Merge pull request #7 from jonathanio/feature/dnssec-support

Add DNSSEC Support

Author: jonathanio

run-tests

@@ -64,6 +64,19 @@ function busctl {
                 "     Received: '${@}'"
       fi
       ;;
+    SetLinkDNSSEC)
+      shift 2
+      if [[ "${TEST_BUSCTL_DNSSEC}" == "" ]]; then
+        [[ "${ip_ifindex} ${TEST_BUSCTL_DNSSEC}" == "${@}" ]] || \
+          _fail "SetLinkDNSSEC was called and should not be: '${@}'"
+      else
+        [[ "${ip_ifindex} ${TEST_BUSCTL_DNSSEC}" == "${@}" ]] && \
+          _pass "SetLinkDNSSEC was called correctly" || \
+          _fail "SetLinkDNSSEC was not given the correct arguments:\n" \
+                "     Expected: '${ip_ifindex} ${TEST_BUSCTL_DNSSEC}'\n" \
+                "     Received: '${@}'"
+      fi
+      ;;
     *)
       _fail "Unknown command called on busctl: ${1}"
       ;;

tests/20_dnssec_only.sh

@@ -0,0 +1,25 @@
+script_type="up"
+dev="tun20"
+
+TEST_BUSCTL_CALLED=1
+
+declare -A test_options=(
+  ['default']='""'
+  ['Default']='""'
+  ['true']='yes'
+  ['True']='yes'
+  ['yes']='yes'
+  ['Yes']='yes'
+  ['false']='no'
+  ['False']='no'
+  ['no']='no'
+  ['No']='no'
+  ['allow-downgrade']='allow-downgrade'
+)
+
+for test_option in "${!test_options[@]}"; do
+  TEST_TITLE="DNSSEC Set to $test_option"
+  TEST_BUSCTL_DNSSEC="${test_options["$test_option"]}"
+  foreign_option_1="dhcp-option DNSSEC $test_option"
+  runtest
+done

tests/21_dnssec_invalid_options.sh

@@ -0,0 +1,17 @@
+script_type="up"
+dev="tun21"
+
+TEST_BUSCTL_CALLED=0
+EXPECT_FAILURE=1
+
+declare -a test_invalids=(
+  '1'
+  '0'
+  'DOWNGRADE'
+)
+
+for test_option in "${test_invalids[@]}"; do
+  TEST_TITLE="DNSSEC Set to $test_option"
+  foreign_option_1="dhcp-option DNSSEC $test_option"
+  runtest
+done

tests/22_dns_dnssec_domain_and_search.sh

@@ -0,0 +1,14 @@
+script_type="up"
+dev="tun22"
+foreign_option_1="dhcp-option DNS 1.23.4.56"
+foreign_option_2="dhcp-option DNS 1234:567:89::ab:cdef"
+foreign_option_3="dhcp-option DOMAIN example.com"
+foreign_option_4="dhcp-option DOMAIN-SEARCH example.org"
+foreign_option_5="dhcp-option DOMAIN-ROUTE example.net"
+foreign_option_6="dhcp-option DNSSEC yes"
+
+TEST_TITLE="DNS, DNSSEC, Domain, Search, and Route"
+TEST_BUSCTL_CALLED=1
+TEST_BUSCTL_DOMAINS="3 example.com false example.org false example.net true"
+TEST_BUSCTL_DNSSEC="yes"
+TEST_BUSCTL_DNS="2 2 4 1 23 4 56 2 16 18 52 5 103 0 137 0 0 0 0 0 0 0 171 205 239"

update-systemd-resolved

@@ -18,10 +18,10 @@
 
 # This script will parse DHCP options set via OpenVPN (dhcp-option) to update
 # systemd-resolved directly via DBus, instead of updating /etc/resolv.conf. To
-# install, set as the 'up' and 'down' script in your OpenVPN configuration file
+# install, set as the 'up' and 'down-pre' script in your OpenVPN configuration file
 # or command-line argument. For example:
 #   up /etc/openvpn/update-systemd-resolved
-#   down /etc/openvpn/update-systemd-resolved
+#   down-pre /etc/openvpn/update-systemd-resolved
 
 # Define what needs to be called via DBus
 DBUS_DEST="org.freedesktop.resolve1"
@@ -82,6 +82,7 @@ up() {
   # functions.
   local -a dns_servers=() dns_domain=() dns_search=() dns_routed=()
   local -i dns_server_count=0 dns_domain_count=0 dns_search_count=0 dns_routed_count=0
+  local dns_sec=""
 
   while read -r setting; do
     setting_type="${setting%% *}"
@@ -120,6 +121,17 @@ up() {
     info "SetLinkDomains(${busctl_params[*]})"
     busctl_call SetLinkDomains 'ia(sb)' "${busctl_params[@]}" || return $?
   fi
+
+  if [[ -n "${dns_sec}" ]]; then
+    if [[ "${dns_sec}" == "default" ]]; then
+      # We need to provide an empty string to use the default settings
+      busctl_params=("$if_index" '""')
+    else
+      busctl_params=("$if_index" "${dns_sec}")
+    fi
+    info "SetLinkDNSSEC(${busctl_params[*]})"
+    busctl_call SetLinkDNSSEC 'is' "${busctl_params[@]}" || return $?
+  fi
 }
 
 down() {
@@ -340,6 +352,29 @@ process_domain_route() {
   dns_routed+=("${domain}" true)
 }
 
+process_dnssec() {
+  local option="$1" setting=""
+  shift
+
+  case "${option,,}" in
+    yes|true)
+      setting="yes" ;;
+    no|false)
+      setting="no" ;;
+    default)
+      setting="default" ;;
+    allow-downgrade)
+      setting="allow-downgrade" ;;
+    *)
+      local message="\`$option' is not a valid DNSSEC option"
+      emerg "${message}"
+      return 1 ;;
+  esac
+
+  info "Setting DNSSEC to ${setting}"
+  dns_sec="${setting}"
+}
+
 main() {
   local script_type="$1"
   shift
@@ -368,5 +403,5 @@ main() {
 if [[ "${BASH_SOURCE[0]}" == "$0" ]] || [[ "$AUTOMATED_TESTING" == 1 ]]; then
   set -o nounset
 
-  main "$script_type" "$dev" "$@"
+  main "${script_type:-}" "${dev:-}" "$@"
 fi