2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # vi: ts=4 sw=4 tw=0 et:
14 # shellcheck source=test/units/util.sh
15 .
"$(dirname "$0")"/util.sh
17 # We need at least Knot 3.0 which support (among others) the ds-push directive
18 if ! knotc
-c /usr
/lib
/systemd
/tests
/testdata
/knot-data
/knot.conf conf-check
; then
19 echo "This test requires at least Knot 3.0. skipping..." |
tee --append /skipped
26 "$@" |
& tee "$RUN_OUT"
30 # Since [0] delv no longer loads /etc/(bind/)bind.keys by default, so we
31 # have to do that explicitly for each invocation
32 run delv
-a /etc
/bind.keys
"$@"
36 sysctl
-w net.ipv6.conf.all.disable_ipv6
=1
40 sysctl
-w net.ipv6.conf.all.disable_ipv6
=0
41 networkctl reconfigure dns0
42 /usr
/lib
/systemd
/systemd-networkd-wait-online
--ipv4 --ipv6 --interface=dns0
:routable
--timeout=30
51 # Wait until the first mention of the specified log message is
52 # displayed. We turn off pipefail for this, since we don't care about the
53 # lhs of this pipe expression, we only care about the rhs' result to be
55 timeout
-v 30s journalctl
-u resolvectl-monitor.service
--since "$since" -f --full |
grep -m1 "$match"
59 systemctl stop systemd-resolved.service
60 (! systemctl is-failed systemd-resolved.service
)
61 # Reset the restart counter since we call this method a bunch of times
62 # and can occasionally hit the default rate limit
63 systemctl reset-failed systemd-resolved.service
64 systemctl start systemd-resolved.service
65 systemctl service-log-level systemd-resolved.service debug
68 # Test for resolvectl, resolvconf
69 systemctl unmask systemd-resolved.service
70 systemctl
enable --now systemd-resolved.service
71 systemctl service-log-level systemd-resolved.service debug
72 ip link add hoge
type dummy
73 ip link add hoge.foo
type dummy
74 resolvectl dns hoge
10.0.0.1 10.0.0.2
75 resolvectl dns hoge.foo
10.0.0.3 10.0.0.4
76 assert_in
'10.0.0.1 10.0.0.2' "$(resolvectl dns hoge)"
77 assert_in
'10.0.0.3 10.0.0.4' "$(resolvectl dns hoge.foo)"
78 resolvectl dns hoge
10.0.1.1 10.0.1.2
79 resolvectl dns hoge.foo
10.0.1.3 10.0.1.4
80 assert_in
'10.0.1.1 10.0.1.2' "$(resolvectl dns hoge)"
81 assert_in
'10.0.1.3 10.0.1.4' "$(resolvectl dns hoge.foo)"
82 if ! RESOLVCONF
=$
(command -v resolvconf
2>/dev
/null
); then
83 TMPDIR
=$
(mktemp
-d -p /tmp resolvconf-tests.XXXXXX
)
84 RESOLVCONF
="$TMPDIR"/resolvconf
85 ln -s "$(command -v resolvectl 2>/dev/null)" "$RESOLVCONF"
87 echo nameserver
10.0.2.1 10.0.2.2 |
"$RESOLVCONF" -a hoge
88 echo nameserver
10.0.2.3 10.0.2.4 |
"$RESOLVCONF" -a hoge.foo
89 assert_in
'10.0.2.1 10.0.2.2' "$(resolvectl dns hoge)"
90 assert_in
'10.0.2.3 10.0.2.4' "$(resolvectl dns hoge.foo)"
91 echo nameserver
10.0.3.1 10.0.3.2 |
"$RESOLVCONF" -a hoge.inet.ipsec
.192.168.35
92 echo nameserver
10.0.3.3 10.0.3.4 |
"$RESOLVCONF" -a hoge.foo.dhcp
93 assert_in
'10.0.3.1 10.0.3.2' "$(resolvectl dns hoge)"
94 assert_in
'10.0.3.3 10.0.3.4' "$(resolvectl dns hoge.foo)"
96 # Tests for _localdnsstub and _localdnsproxy
97 assert_in
'127.0.0.53' "$(resolvectl query _localdnsstub)"
98 assert_in
'_localdnsstub' "$(resolvectl query 127.0.0.53)"
99 assert_in
'127.0.0.54' "$(resolvectl query _localdnsproxy)"
100 assert_in
'_localdnsproxy' "$(resolvectl query 127.0.0.54)"
102 assert_in
'127.0.0.53' "$(dig @127.0.0.53 _localdnsstub)"
103 assert_in
'_localdnsstub' "$(dig @127.0.0.53 -x 127.0.0.53)"
104 assert_in
'127.0.0.54' "$(dig @127.0.0.53 _localdnsproxy)"
105 assert_in
'_localdnsproxy' "$(dig @127.0.0.53 -x 127.0.0.54)"
107 # Tests for mDNS and LLMNR settings
108 mkdir
-p /run
/systemd
/resolved.conf.d
111 echo "MulticastDNS=no"
113 } >/run
/systemd
/resolved.conf.d
/mdns-llmnr.conf
115 # make sure networkd is not running.
116 systemctl stop systemd-networkd.service
117 assert_in
'no' "$(resolvectl mdns hoge)"
118 assert_in
'no' "$(resolvectl llmnr hoge)"
119 # Tests that reloading works
122 echo "MulticastDNS=yes"
124 } >/run
/systemd
/resolved.conf.d
/mdns-llmnr.conf
125 systemctl reload systemd-resolved.service
126 # defaults to yes (both the global and per-link settings are yes)
127 assert_in
'yes' "$(resolvectl mdns hoge)"
128 assert_in
'yes' "$(resolvectl llmnr hoge)"
129 # set per-link setting
130 resolvectl mdns hoge
yes
131 resolvectl llmnr hoge
yes
132 assert_in
'yes' "$(resolvectl mdns hoge)"
133 assert_in
'yes' "$(resolvectl llmnr hoge)"
134 resolvectl mdns hoge resolve
135 resolvectl llmnr hoge resolve
136 assert_in
'resolve' "$(resolvectl mdns hoge)"
137 assert_in
'resolve' "$(resolvectl llmnr hoge)"
138 resolvectl mdns hoge no
139 resolvectl llmnr hoge no
140 assert_in
'no' "$(resolvectl mdns hoge)"
141 assert_in
'no' "$(resolvectl llmnr hoge)"
142 # downgrade global setting to resolve
145 echo "MulticastDNS=resolve"
147 } >/run
/systemd
/resolved.conf.d
/mdns-llmnr.conf
148 systemctl reload systemd-resolved.service
149 # set per-link setting
150 resolvectl mdns hoge
yes
151 resolvectl llmnr hoge
yes
152 assert_in
'resolve' "$(resolvectl mdns hoge)"
153 assert_in
'resolve' "$(resolvectl llmnr hoge)"
154 resolvectl mdns hoge resolve
155 resolvectl llmnr hoge resolve
156 assert_in
'resolve' "$(resolvectl mdns hoge)"
157 assert_in
'resolve' "$(resolvectl llmnr hoge)"
158 resolvectl mdns hoge no
159 resolvectl llmnr hoge no
160 assert_in
'no' "$(resolvectl mdns hoge)"
161 assert_in
'no' "$(resolvectl llmnr hoge)"
162 # downgrade global setting to no
165 echo "MulticastDNS=no"
167 } >/run
/systemd
/resolved.conf.d
/mdns-llmnr.conf
168 systemctl reload systemd-resolved.service
169 # set per-link setting
170 resolvectl mdns hoge
yes
171 resolvectl llmnr hoge
yes
172 assert_in
'no' "$(resolvectl mdns hoge)"
173 assert_in
'no' "$(resolvectl llmnr hoge)"
174 resolvectl mdns hoge resolve
175 resolvectl llmnr hoge resolve
176 assert_in
'no' "$(resolvectl mdns hoge)"
177 assert_in
'no' "$(resolvectl llmnr hoge)"
178 resolvectl mdns hoge no
179 resolvectl llmnr hoge no
180 assert_in
'no' "$(resolvectl mdns hoge)"
181 assert_in
'no' "$(resolvectl llmnr hoge)"
184 rm -f /run
/systemd
/resolved.conf.d
/mdns-llmnr.conf
190 hostnamectl hostname ns1.unsigned.
test
191 cat >>/etc
/hosts
<<EOF
192 10.0.0.1 ns1.unsigned.test
193 fd00:dead:beef:cafe::1 ns1.unsigned.test
195 127.128.0.5 localhost5 localhost5.localdomain localhost5.localdomain4 localhost.localdomain5 localhost5.localdomain5
198 mkdir
-p /run
/systemd
/network
199 cat >/run
/systemd
/network
/10-dns0.netdev
<<EOF
204 cat >/run
/systemd
/network
/10-dns0.network
<<EOF
211 Address=fd00:dead:beef:cafe::1/64
212 DNSSEC=allow-downgrade
214 DNS=fd00:dead:beef:cafe::1
216 cat >/run
/systemd
/network
/10-dns1.netdev
<<EOF
221 cat >/run
/systemd
/network
/10-dns1.network
<<EOF
230 systemctl edit
--stdin --full --runtime --force "resolved-dummy-server.service" <<EOF
233 Environment=SYSTEMD_LOG_LEVEL=debug
234 ExecStart=/usr/lib/systemd/tests/unit-tests/manual/test-resolved-dummy-server 10.99.0.1:53
239 "fd00:dead:beef:cafe::1"
242 mkdir
-p /run
/systemd
/resolved.conf.d
246 echo "DNSSEC=allow-downgrade"
247 echo "DNSOverTLS=opportunistic"
248 } >/run
/systemd
/resolved.conf.d
/test.conf
249 ln -svf /run
/systemd
/resolve
/stub-resolv.conf
/etc
/resolv.conf
250 # Override the default NTA list, which turns off DNSSEC validation for (among
251 # others) the test. domain
252 mkdir
-p "/etc/dnssec-trust-anchors.d/"
253 echo local >/etc
/dnssec-trust-anchors.d
/local.negative
255 # Copy over our knot configuration
256 mkdir
-p /var
/lib
/knot
/zones
/ /etc
/knot
/
257 cp -rfv /usr
/lib
/systemd
/tests
/testdata
/knot-data
/zones
/* /var
/lib
/knot
/zones
/
258 cp -fv /usr
/lib
/systemd
/tests
/testdata
/knot-data
/knot.conf
/etc
/knot
/knot.conf
259 chgrp
-R knot
/etc
/knot
/ /var
/lib
/knot
/
260 chmod -R ug
+rwX
/var
/lib
/knot
/
261 chmod -R g
+r
/etc
/knot
/
264 keymgr . generate algorithm
=ECDSAP256SHA256 ksk
=yes zsk
=yes
265 # Create a trust anchor for resolved with our root zone
266 keymgr . ds |
sed 's/ DS/ IN DS/g' >/etc
/dnssec-trust-anchors.d
/root.positive
267 # Create a bind-compatible trust anchor (for delv)
268 # Note: the trust-anchors directive is relatively new, so use the original
269 # managed-keys one until it's widespread enough
271 echo 'managed-keys {'
272 keymgr . dnskey |
sed -r 's/^\. DNSKEY ([0-9]+ [0-9]+ [0-9]+) (.+)$/. static-key \1 "\2";/g'
275 # Create an /etc/bind/bind.keys symlink, which is used by delv on Ubuntu
277 ln -svf /etc
/bind.keys
/etc
/bind
/bind.keys
280 systemctl unmask systemd-networkd
281 systemctl restart systemd-networkd
282 /usr
/lib
/systemd
/systemd-networkd-wait-online
--interface=dns1
:routable
--timeout=60
283 systemctl reload systemd-resolved
284 systemctl start resolved-dummy-server
286 # Create knot's runtime dir, since from certain version it's provided only by
287 # the package and not created by tmpfiles/systemd
288 if [[ ! -d /run
/knot
]]; then
290 chown
-R knot
:knot
/run
/knot
293 # Wait a bit for the keys to propagate
296 systemctl status resolved-dummy-server
299 resolvectl log-level debug
301 # Start monitoring queries
302 systemd-run
-u resolvectl-monitor.service
-p Type
=notify resolvectl monitor
303 systemd-run
-u resolvectl-monitor-json.service
-p Type
=notify resolvectl monitor
--json=short
305 # FIXME: knot, unfortunately, incorrectly complains about missing zone files for zones
306 # that are forwarded using the `dnsproxy` module. Until the issue is resolved,
307 # let's fall back to pre-processing the `zone-check` output a bit before checking it
309 # See: https://gitlab.nic.cz/knot/knot-dns/-/issues/913
310 run knotc zone-check ||
:
311 sed -i '/forwarded.test./d' "$RUN_OUT"
312 [[ ! -s "$RUN_OUT" ]]
313 # We need to manually propagate the DS records of onlinesign.test. to the parent
314 # zone, since they're generated online
315 knotc zone-begin
test.
316 if knotc zone-get
test. onlinesign.
test. ds |
grep .
; then
317 # Drop any old DS records, if present (e.g. on test re-run)
318 knotc zone-unset
test. onlinesign.
test. ds
320 # Propagate the new DS records
321 while read -ra line
; do
322 knotc zone-set
test.
"${line[0]}" 600 "${line[@]:1}"
323 done < <(keymgr onlinesign.
test. ds
)
324 knotc zone-commit
test.
330 : "--- nss-resolve/nss-myhostname tests"
332 TIMESTAMP
=$
(date '+%F %T')
333 # Issue: https://github.com/systemd/systemd/issues/23951
335 run getent
-s resolve ahosts ns1.unsigned.
test
336 grep -qE "^fd00:dead:beef:cafe::1\s+STREAM\s+ns1\.unsigned\.test" "$RUN_OUT"
337 monitor_check_rr
"$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"
339 # Issue: https://github.com/systemd/systemd/issues/23951
341 run getent
-s resolve ahosts ns1.unsigned.
test
342 grep -qE "^10\.0\.0\.1\s+STREAM\s+ns1\.unsigned\.test" "$RUN_OUT"
343 (! grep -qE "fd00:dead:beef:cafe::1" "$RUN_OUT")
344 monitor_check_rr
"$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
347 # Issue: https://github.com/systemd/systemd/issues/18812
348 # PR: https://github.com/systemd/systemd/pull/18896
349 # Follow-up issue: https://github.com/systemd/systemd/issues/23152
350 # Follow-up PR: https://github.com/systemd/systemd/pull/23161
352 run getent
-s resolve ahosts localhost
353 grep -qE "^::1\s+STREAM\s+localhost" "$RUN_OUT"
354 run getent
-s myhostname ahosts localhost
355 grep -qE "^::1\s+STREAM\s+localhost" "$RUN_OUT"
358 run getent
-s resolve ahosts localhost
359 grep -qE "^127\.0\.0\.1\s+STREAM\s+localhost" "$RUN_OUT"
360 (! grep -qE "::1" "$RUN_OUT")
361 run getent
-s myhostname ahosts localhost
362 grep -qE "^127\.0\.0\.1\s+STREAM\s+localhost" "$RUN_OUT"
365 # Issue: https://github.com/systemd/systemd/issues/25088
366 run getent
-s resolve hosts
127.128.0.5
367 grep -qEx '127\.128\.0\.5\s+localhost5(\s+localhost5?\.localdomain[45]?){4}' "$RUN_OUT"
368 [ "$(wc -l <"$RUN_OUT")" -eq 1 ]
370 # Issue: https://github.com/systemd/systemd/issues/20158
371 run
dig +noall
+answer
+additional localhost5.
372 grep -qEx 'localhost5\.\s+0\s+IN\s+A\s+127\.128\.0\.5' "$RUN_OUT"
373 [ "$(wc -l <"$RUN_OUT")" -eq 1 ]
374 run
dig +noall
+answer
+additional localhost5.localdomain4.
375 grep -qEx 'localhost5\.localdomain4\.\s+0\s+IN\s+CNAME\s+localhost5\.' "$RUN_OUT"
376 grep -qEx 'localhost5\.\s+0\s+IN\s+A\s+127\.128\.0\.5' "$RUN_OUT"
377 [ "$(wc -l <"$RUN_OUT")" -eq 2 ]
379 : "--- Basic resolved tests ---"
380 # Issue: https://github.com/systemd/systemd/issues/22229
381 # PR: https://github.com/systemd/systemd/pull/22231
384 "255.255.255.255.in-addr.arpa"
385 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
390 for name
in "${FILTERED_NAMES[@]}"; do
392 grep -qF "NXDOMAIN" "$RUN_OUT"
396 # Issue: https://github.com/systemd/systemd/issues/22401
397 # PR: https://github.com/systemd/systemd/pull/22414
398 run
dig +noall
+authority
+comments SRV .
399 grep -qF "status: NOERROR" "$RUN_OUT"
400 grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"
402 run resolvectl query
-t SVCB svcb.
test
403 grep -qF 'alpn="dot"' "$RUN_OUT"
404 grep -qF "ipv4hint=10.0.0.1" "$RUN_OUT"
406 run resolvectl query
-t HTTPS https.
test
407 grep -qF 'alpn="h2,h3"' "$RUN_OUT"
409 : "--- ZONE: unsigned.test. ---"
410 run
dig @ns1.unsigned.
test +short unsigned.
test A unsigned.
test AAAA
411 grep -qF "10.0.0.101" "$RUN_OUT"
412 grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
413 run resolvectl query unsigned.
test
414 grep -qF "10.0.0.10" "$RUN_OUT"
415 grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
416 grep -qF "authenticated: no" "$RUN_OUT"
417 run
dig @ns1.unsigned.
test +short MX unsigned.
test
418 grep -qF "15 mail.unsigned.test." "$RUN_OUT"
419 run resolvectl query
--legend=no
-t MX unsigned.
test
420 grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
423 : "--- ZONE: signed.test (static DNSSEC) ---"
424 # Check the trust chain (with and without systemd-resolved in between
425 # Issue: https://github.com/systemd/systemd/issues/22002
426 # PR: https://github.com/systemd/systemd/pull/23289
427 run_delv @ns1.unsigned.
test signed.
test
428 grep -qF "; fully validated" "$RUN_OUT"
430 grep -qF "; fully validated" "$RUN_OUT"
432 for addr
in "${DNS_ADDRESSES[@]}"; do
433 run_delv
"@$addr" -t A
mail.signed.
test
434 grep -qF "; fully validated" "$RUN_OUT"
435 run_delv
"@$addr" -t AAAA
mail.signed.
test
436 grep -qF "; fully validated" "$RUN_OUT"
438 run resolvectl query
mail.signed.
test
439 grep -qF "10.0.0.11" "$RUN_OUT"
440 grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"
441 grep -qF "authenticated: yes" "$RUN_OUT"
443 run
dig +short signed.
test
444 grep -qF "10.0.0.10" "$RUN_OUT"
445 run resolvectl query signed.
test
446 grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"
447 grep -qF "authenticated: yes" "$RUN_OUT"
448 run
dig @ns1.unsigned.
test +short MX signed.
test
449 grep -qF "10 mail.signed.test." "$RUN_OUT"
450 run resolvectl query
--legend=no
-t MX signed.
test
451 grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"
452 # Check a non-existent domain
453 run
dig +dnssec this.does.not.exist.signed.
test
454 grep -qF "status: NXDOMAIN" "$RUN_OUT"
455 # Check a wildcard record
456 run resolvectl query
-t TXT this.should.be.authenticated.wild.signed.
test
457 grep -qF 'this.should.be.authenticated.wild.signed.test IN TXT "this is a wildcard"' "$RUN_OUT"
458 grep -qF "authenticated: yes" "$RUN_OUT"
460 run resolvectl service _mysvc._tcp signed.
test
461 grep -qF "myservice.signed.test:1234" "$RUN_OUT"
462 grep -qF "10.0.0.20" "$RUN_OUT"
463 grep -qF "fd00:dead:beef:cafe::17" "$RUN_OUT"
464 grep -qF "authenticated: yes" "$RUN_OUT"
466 # Test service resolve over Varlink
467 run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveService
'{"name":"","type":"_mysvc._tcp","domain":"signed.test"}'
468 grep -qF '"services":[{"priority":10,"weight":5,"port":1234,"hostname":"myservice.signed.test","canonicalName":"myservice.signed.test","addresses":[{"ifindex":' "$RUN_OUT"
469 grep -qF '"family":10,"address":[253,0,222,173,190,239,202,254,0,0,0,0,0,0,0,23]' "$RUN_OUT"
470 grep -qF '"family":2,"address":[10,0,0,20]' "$RUN_OUT"
471 grep -qF '}]}],"txt":["This is TXT for myservice"],"canonical":{"name":null,"type":"_mysvc._tcp","domain":"signed.test"},"flags":' "$RUN_OUT"
474 run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveService
'{"type":"_mysvc._tcp","domain":"signed.test"}'
475 # without txt (SD_RESOLVE_NO_TXT)
476 run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveService
'{"type":"_mysvc._tcp","domain":"signed.test","flags":64}'
477 (! grep -qF '"txt"' "$RUN_OUT")
478 # without address (SD_RESOLVE_NO_ADDRESS)
479 run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveService
'{"type":"_mysvc._tcp","domain":"signed.test","flags":128}'
480 (! grep -qF '"addresses"' "$RUN_OUT")
481 # without txt and address
482 run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveService
'{"type":"_mysvc._tcp","domain":"signed.test","flags":192}'
483 (! grep -qF '"txt"' "$RUN_OUT")
484 (! grep -qF '"addresses"' "$RUN_OUT")
486 (! run resolvectl service _invalidsvc._udp signed.
test)
487 grep -qE "invalidservice\.signed\.test' not found" "$RUN_OUT"
488 run resolvectl service _untrustedsvc._udp signed.
test
489 grep -qF "myservice.untrusted.test:1111" "$RUN_OUT"
490 grep -qF "10.0.0.123" "$RUN_OUT"
491 grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT"
492 grep -qF "authenticated: yes" "$RUN_OUT"
493 # Check OPENPGPKEY support
494 run_delv
-t OPENPGPKEY
5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.
test
495 grep -qF "; fully validated" "$RUN_OUT"
496 run resolvectl openpgp mr.smith@signed.
test
497 grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT"
498 grep -qF "authenticated: yes" "$RUN_OUT"
499 # Check zone transfers (AXFR/IXFR)
500 # Note: since resolved doesn't support zone transfers, let's just make sure it
501 # simply refuses such requests without choking on them
502 # See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804
503 run
dig @ns1.unsigned.
test AXFR signed.
test
504 grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
505 run
dig AXFR signed.
test
506 grep -qF "; Transfer failed" "$RUN_OUT"
507 run
dig @ns1.unsigned.
test IXFR
=43 signed.
test
508 grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
509 run
dig IXFR
=43 signed.
test
510 grep -qF "; Transfer failed" "$RUN_OUT"
512 # DNSSEC validation with multiple records of the same type for the same name
513 # Issue: https://github.com/systemd/systemd/issues/22002
514 # PR: https://github.com/systemd/systemd/pull/23289
516 local domain
="${1:?}"
517 local record
="${2:?}"
518 local message
="${3:?}"
521 for addr
in "${DNS_ADDRESSES[@]}"; do
522 run_delv
"@$addr" -t "$record" "$domain"
523 grep -qF "$message" "$RUN_OUT"
526 run_delv
-t "$record" "$domain"
527 grep -qF "$message" "$RUN_OUT"
529 run resolvectl query
"$domain"
530 grep -qF "authenticated: yes" "$RUN_OUT"
533 check_domain
"dupe.signed.test" "A" "; fully validated"
534 check_domain
"dupe.signed.test" "AAAA" "; negative response, fully validated"
535 check_domain
"dupe-ipv6.signed.test" "AAAA" "; fully validated"
536 check_domain
"dupe-ipv6.signed.test" "A" "; negative response, fully validated"
537 check_domain
"dupe-mixed.signed.test" "A" "; fully validated"
538 check_domain
"dupe-mixed.signed.test" "AAAA" "; fully validated"
540 # Test resolution of CNAME chains
541 TIMESTAMP
=$
(date '+%F %T')
542 run resolvectl query
-t A cname-chain.signed.
test
543 grep -qF "follow14.final.signed.test IN A 10.0.0.14" "$RUN_OUT"
544 grep -qF "authenticated: yes" "$RUN_OUT"
546 monitor_check_rr
"$TIMESTAMP" "follow10.so.close.signed.test IN CNAME follow11.yet.so.far.signed.test"
547 monitor_check_rr
"$TIMESTAMP" "follow11.yet.so.far.signed.test IN CNAME follow12.getting.hot.signed.test"
548 monitor_check_rr
"$TIMESTAMP" "follow12.getting.hot.signed.test IN CNAME follow13.almost.final.signed.test"
549 monitor_check_rr
"$TIMESTAMP" "follow13.almost.final.signed.test IN CNAME follow14.final.signed.test"
550 monitor_check_rr
"$TIMESTAMP" "follow14.final.signed.test IN A 10.0.0.14"
552 # Non-existing RR + CNAME chain
553 #run dig +dnssec AAAA cname-chain.signed.test
554 #grep -qF "status: NOERROR" "$RUN_OUT"
555 #grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
558 : "--- ZONE: onlinesign.test (dynamic DNSSEC) ---"
559 # Check the trust chain (with and without systemd-resolved in between
560 # Issue: https://github.com/systemd/systemd/issues/22002
561 # PR: https://github.com/systemd/systemd/pull/23289
562 run_delv @ns1.unsigned.
test sub.onlinesign.
test
563 grep -qF "; fully validated" "$RUN_OUT"
564 run_delv sub.onlinesign.
test
565 grep -qF "; fully validated" "$RUN_OUT"
567 run
dig +short sub.onlinesign.
test
568 grep -qF "10.0.0.133" "$RUN_OUT"
569 run resolvectl query sub.onlinesign.
test
570 grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"
571 grep -qF "authenticated: yes" "$RUN_OUT"
572 run
dig @ns1.unsigned.
test +short TXT onlinesign.
test
573 grep -qF '"hello from onlinesign"' "$RUN_OUT"
574 run resolvectl query
--legend=no
-t TXT onlinesign.
test
575 grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"
577 for addr
in "${DNS_ADDRESSES[@]}"; do
578 run_delv
"@$addr" -t A dual.onlinesign.
test
579 grep -qF "10.0.0.135" "$RUN_OUT"
580 run_delv
"@$addr" -t AAAA dual.onlinesign.
test
581 grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
582 run_delv
"@$addr" -t ANY ipv6.onlinesign.
test
583 grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
585 run resolvectl query dual.onlinesign.
test
586 grep -qF "10.0.0.135" "$RUN_OUT"
587 grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
588 grep -qF "authenticated: yes" "$RUN_OUT"
589 run resolvectl query ipv6.onlinesign.
test
590 grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
591 grep -qF "authenticated: yes" "$RUN_OUT"
593 # Check a non-existent domain
594 # Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the
595 # different response than with "standard" DNSSEC
596 run
dig +dnssec this.does.not.exist.onlinesign.
test
597 grep -qF "status: NOERROR" "$RUN_OUT"
598 grep -qF "NSEC \\000.this.does.not.exist.onlinesign.test." "$RUN_OUT"
599 # Check a wildcard record
600 run resolvectl query
-t TXT this.should.be.authenticated.wild.onlinesign.
test
601 grep -qF 'this.should.be.authenticated.wild.onlinesign.test IN TXT "this is an onlinesign wildcard"' "$RUN_OUT"
602 grep -qF "authenticated: yes" "$RUN_OUT"
604 # Resolve via dbus method
605 TIMESTAMP
=$
(date '+%F %T')
606 run busctl call org.freedesktop.resolve1
/org
/freedesktop
/resolve1 org.freedesktop.resolve1.Manager ResolveHostname
'isit' 0 secondsub.onlinesign.
test 0 0
607 grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
608 monitor_check_rr
"$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"
611 : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
612 # Issue: https://github.com/systemd/systemd/issues/23955
614 resolvectl flush-caches
615 #run dig +short untrusted.test A untrusted.test AAAA
616 #grep -qF "10.0.0.121" "$RUN_OUT"
617 #grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
618 run resolvectl query untrusted.
test
619 grep -qF "untrusted.test:" "$RUN_OUT"
620 grep -qF "10.0.0.121" "$RUN_OUT"
621 grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
622 grep -qF "authenticated: no" "$RUN_OUT"
623 run resolvectl service _mysvc._tcp untrusted.
test
624 grep -qF "myservice.untrusted.test:1234" "$RUN_OUT"
625 grep -qF "10.0.0.123" "$RUN_OUT"
626 grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT"
628 # Issue: https://github.com/systemd/systemd/issues/19472
629 # 1) Query for a non-existing RR should return NOERROR + NSEC (?), not NXDOMAIN
630 # FIXME: re-enable once the issue is resolved
631 #run dig +dnssec AAAA untrusted.test
632 #grep -qF "status: NOERROR" "$RUN_OUT"
633 #grep -qE "^untrusted\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
634 ## 2) Query for a non-existing name should return NXDOMAIN, not SERVFAIL
635 #run dig +dnssec this.does.not.exist.untrusted.test
636 #grep -qF "status: NXDOMAIN" "$RUN_OUT"
638 : "--- ZONE: forwarded.test (queries forwarded to our dummy test server) ---"
639 JOURNAL_CURSOR
="$(mktemp)"
640 journalctl
-n0 -q --cursor-file="$JOURNAL_CURSOR"
642 # See "test-resolved-dummy-server.c" for the server part
643 (! run resolvectl query nope.forwarded.
test)
644 grep -qF "nope.forwarded.test" "$RUN_OUT"
645 grep -qF "not found" "$RUN_OUT"
647 # SERVFAIL + EDE code 6: DNSSEC Bogus
648 (! run resolvectl query edns-bogus-dnssec.forwarded.
test)
649 grep -qE "^edns-bogus-dnssec.forwarded.test:.+: upstream-failure \(DNSSEC Bogus\)" "$RUN_OUT"
650 # Same thing, but over Varlink
651 (! run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveHostname
'{"name" : "edns-bogus-dnssec.forwarded.test"}')
652 grep -qF "io.systemd.Resolve.DNSSECValidationFailed" "$RUN_OUT"
653 grep -qF '{"result":"upstream-failure","extendedDNSErrorCode":6}' "$RUN_OUT"
655 journalctl
-u systemd-resolved.service
--cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(DNSSEC Bogus\). Lookup failed."
657 # SERVFAIL + EDE code 16: Censored + extra text
658 (! run resolvectl query edns-extra-text.forwarded.
test)
659 grep -qE "^edns-extra-text.forwarded.test.+: SERVFAIL \(Censored: Nothing to see here!\)" "$RUN_OUT"
660 (! run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveHostname
'{"name" : "edns-extra-text.forwarded.test"}')
661 grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT"
662 grep -qF '{"rcode":2,"extendedDNSErrorCode":16,"extendedDNSErrorMessage":"Nothing to see here!"}' "$RUN_OUT"
664 journalctl
-u systemd-resolved.service
--cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(Censored: Nothing to see here!\)"
666 # SERVFAIL + EDE code 0: Other + extra text
667 (! run resolvectl query edns-code-zero.forwarded.
test)
668 grep -qE "^edns-code-zero.forwarded.test:.+: SERVFAIL \(Other: 🐱\)" "$RUN_OUT"
669 (! run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveHostname
'{"name" : "edns-code-zero.forwarded.test"}')
670 grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT"
671 grep -qF '{"rcode":2,"extendedDNSErrorCode":0,"extendedDNSErrorMessage":"🐱"}' "$RUN_OUT"
673 journalctl
-u systemd-resolved.service
--cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(Other: 🐱\)"
675 # SERVFAIL + invalid EDE code
676 (! run resolvectl query edns-invalid-code.forwarded.
test)
677 grep -qE "^edns-invalid-code.forwarded.test:.+: SERVFAIL \([0-9]+\)" "$RUN_OUT"
678 (! run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveHostname
'{"name" : "edns-invalid-code.forwarded.test"}')
679 grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT"
680 grep -qE '{"rcode":2,"extendedDNSErrorCode":[0-9]+}' "$RUN_OUT"
682 journalctl
-u systemd-resolved.service
--cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(\d+\)"
684 # SERVFAIL + invalid EDE code + extra text
685 (! run resolvectl query edns-invalid-code-with-extra-text.forwarded.
test)
686 grep -qE '^edns-invalid-code-with-extra-text.forwarded.test:.+: SERVFAIL \([0-9]+: Hello \[#\]\$%~ World\)' "$RUN_OUT"
687 (! run varlinkctl call
/run
/systemd
/resolve
/io.systemd.Resolve io.systemd.Resolve.ResolveHostname
'{"name" : "edns-invalid-code-with-extra-text.forwarded.test"}')
688 grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT"
689 grep -qE '{"rcode":2,"extendedDNSErrorCode":[0-9]+,"extendedDNSErrorMessage":"Hello \[#\]\$%~ World"}' "$RUN_OUT"
691 journalctl
-u systemd-resolved.service
--cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(\d+: Hello \[\#\]\\$%~ World\)"
693 ### Test resolvectl show-cache
694 run resolvectl show-cache
695 run resolvectl show-cache
--json=short
696 run resolvectl show-cache
--json=pretty
698 # Issue: https://github.com/systemd/systemd/issues/29580 (part #1)
699 dig @
127.0.0.54 signed.
test
701 systemctl stop resolvectl-monitor.service
702 systemctl stop resolvectl-monitor-json.service
704 # Issue: https://github.com/systemd/systemd/issues/29580 (part #2)
706 # Check for any warnings regarding malformed messages
707 (! journalctl
-u resolvectl-monitor.service
-u reseolvectl-monitor-json.service
-p warning
--grep malformed
)
708 # Verify that all queries recorded by `resolvectl monitor --json` produced a valid JSON
709 # with expected fields
710 journalctl
-p info
-o cat _SYSTEMD_UNIT
="resolvectl-monitor-json.service" |
while read -r line
; do
711 # Check that both "question" and "answer" fields are arrays
713 # The expression is slightly more complicated due to the fact that the "answer" field is optional,
714 # so we need to select it only if it's present, otherwise the type == "array" check would fail
715 echo "$line" | jq
-e '[. | .question, (select(has("answer")) | .answer) | type == "array"] | all'
718 # Test serve stale feature and NFTSet= if nftables is installed
719 if command -v nft
>/dev
/null
; then
720 ### Test without serve stale feature ###
721 NFT_FILTER_NAME
=dns_port_filter
723 drop_dns_outbound_traffic
() {
724 nft add table inet
$NFT_FILTER_NAME
725 nft add chain inet
$NFT_FILTER_NAME output \
{ type filter hook output priority
0 \
; \
}
726 nft add rule inet
$NFT_FILTER_NAME output ip daddr
10.0.0.1 udp dport
53 drop
727 nft add rule inet
$NFT_FILTER_NAME output ip daddr
10.0.0.1 tcp dport
53 drop
728 nft add rule inet
$NFT_FILTER_NAME output ip6 daddr fd00
:dead
:beef
:cafe
::1 udp dport
53 drop
729 nft add rule inet
$NFT_FILTER_NAME output ip6 daddr fd00
:dead
:beef
:cafe
::1 tcp dport
53 drop
732 run
dig stale1.unsigned.
test -t A
733 grep -qE "NOERROR" "$RUN_OUT"
735 drop_dns_outbound_traffic
737 # Make sure we give sd-resolved enough time to timeout (5-10s) before giving up
738 # See: https://github.com/systemd/systemd/issues/31639#issuecomment-2009152617
739 run
dig +tries
=1 +timeout
=15 stale1.unsigned.
test -t A
741 grep -qE "no servers could be reached" "$RUN_OUT"
744 ### Test TIMEOUT with serve stale feature ###
746 mkdir
-p /run
/systemd
/resolved.conf.d
749 echo "StaleRetentionSec=1d"
750 } >/run
/systemd
/resolved.conf.d
/test.conf
751 ln -svf /run
/systemd
/resolve
/stub-resolv.conf
/etc
/resolv.conf
752 systemctl reload systemd-resolved.service
754 run
dig stale1.unsigned.
test -t A
755 grep -qE "NOERROR" "$RUN_OUT"
757 drop_dns_outbound_traffic
758 # Make sure we give sd-resolved enough time to timeout (5-10s) and serve the stale data (see above)
759 run
dig +tries
=1 +timeout
=15 stale1.unsigned.
test -t A
760 grep -qE "NOERROR" "$RUN_OUT"
761 grep -qE "10.0.0.112" "$RUN_OUT"
765 ### Test NXDOMAIN with serve stale feature ###
766 # NXDOMAIN response should replace the cache with NXDOMAIN response
767 run
dig stale1.unsigned.
test -t A
768 grep -qE "NOERROR" "$RUN_OUT"
769 # Delete stale1 record from zone
770 knotc zone-begin unsigned.
test
771 knotc zone-unset unsigned.
test stale1 A
772 knotc zone-commit unsigned.
test
775 run
dig stale1.unsigned.
test -t A
776 grep -qE "NXDOMAIN" "$RUN_OUT"
781 nft add table inet sd_test
782 nft add
set inet sd_test c
'{ type cgroupsv2; }'
783 nft add
set inet sd_test u
'{ typeof meta skuid; }'
784 nft add
set inet sd_test g
'{ typeof meta skgid; }'
787 systemd-run
--unit test-nft.service
--service-type=exec -p DynamicUser
=yes \
788 -p 'NFTSet=cgroup:inet:sd_test:c user:inet:sd_test:u group:inet:sd_test:g' sleep 10000
789 run nft list
set inet sd_test c
790 grep -qF "test-nft.service" "$RUN_OUT"
791 uid
=$
(getent passwd test-nft | cut
-d':' -f3)
792 run nft list
set inet sd_test u
793 grep -qF "$uid" "$RUN_OUT"
794 gid
=$
(getent passwd test-nft | cut
-d':' -f4)
795 run nft list
set inet sd_test g
796 grep -qF "$gid" "$RUN_OUT"
797 systemctl stop test-nft.service
800 run systemd-run
--scope -u test-nft.scope
-p 'NFTSet=cgroup:inet:sd_test:c' nft list
set inet sd_test c
801 grep -qF "test-nft.scope" "$RUN_OUT"
803 mkdir
-p /run
/systemd
/system
807 echo "ListenStream=12345"
808 echo "BindToDevice=lo"
809 echo "NFTSet=cgroup:inet:sd_test:c"
810 } >/run
/systemd
/system
/test-nft.socket
813 echo "ExecStart=/usr/bin/sleep 10000"
814 } >/run
/systemd
/system
/test-nft.service
815 systemctl daemon-reload
816 systemctl start test-nft.socket
817 systemctl status test-nft.socket
818 run nft list
set inet sd_test c
819 grep -qF "test-nft.socket" "$RUN_OUT"
820 systemctl stop test-nft.socket
821 rm -f /run
/systemd
/system
/test-nft.
{socket
,service
}
824 mkdir
/run
/systemd
/system
/system.slice.d
827 echo "NFTSet=cgroup:inet:sd_test:c"
828 } >/run
/systemd
/system
/system.slice.d
/00-test-nft.conf
829 systemctl daemon-reload
830 run nft list
set inet sd_test c
831 grep -qF "system.slice" "$RUN_OUT"
832 rm -rf /run
/systemd
/system
/system.slice.d
836 echo "nftables is not installed. Skipped serve stale feature and NFTSet= tests."
839 ### Test resolvectl show-server-state ###
840 run resolvectl show-server-state
841 grep -qF "10.0.0.1" "$RUN_OUT"
842 grep -qF "Interface" "$RUN_OUT"
844 run resolvectl show-server-state
--json=short
845 grep -qF "10.0.0.1" "$RUN_OUT"
846 grep -qF "Interface" "$RUN_OUT"
848 run resolvectl show-server-state
--json=pretty
849 grep -qF "10.0.0.1" "$RUN_OUT"
850 grep -qF "Interface" "$RUN_OUT"
852 ### Test resolvectl statistics ###
853 run resolvectl statistics
854 grep -qF "Transactions" "$RUN_OUT"
855 grep -qF "Cache" "$RUN_OUT"
856 grep -qF "Failure Transactions" "$RUN_OUT"
857 grep -qF "DNSSEC Verdicts" "$RUN_OUT"
859 run resolvectl statistics
--json=short
860 grep -qF "transactions" "$RUN_OUT"
861 grep -qF "cache" "$RUN_OUT"
862 grep -qF "dnssec" "$RUN_OUT"
864 run resolvectl statistics
--json=pretty
865 grep -qF "transactions" "$RUN_OUT"
866 grep -qF "cache" "$RUN_OUT"
867 grep -qF "dnssec" "$RUN_OUT"
869 ### Test resolvectl reset-statistics ###
870 run resolvectl reset-statistics
872 run resolvectl reset-statistics
--json=pretty
874 run resolvectl reset-statistics
--json=short
876 test "$(resolvectl --json=short query -t AAAA localhost)" == '{"key":{"class":1,"type":28,"name":"localhost"},"address":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]}'
877 test "$(resolvectl --json=short query -t A localhost)" == '{"key":{"class":1,"type":1,"name":"localhost"},"address":[127,0,0,1]}'
879 # Test ResolveRecord RR resolving via Varlink
880 test "$(varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveRecord '{"name
":"localhost
","type":1}' --json=short)" == '{"rrs":[{"ifindex":1,"rr":{"key":{"class":1,"type":1,"name":"localhost"},"address":[127,0,0,1]},"raw":"CWxvY2FsaG9zdAAAAQABAAAAAAAEfwAAAQ=="}],"flags":786945}'
881 test "$(varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveRecord '{"name
":"localhost
","type":28}' --json=short)" == '{"rrs":[{"ifindex":1,"rr":{"key":{"class":1,"type":28,"name":"localhost"},"address":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"raw":"CWxvY2FsaG9zdAAAHAABAAAAAAAQAAAAAAAAAAAAAAAAAAAAAQ=="}],"flags":786945}'
883 # Ensure that reloading keeps the manually configured address
887 } >/run
/systemd
/resolved.conf.d
/reload.conf
888 resolvectl dns dns0
1.1.1.1
889 systemctl reload systemd-resolved.service
891 resolvectl dns dns0 |
grep -qF "1.1.1.1"
892 # For some reason piping this last command to grep fails with:
893 # 'resolvectl[1378]: Failed to print table: Broken pipe'
894 # so use an intermediate file in /tmp/
895 resolvectl
>/tmp
/output
896 grep -qF "DNS Servers: 8.8.8.8" /tmp
/output
898 # Check if resolved exits cleanly.