2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # vi: ts=4 sw=4 tw=0 et:
14 # shellcheck source=test/units/assert.sh
15 .
"$(dirname "$0")"/assert.sh
22 "$@" |
& tee "$RUN_OUT"
26 sysctl
-w net.ipv6.conf.all.disable_ipv6
=1
30 sysctl
-w net.ipv6.conf.all.disable_ipv6
=0
31 networkctl reconfigure dns0
40 # Wait until the first mention of the specified log message is
41 # displayed. We turn off pipefail for this, since we don't care about the
42 # lhs of this pipe expression, we only care about the rhs' result to be
44 timeout
-v 30s journalctl
-u resmontest.service
--since "$since" -f --full |
grep -m1 "$match"
47 # Test for resolvectl, resolvconf
48 systemctl unmask systemd-resolved.service
49 systemctl
enable --now systemd-resolved.service
50 systemctl service-log-level systemd-resolved.service debug
51 ip link add hoge
type dummy
52 ip link add hoge.foo
type dummy
53 resolvectl dns hoge
10.0.0.1 10.0.0.2
54 resolvectl dns hoge.foo
10.0.0.3 10.0.0.4
55 assert_in
'10.0.0.1 10.0.0.2' "$(resolvectl dns hoge)"
56 assert_in
'10.0.0.3 10.0.0.4' "$(resolvectl dns hoge.foo)"
57 resolvectl dns hoge
10.0.1.1 10.0.1.2
58 resolvectl dns hoge.foo
10.0.1.3 10.0.1.4
59 assert_in
'10.0.1.1 10.0.1.2' "$(resolvectl dns hoge)"
60 assert_in
'10.0.1.3 10.0.1.4' "$(resolvectl dns hoge.foo)"
61 if ! RESOLVCONF
=$
(command -v resolvconf
2>/dev
/null
); then
62 TMPDIR
=$
(mktemp
-d -p /tmp resolvconf-tests.XXXXXX
)
63 RESOLVCONF
="$TMPDIR"/resolvconf
64 ln -s "$(command -v resolvectl 2>/dev/null)" "$RESOLVCONF"
66 echo nameserver
10.0.2.1 10.0.2.2 |
"$RESOLVCONF" -a hoge
67 echo nameserver
10.0.2.3 10.0.2.4 |
"$RESOLVCONF" -a hoge.foo
68 assert_in
'10.0.2.1 10.0.2.2' "$(resolvectl dns hoge)"
69 assert_in
'10.0.2.3 10.0.2.4' "$(resolvectl dns hoge.foo)"
70 echo nameserver
10.0.3.1 10.0.3.2 |
"$RESOLVCONF" -a hoge.inet.ipsec
.192.168.35
71 echo nameserver
10.0.3.3 10.0.3.4 |
"$RESOLVCONF" -a hoge.foo.dhcp
72 assert_in
'10.0.3.1 10.0.3.2' "$(resolvectl dns hoge)"
73 assert_in
'10.0.3.3 10.0.3.4' "$(resolvectl dns hoge.foo)"
75 # Tests for _localdnsstub and _localdnsproxy
76 assert_in
'127.0.0.53' "$(resolvectl query _localdnsstub)"
77 assert_in
'_localdnsstub' "$(resolvectl query 127.0.0.53)"
78 assert_in
'127.0.0.54' "$(resolvectl query _localdnsproxy)"
79 assert_in
'_localdnsproxy' "$(resolvectl query 127.0.0.54)"
81 assert_in
'127.0.0.53' "$(dig @127.0.0.53 _localdnsstub)"
82 assert_in
'_localdnsstub' "$(dig @127.0.0.53 -x 127.0.0.53)"
83 assert_in
'127.0.0.54' "$(dig @127.0.0.53 _localdnsproxy)"
84 assert_in
'_localdnsproxy' "$(dig @127.0.0.53 -x 127.0.0.54)"
86 # Tests for mDNS and LLMNR settings
87 mkdir
-p /run
/systemd
/resolved.conf.d
90 echo "MulticastDNS=yes"
92 } >/run
/systemd
/resolved.conf.d
/mdns-llmnr.conf
93 systemctl restart systemd-resolved.service
94 systemctl service-log-level systemd-resolved.service debug
95 # make sure networkd is not running.
96 systemctl stop systemd-networkd.service
97 # defaults to yes (both the global and per-link settings are yes)
98 assert_in
'yes' "$(resolvectl mdns hoge)"
99 assert_in
'yes' "$(resolvectl llmnr hoge)"
100 # set per-link setting
101 resolvectl mdns hoge
yes
102 resolvectl llmnr hoge
yes
103 assert_in
'yes' "$(resolvectl mdns hoge)"
104 assert_in
'yes' "$(resolvectl llmnr hoge)"
105 resolvectl mdns hoge resolve
106 resolvectl llmnr hoge resolve
107 assert_in
'resolve' "$(resolvectl mdns hoge)"
108 assert_in
'resolve' "$(resolvectl llmnr hoge)"
109 resolvectl mdns hoge no
110 resolvectl llmnr hoge no
111 assert_in
'no' "$(resolvectl mdns hoge)"
112 assert_in
'no' "$(resolvectl llmnr hoge)"
113 # downgrade global setting to resolve
116 echo "MulticastDNS=resolve"
118 } >/run
/systemd
/resolved.conf.d
/mdns-llmnr.conf
119 systemctl restart systemd-resolved.service
120 systemctl service-log-level systemd-resolved.service debug
121 # set per-link setting
122 resolvectl mdns hoge
yes
123 resolvectl llmnr hoge
yes
124 assert_in
'resolve' "$(resolvectl mdns hoge)"
125 assert_in
'resolve' "$(resolvectl llmnr hoge)"
126 resolvectl mdns hoge resolve
127 resolvectl llmnr hoge resolve
128 assert_in
'resolve' "$(resolvectl mdns hoge)"
129 assert_in
'resolve' "$(resolvectl llmnr hoge)"
130 resolvectl mdns hoge no
131 resolvectl llmnr hoge no
132 assert_in
'no' "$(resolvectl mdns hoge)"
133 assert_in
'no' "$(resolvectl llmnr hoge)"
134 # downgrade global setting to no
137 echo "MulticastDNS=no"
139 } >/run
/systemd
/resolved.conf.d
/mdns-llmnr.conf
140 systemctl restart systemd-resolved.service
141 systemctl service-log-level systemd-resolved.service debug
142 # set per-link setting
143 resolvectl mdns hoge
yes
144 resolvectl llmnr hoge
yes
145 assert_in
'no' "$(resolvectl mdns hoge)"
146 assert_in
'no' "$(resolvectl llmnr hoge)"
147 resolvectl mdns hoge resolve
148 resolvectl llmnr hoge resolve
149 assert_in
'no' "$(resolvectl mdns hoge)"
150 assert_in
'no' "$(resolvectl llmnr hoge)"
151 resolvectl mdns hoge no
152 resolvectl llmnr hoge no
153 assert_in
'no' "$(resolvectl mdns hoge)"
154 assert_in
'no' "$(resolvectl llmnr hoge)"
157 rm -f /run
/systemd
/resolved.conf.d
/mdns-llmnr.conf
163 hostnamectl hostname ns1.unsigned.
test
165 echo "10.0.0.1 ns1.unsigned.test"
166 echo "fd00:dead:beef:cafe::1 ns1.unsigned.test"
169 mkdir
-p /etc
/systemd
/network
170 cat >/etc
/systemd
/network
/dns0.netdev
<<EOF
175 cat >/etc
/systemd
/network
/dns0.network
<<EOF
181 Address=fd00:dead:beef:cafe::1/64
182 DNSSEC=allow-downgrade
184 DNS=fd00:dead:beef:cafe::1
189 "fd00:dead:beef:cafe::1"
192 mkdir
-p /run
/systemd
/resolved.conf.d
196 echo "DNSSEC=allow-downgrade"
197 echo "DNSOverTLS=opportunistic"
198 } >/run
/systemd
/resolved.conf.d
/test.conf
199 ln -svf /run
/systemd
/resolve
/stub-resolv.conf
/etc
/resolv.conf
200 # Override the default NTA list, which turns off DNSSEC validation for (among
201 # others) the test. domain
202 mkdir
-p "/etc/dnssec-trust-anchors.d/"
203 echo local >/etc
/dnssec-trust-anchors.d
/local.negative
206 keymgr . generate algorithm
=ECDSAP256SHA256 ksk
=yes zsk
=yes
207 # Create a trust anchor for resolved with our root zone
208 keymgr . ds |
sed 's/ DS/ IN DS/g' >/etc
/dnssec-trust-anchors.d
/root.positive
209 # Create a bind-compatible trust anchor (for delv)
210 # Note: the trust-anchors directive is relatively new, so use the original
211 # managed-keys one until it's widespread enough
213 echo 'managed-keys {'
214 keymgr . dnskey |
sed -r 's/^\. DNSKEY ([0-9]+ [0-9]+ [0-9]+) (.+)$/. static-key \1 "\2";/g'
217 # Create an /etc/bind/bind.keys symlink, which is used by delv on Ubuntu
219 ln -svf /etc
/bind.keys
/etc
/bind
/bind.keys
222 systemctl unmask systemd-networkd
223 systemctl start systemd-networkd
224 systemctl restart systemd-resolved
225 # Create knot's runtime dir, since from certain version it's provided only by
226 # the package and not created by tmpfiles/systemd
227 if [[ ! -d /run
/knot
]]; then
229 chown
-R knot
:knot
/run
/knot
232 # Wait a bit for the keys to propagate
237 resolvectl log-level debug
239 # Start monitoring queries
240 systemd-run
-u resmontest.service
-p Type
=notify resolvectl monitor
242 # Check if all the zones are valid (zone-check always returns 0, so let's check
243 # if it produces any errors/warnings)
245 [[ ! -s "$RUN_OUT" ]]
246 # We need to manually propagate the DS records of onlinesign.test. to the parent
247 # zone, since they're generated online
248 knotc zone-begin
test.
249 if knotc zone-get
test. onlinesign.
test. ds |
grep .
; then
250 # Drop any old DS records, if present (e.g. on test re-run)
251 knotc zone-unset
test. onlinesign.
test. ds
253 # Propagate the new DS records
254 while read -ra line
; do
255 knotc zone-set
test.
"${line[0]}" 600 "${line[@]:1}"
256 done < <(keymgr onlinesign.
test. ds
)
257 knotc zone-commit
test.
263 : "--- nss-resolve/nss-myhostname tests"
265 TIMESTAMP
=$
(date '+%F %T')
266 # Issue: https://github.com/systemd/systemd/issues/23951
268 run getent
-s resolve hosts ns1.unsigned.
test
269 grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT"
270 monitor_check_rr
"$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"
272 # Issue: https://github.com/systemd/systemd/issues/23951
275 #run getent -s resolve hosts ns1.unsigned.test
276 #grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
277 #monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
280 # Issue: https://github.com/systemd/systemd/issues/18812
281 # PR: https://github.com/systemd/systemd/pull/18896
282 # Follow-up issue: https://github.com/systemd/systemd/issues/23152
283 # Follow-up PR: https://github.com/systemd/systemd/pull/23161
285 run getent
-s resolve hosts localhost
286 grep -qE "^::1\s+localhost" "$RUN_OUT"
287 run getent
-s myhostname hosts localhost
288 grep -qE "^::1\s+localhost" "$RUN_OUT"
291 run getent
-s resolve hosts localhost
292 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
293 run getent
-s myhostname hosts localhost
294 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
297 : "--- Basic resolved tests ---"
298 # Issue: https://github.com/systemd/systemd/issues/22229
299 # PR: https://github.com/systemd/systemd/pull/22231
302 "255.255.255.255.in-addr.arpa"
303 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
307 for name
in "${FILTERED_NAMES[@]}"; do
309 grep -qF "NXDOMAIN" "$RUN_OUT"
313 # Issue: https://github.com/systemd/systemd/issues/22401
314 # PR: https://github.com/systemd/systemd/pull/22414
315 run
dig +noall
+authority
+comments SRV .
316 grep -qF "status: NOERROR" "$RUN_OUT"
317 grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"
320 : "--- ZONE: unsigned.test. ---"
321 run
dig @ns1.unsigned.
test +short unsigned.
test A unsigned.
test AAAA
322 grep -qF "10.0.0.101" "$RUN_OUT"
323 grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
324 run resolvectl query unsigned.
test
325 grep -qF "10.0.0.10" "$RUN_OUT"
326 grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
327 grep -qF "authenticated: no" "$RUN_OUT"
328 run
dig @ns1.unsigned.
test +short MX unsigned.
test
329 grep -qF "15 mail.unsigned.test." "$RUN_OUT"
330 run resolvectl query
--legend=no
-t MX unsigned.
test
331 grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
334 : "--- ZONE: signed.test (static DNSSEC) ---"
335 # Check the trust chain (with and without systemd-resolved in between
336 # Issue: https://github.com/systemd/systemd/issues/22002
337 # PR: https://github.com/systemd/systemd/pull/23289
338 run delv @ns1.unsigned.
test signed.
test
339 grep -qF "; fully validated" "$RUN_OUT"
341 grep -qF "; fully validated" "$RUN_OUT"
343 for addr
in "${DNS_ADDRESSES[@]}"; do
344 run delv
"@$addr" -t A
mail.signed.
test
345 grep -qF "; fully validated" "$RUN_OUT"
346 run delv
"@$addr" -t AAAA
mail.signed.
test
347 grep -qF "; fully validated" "$RUN_OUT"
349 run resolvectl query
mail.signed.
test
350 grep -qF "10.0.0.11" "$RUN_OUT"
351 grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"
352 grep -qF "authenticated: yes" "$RUN_OUT"
354 run
dig +short signed.
test
355 grep -qF "10.0.0.10" "$RUN_OUT"
356 run resolvectl query signed.
test
357 grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"
358 grep -qF "authenticated: yes" "$RUN_OUT"
359 run
dig @ns1.unsigned.
test +short MX signed.
test
360 grep -qF "10 mail.signed.test." "$RUN_OUT"
361 run resolvectl query
--legend=no
-t MX signed.
test
362 grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"
363 # Check a non-existent domain
364 run
dig +dnssec this.does.not.exist.signed.
test
365 grep -qF "status: NXDOMAIN" "$RUN_OUT"
366 # Check a wildcard record
367 run resolvectl query
-t TXT this.should.be.authenticated.wild.signed.
test
368 grep -qF 'this.should.be.authenticated.wild.signed.test IN TXT "this is a wildcard"' "$RUN_OUT"
369 grep -qF "authenticated: yes" "$RUN_OUT"
371 run resolvectl service _mysvc._tcp signed.
test
372 grep -qF "myservice.signed.test:1234" "$RUN_OUT"
373 grep -qF "10.0.0.20" "$RUN_OUT"
374 grep -qF "fd00:dead:beef:cafe::17" "$RUN_OUT"
375 grep -qF "authenticated: yes" "$RUN_OUT"
376 (! run resolvectl service _invalidsvc._udp signed.
test)
377 grep -qE "invalidservice\.signed\.test' not found" "$RUN_OUT"
378 run resolvectl service _untrustedsvc._udp signed.
test
379 grep -qF "myservice.untrusted.test:1111" "$RUN_OUT"
380 grep -qF "10.0.0.123" "$RUN_OUT"
381 grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT"
382 grep -qF "authenticated: yes" "$RUN_OUT"
383 # Check OPENPGPKEY support
384 run delv
-t OPENPGPKEY
5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.
test
385 grep -qF "; fully validated" "$RUN_OUT"
386 run resolvectl openpgp mr.smith@signed.
test
387 grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT"
388 grep -qF "authenticated: yes" "$RUN_OUT"
390 # DNSSEC validation with multiple records of the same type for the same name
391 # Issue: https://github.com/systemd/systemd/issues/22002
392 # PR: https://github.com/systemd/systemd/pull/23289
394 local domain
="${1:?}"
395 local record
="${2:?}"
396 local message
="${3:?}"
399 for addr
in "${DNS_ADDRESSES[@]}"; do
400 run delv
"@$addr" -t "$record" "$domain"
401 grep -qF "$message" "$RUN_OUT"
404 run delv
-t "$record" "$domain"
405 grep -qF "$message" "$RUN_OUT"
407 run resolvectl query
"$domain"
408 grep -qF "authenticated: yes" "$RUN_OUT"
411 check_domain
"dupe.signed.test" "A" "; fully validated"
412 check_domain
"dupe.signed.test" "AAAA" "; negative response, fully validated"
413 check_domain
"dupe-ipv6.signed.test" "AAAA" "; fully validated"
414 check_domain
"dupe-ipv6.signed.test" "A" "; negative response, fully validated"
415 check_domain
"dupe-mixed.signed.test" "A" "; fully validated"
416 check_domain
"dupe-mixed.signed.test" "AAAA" "; fully validated"
418 # Test resolution of CNAME chains
419 TIMESTAMP
=$
(date '+%F %T')
420 run resolvectl query
-t A cname-chain.signed.
test
421 grep -qF "follow14.final.signed.test IN A 10.0.0.14" "$RUN_OUT"
422 grep -qF "authenticated: yes" "$RUN_OUT"
424 monitor_check_rr
"$TIMESTAMP" "follow10.so.close.signed.test IN CNAME follow11.yet.so.far.signed.test"
425 monitor_check_rr
"$TIMESTAMP" "follow11.yet.so.far.signed.test IN CNAME follow12.getting.hot.signed.test"
426 monitor_check_rr
"$TIMESTAMP" "follow12.getting.hot.signed.test IN CNAME follow13.almost.final.signed.test"
427 monitor_check_rr
"$TIMESTAMP" "follow13.almost.final.signed.test IN CNAME follow14.final.signed.test"
428 monitor_check_rr
"$TIMESTAMP" "follow14.final.signed.test IN A 10.0.0.14"
430 # Non-existing RR + CNAME chain
431 run
dig +dnssec AAAA cname-chain.signed.
test
432 grep -qF "status: NOERROR" "$RUN_OUT"
433 grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
436 : "--- ZONE: onlinesign.test (dynamic DNSSEC) ---"
437 # Check the trust chain (with and without systemd-resolved in between
438 # Issue: https://github.com/systemd/systemd/issues/22002
439 # PR: https://github.com/systemd/systemd/pull/23289
440 run delv @ns1.unsigned.
test sub.onlinesign.
test
441 grep -qF "; fully validated" "$RUN_OUT"
442 run delv sub.onlinesign.
test
443 grep -qF "; fully validated" "$RUN_OUT"
445 run
dig +short sub.onlinesign.
test
446 grep -qF "10.0.0.133" "$RUN_OUT"
447 run resolvectl query sub.onlinesign.
test
448 grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"
449 grep -qF "authenticated: yes" "$RUN_OUT"
450 run
dig @ns1.unsigned.
test +short TXT onlinesign.
test
451 grep -qF '"hello from onlinesign"' "$RUN_OUT"
452 run resolvectl query
--legend=no
-t TXT onlinesign.
test
453 grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"
455 for addr
in "${DNS_ADDRESSES[@]}"; do
456 run delv
"@$addr" -t A dual.onlinesign.
test
457 grep -qF "10.0.0.135" "$RUN_OUT"
458 run delv
"@$addr" -t AAAA dual.onlinesign.
test
459 grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
460 run delv
"@$addr" -t ANY ipv6.onlinesign.
test
461 grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
463 run resolvectl query dual.onlinesign.
test
464 grep -qF "10.0.0.135" "$RUN_OUT"
465 grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
466 grep -qF "authenticated: yes" "$RUN_OUT"
467 run resolvectl query ipv6.onlinesign.
test
468 grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
469 grep -qF "authenticated: yes" "$RUN_OUT"
471 # Check a non-existent domain
472 # Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the
473 # different response than with "standard" DNSSEC
474 run
dig +dnssec this.does.not.exist.onlinesign.
test
475 grep -qF "status: NOERROR" "$RUN_OUT"
476 grep -qF "NSEC \\000.this.does.not.exist.onlinesign.test." "$RUN_OUT"
477 # Check a wildcard record
478 run resolvectl query
-t TXT this.should.be.authenticated.wild.onlinesign.
test
479 grep -qF 'this.should.be.authenticated.wild.onlinesign.test IN TXT "this is an onlinesign wildcard"' "$RUN_OUT"
480 grep -qF "authenticated: yes" "$RUN_OUT"
482 # Resolve via dbus method
483 TIMESTAMP
=$
(date '+%F %T')
484 run busctl call org.freedesktop.resolve1
/org
/freedesktop
/resolve1 org.freedesktop.resolve1.Manager ResolveHostname
'isit' 0 secondsub.onlinesign.
test 0 0
485 grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
486 monitor_check_rr
"$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"
489 : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
490 # Issue: https://github.com/systemd/systemd/issues/23955
492 resolvectl flush-caches
493 #run dig +short untrusted.test A untrusted.test AAAA
494 #grep -qF "10.0.0.121" "$RUN_OUT"
495 #grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
496 run resolvectl query untrusted.
test
497 grep -qF "untrusted.test:" "$RUN_OUT"
498 grep -qF "10.0.0.121" "$RUN_OUT"
499 grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
500 grep -qF "authenticated: no" "$RUN_OUT"
501 run resolvectl service _mysvc._tcp untrusted.
test
502 grep -qF "myservice.untrusted.test:1234" "$RUN_OUT"
503 grep -qF "10.0.0.123" "$RUN_OUT"
504 grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT"
506 # Issue: https://github.com/systemd/systemd/issues/19472
507 # 1) Query for a non-existing RR should return NOERROR + NSEC (?), not NXDOMAIN
508 # FIXME: re-enable once the issue is resolved
509 #run dig +dnssec AAAA untrusted.test
510 #grep -qF "status: NOERROR" "$RUN_OUT"
511 #grep -qE "^untrusted\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
512 ## 2) Query for a non-existing name should return NXDOMAIN, not SERVFAIL
513 #run dig +dnssec this.does.not.exist.untrusted.test
514 #grep -qF "status: NXDOMAIN" "$RUN_OUT"
516 systemctl stop resmontest.service