From 6aa57233e5981473efb4fdc4351d8f407b0b5384 Mon Sep 17 00:00:00 2001

From: Frantisek Sumsal <frantisek@sumsal.cz>

Date: Fri, 8 Jul 2022 13:36:03 +0200

Subject: [PATCH] test: cover IPv6 in the resolved test suite

(cherry picked from commit 5c9111fe779b44745256279052786e9cc499e57a)

Related: #2138081

---

 test/knot-data/knot.conf                  |   3 +

 test/knot-data/zones/onlinesign.test.zone |  15 ++-

 test/knot-data/zones/root.zone            |   8 +-

 test/knot-data/zones/signed.test.zone     |  23 ++--

 test/knot-data/zones/test.zone            |  12 +-

 test/knot-data/zones/unsigned.test.zone   |  12 +-

 test/knot-data/zones/untrusted.test.zone  |  11 +-

 test/units/testsuite-75.sh                | 135 ++++++++++++++++++----

 8 files changed, 169 insertions(+), 50 deletions(-)

diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf

index e3de69d0f4..6ea0cca3db 100644

--- a/test/knot-data/knot.conf

+++ b/test/knot-data/knot.conf

@@ -4,6 +4,7 @@ server:

     rundir: "/run/knot"

     user: knot:knot

     listen: 10.0.0.1@53

+    listen: fd00:dead:beef:cafe::1@53

 log:

     - target: syslog

@@ -15,11 +16,13 @@ database:

 acl:

     - id: update_acl

       address: 10.0.0.0/24

+      address: fd00:dead:beef:cafe::/64

       action: update

 remote:

     - id: parent_zone_server

       address: 10.0.0.1@53

+      address: fd00:dead:beef:cafe::1@53

 submission:

     - id: parent_zone_sbm

diff --git a/test/knot-data/zones/onlinesign.test.zone b/test/knot-data/zones/onlinesign.test.zone

index c12c6b3396..c8662fa3ed 100644

--- a/test/knot-data/zones/onlinesign.test.zone

+++ b/test/knot-data/zones/onlinesign.test.zone

@@ -11,12 +11,17 @@ $ORIGIN onlinesign.test.

 )

 ; NS info

-                     NS ns1.unsigned.test.

+                     NS   ns1.unsigned.test.

-                     TXT "hello from onlinesign"

+                     TXT  "hello from onlinesign"

-*.wild               TXT "this is an onlinesign wildcard"

+*.wild               TXT  "this is an onlinesign wildcard"

 ; No A/AAAA record for the $ORIGIN

-sub                  A 10.0.0.133

-secondsub            A 10.0.0.134

+sub                  A    10.0.0.133

+secondsub            A    10.0.0.134

+

+dual                 A    10.0.0.135

+dual                 AAAA fd00:dead:beef:cafe::135

+

+ipv6                 AAAA fd00:dead:beef:cafe::136

diff --git a/test/knot-data/zones/root.zone b/test/knot-data/zones/root.zone

index 72439fdc55..f601e8676d 100644

--- a/test/knot-data/zones/root.zone

+++ b/test/knot-data/zones/root.zone

@@ -8,7 +8,9 @@ $TTL 300

     1D         ; minimum TTL

 )

-.                   NS ns1.unsigned.test

-ns1.unsigned.test   A  10.0.0.1

+.                   NS   ns1.unsigned.test

+; NS glue records

+ns1.unsigned.test   A    10.0.0.1

+ns1.unsigned.test   AAAA fd00:dead:beef:cafe::1

-test                NS ns1.unsigned.test

+test                NS   ns1.unsigned.test

diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone

index 38d8e2aa13..fa6706205a 100644

--- a/test/knot-data/zones/signed.test.zone

+++ b/test/knot-data/zones/signed.test.zone

@@ -11,18 +11,27 @@ $ORIGIN signed.test.

 )

 ; NS info

-                      NS ns1.unsigned.test.

+                      NS    ns1.unsigned.test.

-*.wild                TXT "this is a wildcard"

+*.wild                TXT   "this is a wildcard"

-@                     MX 10 mail.signed.test.

+@                     MX    10 mail.signed.test.

-                      A 10.0.0.10

-mail                  A 10.0.0.11

+                      A     10.0.0.10

+mail                  A     10.0.0.11

+mail                  AAAA  fd00:dead:beef:cafe::11

 ; https://github.com/systemd/systemd/issues/22002

-dupe                  A 10.0.0.12

-dupe                  A 10.0.0.13

+dupe                  A     10.0.0.12

+dupe                  A     10.0.0.13

+dupe-ipv6             AAAA  fd00:dead:beef:cafe::12

+dupe-ipv6             AAAA  fd00:dead:beef:cafe::13

+dupe-mixed            A     10.0.0.15

+dupe-mixed            A     10.0.0.16

+dupe-mixed            A     10.0.0.17

+dupe-mixed            AAAA  fd00:dead:beef:cafe::15

+dupe-mixed            AAAA  fd00:dead:beef:cafe::16

+dupe-mixed            AAAA  fd00:dead:beef:cafe::17

 ; CNAME_REDIRECTS_MAX is 16, so let's test something close to that

 cname-chain           CNAME follow1.signed.test.

diff --git a/test/knot-data/zones/test.zone b/test/knot-data/zones/test.zone

index 6cc2633082..ba5fcebc2d 100644

--- a/test/knot-data/zones/test.zone

+++ b/test/knot-data/zones/test.zone

@@ -11,9 +11,11 @@ $ORIGIN test.

 )

 ; NS info

-@                     NS ns1.unsigned

-ns1.signed            A  10.0.0.1

+@                     NS   ns1.unsigned

+; NS glue records

+ns1.unsigned          A    10.0.0.1

+ns1.unsigned          AAAA fd00:dead:beef:cafe::1

-onlinesign            NS ns1.unsigned

-signed                NS ns1.unsigned

-unsigned              NS ns1.unsigned

+onlinesign            NS   ns1.unsigned

+signed                NS   ns1.unsigned

+unsigned              NS   ns1.unsigned

diff --git a/test/knot-data/zones/unsigned.test.zone b/test/knot-data/zones/unsigned.test.zone

index 87d9437e2c..c5445d7672 100644

--- a/test/knot-data/zones/unsigned.test.zone

+++ b/test/knot-data/zones/unsigned.test.zone

@@ -11,10 +11,12 @@ $ORIGIN unsigned.test.

 )

 ; NS info

-@                     NS ns1.unsigned.test.

-ns1                   A  10.0.0.1

+@                     NS   ns1

+ns1                   A    10.0.0.1

+ns1                   AAAA fd00:dead:beef:cafe::1

-@                     MX 15 mail.unsigned.test.

+@                     MX   15 mail.unsigned.test.

-                      A 10.0.0.101

-mail                  A 10.0.0.111

+                      A    10.0.0.101

+                      AAAA fd00:dead:beef:cafe::101

+mail                  A    10.0.0.111

diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone

index 6d29bd77fe..cf0dec5296 100644

--- a/test/knot-data/zones/untrusted.test.zone

+++ b/test/knot-data/zones/untrusted.test.zone

@@ -11,11 +11,12 @@ $ORIGIN untrusted.test.

 )

 ; NS info

-@                     NS ns1.unsigned.test.

+@                     NS   ns1.unsigned.test.

-*.wild                TXT "this is an untrusted wildcard"

+*.wild                TXT  "this is an untrusted wildcard"

-@                     MX 10 mail.untrusted.test.

+@                     MX   10 mail.untrusted.test.

-                      A 10.0.0.121

-mail                  A 10.0.0.121

+                      A    10.0.0.121

+                      AAAA fd00:dead:beef:cafe::121

+mail                  A    10.0.0.122

diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh

index 852caac605..76b8f5b3c7 100755

--- a/test/units/testsuite-75.sh

+++ b/test/units/testsuite-75.sh

@@ -2,6 +2,12 @@

 # SPDX-License-Identifier: LGPL-2.1-or-later

 # vi: ts=4 sw=4 tw=0 et:

+# TODO:

+#   - IPv6-only stack

+#   - mDNS

+#   - LLMNR

+#   - DoT/DoH

+

 set -eux

 set -o pipefail

@@ -16,6 +22,15 @@ run() {

     "$@" |& tee "$RUN_OUT"

 }

+disable_ipv6() {

+    sysctl -w net.ipv6.conf.all.disable_ipv6=1

+}

+

+enable_ipv6() {

+    sysctl -w net.ipv6.conf.all.disable_ipv6=0

+    networkctl reconfigure dns0

+}

+

 monitor_check_rr() (

     set +x

     set +o pipefail

@@ -146,7 +161,10 @@ ip link del hoge.foo

 ### SETUP ###

 # Configure network

 hostnamectl hostname ns1.unsigned.test

-echo "10.0.0.1 ns1.unsigned.test" >>/etc/hosts

+{

+    echo "10.0.0.1               ns1.unsigned.test"

+    echo "fd00:dead:beef:cafe::1 ns1.unsigned.test"

+} >>/etc/hosts

 mkdir -p /etc/systemd/network

 cat >/etc/systemd/network/dns0.netdev <

@@ -160,10 +178,17 @@ Name=dns0

 [Network]

 Address=10.0.0.1/24

+Address=fd00:dead:beef:cafe::1/64

 DNSSEC=allow-downgrade

 DNS=10.0.0.1

+DNS=fd00:dead:beef:cafe::1

 EOF

+DNS_ADDRESSES=(

+    "10.0.0.1"

+    "fd00:dead:beef:cafe::1"

+)

+

 mkdir -p /run/systemd/resolved.conf.d

 {

     echo "[Resolve]"

@@ -214,6 +239,10 @@ resolvectl log-level debug

 # Start monitoring queries

 systemd-run -u resmontest.service -p Type=notify resolvectl monitor

+# Check if all the zones are valid (zone-check always returns 0, so let's check

+# if it produces any errors/warnings)

+run knotc zone-check

+[[ ! -s "$RUN_OUT" ]]

 # We need to manually propagate the DS records of onlinesign.test. to the parent

 # zone, since they're generated online

 knotc zone-begin test.

@@ -234,9 +263,19 @@ knotc reload

 : "--- nss-resolve/nss-myhostname tests"

 # Sanity check

 TIMESTAMP=$(date '+%F %T')

+# Issue: https://github.com/systemd/systemd/issues/23951

+# With IPv6 enabled

 run getent -s resolve hosts ns1.unsigned.test

-grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"

-monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"

+grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT"

+monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"

+# With IPv6 disabled

+# Issue: https://github.com/systemd/systemd/issues/23951

+# FIXME

+#disable_ipv6

+#run getent -s resolve hosts ns1.unsigned.test

+#grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"

+#monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"

+enable_ipv6

 # Issue: https://github.com/systemd/systemd/issues/18812

 # PR: https://github.com/systemd/systemd/pull/18896

@@ -248,13 +287,12 @@ grep -qE "^::1\s+localhost" "$RUN_OUT"

 run getent -s myhostname hosts localhost

 grep -qE "^::1\s+localhost" "$RUN_OUT"

 # With IPv6 disabled

-sysctl -w net.ipv6.conf.all.disable_ipv6=1

+disable_ipv6

 run getent -s resolve hosts localhost

 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"

 run getent -s myhostname hosts localhost

 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"

-sysctl -w net.ipv6.conf.all.disable_ipv6=0

-

+enable_ipv6

 : "--- Basic resolved tests ---"

 # Issue: https://github.com/systemd/systemd/issues/22229

@@ -280,12 +318,14 @@ grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"

 : "--- ZONE: unsigned.test. ---"

-run dig @10.0.0.1 +short unsigned.test

+run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA

 grep -qF "10.0.0.101" "$RUN_OUT"

+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"

 run resolvectl query unsigned.test

-grep -qF "unsigned.test: 10.0.0.10" "$RUN_OUT"

+grep -qF "10.0.0.10" "$RUN_OUT"

+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"

 grep -qF "authenticated: no" "$RUN_OUT"

-run dig @10.0.0.1 +short MX unsigned.test

+run dig @ns1.unsigned.test +short MX unsigned.test

 grep -qF "15 mail.unsigned.test." "$RUN_OUT"

 run resolvectl query --legend=no -t MX unsigned.test

 grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"

@@ -295,17 +335,28 @@ grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"

 # Check the trust chain (with and without systemd-resolved in between

 # Issue: https://github.com/systemd/systemd/issues/22002

 # PR: https://github.com/systemd/systemd/pull/23289

-run delv @10.0.0.1 signed.test

+run delv @ns1.unsigned.test signed.test

 grep -qF "; fully validated" "$RUN_OUT"

 run delv signed.test

 grep -qF "; fully validated" "$RUN_OUT"

+for addr in "${DNS_ADDRESSES[@]}"; do

+    run delv "@$addr" -t A mail.signed.test

+    grep -qF "; fully validated" "$RUN_OUT"

+    run delv "@$addr" -t AAAA mail.signed.test

+    grep -qF "; fully validated" "$RUN_OUT"

+done

+run resolvectl query mail.signed.test

+grep -qF "10.0.0.11" "$RUN_OUT"

+grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"

+grep -qF "authenticated: yes" "$RUN_OUT"

+

 run dig +short signed.test

 grep -qF "10.0.0.10" "$RUN_OUT"

 run resolvectl query signed.test

 grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"

 grep -qF "authenticated: yes" "$RUN_OUT"

-run dig @10.0.0.1 +short MX signed.test

+run dig @ns1.unsigned.test +short MX signed.test

 grep -qF "10 mail.signed.test." "$RUN_OUT"

 run resolvectl query --legend=no -t MX signed.test

 grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"

@@ -320,10 +371,30 @@ grep -qF "authenticated: yes" "$RUN_OUT"

 # DNSSEC validation with multiple records of the same type for the same name

 # Issue: https://github.com/systemd/systemd/issues/22002

 # PR: https://github.com/systemd/systemd/pull/23289

-run delv @10.0.0.1 dupe.signed.test

-grep -qF "; fully validated" "$RUN_OUT"

-run delv dupe.signed.test

-grep -qF "; fully validated" "$RUN_OUT"

+check_domain() {

+    local domain="${1:?}"

+    local record="${2:?}"

+    local message="${3:?}"

+    local addr

+

+    for addr in "${DNS_ADDRESSES[@]}"; do

+        run delv "@$addr" -t "$record" "$domain"

+        grep -qF "$message" "$RUN_OUT"

+    done

+

+    run delv -t "$record" "$domain"

+    grep -qF "$message" "$RUN_OUT"

+

+    run resolvectl query "$domain"

+    grep -qF "authenticated: yes" "$RUN_OUT"

+}

+

+check_domain "dupe.signed.test"       "A"    "; fully validated"

+check_domain "dupe.signed.test"       "AAAA" "; negative response, fully validated"

+check_domain "dupe-ipv6.signed.test"  "AAAA" "; fully validated"

+check_domain "dupe-ipv6.signed.test"  "A"    "; negative response, fully validated"

+check_domain "dupe-mixed.signed.test" "A"    "; fully validated"

+check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated"

 # Test resolution of CNAME chains

 TIMESTAMP=$(date '+%F %T')

@@ -347,7 +418,7 @@ grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"

 # Check the trust chain (with and without systemd-resolved in between

 # Issue: https://github.com/systemd/systemd/issues/22002

 # PR: https://github.com/systemd/systemd/pull/23289

-run delv @10.0.0.1 sub.onlinesign.test

+run delv @ns1.unsigned.test sub.onlinesign.test

 grep -qF "; fully validated" "$RUN_OUT"

 run delv sub.onlinesign.test

 grep -qF "; fully validated" "$RUN_OUT"

@@ -357,10 +428,27 @@ grep -qF "10.0.0.133" "$RUN_OUT"

 run resolvectl query sub.onlinesign.test

 grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"

 grep -qF "authenticated: yes" "$RUN_OUT"

-run dig @10.0.0.1 +short TXT onlinesign.test

+run dig @ns1.unsigned.test +short TXT onlinesign.test

 grep -qF '"hello from onlinesign"' "$RUN_OUT"

 run resolvectl query --legend=no -t TXT onlinesign.test

 grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"

+

+for addr in "${DNS_ADDRESSES[@]}"; do

+    run delv "@$addr" -t A dual.onlinesign.test

+    grep -qF "10.0.0.135" "$RUN_OUT"

+    run delv "@$addr" -t AAAA dual.onlinesign.test

+    grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"

+    run delv "@$addr" -t ANY ipv6.onlinesign.test

+    grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"

+done

+run resolvectl query dual.onlinesign.test

+grep -qF "10.0.0.135" "$RUN_OUT"

+grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"

+grep -qF "authenticated: yes" "$RUN_OUT"

+run resolvectl query ipv6.onlinesign.test

+grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"

+grep -qF "authenticated: yes" "$RUN_OUT"

+

 # Check a non-existent domain

 # Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the

 #       different response than with "standard" DNSSEC

@@ -378,11 +466,18 @@ run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedeskt

 grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"

 monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"

+

 : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"

-run dig +short untrusted.test

-grep -qF "10.0.0.121" "$RUN_OUT"

+# Issue: https://github.com/systemd/systemd/issues/23955

+# FIXME

+resolvectl flush-caches

+#run dig +short untrusted.test A untrusted.test AAAA

+#grep -qF "10.0.0.121" "$RUN_OUT"

+#grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"

 run resolvectl query untrusted.test

-grep -qF "untrusted.test: 10.0.0.121" "$RUN_OUT"

+grep -qF "untrusted.test:" "$RUN_OUT"

+grep -qF "10.0.0.121" "$RUN_OUT"

+grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"

 grep -qF "authenticated: no" "$RUN_OUT"

 # Issue: https://github.com/systemd/systemd/issues/19472