authorYu Watanabe <watanabe.yu+github@gmail.com>2023-01-30 19:21:19 +0900
committerGitHub <noreply@github.com>2023-01-30 19:21:19 +0900
commit808f7c94f09c43b2567b16c005b24df4081a25fa (patch)
tree570783414437d85d3845b3d318fa8cd3d87007fd /test
parent0a5bd40a709d20c35bddf5c8a8342cae440ec4a3 (diff)
parent42262f3e1b43eb3833adf71a3a030122b8f112b3 (diff)
downloadsystemd-808f7c94f09c43b2567b16c005b24df4081a25fa.tar.gz
Merge pull request #23956 from mrc0mmand/resolved-ipv6
test: cover (not only) IPv6 in the resolved test suite
Diffstat (limited to 'test')
-rw-r--r--test/knot-data/knot.conf3
-rw-r--r--test/knot-data/zones/onlinesign.test.zone15
-rw-r--r--test/knot-data/zones/root.zone8
-rw-r--r--test/knot-data/zones/signed.test.zone45
-rw-r--r--test/knot-data/zones/test.zone12
-rw-r--r--test/knot-data/zones/unsigned.test.zone12
-rw-r--r--test/knot-data/zones/untrusted.test.zone15
-rw-r--r--test/test-functions3
-rwxr-xr-xtest/units/testsuite-75.sh160
9 files changed, 221 insertions, 52 deletions
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
index e3de69d0f4..6ea0cca3db 100644
--- a/test/knot-data/knot.conf
+++ b/test/knot-data/knot.conf
@@ -4,6 +4,7 @@ server:
rundir: "/run/knot"
user: knot:knot
listen: 10.0.0.1@53
+ listen: fd00:dead:beef:cafe::1@53
log:
- target: syslog
@@ -15,11 +16,13 @@ database:
acl:
- id: update_acl
address: 10.0.0.0/24
+ address: fd00:dead:beef:cafe::/64
action: update
remote:
- id: parent_zone_server
address: 10.0.0.1@53
+ address: fd00:dead:beef:cafe::1@53
submission:
- id: parent_zone_sbm
diff --git a/test/knot-data/zones/onlinesign.test.zone b/test/knot-data/zones/onlinesign.test.zone
index c12c6b3396..c8662fa3ed 100644
--- a/test/knot-data/zones/onlinesign.test.zone
+++ b/test/knot-data/zones/onlinesign.test.zone
@@ -11,12 +11,17 @@ $ORIGIN onlinesign.test.
)
; NS info
- NS ns1.unsigned.test.
+ NS ns1.unsigned.test.
- TXT "hello from onlinesign"
+ TXT "hello from onlinesign"
-*.wild TXT "this is an onlinesign wildcard"
+*.wild TXT "this is an onlinesign wildcard"
; No A/AAAA record for the $ORIGIN
-sub A 10.0.0.133
-secondsub A 10.0.0.134
+sub A 10.0.0.133
+secondsub A 10.0.0.134
+
+dual A 10.0.0.135
+dual AAAA fd00:dead:beef:cafe::135
+
+ipv6 AAAA fd00:dead:beef:cafe::136
diff --git a/test/knot-data/zones/root.zone b/test/knot-data/zones/root.zone
index 72439fdc55..f601e8676d 100644
--- a/test/knot-data/zones/root.zone
+++ b/test/knot-data/zones/root.zone
@@ -8,7 +8,9 @@ $TTL 300
1D ; minimum TTL
)
-. NS ns1.unsigned.test
-ns1.unsigned.test A 10.0.0.1
+. NS ns1.unsigned.test
+; NS glue records
+ns1.unsigned.test A 10.0.0.1
+ns1.unsigned.test AAAA fd00:dead:beef:cafe::1
-test NS ns1.unsigned.test
+test NS ns1.unsigned.test
diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone
index 38d8e2aa13..a2baac4284 100644
--- a/test/knot-data/zones/signed.test.zone
+++ b/test/knot-data/zones/signed.test.zone
@@ -11,18 +11,27 @@ $ORIGIN signed.test.
)
; NS info
- NS ns1.unsigned.test.
+ NS ns1.unsigned.test.
-*.wild TXT "this is a wildcard"
+*.wild TXT "this is a wildcard"
-@ MX 10 mail.signed.test.
+@ MX 10 mail.signed.test.
- A 10.0.0.10
-mail A 10.0.0.11
+ A 10.0.0.10
+mail A 10.0.0.11
+mail AAAA fd00:dead:beef:cafe::11
; https://github.com/systemd/systemd/issues/22002
-dupe A 10.0.0.12
-dupe A 10.0.0.13
+dupe A 10.0.0.12
+dupe A 10.0.0.13
+dupe-ipv6 AAAA fd00:dead:beef:cafe::12
+dupe-ipv6 AAAA fd00:dead:beef:cafe::13
+dupe-mixed A 10.0.0.15
+dupe-mixed A 10.0.0.16
+dupe-mixed A 10.0.0.17
+dupe-mixed AAAA fd00:dead:beef:cafe::15
+dupe-mixed AAAA fd00:dead:beef:cafe::16
+dupe-mixed AAAA fd00:dead:beef:cafe::17
; CNAME_REDIRECTS_MAX is 16, so let's test something close to that
cname-chain CNAME follow1.signed.test.
@@ -40,3 +49,25 @@ follow11.yet.so.far CNAME follow12.getting.hot.signed.test.
follow12.getting.hot CNAME follow13.almost.final.signed.test.
follow13.almost.final CNAME follow14.final.signed.test.
follow14.final A 10.0.0.14
+
+myservice A 10.0.0.20
+myservice AAAA fd00:dead:beef:cafe::17
+_mysvc._tcp SRV 10 5 1234 myservice
+
+_invalidsvc._udp SRV 5 5 1111 invalidservice
+
+_untrustedsvc._udp SRV 5 5 1111 myservice.untrusted.test.
+
+; OPENPGPKEY RR for mr.smith@signed.test
+; The hash was generated using `echo -ne mr.smith | sha256sum | head -c56`
+; and exported via `gpg --export mr.smith | base64`
+5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey OPENPGPKEY (
+ mDMEYshhzhYJKwYBBAHaRw8BAQdAuU2RxKaycSdaR5YZ/q+/yoHeil/1WNRDVbpjPSd6QBa0GW1y
+ LnNtaXRoQHNpZ25lZC50ZXN0LnpvbmWImQQTFggAQRYhBIOXLJwlwowvXQVeJ3d9yvMKUDBWBQJi
+ yGHOAhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEHd9yvMKUDBWo6MA/2oC
+ zdnzMlK9gM5bNCFfPyagJfFfv7fW1l7WXTve6FJtAP0faW24ahE1okjmrsTUwqZHvDThysW5zTSt
+ j49S3JQDA7g4BGLIYc4SCisGAQQBl1UBBQEBB0CuNcTAt5AUE3seFN/Gm2euC+8dgtztyzoO/78K
+ ictFLAMBCAeIeAQYFggAIBYhBIOXLJwlwowvXQVeJ3d9yvMKUDBWBQJiyGHOAhsMAAoJEHd9yvMK
+ UDBWtxkA/jlbUgHpSoTKFNNTeXYbTz9jnoupe9eT4O3tU55ofwO7AQCa5ntSIuzDJ1E2iy7oOLOZ
+ m2ocNqpC7SULHhSKYfUWDg==
+)
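Review bot: `myservice AAAA fd00:dead:beef:cafe::17` reuses the address already assigned to `dupe-mixed` earlier in this file, and it breaks the pattern where the AAAA suffix mirrors the A record's last octet (here 10.0.0.20). The SRV check in testsuite-75.sh greps for `fd00:dead:beef:cafe::17` as a fixed string, so it could not tell a `myservice` answer from a stray `dupe-mixed` record. Consider `myservice AAAA fd00:dead:beef:cafe::20` and updating the matching grep in the test script.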
diff --git a/test/knot-data/zones/test.zone b/test/knot-data/zones/test.zone
index 6cc2633082..ba5fcebc2d 100644
--- a/test/knot-data/zones/test.zone
+++ b/test/knot-data/zones/test.zone
@@ -11,9 +11,11 @@ $ORIGIN test.
)
; NS info
-@ NS ns1.unsigned
-ns1.signed A 10.0.0.1
+@ NS ns1.unsigned
+; NS glue records
+ns1.unsigned A 10.0.0.1
+ns1.unsigned AAAA fd00:dead:beef:cafe::1
-onlinesign NS ns1.unsigned
-signed NS ns1.unsigned
-unsigned NS ns1.unsigned
+onlinesign NS ns1.unsigned
+signed NS ns1.unsigned
+unsigned NS ns1.unsigned
diff --git a/test/knot-data/zones/unsigned.test.zone b/test/knot-data/zones/unsigned.test.zone
index 87d9437e2c..c5445d7672 100644
--- a/test/knot-data/zones/unsigned.test.zone
+++ b/test/knot-data/zones/unsigned.test.zone
@@ -11,10 +11,12 @@ $ORIGIN unsigned.test.
)
; NS info
-@ NS ns1.unsigned.test.
-ns1 A 10.0.0.1
+@ NS ns1
+ns1 A 10.0.0.1
+ns1 AAAA fd00:dead:beef:cafe::1
-@ MX 15 mail.unsigned.test.
+@ MX 15 mail.unsigned.test.
- A 10.0.0.101
-mail A 10.0.0.111
+ A 10.0.0.101
+ AAAA fd00:dead:beef:cafe::101
+mail A 10.0.0.111
diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone
index 6d29bd77fe..a0dca62ca8 100644
--- a/test/knot-data/zones/untrusted.test.zone
+++ b/test/knot-data/zones/untrusted.test.zone
@@ -11,11 +11,16 @@ $ORIGIN untrusted.test.
)
; NS info
-@ NS ns1.unsigned.test.
+@ NS ns1.unsigned.test.
-*.wild TXT "this is an untrusted wildcard"
+*.wild TXT "this is an untrusted wildcard"
-@ MX 10 mail.untrusted.test.
+@ MX 10 mail.untrusted.test.
- A 10.0.0.121
-mail A 10.0.0.121
+ A 10.0.0.121
+ AAAA fd00:dead:beef:cafe::121
+mail A 10.0.0.122
+
+myservice A 10.0.0.123
+ AAAA fd00:dead:beef:cafe::123
+_mysvc._tcp SRV 10 5 1234 myservice
diff --git a/test/test-functions b/test/test-functions
index ee44932a59..c4c192885e 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -2641,8 +2641,9 @@ inst_binary() {
# chown, getent, login, su, useradd, userdel - dlopen()s (not only) systemd's PAM modules
# ls, stat - pulls in nss_systemd with certain options (like ls -l) when
# nsswitch.conf uses [SUCCESS=merge] (like on Arch Linux)
+ # delv, dig - pulls in nss_resolve if `resolve` is in nsswitch.conf
# tar - called by machinectl in TEST-25
- if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(chown|getent|login|ls|stat|su|tar|useradd|userdel)$ ]]; then
+ if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(chown|delv|dig|getent|login|ls|stat|su|tar|useradd|userdel)$ ]]; then
wrap_binary=1
fi
diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh
index 852caac605..ddd86d09bb 100755
--- a/test/units/testsuite-75.sh
+++ b/test/units/testsuite-75.sh
@@ -2,6 +2,12 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# vi: ts=4 sw=4 tw=0 et:
+# TODO:
+# - IPv6-only stack
+# - mDNS
+# - LLMNR
+# - DoT/DoH
+
set -eux
set -o pipefail
@@ -16,6 +22,15 @@ run() {
"$@" |& tee "$RUN_OUT"
}
+disable_ipv6() {
+ sysctl -w net.ipv6.conf.all.disable_ipv6=1
+}
+
+enable_ipv6() {
+ sysctl -w net.ipv6.conf.all.disable_ipv6=0
+ networkctl reconfigure dns0
+}
+
monitor_check_rr() (
set +x
set +o pipefail
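Review bot: `enable_ipv6` returns as soon as `networkctl reconfigure dns0` has been issued, so the checks that follow it may run before fd00:dead:beef:cafe::1 is assigned and usable on dns0 again. If the reconfigure is asynchronous, as it appears to be, that is a race that would show up as sporadic failures in the IPv6 assertions. Waiting for the link inside the helper would close it, for example `/usr/lib/systemd/systemd-networkd-wait-online --ipv6 --interface=dns0:routable --timeout=30` (the binary path may differ per distribution). A short comment on `enable_ipv6` explaining why the reconfigure is needed after flipping the sysctl would also help.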
@@ -26,7 +41,7 @@ monitor_check_rr() (
# displayed. We turn off pipefail for this, since we don't care about the
# lhs of this pipe expression, we only care about the rhs' result to be
# clean
- journalctl -u resmontest.service --since "$since" -f --full | grep -m1 "$match"
+ timeout -v 30s journalctl -u resmontest.service --since "$since" -f --full | grep -m1 "$match"
)
# Test for resolvectl, resolvconf
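Review bot: `grep -m1 "$match"` treats the expected record as an unanchored regular expression, so the new call `monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"` would also be satisfied by a logged record for `fd00:dead:beef:cafe::11` or `::101`, and every `.` in the name matches any character. Since this line is being touched anyway, `grep -m1 -F -- "$match"` removes the regex interpretation. The prefix problem additionally needs a trailing delimiter in the expected string, if the monitor output provides one. The added 30s timeout bounds the wait but does not make the match any stricter. The body of monitor_check_rr starts outside this hunk.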
@@ -146,7 +161,10 @@ ip link del hoge.foo
### SETUP ###
# Configure network
hostnamectl hostname ns1.unsigned.test
-echo "10.0.0.1 ns1.unsigned.test" >>/etc/hosts
+{
+ echo "10.0.0.1 ns1.unsigned.test"
+ echo "fd00:dead:beef:cafe::1 ns1.unsigned.test"
+} >>/etc/hosts
mkdir -p /etc/systemd/network
cat >/etc/systemd/network/dns0.netdev <<EOF
@@ -160,10 +178,17 @@ Name=dns0
[Network]
Address=10.0.0.1/24
+Address=fd00:dead:beef:cafe::1/64
DNSSEC=allow-downgrade
DNS=10.0.0.1
+DNS=fd00:dead:beef:cafe::1
EOF
+DNS_ADDRESSES=(
+ "10.0.0.1"
+ "fd00:dead:beef:cafe::1"
+)
+
mkdir -p /run/systemd/resolved.conf.d
{
echo "[Resolve]"
@@ -214,6 +239,10 @@ resolvectl log-level debug
# Start monitoring queries
systemd-run -u resmontest.service -p Type=notify resolvectl monitor
+# Check if all the zones are valid (zone-check always returns 0, so let's check
+# if it produces any errors/warnings)
+run knotc zone-check
+[[ ! -s "$RUN_OUT" ]]
# We need to manually propagate the DS records of onlinesign.test. to the parent
# zone, since they're generated online
knotc zone-begin test.
@@ -234,9 +263,19 @@ knotc reload
: "--- nss-resolve/nss-myhostname tests"
# Sanity check
TIMESTAMP=$(date '+%F %T')
+# Issue: https://github.com/systemd/systemd/issues/23951
+# With IPv6 enabled
run getent -s resolve hosts ns1.unsigned.test
-grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
-monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
+grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT"
+monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1"
+# With IPv6 disabled
+# Issue: https://github.com/systemd/systemd/issues/23951
+# FIXME
+#disable_ipv6
+#run getent -s resolve hosts ns1.unsigned.test
+#grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
+#monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1"
+enable_ipv6
# Issue: https://github.com/systemd/systemd/issues/18812
# PR: https://github.com/systemd/systemd/pull/18896
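Review bot: The trailing `enable_ipv6` runs unconditionally even though the matching `disable_ipv6` block is commented out, so it reconfigures dns0 right before the next group of checks without having anything to undo. Comment it out together with the rest of the disabled block. The bare `# FIXME` should say what is being waited for, e.g. `# FIXME: disabled until https://github.com/systemd/systemd/issues/23951 is fixed`, assuming that issue is the blocker. The `# Issue:` line is also repeated for both variants and could be stated once above them.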
@@ -248,13 +287,12 @@ grep -qE "^::1\s+localhost" "$RUN_OUT"
run getent -s myhostname hosts localhost
grep -qE "^::1\s+localhost" "$RUN_OUT"
# With IPv6 disabled
-sysctl -w net.ipv6.conf.all.disable_ipv6=1
+disable_ipv6
run getent -s resolve hosts localhost
grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
run getent -s myhostname hosts localhost
grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT"
-sysctl -w net.ipv6.conf.all.disable_ipv6=0
-
+enable_ipv6
: "--- Basic resolved tests ---"
# Issue: https://github.com/systemd/systemd/issues/22229
@@ -280,12 +318,14 @@ grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT"
: "--- ZONE: unsigned.test. ---"
-run dig @10.0.0.1 +short unsigned.test
+run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA
grep -qF "10.0.0.101" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
run resolvectl query unsigned.test
-grep -qF "unsigned.test: 10.0.0.10" "$RUN_OUT"
+grep -qF "10.0.0.10" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT"
grep -qF "authenticated: no" "$RUN_OUT"
-run dig @10.0.0.1 +short MX unsigned.test
+run dig @ns1.unsigned.test +short MX unsigned.test
grep -qF "15 mail.unsigned.test." "$RUN_OUT"
run resolvectl query --legend=no -t MX unsigned.test
grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
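Review bot: `grep -qF "10.0.0.10" "$RUN_OUT"` after `resolvectl query unsigned.test` checks a truncated address. The apex record in unsigned.test.zone is 10.0.0.101, which is what the dig check above it expects, and the shortened literal would accept any other answer that merely starts with 10.0.0.10. Use the full address: `grep -qF "10.0.0.101" "$RUN_OUT"`. Separately, `dig @ns1.unsigned.test` leaves the choice between the server's A and AAAA address to name resolution, so these calls no longer pin which transport is exercised. Iterating over `DNS_ADDRESSES`, as the delv checks later in the script do, would make that explicit.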
@@ -295,17 +335,28 @@ grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
# Check the trust chain (with and without systemd-resolved in between
# Issue: https://github.com/systemd/systemd/issues/22002
# PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 signed.test
+run delv @ns1.unsigned.test signed.test
grep -qF "; fully validated" "$RUN_OUT"
run delv signed.test
grep -qF "; fully validated" "$RUN_OUT"
+for addr in "${DNS_ADDRESSES[@]}"; do
+ run delv "@$addr" -t A mail.signed.test
+ grep -qF "; fully validated" "$RUN_OUT"
+ run delv "@$addr" -t AAAA mail.signed.test
+ grep -qF "; fully validated" "$RUN_OUT"
+done
+run resolvectl query mail.signed.test
+grep -qF "10.0.0.11" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+
run dig +short signed.test
grep -qF "10.0.0.10" "$RUN_OUT"
run resolvectl query signed.test
grep -qF "signed.test: 10.0.0.10" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
-run dig @10.0.0.1 +short MX signed.test
+run dig @ns1.unsigned.test +short MX signed.test
grep -qF "10 mail.signed.test." "$RUN_OUT"
run resolvectl query --legend=no -t MX signed.test
grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT"
@@ -316,14 +367,53 @@ grep -qF "status: NXDOMAIN" "$RUN_OUT"
run resolvectl query -t TXT this.should.be.authenticated.wild.signed.test
grep -qF 'this.should.be.authenticated.wild.signed.test IN TXT "this is a wildcard"' "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
+# Check SRV support
+run resolvectl service _mysvc._tcp signed.test
+grep -qF "myservice.signed.test:1234" "$RUN_OUT"
+grep -qF "10.0.0.20" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::17" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+(! run resolvectl service _invalidsvc._udp signed.test)
+grep -qE "invalidservice\.signed\.test' not found" "$RUN_OUT"
+run resolvectl service _untrustedsvc._udp signed.test
+grep -qF "myservice.untrusted.test:1111" "$RUN_OUT"
+grep -qF "10.0.0.123" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+# Check OPENPGPKEY support
+run delv -t OPENPGPKEY 5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test
+grep -qF "; fully validated" "$RUN_OUT"
+run resolvectl openpgp mr.smith@signed.test
+grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
# DNSSEC validation with multiple records of the same type for the same name
# Issue: https://github.com/systemd/systemd/issues/22002
# PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 dupe.signed.test
-grep -qF "; fully validated" "$RUN_OUT"
-run delv dupe.signed.test
-grep -qF "; fully validated" "$RUN_OUT"
+check_domain() {
+ local domain="${1:?}"
+ local record="${2:?}"
+ local message="${3:?}"
+ local addr
+
+ for addr in "${DNS_ADDRESSES[@]}"; do
+ run delv "@$addr" -t "$record" "$domain"
+ grep -qF "$message" "$RUN_OUT"
+ done
+
+ run delv -t "$record" "$domain"
+ grep -qF "$message" "$RUN_OUT"
+
+ run resolvectl query "$domain"
+ grep -qF "authenticated: yes" "$RUN_OUT"
+}
+
+check_domain "dupe.signed.test" "A" "; fully validated"
+check_domain "dupe.signed.test" "AAAA" "; negative response, fully validated"
+check_domain "dupe-ipv6.signed.test" "AAAA" "; fully validated"
+check_domain "dupe-ipv6.signed.test" "A" "; negative response, fully validated"
+check_domain "dupe-mixed.signed.test" "A" "; fully validated"
+check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated"
# Test resolution of CNAME chains
TIMESTAMP=$(date '+%F %T')
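Review bot: The `_untrustedsvc._udp` check asserts `authenticated: yes` for a reply whose target addresses (10.0.0.123 and fd00:dead:beef:cafe::123) come from untrusted.test, a zone that this script expects to resolve with `authenticated: no` when queried directly. If the flag is meant to describe only the SRV RRset from signed.test, a comment next to the assertion should say so. Otherwise the test pins a result in which unauthenticated addresses are reported as authenticated. The later `resolvectl service _mysvc._tcp untrusted.test` check in the untrusted.test section asserts no authentication state at all. Adding `grep -qF "authenticated: no" "$RUN_OUT"` there would match the query check above it, provided the service output carries that line.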
@@ -347,7 +437,7 @@ grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT"
# Check the trust chain (with and without systemd-resolved in between
# Issue: https://github.com/systemd/systemd/issues/22002
# PR: https://github.com/systemd/systemd/pull/23289
-run delv @10.0.0.1 sub.onlinesign.test
+run delv @ns1.unsigned.test sub.onlinesign.test
grep -qF "; fully validated" "$RUN_OUT"
run delv sub.onlinesign.test
grep -qF "; fully validated" "$RUN_OUT"
@@ -357,10 +447,27 @@ grep -qF "10.0.0.133" "$RUN_OUT"
run resolvectl query sub.onlinesign.test
grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT"
grep -qF "authenticated: yes" "$RUN_OUT"
-run dig @10.0.0.1 +short TXT onlinesign.test
+run dig @ns1.unsigned.test +short TXT onlinesign.test
grep -qF '"hello from onlinesign"' "$RUN_OUT"
run resolvectl query --legend=no -t TXT onlinesign.test
grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT"
+
+for addr in "${DNS_ADDRESSES[@]}"; do
+ run delv "@$addr" -t A dual.onlinesign.test
+ grep -qF "10.0.0.135" "$RUN_OUT"
+ run delv "@$addr" -t AAAA dual.onlinesign.test
+ grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
+ run delv "@$addr" -t ANY ipv6.onlinesign.test
+ grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
+done
+run resolvectl query dual.onlinesign.test
+grep -qF "10.0.0.135" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+run resolvectl query ipv6.onlinesign.test
+grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT"
+grep -qF "authenticated: yes" "$RUN_OUT"
+
# Check a non-existent domain
# Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the
# different response than with "standard" DNSSEC
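Review bot: The three `delv` calls in the `DNS_ADDRESSES` loop grep only for the returned address, so they would still pass if delv reported the answer as unsigned. The equivalent loop for mail.signed.test asserts `; fully validated` after every call. Add `grep -qF "; fully validated" "$RUN_OUT"` after each `delv` here as well, so that the online-signing zone is checked for validation over both the IPv4 and the IPv6 server address rather than only for data.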
@@ -378,12 +485,23 @@ run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedeskt
grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134"
+
: "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
-run dig +short untrusted.test
-grep -qF "10.0.0.121" "$RUN_OUT"
+# Issue: https://github.com/systemd/systemd/issues/23955
+# FIXME
+resolvectl flush-caches
+#run dig +short untrusted.test A untrusted.test AAAA
+#grep -qF "10.0.0.121" "$RUN_OUT"
+#grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
run resolvectl query untrusted.test
-grep -qF "untrusted.test: 10.0.0.121" "$RUN_OUT"
+grep -qF "untrusted.test:" "$RUN_OUT"
+grep -qF "10.0.0.121" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT"
grep -qF "authenticated: no" "$RUN_OUT"
+run resolvectl service _mysvc._tcp untrusted.test
+grep -qF "myservice.untrusted.test:1234" "$RUN_OUT"
+grep -qF "10.0.0.123" "$RUN_OUT"
+grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT"
# Issue: https://github.com/systemd/systemd/issues/19472
# 1) Query for a non-existing RR should return NOERROR + NSEC (?), not NXDOMAIN