test: check how systemd-resolved deals with zone transfers

Even though systemd-resolved doesn't support zone transfers (AXFR/IXFR), it should still just refuse such requests without choking on them. See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804
2024-11-27 20:23:36 +08:00 · 2024-01-07 22:22:52 +01:00 · 2024-01-07 22:22:52 +01:00 · 5bd1122843
commit 5bd1122843
parent b4f17b07cf
2 changed files with 19 additions and 1 deletions
--- a/test/knot-data/knot.conf
+++ b/test/knot-data/knot.conf
@ -19,6 +19,11 @@ acl:
      address: fd00:dead:beef:cafe::/64
      action: update

+    - id: transfer_acl
+      address: 10.0.0.0/24
+      address: fd00:dead:beef:cafe::/64
+      action: transfer
+
 remote:
    - id: parent_zone_server
      address: 10.0.0.1@53
@ -94,8 +99,9 @@ zone:
    - domain: test
      dnssec-policy: auto_rollover_nsec3

-    # A fully (pre-)signed zone
+    # A fully (pre-)signed zone with allowed zone transfers (AXFR/IXFR)
    - domain: signed.test
+      acl: [update_acl, transfer_acl]

    # A fully (online)-signed zone
    # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
--- a/test/units/testsuite-75.sh
+++ b/test/units/testsuite-75.sh
@ -413,6 +413,18 @@ grep -qF "; fully validated" "$RUN_OUT"
 run resolvectl openpgp mr.smith@signed.test
 grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT"
 grep -qF "authenticated: yes" "$RUN_OUT"
+# Check zone transfers (AXFR/IXFR)
+# Note: since resolved doesn't support zone transfers, let's just make sure it
+#       simply refuses such requests without choking on them
+# See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804
+run dig @ns1.unsigned.test AXFR signed.test
+grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
+run dig AXFR signed.test
+grep -qF "; Transfer failed" "$RUN_OUT"
+run dig @ns1.unsigned.test IXFR=43 signed.test
+grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
+run dig IXFR=43 signed.test
+grep -qF "; Transfer failed" "$RUN_OUT"

 # DNSSEC validation with multiple records of the same type for the same name
 # Issue: https://github.com/systemd/systemd/issues/22002