1 files changed, 115 insertions, 20 deletions

diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh
index 852caac605..76b8f5b3c7 100755
--- a/test/units/testsuite-75.sh
+++ b/test/units/testsuite-75.sh
@@ -2,6 +2,12 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 # vi: ts=4 sw=4 tw=0 et:
 
+# TODO:
+#   - IPv6-only stack
+#   - mDNS
+#   - LLMNR
+#   - DoT/DoH
+
 set -eux
 set -o pipefail
 
@@ -16,6 +22,15 @@ run() {
     "$@" |& tee "$RUN_OUT"
 }
 
+disable_ipv6() {
+    sysctl -w net.ipv6.conf.all.disable_ipv6=1
+}
+
+enable_ipv6() {
+    sysctl -w net.ipv6.conf.all.disable_ipv6=0
+    networkctl reconfigure dns0
+}
+
 monitor_check_rr() (
     set +x
     set +o pipefail
@@ -146,7 +161,10 @@ ip link del hoge.foo
 ### SETUP ###
 # Configure network
 hostnamectl hostname ns1.unsigned.test
-echo "10.0.0.1 ns1.unsigned.test" >>/etc/hosts
+{
+    echo "10.0.0.1               ns1.unsigned.test"
+    echo "fd00:dead:beef:cafe::1 ns1.unsigned.test"
+} >>/etc/hosts
 
 mkdir -p /etc/systemd/network
 cat >/etc/systemd/network/dns0.netdev <<EOF
@@ -160,10 +178,17 @@ Name=dns0
 
 [Network]
 Address=10.0.0.1/24
+Address=fd00:dead:beef:cafe::1/64
 DNSSEC=allow-downgrade
 DNS=10.0.0.1
+DNS=fd00:dead:beef:cafe::1
 EOF
 
+DNS_ADDRESSES=(
+    "10.0.0.1"
+    "fd00:dead:beef:cafe::1"
+)
+
 mkdir -p /run/systemd/resolved.conf.d
 {
     echo "[Resolve]"
@@ -214,6 +239,10 @@ resolvectl log-level debug
 # Start monitoring queries
 systemd-run -u resmontest.service -p Type=notify resolvectl monitor
 
+# Check if all the zones are valid (zone-check always returns 0, so let's check
+# if it produces any errors/warnings)
+run knotc zone-check
+[[ ! -s "$RUN_OUT" ]]
 # We need to manually propagate the DS records of onlinesign.test. to the parent
 # zone, since they're generated online
 knotc zone-begin test.
@@ -234,9 +263,19 @@ knotc reload
 : "--- nss-resolve/nss-myhostname tests"
 # Sanity check
 TIMESTAMP=$(date '+%F %T')
+# Issue: https://github.com/systemd/systemd/issues/23951
+# With IPv6 enabled
 run getent -s resolve hosts ns1.unsigned.test
-grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
-monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
+grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT"
+monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"
+# With IPv6 disabled
+# Issue: https://github.com/systemd/systemd/issues/23951
+# FIXME
+#disable_ipv6
+#run getent -s resolve hosts ns1.unsigned.test
+#grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
+#monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
+enable_ipv6
 
 # Issue: https://github.com/systemd/systemd/issues/18812
 # PR: https://github.com/systemd/systemd/pull/18896
@@ -248,13 +287,12 @@ grep -qE "^::1\s+localhost" "$RUN_OUT"
 run getent -s myhostname hosts localhost
 grep -qE "^::1\s+localhost" "$RUN_OUT"
 # With IPv6 disabled
-sysctl -w net.ipv6.conf.all.disable_ipv6=1
+disable_ipv6
 run getent -s resolve hosts localhost
 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
 run getent -s myhostname hosts localhost
 grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
-sysctl -w net.ipv6.conf.all.disable_ipv6=0
-
+enable_ipv6
 
 : "--- Basic resolved tests ---"
 # Issue: https://github.com/systemd/systemd/issues/22229
@@ -280,12 +318,14 @@ grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"
 
 
 : "--- ZONE: unsigned.test. ---"
-run dig @10.0.0.1 +short unsigned.test
+run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA
 grep -qF "10.0.0.101" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
 run resolvectl query unsigned.test
-grep -qF "unsigned.test: 10.0.0.10" "$RUN_OUT"
+grep -qF "10.0.0.10" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
 grep -qF "authenticated: no" "$RUN_OUT"
-run dig @10.0.0.1 +short MX unsigned.test
+run dig @ns1.unsigned.test +short MX unsigned.test
 grep -qF "15 mail.unsigned.test." "$RUN_OUT"
 run resolvectl query --legend=no -t MX unsigned.test
 grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
@@ -295,17 +335,28 @@ grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
 # Check the trust chain (with and without systemd-resolved in between
 # Issue: https://github.com/systemd/systemd/issues/22002
 # PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 signed.test
+run delv @ns1.unsigned.test signed.test
 grep -qF "; fully validated" "$RUN_OUT"
 run delv signed.test
 grep -qF "; fully validated" "$RUN_OUT"
 
+for addr in "${DNS_ADDRESSES[@]}"; do
+    run delv "@$addr" -t A mail.signed.test
+    grep -qF "; fully validated" "$RUN_OUT"
+    run delv "@$addr" -t AAAA mail.signed.test
+    grep -qF "; fully validated" "$RUN_OUT"
+done
+run resolvectl query mail.signed.test
+grep -qF "10.0.0.11" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+
 run dig +short signed.test
 grep -qF "10.0.0.10" "$RUN_OUT"
 run resolvectl query signed.test
 grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"
 grep -qF "authenticated: yes" "$RUN_OUT"
-run dig @10.0.0.1 +short MX signed.test
+run dig @ns1.unsigned.test +short MX signed.test
 grep -qF "10 mail.signed.test." "$RUN_OUT"
 run resolvectl query --legend=no -t MX signed.test
 grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"
@@ -320,10 +371,30 @@ grep -qF "authenticated: yes" "$RUN_OUT"
 # DNSSEC validation with multiple records of the same type for the same name
 # Issue: https://github.com/systemd/systemd/issues/22002
 # PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 dupe.signed.test
-grep -qF "; fully validated" "$RUN_OUT"
-run delv dupe.signed.test
-grep -qF "; fully validated" "$RUN_OUT"
+check_domain() {
+    local domain="${1:?}"
+    local record="${2:?}"
+    local message="${3:?}"
+    local addr
+
+    for addr in "${DNS_ADDRESSES[@]}"; do
+        run delv "@$addr" -t "$record" "$domain"
+        grep -qF "$message" "$RUN_OUT"
+    done
+
+    run delv -t "$record" "$domain"
+    grep -qF "$message" "$RUN_OUT"
+
+    run resolvectl query "$domain"
+    grep -qF "authenticated: yes" "$RUN_OUT"
+}
+
+check_domain "dupe.signed.test"       "A"    "; fully validated"
+check_domain "dupe.signed.test"       "AAAA" "; negative response, fully validated"
+check_domain "dupe-ipv6.signed.test"  "AAAA" "; fully validated"
+check_domain "dupe-ipv6.signed.test"  "A"    "; negative response, fully validated"
+check_domain "dupe-mixed.signed.test" "A"    "; fully validated"
+check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated"
 
 # Test resolution of CNAME chains
 TIMESTAMP=$(date '+%F %T')
@@ -347,7 +418,7 @@ grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
 # Check the trust chain (with and without systemd-resolved in between
 # Issue: https://github.com/systemd/systemd/issues/22002
 # PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 sub.onlinesign.test
+run delv @ns1.unsigned.test sub.onlinesign.test
 grep -qF "; fully validated" "$RUN_OUT"
 run delv sub.onlinesign.test
 grep -qF "; fully validated" "$RUN_OUT"
@@ -357,10 +428,27 @@ grep -qF "10.0.0.133" "$RUN_OUT"
 run resolvectl query sub.onlinesign.test
 grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"
 grep -qF "authenticated: yes" "$RUN_OUT"
-run dig @10.0.0.1 +short TXT onlinesign.test
+run dig @ns1.unsigned.test +short TXT onlinesign.test
 grep -qF '"hello from onlinesign"' "$RUN_OUT"
 run resolvectl query --legend=no -t TXT onlinesign.test
 grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"
+
+for addr in "${DNS_ADDRESSES[@]}"; do
+    run delv "@$addr" -t A dual.onlinesign.test
+    grep -qF "10.0.0.135" "$RUN_OUT"
+    run delv "@$addr" -t AAAA dual.onlinesign.test
+    grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
+    run delv "@$addr" -t ANY ipv6.onlinesign.test
+    grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
+done
+run resolvectl query dual.onlinesign.test
+grep -qF "10.0.0.135" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+run resolvectl query ipv6.onlinesign.test
+grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+
 # Check a non-existent domain
 # Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the
 #       different response than with "standard" DNSSEC
@@ -378,11 +466,18 @@ run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedeskt
 grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
 monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"
 
+
 : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
-run dig +short untrusted.test
-grep -qF "10.0.0.121" "$RUN_OUT"
+# Issue: https://github.com/systemd/systemd/issues/23955
+# FIXME
+resolvectl flush-caches
+#run dig +short untrusted.test A untrusted.test AAAA
+#grep -qF "10.0.0.121" "$RUN_OUT"
+#grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
 run resolvectl query untrusted.test
-grep -qF "untrusted.test: 10.0.0.121" "$RUN_OUT"
+grep -qF "untrusted.test:" "$RUN_OUT"
+grep -qF "10.0.0.121" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
 grep -qF "authenticated: no" "$RUN_OUT"
 
 # Issue: https://github.com/systemd/systemd/issues/19472