If you query for an MX RR of a host listed in /etc/hosts, let's return
an empty reply rather than NXDOMAIN, i.e. indicate that the name exists
but has no MX RR assigned, thus making ourselves authoritative.
The venerable "host" tool by default sends requests for A + AAAA + MX
and ensures we never propagate queries further on.
Fixes: #31223
The variables indicate what kind of RRs we are looking for, but the name
so far suggests it was about what we already found. Let's rename the
variables to make the purpose clearer.
So far we only looked at the domain name when routing requests to
specific scopes. With this we'll also take the DNS RR type into account.
This takes benefit of the fact that lookups for RRs such as SOA or NS or
the various DNSSEC RR types never really make sense to be routed to
LLMNR or mDNS, since they don't have concepts there.
This hence refuses to route requests for those RR types to the
LLMNR/mDNS scopes, which hence means they'll likely be routed to classic
DNS instead.
This should improve behaviour of tools that assume they speak to classic
DNS only via 127.0.0.53, since they will now usually do that.
dig question with DNSSEC on will now be proxied upstream, i.e. to the
test knot server. This leads to different results, but the result isn't
that interesting since we don't want to test knot, but resolved. Hence
comment this test.
There seems to be something wrong with the test though, as the upstream
server refused recursion, but if so it is not suitable as an upstream
server really, as resolved can only be client to a recursive resolver.
So far we disabled DNSSEC if local clients asked for it via DO flag if
DNSSEC=no is set. Let's instead switch to proxy mode in this case, and
thus treat client requested DO mode as a way to force proxy mode.
This means DNSSEC=no just controls whether resolved will do validation
for regular lookups, but it has no effect anymore on lookups from clients
that indicated they want to do their own DNSSEC anyway.
Fixes: #19227 #23737 #25105
When we use proxy mode when propagating DNS queries to upstream DNS
servers, let's use the relaxed single label rules. This has the benefit
that tools such as "delv" work on the proxy stub 127.0.0.54.
Dynamically load liblz4, libzstd and liblzma with dlopen().
This helps to reduce the size of the initrd image when these libraries
are not really needed.
I'm going to use dlopen_many_sym_or_warn() in src/basic/compress.c, this
will introduce a circular dependency because libshared already depends
on libbasic.
To avoid this, move dlfcn-util.c from libshared to libbasic.
Some tests in test-execute are already skipped if we do not have
unprivileged user namespaces. Extend this check to look for an apparmor
specific sysctl indicating that unprivileged userns creation is
restricted.
with ExitType=cgroup
It's not clear to me what the rationale of the logic was
when ExitType=cgroup got introduced. But similar to
the previous commit, I think we should not transition to
'start-post' on cgroup empty event. This is especially
important for Type=dbus/notify services.
On Noble setting this ioctl fails:
1570s 819/1330 systemd:resolve / test-resolved-stream FAIL 0.14s killed by signal 6 SIGABRT
1570s Successfully forked off '(usernstest)' as PID 27737.
1570s Skipping PR_SET_MM, as we don't have privileges.
1570s (usernstest) succeeded.
1570s Assertion 'ioctl(socket_fd, SIOCSIFFLAGS, &req) >= 0' failed at src/resolve/test-resolved-stream.c:372, function try_isolate_network(). Aborting.
Ignore the result.
Setting up the loopback might fail due to lack of privileges, as it
happens when running unit tests in the Noble CI environment. Skip
the test when it happens.
1584s 862/1330 systemd:test / test-loopback FAIL 0.01s exit status 1
1584s /* test_loopback_setup */
1584s Failed to configure loopback network device, ignoring: Operation not permitted
1584s loopback: Operation not permitted
Old versions of hostnamed used to propagate ENODEV/ENOENT as-is. Bad
idea. This was fixed in 171ddae1a1, but
let's handle this gracefully in hostnamectl.
sulogin from the latest util-linux started falling back to vt102 instead
of linux, which makes screen sad (because we install only the linux
terminfo into the test image) and expect trips over the unexpected
warning. Let's just explicitly set TERM=linux before invoking screen to
avoid this.
+ make -C TEST-69-SHUTDOWN setup run
...
INFO:test-shutdown:log in and start screen
root
root
Last login: Sun Mar 3 13:19:31 from 18.191.105.60
-bash-5.2# screen
screen
Cannot find terminfo entry for 'vt102'.
-bash-5.2# ERROR:test-shutdown:Timeout exceeded.