From 5bd11228436978be24582f073daf6bf7a5bae8d2 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Sun, 7 Jan 2024 22:22:52 +0100
Subject: [PATCH] test: check how systemd-resolved deals with zone transfers

Even though systemd-resolved doesn't support zone transfers (AXFR/IXFR), it should still just refuse such requests without choking on them. See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804
---
 test/knot-data/knot.conf | 8 +++++++-
 test/units/testsuite-75.sh | 12 ++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
index a1fc64f7a50..245fa75cf7c 100644
--- a/test/knot-data/knot.conf
+++ b/test/knot-data/knot.conf
@@ -19,6 +19,11 @@ acl:
     address: fd00:dead:beef:cafe::/64
     action: update
 
+  - id: transfer_acl
+    address: 10.0.0.0/24
+    address: fd00:dead:beef:cafe::/64
+    action: transfer
+
 remote:
   - id: parent_zone_server
     address: 10.0.0.1@53
@@ -94,8 +99,9 @@ zone:
   - domain: test
     dnssec-policy: auto_rollover_nsec3
 
-  # A fully (pre-)signed zone
+  # A fully (pre-)signed zone with allowed zone transfers (AXFR/IXFR)
   - domain: signed.test
+    acl: [update_acl, transfer_acl]
 
   # A fully (online)-signed zone
   # See: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#mod-onlinesign
diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh
index f3c27db7b4f..a4e2e0547bb 100755
--- a/test/units/testsuite-75.sh
+++ b/test/units/testsuite-75.sh
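Review bot: `transfer_acl` grants `action: transfer` to every host in 10.0.0.0/24 and fd00:dead:beef:cafe::/64 with no `key:`, so any peer on those subnets can pull the complete signed.test zone; that mirrors the address-only update ACL right above it and is acceptable for an isolated test network, but nothing in the file says so. A one-line comment above `- id: transfer_acl`, `# address-only ACL, acceptable only on the isolated test network`, would keep the block from being copied into a real deployment unchanged. The `acl:` block header and the start of the preceding ACL entry are above the hunk.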
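Review bot: The new `acl: [update_acl, transfer_acl]` line on `signed.test` presumably replaces the ACL list the zone inherited before (in Knot a zone-level `acl` overrides the template's), which is why `update_acl` has to be repeated here, but that reason is not recorded anywhere. A comment above the line such as `# an explicit acl replaces the inherited one, so update_acl must stay listed` would stop a later edit from dropping it and silently breaking the dynamic-update checks. The template this zone uses is outside the hunk, so I cannot confirm it is the source of update_acl.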
@@ -413,6 +413,18 @@ grep -qF "; fully validated" "$RUN_OUT"
 run resolvectl openpgp mr.smith@signed.test
 grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT"
 grep -qF "authenticated: yes" "$RUN_OUT"
+# Check zone transfers (AXFR/IXFR)
+# Note: since resolved doesn't support zone transfers, let's just make sure it
+# simply refuses such requests without choking on them
+# See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804
+run dig @ns1.unsigned.test AXFR signed.test
+grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
+run dig AXFR signed.test
+grep -qF "; Transfer failed" "$RUN_OUT"
+run dig @ns1.unsigned.test IXFR=43 signed.test
+grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT"
+run dig IXFR=43 signed.test
+grep -qF "; Transfer failed" "$RUN_OUT"
 
 # DNSSEC validation with multiple records of the same type for the same name
 # Issue: https://github.com/systemd/systemd/issues/22002
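Review bot: `grep -qF "; Transfer failed"` only establishes that dig gave up on the transfer; a dropped or hung connection on resolved's side may surface under the same dig message, so the check cannot separate a clean refusal from the "choking" the commit description wants to rule out, and dig's exit status is not asserted (how `run` propagates it is outside the hunk). Following each refused transfer with an ordinary lookup through the stub, e.g. `run resolvectl query signed.test` after each `; Transfer failed` check, would confirm resolved is still answering afterwards. The unescaped dots in `SOA\s+ns1.unsigned.test. root.unsigned.test.` match any character; `\.` would pin the names exactly, though that is only a point of style.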