


4 Commits

Nick Rosbrook
1be088c299 test: ensure that reload updates DNSSEC and DNSOverTLS on link scopes 2025-08-27 22:33:38 +09:00
Nick Rosbrook
f818c3d6b6 test: use numeric prefixes in resolved.conf.d overrides
There are a lot of resolved.conf.d drop-ins used in these tests. Use
proper numeric prefixes, especially to avoid confusion with sorting
relative to test.conf.

Make the test base config 10-test.conf, and use 90-*.conf elsewhere.
2025-08-27 22:33:38 +09:00
Nick Rosbrook
6d22472089 resolve: re-create link unicast scopes on reload
On reload, resolved does not apply new DNSSEC= (or DNSOverTLS=) settings
on links, because the link unicast scopes are not re-created. However,
the servers and link states are updated correctly, so resolvectl and link
state files do show the new setting, leading users to believe the change
took effect immediately, the same way `resolvectl dnssec` does.

Fix this by freeing all of the link unicast scopes during reload, so
that they are re-created with the new settings in link_allocate_scopes().
2025-08-27 22:33:38 +09:00
Nick Rosbrook
71da422058 resolve: include DNSSEC and DNSOverTLS modes in dumps
This is useful for testing and debugging. E.g., one can examine the
active DNSSEC mode of the scope using:

$ resolvectl show-cache
2025-08-27 22:33:38 +09:00
5 changed files with 112 additions and 27 deletions


@ -3321,6 +3321,8 @@ static int dump_cache_scope(sd_json_variant *scope) {
int ifindex;
const char *ifname;
sd_json_variant *cache;
const char *dnssec_mode;
const char *dns_over_tls_mode;
} scope_info = {
.family = AF_UNSPEC,
};
@ -3333,6 +3335,8 @@ static int dump_cache_scope(sd_json_variant *scope) {
{ "ifindex", _SD_JSON_VARIANT_TYPE_INVALID, json_dispatch_ifindex, offsetof(struct scope_info, ifindex), SD_JSON_RELAX },
{ "ifname", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(struct scope_info, ifname), 0 },
{ "cache", SD_JSON_VARIANT_ARRAY, sd_json_dispatch_variant_noref, offsetof(struct scope_info, cache), SD_JSON_MANDATORY },
{ "dnssec", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(struct scope_info, dnssec_mode), 0 },
{ "dnsOverTLS", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(struct scope_info, dns_over_tls_mode), 0 },
{},
};
@ -3350,6 +3354,13 @@ static int dump_cache_scope(sd_json_variant *scope) {
if (scope_info.ifname)
printf(" ifname=%s", scope_info.ifname);
if (dns_protocol_from_string(scope_info.protocol) == DNS_PROTOCOL_DNS) {
if (scope_info.dnssec_mode)
printf(" DNSSEC=%s", scope_info.dnssec_mode);
if (scope_info.dns_over_tls_mode)
printf(" DNSOverTLS=%s", scope_info.dns_over_tls_mode);
}
printf("%s\n", ansi_normal());
JSON_VARIANT_ARRAY_FOREACH(i, scope_info.cache) {
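Review bot: The outer `if (dns_protocol_from_string(scope_info.protocol) == DNS_PROTOCOL_DNS)` around the two new printf calls duplicates a decision the server already makes: the server only attaches `dnssec`/`dnsOverTLS` to DNS scopes and both fields are nullable, so the existing `if (scope_info.dnssec_mode)` / `if (scope_info.dns_over_tls_mode)` checks are sufficient on their own. Dropping the protocol test would keep the client printing whatever the server sends, without re-deriving an enum from a string just to compare it. If the `protocol` entry in the dispatch table (above this hunk) is not mandatory, the call would also need to tolerate a NULL `scope_info.protocol`; I cannot see that entry here. dump_cache_scope continues past the end of the hunk.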


@ -1427,6 +1427,14 @@ void dns_scope_dump(DnsScope *s, FILE *f) {
fputs(s->delegate->id, f);
}
if (s->protocol == DNS_PROTOCOL_DNS) {
fputs(" DNSSEC=", f);
fputs(dnssec_mode_to_string(s->dnssec_mode), f);
fputs(" DNSOverTLS=", f);
fputs(dns_over_tls_mode_to_string(s->dns_over_tls_mode), f);
}
fputs("]\n", f);
if (!dns_zone_is_empty(&s->zone)) {
@ -1802,7 +1810,13 @@ int dns_scope_dump_cache_to_json(DnsScope *scope, sd_json_variant **ret) {
SD_JSON_BUILD_PAIR_CONDITION(scope->family != AF_UNSPEC, "family", SD_JSON_BUILD_INTEGER(scope->family)),
SD_JSON_BUILD_PAIR_CONDITION(!!scope->link, "ifindex", SD_JSON_BUILD_INTEGER(dns_scope_ifindex(scope))),
SD_JSON_BUILD_PAIR_CONDITION(!!scope->link, "ifname", SD_JSON_BUILD_STRING(dns_scope_ifname(scope))),
SD_JSON_BUILD_PAIR_VARIANT("cache", cache));
SD_JSON_BUILD_PAIR_VARIANT("cache", cache),
SD_JSON_BUILD_PAIR_CONDITION(scope->protocol == DNS_PROTOCOL_DNS,
"dnssec",
SD_JSON_BUILD_STRING(dnssec_mode_to_string(scope->dnssec_mode))),
SD_JSON_BUILD_PAIR_CONDITION(scope->protocol == DNS_PROTOCOL_DNS,
"dnsOverTLS",
SD_JSON_BUILD_STRING(dns_over_tls_mode_to_string(scope->dns_over_tls_mode))));
}
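Review bot: In dns_scope_dump the new `fputs(dnssec_mode_to_string(s->dnssec_mode), f)` and `fputs(dns_over_tls_mode_to_string(s->dns_over_tls_mode), f)` pass the lookup result straight to fputs; systemd string-table `_to_string()` helpers return NULL for a value outside the table, and fputs(NULL) is undefined behaviour. Nothing in this hunk shows that a scope's modes are guaranteed valid at dump time, so the defensive form `fputs(strna(dnssec_mode_to_string(s->dnssec_mode)), f);` (and the same for the DNSOverTLS line) would make the dump robust at no cost. The JSON builder in the second hunk declares the same two fields nullable on the interface side, so it presumably tolerates a NULL there already; the text dump is the only caller that does not. Both enclosing functions start above their hunks.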
int dns_type_suitable_for_protocol(uint16_t type, DnsProtocol protocol) {


@ -645,6 +645,7 @@ static void manager_set_defaults(Manager *m) {
static int manager_dispatch_reload_signal(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
Manager *m = ASSERT_PTR(userdata);
Link *l;
int r;
(void) notify_reloading();
@ -679,6 +680,12 @@ static int manager_dispatch_reload_signal(sd_event_source *s, const struct signa
if (r < 0)
return sd_event_exit(sd_event_source_get_event(s), r);
/* A link's unicast scope may also be influenced by the manager's configuration. I.e., DNSSEC= and DNSOverTLS=
* from the manager will be used if not explicitly configured on the link. Free the scopes here so that
* link_allocate_scopes() in on_network_event() re-creates them. */
HASHMAP_FOREACH(l, m->links)
l->unicast_scope = dns_scope_free(l->unicast_scope);
/* The configuration has changed, so reload the per-interface configuration too in order to take
* into account any changes (e.g.: enable/disable DNSSEC). */
r = on_network_event(/* source= */ NULL, -EBADF, /* revents= */ 0, m);
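Review bot: The HASHMAP_FOREACH loop frees every link's unicast scope on every reload, whether or not the effective DNSSEC=/DNSOverTLS= mode for that link actually changed, so a reload that only touched an unrelated setting still discards each scope's state (its per-scope cache and any in-flight transactions, if dns_scope_free tears those down as it does on link removal — that function is not visible here). If that cost matters, the free could be limited to scopes whose current `dnssec_mode`/`dns_over_tls_mode` differ from what link_allocate_scopes() would now assign, and the comment could state that the scope's cache is deliberately dropped. The commit message only covers link scopes; whether the manager-level unicast scope needs the same treatment for manager-wide setting changes is worth confirming, since it is not touched in this hunk. manager_dispatch_reload_signal continues past the end of the hunk.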


@ -48,7 +48,9 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
SD_VARLINK_DEFINE_FIELD(family, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_FIELD(ifindex, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_FIELD(ifname, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_FIELD_BY_TYPE(cache, CacheEntry, SD_VARLINK_ARRAY));
SD_VARLINK_DEFINE_FIELD_BY_TYPE(cache, CacheEntry, SD_VARLINK_ARRAY),
SD_VARLINK_DEFINE_FIELD(dnssec, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
SD_VARLINK_DEFINE_FIELD(dnsOverTLS, SD_VARLINK_STRING, SD_VARLINK_NULLABLE));
static SD_VARLINK_DEFINE_METHOD(
DumpCache,


@ -135,7 +135,7 @@ EOF
echo "FallbackDNS="
echo "DNSSEC=allow-downgrade"
echo "DNSOverTLS=opportunistic"
} >/run/systemd/resolved.conf.d/test.conf
} >/run/systemd/resolved.conf.d/10-test.conf
ln -svf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# Override the default NTA list, which turns off DNSSEC validation for (among
# others) the test. domain
@ -232,7 +232,6 @@ manual_testcase_01_resolvectl() {
# Cleanup
# shellcheck disable=SC2317
cleanup() {
rm -f /run/systemd/resolved.conf.d/mdns-llmnr.conf
ip link del hoge
ip link del hoge.foo
}
@ -320,7 +319,7 @@ manual_testcase_02_mdns_llmnr() {
# Cleanup
cleanup() {
rm -f /run/systemd/resolved.conf.d/mdns-llmnr.conf
rm -f /run/systemd/resolved.conf.d/90-mdns-llmnr.conf
ip link del hoge
ip link del hoge.foo
}
@ -332,7 +331,7 @@ manual_testcase_02_mdns_llmnr() {
echo "[Resolve]"
echo "MulticastDNS=no"
echo "LLMNR=no"
} >/run/systemd/resolved.conf.d/mdns-llmnr.conf
} >/run/systemd/resolved.conf.d/90-mdns-llmnr.conf
restart_resolved
# make sure networkd is not running.
systemctl stop systemd-networkd.service
@ -343,7 +342,7 @@ manual_testcase_02_mdns_llmnr() {
echo "[Resolve]"
echo "MulticastDNS=yes"
echo "LLMNR=yes"
} >/run/systemd/resolved.conf.d/mdns-llmnr.conf
} >/run/systemd/resolved.conf.d/90-mdns-llmnr.conf
systemctl reload systemd-resolved.service
# defaults to yes (both the global and per-link settings are yes)
assert_in 'yes' "$(resolvectl mdns hoge)"
@ -367,7 +366,7 @@ manual_testcase_02_mdns_llmnr() {
echo "[Resolve]"
echo "MulticastDNS=resolve"
echo "LLMNR=resolve"
} >/run/systemd/resolved.conf.d/mdns-llmnr.conf
} >/run/systemd/resolved.conf.d/90-mdns-llmnr.conf
systemctl reload systemd-resolved.service
# set per-link setting
resolvectl mdns hoge yes
@ -387,7 +386,7 @@ manual_testcase_02_mdns_llmnr() {
echo "[Resolve]"
echo "MulticastDNS=no"
echo "LLMNR=no"
} >/run/systemd/resolved.conf.d/mdns-llmnr.conf
} >/run/systemd/resolved.conf.d/90-mdns-llmnr.conf
systemctl reload systemd-resolved.service
(! lsof -p "$(systemctl show --property MainPID --value systemd-resolved.service)" | grep -q ":mdns\|:5353")
# set per-link setting
@ -792,10 +791,62 @@ testcase_08_resolved() {
}
testcase_09_resolvectl_showcache() {
# Cleanup
# shellcheck disable=SC2317
cleanup() {
rm -f /run/systemd/resolved.conf.d/90-resolved.conf
rm -f /run/systemd/network/10-dns2.netdev
rm -f /run/systemd/network/10-dns2.network
networkctl reload
systemctl reload systemd-resolved.service
resolvectl revert dns0
}
trap cleanup RETURN
### Test resolvectl show-cache
run resolvectl show-cache
run resolvectl show-cache --json=short
run resolvectl show-cache --json=pretty
# Use resolvectl show-cache to check that reloding resolved updates scope
# DNSSEC and DNSOverTLS modes.
{
echo "[NetDev]"
echo "Name=dns2"
echo "Kind=dummy"
} > /run/systemd/network/10-dns2.netdev
{
echo "[Match]"
echo "Name=dns2"
echo "[Network]"
echo "IPv6AcceptRA=no"
echo "Address=10.123.0.1/24"
echo "DNS=10.0.0.1"
} > /run/systemd/network/10-dns2.network
networkctl reload
networkctl reconfigure dns2
mkdir -p /run/systemd/resolved.conf.d/
{
echo "[Resolve]"
echo "DNSSEC=no"
echo "DNSOverTLS=no"
} > /run/systemd/resolved.conf.d/90-resolved.conf
systemctl reload systemd-resolved.service
test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnssec')" == 'no'
test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnsOverTLS')" == 'no'
{
echo "[Resolve]"
echo "DNSSEC=allow-downgrade"
echo "DNSOverTLS=opportunistic"
} > /run/systemd/resolved.conf.d/90-resolved.conf
systemctl reload systemd-resolved.service
test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnssec')" == 'allow-downgrade'
test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnsOverTLS')" == 'opportunistic'
}
testcase_10_resolvectl_json() {
@ -857,7 +908,7 @@ testcase_11_nft() {
{
echo "[Resolve]"
echo "StaleRetentionSec=1d"
} >/run/systemd/resolved.conf.d/test.conf
} >/run/systemd/resolved.conf.d/10-test.conf
systemctl reload systemd-resolved.service
run dig stale1.unsigned.test -t A
@ -948,7 +999,7 @@ testcase_12_resolvectl2() {
# Cleanup
# shellcheck disable=SC2317
cleanup() {
rm -f /run/systemd/resolved.conf.d/reload.conf
rm -f /run/systemd/resolved.conf.d/90-reload.conf
systemctl reload systemd-resolved.service
resolvectl revert dns0
}
@ -1003,7 +1054,7 @@ testcase_12_resolvectl2() {
echo "[Resolve]"
echo "DNS=8.8.8.8"
echo "DNSStubListenerExtra=127.0.0.153"
} >/run/systemd/resolved.conf.d/reload.conf
} >/run/systemd/resolved.conf.d/90-reload.conf
resolvectl dns dns0 1.1.1.1
systemctl reload systemd-resolved.service
resolvectl status
@ -1021,7 +1072,7 @@ testcase_12_resolvectl2() {
echo "[Resolve]"
echo "DNS=8.8.4.4"
echo "DNSStubListenerExtra=127.0.0.154"
} >/run/systemd/resolved.conf.d/reload.conf
} >/run/systemd/resolved.conf.d/90-reload.conf
systemctl reload systemd-resolved.service
resolvectl status
@ -1053,7 +1104,7 @@ testcase_13_varlink_subscribe_dns_configuration() {
echo "===== io.systemd.Resolve.Monitor.SubscribeDNSConfiguration output: ====="
cat "$tmpfile"
echo "=========="
rm -f /run/systemd/resolved.conf.d/global-dns.conf
rm -f /run/systemd/resolved.conf.d/90-global-dns.conf
restart_resolved
resolvectl revert dns0
}
@ -1071,7 +1122,7 @@ testcase_13_varlink_subscribe_dns_configuration() {
{
echo "[Resolve]"
echo "DNS="
} > /run/systemd/resolved.conf.d/global-dns.conf
} > /run/systemd/resolved.conf.d/90-global-dns.conf
systemctl reload systemd-resolved.service
resolvectl dns dns0 ""
resolvectl domain dns0 ""
@ -1089,7 +1140,7 @@ testcase_13_varlink_subscribe_dns_configuration() {
echo "[Resolve]"
echo "DNS=8.8.8.8"
echo "Domains=lan"
} > /run/systemd/resolved.conf.d/global-dns.conf
} > /run/systemd/resolved.conf.d/90-global-dns.conf
systemctl reload systemd-resolved.service
# Update a link configuration.
@ -1127,7 +1178,7 @@ testcase_13_varlink_subscribe_dns_configuration() {
testcase_14_refuse_record_types() {
# shellcheck disable=SC2317
cleanup() {
rm -f /run/systemd/resolved.conf.d/refuserecords.conf
rm -f /run/systemd/resolved.conf.d/90-refuserecords.conf
restart_resolved
}
trap cleanup RETURN ERR
@ -1136,7 +1187,7 @@ testcase_14_refuse_record_types() {
{
echo "[Resolve]"
echo "RefuseRecordTypes=AAAA SRV TXT"
} >/run/systemd/resolved.conf.d/refuserecords.conf
} >/run/systemd/resolved.conf.d/90-refuserecords.conf
systemctl reload systemd-resolved.service
run dig localhost -t AAAA
@ -1185,7 +1236,7 @@ testcase_14_refuse_record_types() {
{
echo "[Resolve]"
echo "RefuseRecordTypes=AAAA"
} >/run/systemd/resolved.conf.d/refuserecords.conf
} >/run/systemd/resolved.conf.d/90-refuserecords.conf
systemctl reload systemd-resolved.service
run dig localhost -t SRV
@ -1234,7 +1285,7 @@ testcase_14_refuse_record_types() {
{
echo "[Resolve]"
echo "RefuseRecordTypes=A AAAA"
} >/run/systemd/resolved.conf.d/refuserecords.conf
} >/run/systemd/resolved.conf.d/90-refuserecords.conf
systemctl reload systemd-resolved.service
run resolvectl service _mysvc._tcp signed.test
@ -1256,7 +1307,7 @@ testcase_14_refuse_record_types() {
{
echo "[Resolve]"
echo "RefuseRecordTypes=AAAA TXT"
} >/run/systemd/resolved.conf.d/refuserecords.conf
} >/run/systemd/resolved.conf.d/90-refuserecords.conf
systemctl reload systemd-resolved.service
run resolvectl service _mysvc._tcp signed.test
@ -1277,7 +1328,7 @@ testcase_14_refuse_record_types() {
{
echo "[Resolve]"
echo "RefuseRecordTypes=SRV"
} >/run/systemd/resolved.conf.d/refuserecords.conf
} >/run/systemd/resolved.conf.d/90-refuserecords.conf
systemctl reload systemd-resolved.service
(! run resolvectl service _mysvc._tcp signed.test)
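Review bot: In the new testcase_09_resolvectl_showcache the cleanup function removes `10-dns2.netdev` and `10-dns2.network` and reloads networkd, but never deletes the dummy link itself, whereas the other cleanups in this file do `ip link del hoge`; adding `ip link del dns2` there would stop the `dns2` link from lingering into later testcases. The comment above the first block also has a typo: `# Use resolvectl show-cache to check that reloading resolved updates scope`. The first `systemctl reload systemd-resolved.service` follows `networkctl reconfigure dns2` with no wait for the link to be configured; if resolved has not yet learned about dns2 the jq `select(.ifname == "dns2" ...)` matches nothing and the first `test` fails with an empty string rather than a clear message, so a short wait or a retry loop on the `resolvectl show-cache` query may be needed for reliability (I cannot tell from the hunk whether reconfigure blocks). The remaining hunks in this file only rename drop-in files and need no change.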