From 6aa57233e5981473efb4fdc4351d8f407b0b5384 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Fri, 8 Jul 2022 13:36:03 +0200
Subject: [PATCH] test: cover IPv6 in the resolved test suite
(cherry picked from commit 5c9111fe779b44745256279052786e9cc499e57a)
Related: #2138081
---
 test/knot-data/knot.conf                  |   3 +
 test/knot-data/zones/onlinesign.test.zone |  15 ++-
 test/knot-data/zones/root.zone            |   8 +-
 test/knot-data/zones/signed.test.zone     |  23 ++--
 test/knot-data/zones/test.zone            |  12 +-
 test/knot-data/zones/unsigned.test.zone   |  12 +-
 test/knot-data/zones/untrusted.test.zone  |  11 +-
 test/units/testsuite-75.sh                | 135 ++++++++++++++++++----
 8 files changed, 169 insertions(+), 50 deletions(-)
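--- a/test/knot-data/knot.conf
+++ b/test/knot-data/knot.conf
@@ -4,6 +4,7 @@ server:
     rundir: "/run/knot"
     user: knot:knot
     listen: 10.0.0.1@53
+    listen: fd00:dead:beef:cafe::1@53
 
 log:
     - target: syslog
@@ -15,11 +16,13 @@ database:
 acl:
     - id: update_acl
       address: 10.0.0.0/24
+      address: fd00:dead:beef:cafe::/64
       action: update
 
 remote:
     - id: parent_zone_server
       address: 10.0.0.1@53
+      address: fd00:dead:beef:cafe::1@53
 
 submission:
     - id: parent_zone_sbm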
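Review bot: `update_acl` remains a purely address-based rule after this change: the second hunk adds `address: fd00:dead:beef:cafe::/64` beside `10.0.0.0/24`, and no `key:` line appears before `action: update`, so any source in either prefix is allowed to send dynamic updates. That is presumably acceptable on the test-only dns0 link, but the rule should say so, since fixture configs tend to get copied. I would add a comment above the `- id: update_acl` line such as `# test-only: address-based update ACL without a TSIG key; do not reuse outside the isolated test network`.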
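--- a/test/knot-data/zones/onlinesign.test.zone
+++ b/test/knot-data/zones/onlinesign.test.zone
@@ -11,12 +11,17 @@ $ORIGIN onlinesign.test.
 )
 
 ; NS info
-                     NS ns1.unsigned.test.
+                     NS   ns1.unsigned.test.
 
-                     TXT "hello from onlinesign"
+                     TXT  "hello from onlinesign"
 
-*.wild               TXT "this is an onlinesign wildcard"
+*.wild               TXT  "this is an onlinesign wildcard"
 
 ; No A/AAAA record for the $ORIGIN
-sub                  A 10.0.0.133
-secondsub            A 10.0.0.134
+sub                  A    10.0.0.133
+secondsub            A    10.0.0.134
+
+dual                 A    10.0.0.135
+dual                 AAAA fd00:dead:beef:cafe::135
+
+ipv6                 AAAA fd00:dead:beef:cafe::136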
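--- a/test/knot-data/zones/root.zone
+++ b/test/knot-data/zones/root.zone
@@ -8,7 +8,9 @@ $TTL 300
     1D         ; minimum TTL
 )
 
-.                   NS ns1.unsigned.test
-ns1.unsigned.test   A  10.0.0.1
+.                   NS   ns1.unsigned.test
+; NS glue records
+ns1.unsigned.test   A    10.0.0.1
+ns1.unsigned.test   AAAA fd00:dead:beef:cafe::1
 
-test                NS ns1.unsigned.test
+test                NS   ns1.unsigned.test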
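--- a/test/knot-data/zones/signed.test.zone
+++ b/test/knot-data/zones/signed.test.zone
@@ -11,18 +11,27 @@ $ORIGIN signed.test.
 )
 
 ; NS info
-                      NS ns1.unsigned.test.
+                      NS    ns1.unsigned.test.
 
-*.wild                TXT "this is a wildcard"
+*.wild                TXT   "this is a wildcard"
 
-@                     MX 10 mail.signed.test.
+@                     MX    10 mail.signed.test.
 
-                      A 10.0.0.10
-mail                  A 10.0.0.11
+                      A     10.0.0.10
+mail                  A     10.0.0.11
+mail                  AAAA  fd00:dead:beef:cafe::11
 
 ; https://github.com/systemd/systemd/issues/22002
-dupe                  A 10.0.0.12
-dupe                  A 10.0.0.13
+dupe                  A     10.0.0.12
+dupe                  A     10.0.0.13
+dupe-ipv6             AAAA  fd00:dead:beef:cafe::12
+dupe-ipv6             AAAA  fd00:dead:beef:cafe::13
+dupe-mixed            A     10.0.0.15
+dupe-mixed            A     10.0.0.16
+dupe-mixed            A     10.0.0.17
+dupe-mixed            AAAA  fd00:dead:beef:cafe::15
+dupe-mixed            AAAA  fd00:dead:beef:cafe::16
+dupe-mixed            AAAA  fd00:dead:beef:cafe::17
 
 ; CNAME_REDIRECTS_MAX is 16, so let's test something close to that
 cname-chain           CNAME follow1.signed.test.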
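--- a/test/knot-data/zones/test.zone
+++ b/test/knot-data/zones/test.zone
@@ -11,9 +11,11 @@ $ORIGIN test.
 )
 
 ; NS info
-@                     NS ns1.unsigned
-ns1.signed            A  10.0.0.1
+@                     NS   ns1.unsigned
+; NS glue records
+ns1.unsigned          A    10.0.0.1
+ns1.unsigned          AAAA fd00:dead:beef:cafe::1
 
-onlinesign            NS ns1.unsigned
-signed                NS ns1.unsigned
-unsigned              NS ns1.unsigned
+onlinesign            NS   ns1.unsigned
+signed                NS   ns1.unsigned
+unsigned              NS   ns1.unsigned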
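--- a/test/knot-data/zones/unsigned.test.zone
+++ b/test/knot-data/zones/unsigned.test.zone
@@ -11,10 +11,12 @@ $ORIGIN unsigned.test.
 )
 
 ; NS info
-@                     NS ns1.unsigned.test.
-ns1                   A  10.0.0.1
+@                     NS   ns1
+ns1                   A    10.0.0.1
+ns1                   AAAA fd00:dead:beef:cafe::1
 
-@                     MX 15 mail.unsigned.test.
+@                     MX   15 mail.unsigned.test.
 
-                      A 10.0.0.101
-mail                  A 10.0.0.111
+                      A    10.0.0.101
+                      AAAA fd00:dead:beef:cafe::101
+mail                  A    10.0.0.111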
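--- a/test/knot-data/zones/untrusted.test.zone
+++ b/test/knot-data/zones/untrusted.test.zone
@@ -11,11 +11,12 @@ $ORIGIN untrusted.test.
 )
 
 ; NS info
-@                     NS ns1.unsigned.test.
+@                     NS   ns1.unsigned.test.
 
-*.wild                TXT "this is an untrusted wildcard"
+*.wild                TXT  "this is an untrusted wildcard"
 
-@                     MX 10 mail.untrusted.test.
+@                     MX   10 mail.untrusted.test.
 
-                      A 10.0.0.121
-mail                  A 10.0.0.121
+                      A    10.0.0.121
+                      AAAA fd00:dead:beef:cafe::121
+mail                  A    10.0.0.122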
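--- a/test/units/testsuite-75.sh
+++ b/test/units/testsuite-75.sh
@@ -2,6 +2,12 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 # vi: ts=4 sw=4 tw=0 et:
 
+# TODO:
+#   - IPv6-only stack
+#   - mDNS
+#   - LLMNR
+#   - DoT/DoH
+
 set -eux
 set -o pipefail
 
@@ -16,6 +22,15 @@ run() {
     "$@" |& tee "$RUN_OUT"
 }
 
+disable_ipv6() {
+    sysctl -w net.ipv6.conf.all.disable_ipv6=1
+}
+
+enable_ipv6() {
+    sysctl -w net.ipv6.conf.all.disable_ipv6=0
+    networkctl reconfigure dns0
+}
+
 monitor_check_rr() (
     set +x
     set +o pipefail
@@ -146,7 +161,10 @@ ip link del hoge.foo
 ### SETUP ###
 # Configure network
 hostnamectl hostname ns1.unsigned.test
-echo "10.0.0.1 ns1.unsigned.test" >>/etc/hosts
+{
+    echo "10.0.0.1               ns1.unsigned.test"
+    echo "fd00:dead:beef:cafe::1 ns1.unsigned.test"
+} >>/etc/hosts
 
 mkdir -p /etc/systemd/network
 cat >/etc/systemd/network/dns0.netdev <
@@ -160,10 +178,17 @@ Name=dns0
 
 [Network]
 Address=10.0.0.1/24
+Address=fd00:dead:beef:cafe::1/64
 DNSSEC=allow-downgrade
 DNS=10.0.0.1
+DNS=fd00:dead:beef:cafe::1
 EOF
 
+DNS_ADDRESSES=(
+    "10.0.0.1"
+    "fd00:dead:beef:cafe::1"
+)
+
 mkdir -p /run/systemd/resolved.conf.d
 {
     echo "[Resolve]"
@@ -214,6 +239,10 @@ resolvectl log-level debug
 # Start monitoring queries
 systemd-run -u resmontest.service -p Type=notify resolvectl monitor
 
+# Check if all the zones are valid (zone-check always returns 0, so let's check
+# if it produces any errors/warnings)
+run knotc zone-check
+[[ ! -s "$RUN_OUT" ]]
 # We need to manually propagate the DS records of onlinesign.test. to the parent
 # zone, since they're generated online
 knotc zone-begin test.
@@ -234,9 +263,19 @@ knotc reload
 : "--- nss-resolve/nss-myhostname tests"
 # Sanity check
 TIMESTAMP=$(date '+%F %T')
+# Issue: https://github.com/systemd/systemd/issues/23951
+# With IPv6 enabled
 run getent -s resolve hosts ns1.unsigned.test
-grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
-monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
+grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT"
+monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"
+# With IPv6 disabled
+# Issue: https://github.com/systemd/systemd/issues/23951
+# FIXME
+#disable_ipv6
+#run getent -s resolve hosts ns1.unsigned.test
+#grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
+#monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
+enable_ipv6
 
 # Issue: https://github.com/systemd/systemd/issues/18812
 # PR: https://github.com/systemd/systemd/pull/18896
@@ -248,13 +287,12 @@ grep -qE "^::1\s+localhost" "$RUN_OUT"
 run getent -s myhostname hosts localhost
 grep -qE "^::1\s+localhost" "$RUN_OUT"
 # With IPv6 disabled
-sysctl -w net.ipv6.conf.all.disable_ipv6=1
+disable_ipv6
 run getent -s resolve hosts localhost
 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
 run getent -s myhostname hosts localhost
 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
-sysctl -w net.ipv6.conf.all.disable_ipv6=0
-
+enable_ipv6
 
 : "--- Basic resolved tests ---"
 # Issue: https://github.com/systemd/systemd/issues/22229
@@ -280,12 +318,14 @@ grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"
 
 
 : "--- ZONE: unsigned.test. ---"
-run dig @10.0.0.1 +short unsigned.test
+run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA
 grep -qF "10.0.0.101" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
 run resolvectl query unsigned.test
-grep -qF "unsigned.test: 10.0.0.10" "$RUN_OUT"
+grep -qF "10.0.0.10" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
 grep -qF "authenticated: no" "$RUN_OUT"
-run dig @10.0.0.1 +short MX unsigned.test
+run dig @ns1.unsigned.test +short MX unsigned.test
 grep -qF "15 mail.unsigned.test." "$RUN_OUT"
 run resolvectl query --legend=no -t MX unsigned.test
 grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
@@ -295,17 +335,28 @@ grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
 # Check the trust chain (with and without systemd-resolved in between
 # Issue: https://github.com/systemd/systemd/issues/22002
 # PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 signed.test
+run delv @ns1.unsigned.test signed.test
 grep -qF "; fully validated" "$RUN_OUT"
 run delv signed.test
 grep -qF "; fully validated" "$RUN_OUT"
 
+for addr in "${DNS_ADDRESSES[@]}"; do
+    run delv "@$addr" -t A mail.signed.test
+    grep -qF "; fully validated" "$RUN_OUT"
+    run delv "@$addr" -t AAAA mail.signed.test
+    grep -qF "; fully validated" "$RUN_OUT"
+done
+run resolvectl query mail.signed.test
+grep -qF "10.0.0.11" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+
 run dig +short signed.test
 grep -qF "10.0.0.10" "$RUN_OUT"
 run resolvectl query signed.test
 grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"
 grep -qF "authenticated: yes" "$RUN_OUT"
-run dig @10.0.0.1 +short MX signed.test
+run dig @ns1.unsigned.test +short MX signed.test
 grep -qF "10 mail.signed.test." "$RUN_OUT"
 run resolvectl query --legend=no -t MX signed.test
 grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"
@@ -320,10 +371,30 @@ grep -qF "authenticated: yes" "$RUN_OUT"
 # DNSSEC validation with multiple records of the same type for the same name
 # Issue: https://github.com/systemd/systemd/issues/22002
 # PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 dupe.signed.test
-grep -qF "; fully validated" "$RUN_OUT"
-run delv dupe.signed.test
-grep -qF "; fully validated" "$RUN_OUT"
+check_domain() {
+    local domain="${1:?}"
+    local record="${2:?}"
+    local message="${3:?}"
+    local addr
+
+    for addr in "${DNS_ADDRESSES[@]}"; do
+        run delv "@$addr" -t "$record" "$domain"
+        grep -qF "$message" "$RUN_OUT"
+    done
+
+    run delv -t "$record" "$domain"
+    grep -qF "$message" "$RUN_OUT"
+
+    run resolvectl query "$domain"
+    grep -qF "authenticated: yes" "$RUN_OUT"
+}
+
+check_domain "dupe.signed.test"       "A"    "; fully validated"
+check_domain "dupe.signed.test"       "AAAA" "; negative response, fully validated"
+check_domain "dupe-ipv6.signed.test"  "AAAA" "; fully validated"
+check_domain "dupe-ipv6.signed.test"  "A"    "; negative response, fully validated"
+check_domain "dupe-mixed.signed.test" "A"    "; fully validated"
+check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated"
 
 # Test resolution of CNAME chains
 TIMESTAMP=$(date '+%F %T')
@@ -347,7 +418,7 @@ grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
 # Check the trust chain (with and without systemd-resolved in between
 # Issue: https://github.com/systemd/systemd/issues/22002
 # PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 sub.onlinesign.test
+run delv @ns1.unsigned.test sub.onlinesign.test
 grep -qF "; fully validated" "$RUN_OUT"
 run delv sub.onlinesign.test
 grep -qF "; fully validated" "$RUN_OUT"
@@ -357,10 +428,27 @@ grep -qF "10.0.0.133" "$RUN_OUT"
 run resolvectl query sub.onlinesign.test
 grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"
 grep -qF "authenticated: yes" "$RUN_OUT"
-run dig @10.0.0.1 +short TXT onlinesign.test
+run dig @ns1.unsigned.test +short TXT onlinesign.test
 grep -qF '"hello from onlinesign"' "$RUN_OUT"
 run resolvectl query --legend=no -t TXT onlinesign.test
 grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"
+
+for addr in "${DNS_ADDRESSES[@]}"; do
+    run delv "@$addr" -t A dual.onlinesign.test
+    grep -qF "10.0.0.135" "$RUN_OUT"
+    run delv "@$addr" -t AAAA dual.onlinesign.test
+    grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
+    run delv "@$addr" -t ANY ipv6.onlinesign.test
+    grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
+done
+run resolvectl query dual.onlinesign.test
+grep -qF "10.0.0.135" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+run resolvectl query ipv6.onlinesign.test
+grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+
 # Check a non-existent domain
 # Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the
 #       different response than with "standard" DNSSEC
@@ -378,11 +466,18 @@ run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedeskt
 grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
 monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"
 
+
 : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
-run dig +short untrusted.test
-grep -qF "10.0.0.121" "$RUN_OUT"
+# Issue: https://github.com/systemd/systemd/issues/23955
+# FIXME
+resolvectl flush-caches
+#run dig +short untrusted.test A untrusted.test AAAA
+#grep -qF "10.0.0.121" "$RUN_OUT"
+#grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
 run resolvectl query untrusted.test
-grep -qF "untrusted.test: 10.0.0.121" "$RUN_OUT"
+grep -qF "untrusted.test:" "$RUN_OUT"
+grep -qF "10.0.0.121" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
 grep -qF "authenticated: no" "$RUN_OUT"
 
 # Issue: https://github.com/systemd/systemd/issues/19472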
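Review bot: The `resolvectl query unsigned.test` check in the `ZONE: unsigned.test.` hunk greps for `10.0.0.10`, which is only a prefix of that zone's A record (`10.0.0.101` in unsigned.test.zone) and also equals the A record of signed.test, so a wrong answer could still satisfy it. Because `-F` is a substring match, I would pin the full address on a word boundary with `grep -qwF "10.0.0.101" "$RUN_OUT"`; the same `-w` would stop checks such as `fd00:dead:beef:cafe::11` from matching longer neighbouring addresses. Separately, the new `dual.onlinesign.test` / `ipv6.onlinesign.test` delv loop asserts only the address, whereas the `mail.signed.test` loop also asserts `; fully validated`. An answer that delv reports as unsigned on either transport would presumably pass there unnoticed, so I would add `grep -qF "; fully validated" "$RUN_OUT"` after each delv call in that loop.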