date '+%F %T')
|
||||
# Issue: https://github.com/systemd/systemd/issues/23951
|
||||
# With IPv6 enabled
|
||||
run getent -s resolve hosts ns1.unsigned.test
|
||||
grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
|
||||
monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
|
||||
grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT"
|
||||
monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"
|
||||
# With IPv6 disabled
|
||||
# Issue: https://github.com/systemd/systemd/issues/23951
|
||||
# FIXME
|
||||
#disable_ipv6
|
||||
#run getent -s resolve hosts ns1.unsigned.test
|
||||
#grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
|
||||
#monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
|
||||
enable_ipv6
|
||||
|
||||
# Issue: https://github.com/systemd/systemd/issues/18812
|
||||
# PR: https://github.com/systemd/systemd/pull/18896
|
||||
|
@ -248,13 +287,12 @@ grep -qE "^::1\s+localhost" "$RUN_OUT"
|
|||
run getent -s myhostname hosts localhost
|
||||
grep -qE "^::1\s+localhost" "$RUN_OUT"
|
||||
# With IPv6 disabled
|
||||
sysctl -w net.ipv6.conf.all.disable_ipv6=1
|
||||
disable_ipv6
|
||||
run getent -s resolve hosts localhost
|
||||
grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
|
||||
run getent -s myhostname hosts localhost
|
||||
grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
|
||||
sysctl -w net.ipv6.conf.all.disable_ipv6=0
|
||||
|
||||
enable_ipv6
|
||||
|
||||
: "--- Basic resolved tests ---"
|
||||
# Issue: https://github.com/systemd/systemd/issues/22229
|
||||
|
@ -280,12 +318,14 @@ grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"
|
|||
|
||||
|
||||
: "--- ZONE: unsigned.test. ---"
|
||||
run dig @10.0.0.1 +short unsigned.test
|
||||
run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA
|
||||
grep -qF "10.0.0.101" "$RUN_OUT"
|
||||
grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
|
||||
run resolvectl query unsigned.test
|
||||
grep -qF "unsigned.test: 10.0.0.10" "$RUN_OUT"
|
||||
grep -qF "10.0.0.10" "$RUN_OUT"
|
||||
grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
|
||||
grep -qF "authenticated: no" "$RUN_OUT"
|
||||
run dig @10.0.0.1 +short MX unsigned.test
|
||||
run dig @ns1.unsigned.test +short MX unsigned.test
|
||||
grep -qF "15 mail.unsigned.test." "$RUN_OUT"
|
||||
run resolvectl query --legend=no -t MX unsigned.test
|
||||
grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
|
||||
|
@ -295,17 +335,28 @@ grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
|
|||
# Check the trust chain (with and without systemd-resolved in between
|
||||
# Issue: https://github.com/systemd/systemd/issues/22002
|
||||
# PR: https://github.com/systemd/systemd/pull/23289
|
||||
run delv @10.0.0.1 signed.test
|
||||
run delv @ns1.unsigned.test signed.test
|
||||
grep -qF "; fully validated" "$RUN_OUT"
|
||||
run delv signed.test
|
||||
grep -qF "; fully validated" "$RUN_OUT"
|
||||
|
||||
for addr in "${DNS_ADDRESSES[@]}"; do
|
||||
run delv "@$addr" -t A mail.signed.test
|
||||
grep -qF "; fully validated" "$RUN_OUT"
|
||||
run delv "@$addr" -t AAAA mail.signed.test
|
||||
grep -qF "; fully validated" "$RUN_OUT"
|
||||
done
|
||||
run resolvectl query mail.signed.test
|
||||
grep -qF "10.0.0.11" "$RUN_OUT"
|
||||
grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"
|
||||
grep -qF "authenticated: yes" "$RUN_OUT"
|
||||
|
||||
run dig +short signed.test
|
||||
grep -qF "10.0.0.10" "$RUN_OUT"
|
||||
run resolvectl query signed.test
|
||||
grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"
|
||||
grep -qF "authenticated: yes" "$RUN_OUT"
|
||||
run dig @10.0.0.1 +short MX signed.test
|
||||
run dig @ns1.unsigned.test +short MX signed.test
|
||||
grep -qF "10 mail.signed.test." "$RUN_OUT"
|
||||
run resolvectl query --legend=no -t MX signed.test
|
||||
grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"
|
||||
|
@ -320,10 +371,30 @@ grep -qF "authenticated: yes" "$RUN_OUT"
|
|||
# DNSSEC validation with multiple records of the same type for the same name
|
||||
# Issue: https://github.com/systemd/systemd/issues/22002
|
||||
# PR: https://github.com/systemd/systemd/pull/23289
|
||||
run delv @10.0.0.1 dupe.signed.test
|
||||
grep -qF "; fully validated" "$RUN_OUT"
|
||||
run delv dupe.signed.test
|
||||
grep -qF "; fully validated" "$RUN_OUT"
|
||||
check_domain() {
|
||||
local domain="${1:?}"
|
||||
local record="${2:?}"
|
||||
local message="${3:?}"
|
||||
local addr
|
||||
|
||||
for addr in "${DNS_ADDRESSES[@]}"; do
|
||||
run delv "@$addr" -t "$record" "$domain"
|
||||
grep -qF "$message" "$RUN_OUT"
|
||||
done
|
||||
|
||||
run delv -t "$record" "$domain"
|
||||
grep -qF "$message" "$RUN_OUT"
|
||||
|
||||
run resolvectl query "$domain"
|
||||
grep -qF "authenticated: yes" "$RUN_OUT"
|
||||
}
|
||||
|
||||
check_domain "dupe.signed.test" "A" "; fully validated"
|
||||
check_domain "dupe.signed.test" "AAAA" "; negative response, fully validated"
|
||||
check_domain "dupe-ipv6.signed.test" "AAAA" "; fully validated"
|
||||
check_domain "dupe-ipv6.signed.test" "A" "; negative response, fully validated"
|
||||
check_domain "dupe-mixed.signed.test" "A" "; fully validated"
|
||||
check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated"
|
||||
|
||||
# Test resolution of CNAME chains
|
||||
TIMESTAMP=$(date '+%F %T')
|
||||
|
@ -347,7 +418,7 @@ grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
|
|||
# Check the trust chain (with and without systemd-resolved in between
|
||||
# Issue: https://github.com/systemd/systemd/issues/22002
|
||||
# PR: https://github.com/systemd/systemd/pull/23289
|
||||
run delv @10.0.0.1 sub.onlinesign.test
|
||||
run delv @ns1.unsigned.test sub.onlinesign.test
|
||||
grep -qF "; fully validated" "$RUN_OUT"
|
||||
run delv sub.onlinesign.test
|
||||
grep -qF "; fully validated" "$RUN_OUT"
|
||||
|
@ -357,10 +428,27 @@ grep -qF "10.0.0.133" "$RUN_OUT"
|
|||
run resolvectl query sub.onlinesign.test
|
||||
grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"
|
||||
grep -qF "authenticated: yes" "$RUN_OUT"
|
||||
run dig @10.0.0.1 +short TXT onlinesign.test
|
||||
run dig @ns1.unsigned.test +short TXT onlinesign.test
|
||||
grep -qF '"hello from onlinesign"' "$RUN_OUT"
|
||||
run resolvectl query --legend=no -t TXT onlinesign.test
|
||||
grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"
|
||||
|
||||
for addr in "${DNS_ADDRESSES[@]}"; do
|
||||
run delv "@$addr" -t A dual.onlinesign.test
|
||||
grep -qF "10.0.0.135" "$RUN_OUT"
|
||||
run delv "@$addr" -t AAAA dual.onlinesign.test
|
||||
grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
|
||||
run delv "@$addr" -t ANY ipv6.onlinesign.test
|
||||
grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
|
||||
done
|
||||
run resolvectl query dual.onlinesign.test
|
||||
grep -qF "10.0.0.135" "$RUN_OUT"
|
||||
grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
|
||||
grep -qF "authenticated: yes" "$RUN_OUT"
|
||||
run resolvectl query ipv6.onlinesign.test
|
||||
grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
|
||||
grep -qF "authenticated: yes" "$RUN_OUT"
|
||||
|
||||
# Check a non-existent domain
|
||||
# Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the
|
||||
# different response than with "standard" DNSSEC
|
||||
|
@ -378,11 +466,18 @@ run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedeskt
|
|||
grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
|
||||
monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"
|
||||
|
||||
|
||||
: "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
|
||||
run dig +short untrusted.test
|
||||
grep -qF "10.0.0.121" "$RUN_OUT"
|
||||
# Issue: https://github.com/systemd/systemd/issues/23955
|
||||
# FIXME
|
||||
resolvectl flush-caches
|
||||
#run dig +short untrusted.test A untrusted.test AAAA
|
||||
#grep -qF "10.0.0.121" "$RUN_OUT"
|
||||
#grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
|
||||
run resolvectl query untrusted.test
|
||||
grep -qF "untrusted.test: 10.0.0.121" "$RUN_OUT"
|
||||
grep -qF "untrusted.test:" "$RUN_OUT"
|
||||
grep -qF "10.0.0.121" "$RUN_OUT"
|
||||
grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
|
||||
grep -qF "authenticated: no" "$RUN_OUT"
|
||||
|
||||
# Issue: https://github.com/systemd/systemd/issues/19472
|
||||
|
|
Loading…
Reference in a new issue