]> git.ipfire.org Git - thirdparty/systemd.git/blob - test/units/testsuite-75.sh
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #30661 from rpigott/resolved-https-record
[thirdparty/systemd.git] / test / units / testsuite-75.sh
1 #!/usr/bin/env bash
2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # vi: ts=4 sw=4 tw=0 et:
4
5 # TODO:
6 # - IPv6-only stack
7 # - mDNS
8 # - LLMNR
9 # - DoT/DoH
10
11 set -eux
12 set -o pipefail
13
14 # shellcheck source=test/units/util.sh
15 . "$(dirname "$0")"/util.sh
16
17 RUN_OUT="$(mktemp)"
18
19 run() {
20 "$@" |& tee "$RUN_OUT"
21 }
22
23 run_delv() {
24 # Since [0] delv no longer loads /etc/(bind/)bind.keys by default, so we
25 # have to do that explicitly for each invocation
26 run delv -a /etc/bind.keys "$@"
27 }
28
29 disable_ipv6() {
30 sysctl -w net.ipv6.conf.all.disable_ipv6=1
31 }
32
33 enable_ipv6() {
34 sysctl -w net.ipv6.conf.all.disable_ipv6=0
35 networkctl reconfigure dns0
36 /usr/lib/systemd/systemd-networkd-wait-online --ipv4 --ipv6 --interface=dns0:routable --timeout=30
37 }
38
39 monitor_check_rr() (
40 set +x
41 set +o pipefail
42 local since="${1:?}"
43 local match="${2:?}"
44
45 # Wait until the first mention of the specified log message is
46 # displayed. We turn off pipefail for this, since we don't care about the
47 # lhs of this pipe expression, we only care about the rhs' result to be
48 # clean
49 timeout -v 30s journalctl -u resolvectl-monitor.service --since "$since" -f --full | grep -m1 "$match"
50 )
51
52 restart_resolved() {
53 systemctl stop systemd-resolved.service
54 (! systemctl is-failed systemd-resolved.service)
55 # Reset the restart counter since we call this method a bunch of times
56 # and can occasionally hit the default rate limit
57 systemctl reset-failed systemd-resolved.service
58 systemctl start systemd-resolved.service
59 systemctl service-log-level systemd-resolved.service debug
60 }
61
62 # Test for resolvectl, resolvconf
63 systemctl unmask systemd-resolved.service
64 systemctl enable --now systemd-resolved.service
65 systemctl service-log-level systemd-resolved.service debug
66 ip link add hoge type dummy
67 ip link add hoge.foo type dummy
68 resolvectl dns hoge 10.0.0.1 10.0.0.2
69 resolvectl dns hoge.foo 10.0.0.3 10.0.0.4
70 assert_in '10.0.0.1 10.0.0.2' "$(resolvectl dns hoge)"
71 assert_in '10.0.0.3 10.0.0.4' "$(resolvectl dns hoge.foo)"
72 resolvectl dns hoge 10.0.1.1 10.0.1.2
73 resolvectl dns hoge.foo 10.0.1.3 10.0.1.4
74 assert_in '10.0.1.1 10.0.1.2' "$(resolvectl dns hoge)"
75 assert_in '10.0.1.3 10.0.1.4' "$(resolvectl dns hoge.foo)"
76 if ! RESOLVCONF=$(command -v resolvconf 2>/dev/null); then
77 TMPDIR=$(mktemp -d -p /tmp resolvconf-tests.XXXXXX)
78 RESOLVCONF="$TMPDIR"/resolvconf
79 ln -s "$(command -v resolvectl 2>/dev/null)" "$RESOLVCONF"
80 fi
81 echo nameserver 10.0.2.1 10.0.2.2 | "$RESOLVCONF" -a hoge
82 echo nameserver 10.0.2.3 10.0.2.4 | "$RESOLVCONF" -a hoge.foo
83 assert_in '10.0.2.1 10.0.2.2' "$(resolvectl dns hoge)"
84 assert_in '10.0.2.3 10.0.2.4' "$(resolvectl dns hoge.foo)"
85 echo nameserver 10.0.3.1 10.0.3.2 | "$RESOLVCONF" -a hoge.inet.ipsec.192.168.35
86 echo nameserver 10.0.3.3 10.0.3.4 | "$RESOLVCONF" -a hoge.foo.dhcp
87 assert_in '10.0.3.1 10.0.3.2' "$(resolvectl dns hoge)"
88 assert_in '10.0.3.3 10.0.3.4' "$(resolvectl dns hoge.foo)"
89
90 # Tests for _localdnsstub and _localdnsproxy
91 assert_in '127.0.0.53' "$(resolvectl query _localdnsstub)"
92 assert_in '_localdnsstub' "$(resolvectl query 127.0.0.53)"
93 assert_in '127.0.0.54' "$(resolvectl query _localdnsproxy)"
94 assert_in '_localdnsproxy' "$(resolvectl query 127.0.0.54)"
95
96 assert_in '127.0.0.53' "$(dig @127.0.0.53 _localdnsstub)"
97 assert_in '_localdnsstub' "$(dig @127.0.0.53 -x 127.0.0.53)"
98 assert_in '127.0.0.54' "$(dig @127.0.0.53 _localdnsproxy)"
99 assert_in '_localdnsproxy' "$(dig @127.0.0.53 -x 127.0.0.54)"
100
101 # Tests for mDNS and LLMNR settings
102 mkdir -p /run/systemd/resolved.conf.d
103 {
104 echo "[Resolve]"
105 echo "MulticastDNS=yes"
106 echo "LLMNR=yes"
107 } >/run/systemd/resolved.conf.d/mdns-llmnr.conf
108 restart_resolved
109 # make sure networkd is not running.
110 systemctl stop systemd-networkd.service
111 # defaults to yes (both the global and per-link settings are yes)
112 assert_in 'yes' "$(resolvectl mdns hoge)"
113 assert_in 'yes' "$(resolvectl llmnr hoge)"
114 # set per-link setting
115 resolvectl mdns hoge yes
116 resolvectl llmnr hoge yes
117 assert_in 'yes' "$(resolvectl mdns hoge)"
118 assert_in 'yes' "$(resolvectl llmnr hoge)"
119 resolvectl mdns hoge resolve
120 resolvectl llmnr hoge resolve
121 assert_in 'resolve' "$(resolvectl mdns hoge)"
122 assert_in 'resolve' "$(resolvectl llmnr hoge)"
123 resolvectl mdns hoge no
124 resolvectl llmnr hoge no
125 assert_in 'no' "$(resolvectl mdns hoge)"
126 assert_in 'no' "$(resolvectl llmnr hoge)"
127 # downgrade global setting to resolve
128 {
129 echo "[Resolve]"
130 echo "MulticastDNS=resolve"
131 echo "LLMNR=resolve"
132 } >/run/systemd/resolved.conf.d/mdns-llmnr.conf
133 restart_resolved
134 # set per-link setting
135 resolvectl mdns hoge yes
136 resolvectl llmnr hoge yes
137 assert_in 'resolve' "$(resolvectl mdns hoge)"
138 assert_in 'resolve' "$(resolvectl llmnr hoge)"
139 resolvectl mdns hoge resolve
140 resolvectl llmnr hoge resolve
141 assert_in 'resolve' "$(resolvectl mdns hoge)"
142 assert_in 'resolve' "$(resolvectl llmnr hoge)"
143 resolvectl mdns hoge no
144 resolvectl llmnr hoge no
145 assert_in 'no' "$(resolvectl mdns hoge)"
146 assert_in 'no' "$(resolvectl llmnr hoge)"
147 # downgrade global setting to no
148 {
149 echo "[Resolve]"
150 echo "MulticastDNS=no"
151 echo "LLMNR=no"
152 } >/run/systemd/resolved.conf.d/mdns-llmnr.conf
153 restart_resolved
154 # set per-link setting
155 resolvectl mdns hoge yes
156 resolvectl llmnr hoge yes
157 assert_in 'no' "$(resolvectl mdns hoge)"
158 assert_in 'no' "$(resolvectl llmnr hoge)"
159 resolvectl mdns hoge resolve
160 resolvectl llmnr hoge resolve
161 assert_in 'no' "$(resolvectl mdns hoge)"
162 assert_in 'no' "$(resolvectl llmnr hoge)"
163 resolvectl mdns hoge no
164 resolvectl llmnr hoge no
165 assert_in 'no' "$(resolvectl mdns hoge)"
166 assert_in 'no' "$(resolvectl llmnr hoge)"
167
168 # Cleanup
169 rm -f /run/systemd/resolved.conf.d/mdns-llmnr.conf
170 ip link del hoge
171 ip link del hoge.foo
172
173 ### SETUP ###
174 # Configure network
175 hostnamectl hostname ns1.unsigned.test
176 cat >>/etc/hosts <<EOF
177 10.0.0.1 ns1.unsigned.test
178 fd00:dead:beef:cafe::1 ns1.unsigned.test
179
180 127.128.0.5 localhost5 localhost5.localdomain localhost5.localdomain4 localhost.localdomain5 localhost5.localdomain5
181 EOF
182
183 mkdir -p /etc/systemd/network
184 cat >/etc/systemd/network/10-dns0.netdev <<EOF
185 [NetDev]
186 Name=dns0
187 Kind=dummy
188 EOF
189 cat >/etc/systemd/network/10-dns0.network <<EOF
190 [Match]
191 Name=dns0
192
193 [Network]
194 Address=10.0.0.1/24
195 Address=fd00:dead:beef:cafe::1/64
196 DNSSEC=allow-downgrade
197 DNS=10.0.0.1
198 DNS=fd00:dead:beef:cafe::1
199 EOF
200 cat >/etc/systemd/network/10-dns1.netdev <<EOF
201 [NetDev]
202 Name=dns1
203 Kind=dummy
204 EOF
205 cat >/etc/systemd/network/10-dns1.network <<EOF
206 [Match]
207 Name=dns1
208
209 [Network]
210 Address=10.99.0.1/24
211 DNSSEC=no
212 EOF
213 systemctl edit --stdin --full --runtime --force "resolved-dummy-server.service" <<EOF
214 [Service]
215 Type=notify
216 Environment=SYSTEMD_LOG_LEVEL=debug
217 ExecStart=/usr/lib/systemd/tests/unit-tests/manual/test-resolved-dummy-server 10.99.0.1:53
218 EOF
219
220 DNS_ADDRESSES=(
221 "10.0.0.1"
222 "fd00:dead:beef:cafe::1"
223 )
224
225 mkdir -p /run/systemd/resolved.conf.d
226 {
227 echo "[Resolve]"
228 echo "FallbackDNS="
229 echo "DNSSEC=allow-downgrade"
230 echo "DNSOverTLS=opportunistic"
231 } >/run/systemd/resolved.conf.d/test.conf
232 ln -svf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
233 # Override the default NTA list, which turns off DNSSEC validation for (among
234 # others) the test. domain
235 mkdir -p "/etc/dnssec-trust-anchors.d/"
236 echo local >/etc/dnssec-trust-anchors.d/local.negative
237
238 # Sign the root zone
239 keymgr . generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes
240 # Create a trust anchor for resolved with our root zone
241 keymgr . ds | sed 's/ DS/ IN DS/g' >/etc/dnssec-trust-anchors.d/root.positive
242 # Create a bind-compatible trust anchor (for delv)
243 # Note: the trust-anchors directive is relatively new, so use the original
244 # managed-keys one until it's widespread enough
245 {
246 echo 'managed-keys {'
247 keymgr . dnskey | sed -r 's/^\. DNSKEY ([0-9]+ [0-9]+ [0-9]+) (.+)$/. static-key \1 "\2";/g'
248 echo '};'
249 } >/etc/bind.keys
250 # Create an /etc/bind/bind.keys symlink, which is used by delv on Ubuntu
251 mkdir -p /etc/bind
252 ln -svf /etc/bind.keys /etc/bind/bind.keys
253
254 # Start the services
255 systemctl unmask systemd-networkd
256 systemctl start systemd-networkd
257 restart_resolved
258 systemctl start resolved-dummy-server
259 # Create knot's runtime dir, since from certain version it's provided only by
260 # the package and not created by tmpfiles/systemd
261 if [[ ! -d /run/knot ]]; then
262 mkdir -p /run/knot
263 chown -R knot:knot /run/knot
264 fi
265 systemctl start knot
266 # Wait a bit for the keys to propagate
267 sleep 4
268
269 systemctl status resolved-dummy-server
270 networkctl status
271 resolvectl status
272 resolvectl log-level debug
273
274 # Start monitoring queries
275 systemd-run -u resolvectl-monitor.service -p Type=notify resolvectl monitor
276 systemd-run -u resolvectl-monitor-json.service -p Type=notify resolvectl monitor --json=short
277
278 # FIXME: knot, unfortunately, incorrectly complains about missing zone files for zones
279 # that are forwarded using the `dnsproxy` module. Until the issue is resolved,
280 # let's fall back to pre-processing the `zone-check` output a bit before checking it
281 #
282 # See: https://gitlab.nic.cz/knot/knot-dns/-/issues/913
283 run knotc zone-check || :
284 sed -i '/forwarded.test./d' "$RUN_OUT"
285 [[ ! -s "$RUN_OUT" ]]
286 # We need to manually propagate the DS records of onlinesign.test. to the parent
287 # zone, since they're generated online
288 knotc zone-begin test.
289 if knotc zone-get test. onlinesign.test. ds | grep .; then
290 # Drop any old DS records, if present (e.g. on test re-run)
291 knotc zone-unset test. onlinesign.test. ds
292 fi
293 # Propagate the new DS records
294 while read -ra line; do
295 knotc zone-set test. "${line[0]}" 600 "${line[@]:1}"
296 done < <(keymgr onlinesign.test. ds)
297 knotc zone-commit test.
298
299 knotc reload
300
301 ### SETUP END ###
302
303 : "--- nss-resolve/nss-myhostname tests"
304 # Sanity check
305 TIMESTAMP=$(date '+%F %T')
306 # Issue: https://github.com/systemd/systemd/issues/23951
307 # With IPv6 enabled
308 run getent -s resolve hosts ns1.unsigned.test
309 grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT"
310 monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"
311 # With IPv6 disabled
312 # Issue: https://github.com/systemd/systemd/issues/23951
313 # FIXME
314 #disable_ipv6
315 #run getent -s resolve hosts ns1.unsigned.test
316 #grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
317 #monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
318 enable_ipv6
319
320 # Issue: https://github.com/systemd/systemd/issues/18812
321 # PR: https://github.com/systemd/systemd/pull/18896
322 # Follow-up issue: https://github.com/systemd/systemd/issues/23152
323 # Follow-up PR: https://github.com/systemd/systemd/pull/23161
324 # With IPv6 enabled
325 run getent -s resolve hosts localhost
326 grep -qE "^::1\s+localhost" "$RUN_OUT"
327 run getent -s myhostname hosts localhost
328 grep -qE "^::1\s+localhost" "$RUN_OUT"
329 # With IPv6 disabled
330 disable_ipv6
331 run getent -s resolve hosts localhost
332 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
333 run getent -s myhostname hosts localhost
334 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
335 enable_ipv6
336
337 # Issue: https://github.com/systemd/systemd/issues/25088
338 run getent -s resolve hosts 127.128.0.5
339 grep -qEx '127\.128\.0\.5\s+localhost5(\s+localhost5?\.localdomain[45]?){4}' "$RUN_OUT"
340 [ "$(wc -l <"$RUN_OUT")" -eq 1 ]
341
342 # Issue: https://github.com/systemd/systemd/issues/20158
343 run dig +noall +answer +additional localhost5.
344 grep -qEx 'localhost5\.\s+0\s+IN\s+A\s+127\.128\.0\.5' "$RUN_OUT"
345 [ "$(wc -l <"$RUN_OUT")" -eq 1 ]
346 run dig +noall +answer +additional localhost5.localdomain4.
347 grep -qEx 'localhost5\.localdomain4\.\s+0\s+IN\s+CNAME\s+localhost5\.' "$RUN_OUT"
348 grep -qEx 'localhost5\.\s+0\s+IN\s+A\s+127\.128\.0\.5' "$RUN_OUT"
349 [ "$(wc -l <"$RUN_OUT")" -eq 2 ]
350
351 : "--- Basic resolved tests ---"
352 # Issue: https://github.com/systemd/systemd/issues/22229
353 # PR: https://github.com/systemd/systemd/pull/22231
354 FILTERED_NAMES=(
355 "0.in-addr.arpa"
356 "255.255.255.255.in-addr.arpa"
357 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
358 "hello.invalid"
359 "hello.alt"
360 )
361
362 for name in "${FILTERED_NAMES[@]}"; do
363 (! run host "$name")
364 grep -qF "NXDOMAIN" "$RUN_OUT"
365 done
366
367 # Follow-up
368 # Issue: https://github.com/systemd/systemd/issues/22401
369 # PR: https://github.com/systemd/systemd/pull/22414
370 run dig +noall +authority +comments SRV .
371 grep -qF "status: NOERROR" "$RUN_OUT"
372 grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"
373
374 run resolvectl query -t SVCB svcb.test
375 grep -qF 'alpn="dot"' "$RUN_OUT"
376 grep -qF "ipv4hint=10.0.0.1" "$RUN_OUT"
377
378 run resolvectl query -t HTTPS https.test
379 grep -qF 'alpn="h2,h3"' "$RUN_OUT"
380
381 : "--- ZONE: unsigned.test. ---"
382 run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA
383 grep -qF "10.0.0.101" "$RUN_OUT"
384 grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
385 run resolvectl query unsigned.test
386 grep -qF "10.0.0.10" "$RUN_OUT"
387 grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
388 grep -qF "authenticated: no" "$RUN_OUT"
389 run dig @ns1.unsigned.test +short MX unsigned.test
390 grep -qF "15 mail.unsigned.test." "$RUN_OUT"
391 run resolvectl query --legend=no -t MX unsigned.test
392 grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
393
394
395 : "--- ZONE: signed.test (static DNSSEC) ---"
396 # Check the trust chain (with and without systemd-resolved in between
397 # Issue: https://github.com/systemd/systemd/issues/22002
398 # PR: https://github.com/systemd/systemd/pull/23289
399 run_delv @ns1.unsigned.test signed.test
400 grep -qF "; fully validated" "$RUN_OUT"
401 run_delv signed.test
402 grep -qF "; fully validated" "$RUN_OUT"
403
404 for addr in "${DNS_ADDRESSES[@]}"; do
405 run_delv "@$addr" -t A mail.signed.test
406 grep -qF "; fully validated" "$RUN_OUT"
407 run_delv "@$addr" -t AAAA mail.signed.test
408 grep -qF "; fully validated" "$RUN_OUT"
409 done
410 run resolvectl query mail.signed.test
411 grep -qF "10.0.0.11" "$RUN_OUT"
412 grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"
413 grep -qF "authenticated: yes" "$RUN_OUT"
414
415 run dig +short signed.test
416 grep -qF "10.0.0.10" "$RUN_OUT"
417 run resolvectl query signed.test
418 grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"
419 grep -qF "authenticated: yes" "$RUN_OUT"
420 run dig @ns1.unsigned.test +short MX signed.test
421 grep -qF "10 mail.signed.test." "$RUN_OUT"
422 run resolvectl query --legend=no -t MX signed.test
423 grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"
424 # Check a non-existent domain
425 run dig +dnssec this.does.not.exist.signed.test
426 grep -qF "status: NXDOMAIN" "$RUN_OUT"
427 # Check a wildcard record
428 run resolvectl query -t TXT this.should.be.authenticated.wild.signed.test
429 grep -qF 'this.should.be.authenticated.wild.signed.test IN TXT "this is a wildcard"' "$RUN_OUT"
430 grep -qF "authenticated: yes" "$RUN_OUT"
431 # Check SRV support
432 run resolvectl service _mysvc._tcp signed.test
433 grep -qF "myservice.signed.test:1234" "$RUN_OUT"
434 grep -qF "10.0.0.20" "$RUN_OUT"
435 grep -qF "fd00:dead:beef:cafe::17" "$RUN_OUT"
436 grep -qF "authenticated: yes" "$RUN_OUT"
437 (! run resolvectl service _invalidsvc._udp signed.test)
438 grep -qE "invalidservice\.signed\.test' not found" "$RUN_OUT"
439 run resolvectl service _untrustedsvc._udp signed.test
440 grep -qF "myservice.untrusted.test:1111" "$RUN_OUT"
441 grep -qF "10.0.0.123" "$RUN_OUT"
442 grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT"
443 grep -qF "authenticated: yes" "$RUN_OUT"
444 # Check OPENPGPKEY support
445 run_delv -t OPENPGPKEY 5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test
446 grep -qF "; fully validated" "$RUN_OUT"
447 run resolvectl openpgp mr.smith@signed.test
448 grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT"
449 grep -qF "authenticated: yes" "$RUN_OUT"
450 # Check zone transfers (AXFR/IXFR)
451 # Note: since resolved doesn't support zone transfers, let's just make sure it
452 # simply refuses such requests without choking on them
453 # See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804
454 run dig @ns1.unsigned.test AXFR signed.test
455 grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
456 run dig AXFR signed.test
457 grep -qF "; Transfer failed" "$RUN_OUT"
458 run dig @ns1.unsigned.test IXFR=43 signed.test
459 grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
460 run dig IXFR=43 signed.test
461 grep -qF "; Transfer failed" "$RUN_OUT"
462
463 # DNSSEC validation with multiple records of the same type for the same name
464 # Issue: https://github.com/systemd/systemd/issues/22002
465 # PR: https://github.com/systemd/systemd/pull/23289
466 check_domain() {
467 local domain="${1:?}"
468 local record="${2:?}"
469 local message="${3:?}"
470 local addr
471
472 for addr in "${DNS_ADDRESSES[@]}"; do
473 run_delv "@$addr" -t "$record" "$domain"
474 grep -qF "$message" "$RUN_OUT"
475 done
476
477 run_delv -t "$record" "$domain"
478 grep -qF "$message" "$RUN_OUT"
479
480 run resolvectl query "$domain"
481 grep -qF "authenticated: yes" "$RUN_OUT"
482 }
483
484 check_domain "dupe.signed.test" "A" "; fully validated"
485 check_domain "dupe.signed.test" "AAAA" "; negative response, fully validated"
486 check_domain "dupe-ipv6.signed.test" "AAAA" "; fully validated"
487 check_domain "dupe-ipv6.signed.test" "A" "; negative response, fully validated"
488 check_domain "dupe-mixed.signed.test" "A" "; fully validated"
489 check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated"
490
491 # Test resolution of CNAME chains
492 TIMESTAMP=$(date '+%F %T')
493 run resolvectl query -t A cname-chain.signed.test
494 grep -qF "follow14.final.signed.test IN A 10.0.0.14" "$RUN_OUT"
495 grep -qF "authenticated: yes" "$RUN_OUT"
496
497 monitor_check_rr "$TIMESTAMP" "follow10.so.close.signed.test IN CNAME follow11.yet.so.far.signed.test"
498 monitor_check_rr "$TIMESTAMP" "follow11.yet.so.far.signed.test IN CNAME follow12.getting.hot.signed.test"
499 monitor_check_rr "$TIMESTAMP" "follow12.getting.hot.signed.test IN CNAME follow13.almost.final.signed.test"
500 monitor_check_rr "$TIMESTAMP" "follow13.almost.final.signed.test IN CNAME follow14.final.signed.test"
501 monitor_check_rr "$TIMESTAMP" "follow14.final.signed.test IN A 10.0.0.14"
502
503 # Non-existing RR + CNAME chain
504 run dig +dnssec AAAA cname-chain.signed.test
505 grep -qF "status: NOERROR" "$RUN_OUT"
506 grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
507
508
509 : "--- ZONE: onlinesign.test (dynamic DNSSEC) ---"
510 # Check the trust chain (with and without systemd-resolved in between
511 # Issue: https://github.com/systemd/systemd/issues/22002
512 # PR: https://github.com/systemd/systemd/pull/23289
513 run_delv @ns1.unsigned.test sub.onlinesign.test
514 grep -qF "; fully validated" "$RUN_OUT"
515 run_delv sub.onlinesign.test
516 grep -qF "; fully validated" "$RUN_OUT"
517
518 run dig +short sub.onlinesign.test
519 grep -qF "10.0.0.133" "$RUN_OUT"
520 run resolvectl query sub.onlinesign.test
521 grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"
522 grep -qF "authenticated: yes" "$RUN_OUT"
523 run dig @ns1.unsigned.test +short TXT onlinesign.test
524 grep -qF '"hello from onlinesign"' "$RUN_OUT"
525 run resolvectl query --legend=no -t TXT onlinesign.test
526 grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"
527
528 for addr in "${DNS_ADDRESSES[@]}"; do
529 run_delv "@$addr" -t A dual.onlinesign.test
530 grep -qF "10.0.0.135" "$RUN_OUT"
531 run_delv "@$addr" -t AAAA dual.onlinesign.test
532 grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
533 run_delv "@$addr" -t ANY ipv6.onlinesign.test
534 grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
535 done
536 run resolvectl query dual.onlinesign.test
537 grep -qF "10.0.0.135" "$RUN_OUT"
538 grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
539 grep -qF "authenticated: yes" "$RUN_OUT"
540 run resolvectl query ipv6.onlinesign.test
541 grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
542 grep -qF "authenticated: yes" "$RUN_OUT"
543
544 # Check a non-existent domain
545 # Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the
546 # different response than with "standard" DNSSEC
547 run dig +dnssec this.does.not.exist.onlinesign.test
548 grep -qF "status: NOERROR" "$RUN_OUT"
549 grep -qF "NSEC \\000.this.does.not.exist.onlinesign.test." "$RUN_OUT"
550 # Check a wildcard record
551 run resolvectl query -t TXT this.should.be.authenticated.wild.onlinesign.test
552 grep -qF 'this.should.be.authenticated.wild.onlinesign.test IN TXT "this is an onlinesign wildcard"' "$RUN_OUT"
553 grep -qF "authenticated: yes" "$RUN_OUT"
554
555 # Resolve via dbus method
556 TIMESTAMP=$(date '+%F %T')
557 run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager ResolveHostname 'isit' 0 secondsub.onlinesign.test 0 0
558 grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
559 monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"
560
561
562 : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
563 # Issue: https://github.com/systemd/systemd/issues/23955
564 # FIXME
565 resolvectl flush-caches
566 #run dig +short untrusted.test A untrusted.test AAAA
567 #grep -qF "10.0.0.121" "$RUN_OUT"
568 #grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
569 run resolvectl query untrusted.test
570 grep -qF "untrusted.test:" "$RUN_OUT"
571 grep -qF "10.0.0.121" "$RUN_OUT"
572 grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
573 grep -qF "authenticated: no" "$RUN_OUT"
574 run resolvectl service _mysvc._tcp untrusted.test
575 grep -qF "myservice.untrusted.test:1234" "$RUN_OUT"
576 grep -qF "10.0.0.123" "$RUN_OUT"
577 grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT"
578
579 # Issue: https://github.com/systemd/systemd/issues/19472
580 # 1) Query for a non-existing RR should return NOERROR + NSEC (?), not NXDOMAIN
581 # FIXME: re-enable once the issue is resolved
582 #run dig +dnssec AAAA untrusted.test
583 #grep -qF "status: NOERROR" "$RUN_OUT"
584 #grep -qE "^untrusted\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
585 ## 2) Query for a non-existing name should return NXDOMAIN, not SERVFAIL
586 #run dig +dnssec this.does.not.exist.untrusted.test
587 #grep -qF "status: NXDOMAIN" "$RUN_OUT"
588
589 : "--- ZONE: forwarded.test (queries forwarded to our dummy test server) ---"
590 JOURNAL_CURSOR="$(mktemp)"
591 journalctl -n0 -q --cursor-file="$JOURNAL_CURSOR"
592
593 # See "test-resolved-dummy-server.c" for the server part
594 (! run resolvectl query nope.forwarded.test)
595 grep -qF "nope.forwarded.test" "$RUN_OUT"
596 grep -qF "not found" "$RUN_OUT"
597
598 # SERVFAIL + EDE code 6: DNSSEC Bogus
599 (! run resolvectl query edns-bogus-dnssec.forwarded.test)
600 grep -qE "^edns-bogus-dnssec.forwarded.test:.+: upstream-failure \(DNSSEC Bogus\)" "$RUN_OUT"
601 # Same thing, but over Varlink
602 (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-bogus-dnssec.forwarded.test"}')
603 grep -qF "io.systemd.Resolve.DNSSECValidationFailed" "$RUN_OUT"
604 grep -qF '{"result":"upstream-failure","extendedDNSErrorCode":6}' "$RUN_OUT"
605 journalctl --sync
606 journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(DNSSEC Bogus\). Lookup failed."
607
608 # SERVFAIL + EDE code 16: Censored + extra text
609 (! run resolvectl query edns-extra-text.forwarded.test)
610 grep -qE "^edns-extra-text.forwarded.test.+: SERVFAIL \(Censored: Nothing to see here!\)" "$RUN_OUT"
611 (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-extra-text.forwarded.test"}')
612 grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT"
613 grep -qF '{"rcode":2,"extendedDNSErrorCode":16,"extendedDNSErrorMessage":"Nothing to see here!"}' "$RUN_OUT"
614 journalctl --sync
615 journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(Censored: Nothing to see here!\)"
616
617 # SERVFAIL + EDE code 0: Other + extra text
618 (! run resolvectl query edns-code-zero.forwarded.test)
619 grep -qE "^edns-code-zero.forwarded.test:.+: SERVFAIL \(Other: 🐱\)" "$RUN_OUT"
620 (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-code-zero.forwarded.test"}')
621 grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT"
622 grep -qF '{"rcode":2,"extendedDNSErrorCode":0,"extendedDNSErrorMessage":"🐱"}' "$RUN_OUT"
623 journalctl --sync
624 journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(Other: 🐱\)"
625
626 # SERVFAIL + invalid EDE code
627 (! run resolvectl query edns-invalid-code.forwarded.test)
628 grep -qE "^edns-invalid-code.forwarded.test:.+: SERVFAIL \([0-9]+\)" "$RUN_OUT"
629 (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-invalid-code.forwarded.test"}')
630 grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT"
631 grep -qE '{"rcode":2,"extendedDNSErrorCode":[0-9]+}' "$RUN_OUT"
632 journalctl --sync
633 journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(\d+\)"
634
635 # SERVFAIL + invalid EDE code + extra text
636 (! run resolvectl query edns-invalid-code-with-extra-text.forwarded.test)
637 grep -qE '^edns-invalid-code-with-extra-text.forwarded.test:.+: SERVFAIL \([0-9]+: Hello \[#\]\$%~ World\)' "$RUN_OUT"
638 (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-invalid-code-with-extra-text.forwarded.test"}')
639 grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT"
640 grep -qE '{"rcode":2,"extendedDNSErrorCode":[0-9]+,"extendedDNSErrorMessage":"Hello \[#\]\$%~ World"}' "$RUN_OUT"
641 journalctl --sync
642 journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(\d+: Hello \[\#\]\\$%~ World\)"
643
644 ### Test resolvectl show-cache
645 run resolvectl show-cache
646 run resolvectl show-cache --json=short
647 run resolvectl show-cache --json=pretty
648
649 # Issue: https://github.com/systemd/systemd/issues/29580 (part #1)
650 dig @127.0.0.54 signed.test
651
652 systemctl stop resolvectl-monitor.service
653 systemctl stop resolvectl-monitor-json.service
654
655 # Issue: https://github.com/systemd/systemd/issues/29580 (part #2)
656 #
657 # Check for any warnings regarding malformed messages
658 (! journalctl -u resolvectl-monitor.service -u reseolvectl-monitor-json.service -p warning --grep malformed)
659 # Verify that all queries recorded by `resolvectl monitor --json` produced a valid JSON
660 # with expected fields
661 journalctl -p info -o cat _SYSTEMD_UNIT="resolvectl-monitor-json.service" | while read -r line; do
662 # Check that both "question" and "answer" fields are arrays
663 #
664 # The expression is slightly more complicated due to the fact that the "answer" field is optional,
665 # so we need to select it only if it's present, otherwise the type == "array" check would fail
666 echo "$line" | jq -e '[. | .question, (select(has("answer")) | .answer) | type == "array"] | all'
667 done
668
669 # Test serve stale feature and NFTSet= if nftables is installed
670 if command -v nft >/dev/null; then
671 ### Test without serve stale feature ###
672 NFT_FILTER_NAME=dns_port_filter
673
674 drop_dns_outbound_traffic() {
675 nft add table inet $NFT_FILTER_NAME
676 nft add chain inet $NFT_FILTER_NAME output \{ type filter hook output priority 0 \; \}
677 nft add rule inet $NFT_FILTER_NAME output ip daddr 10.0.0.1 udp dport 53 drop
678 nft add rule inet $NFT_FILTER_NAME output ip daddr 10.0.0.1 tcp dport 53 drop
679 nft add rule inet $NFT_FILTER_NAME output ip6 daddr fd00:dead:beef:cafe::1 udp dport 53 drop
680 nft add rule inet $NFT_FILTER_NAME output ip6 daddr fd00:dead:beef:cafe::1 tcp dport 53 drop
681 }
682
683 run dig stale1.unsigned.test -t A
684 grep -qE "NOERROR" "$RUN_OUT"
685 sleep 2
686 drop_dns_outbound_traffic
687 set +e
688 run dig stale1.unsigned.test -t A
689 set -eux
690 grep -qE "no servers could be reached" "$RUN_OUT"
691 nft flush ruleset
692
693 ### Test TIMEOUT with serve stale feature ###
694
695 mkdir -p /run/systemd/resolved.conf.d
696 {
697 echo "[Resolve]"
698 echo "StaleRetentionSec=1d"
699 } >/run/systemd/resolved.conf.d/test.conf
700 ln -svf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
701 restart_resolved
702
703 run dig stale1.unsigned.test -t A
704 grep -qE "NOERROR" "$RUN_OUT"
705 sleep 2
706 drop_dns_outbound_traffic
707 run dig stale1.unsigned.test -t A
708 grep -qE "NOERROR" "$RUN_OUT"
709 grep -qE "10.0.0.112" "$RUN_OUT"
710
711 nft flush ruleset
712
713 ### Test NXDOMAIN with serve stale feature ###
714 # NXDOMAIN response should replace the cache with NXDOMAIN response
715 run dig stale1.unsigned.test -t A
716 grep -qE "NOERROR" "$RUN_OUT"
717 # Delete stale1 record from zone
718 knotc zone-begin unsigned.test
719 knotc zone-unset unsigned.test stale1 A
720 knotc zone-commit unsigned.test
721 knotc reload
722 sleep 2
723 run dig stale1.unsigned.test -t A
724 grep -qE "NXDOMAIN" "$RUN_OUT"
725
726 nft flush ruleset
727
728 ### NFTSet= test
729 nft add table inet sd_test
730 nft add set inet sd_test c '{ type cgroupsv2; }'
731 nft add set inet sd_test u '{ typeof meta skuid; }'
732 nft add set inet sd_test g '{ typeof meta skgid; }'
733
734 # service
735 systemd-run --unit test-nft.service --service-type=exec -p DynamicUser=yes \
736 -p 'NFTSet=cgroup:inet:sd_test:c user:inet:sd_test:u group:inet:sd_test:g' sleep 10000
737 run nft list set inet sd_test c
738 grep -qF "test-nft.service" "$RUN_OUT"
739 uid=$(getent passwd test-nft | cut -d':' -f3)
740 run nft list set inet sd_test u
741 grep -qF "$uid" "$RUN_OUT"
742 gid=$(getent passwd test-nft | cut -d':' -f4)
743 run nft list set inet sd_test g
744 grep -qF "$gid" "$RUN_OUT"
745 systemctl stop test-nft.service
746
747 # scope
748 run systemd-run --scope -u test-nft.scope -p 'NFTSet=cgroup:inet:sd_test:c' nft list set inet sd_test c
749 grep -qF "test-nft.scope" "$RUN_OUT"
750
751 mkdir -p /run/systemd/system
752 # socket
753 {
754 echo "[Socket]"
755 echo "ListenStream=12345"
756 echo "BindToDevice=lo"
757 echo "NFTSet=cgroup:inet:sd_test:c"
758 } >/run/systemd/system/test-nft.socket
759 {
760 echo "[Service]"
761 echo "ExecStart=/usr/bin/sleep 10000"
762 } >/run/systemd/system/test-nft.service
763 systemctl daemon-reload
764 systemctl start test-nft.socket
765 systemctl status test-nft.socket
766 run nft list set inet sd_test c
767 grep -qF "test-nft.socket" "$RUN_OUT"
768 systemctl stop test-nft.socket
769 rm -f /run/systemd/system/test-nft.{socket,service}
770
771 # slice
772 mkdir /run/systemd/system/system.slice.d
773 {
774 echo "[Slice]"
775 echo "NFTSet=cgroup:inet:sd_test:c"
776 } >/run/systemd/system/system.slice.d/00-test-nft.conf
777 systemctl daemon-reload
778 run nft list set inet sd_test c
779 grep -qF "system.slice" "$RUN_OUT"
780 rm -rf /run/systemd/system/system.slice.d
781
782 nft flush ruleset
783 else
784 echo "nftables is not installed. Skipped serve stale feature and NFTSet= tests."
785 fi
786
787 ### Test resolvectl show-server-state ###
788 run resolvectl show-server-state
789 grep -qF "10.0.0.1" "$RUN_OUT"
790 grep -qF "Interface" "$RUN_OUT"
791
792 run resolvectl show-server-state --json=short
793 grep -qF "10.0.0.1" "$RUN_OUT"
794 grep -qF "Interface" "$RUN_OUT"
795
796 run resolvectl show-server-state --json=pretty
797 grep -qF "10.0.0.1" "$RUN_OUT"
798 grep -qF "Interface" "$RUN_OUT"
799
800 ### Test resolvectl statistics ###
801 run resolvectl statistics
802 grep -qF "Transactions" "$RUN_OUT"
803 grep -qF "Cache" "$RUN_OUT"
804 grep -qF "Failure Transactions" "$RUN_OUT"
805 grep -qF "DNSSEC Verdicts" "$RUN_OUT"
806
807 run resolvectl statistics --json=short
808 grep -qF "transactions" "$RUN_OUT"
809 grep -qF "cache" "$RUN_OUT"
810 grep -qF "dnssec" "$RUN_OUT"
811
812 run resolvectl statistics --json=pretty
813 grep -qF "transactions" "$RUN_OUT"
814 grep -qF "cache" "$RUN_OUT"
815 grep -qF "dnssec" "$RUN_OUT"
816
817 ### Test resolvectl reset-statistics ###
818 run resolvectl reset-statistics
819
820 run resolvectl reset-statistics --json=pretty
821
822 run resolvectl reset-statistics --json=short
823
824 # Check if resolved exits cleanly.
825 restart_resolved
826
827 touch /testok
Unnamed repository; edit this file 'description' to name the repository.