Support additional systemd-resolved options / org.freedesktop.resolve1 DBUS endpoints

CHANGELOG.md

@@ -4,6 +4,10 @@
 
 ### IMPROVEMENTS
 
+- Support additional DBus calls `ResetServerFeatures`, `ResetStatistics`,
+  `DNSDefaultRoute`, `SetLinkDNSOverTLS`, `SetLinkLLMNR`,
+  `SetLinkMulticastDNS`, and `SetLinkNegativeDNSSECTrustAnchors`
+  ([#110](https://github.com/jonathanio/update-systemd-resolved/pull/110])).
 - Check that the `org.freedesktop.resolve1` endpoint is available and
   short-circuit with an error message if not
   ([#105](https://github.com/jonathanio/update-systemd-resolved/pull/105)).

HACKING.md

@@ -64,8 +64,12 @@ and [linking them to Nix packages](https://nixos.org/manual/nixos/stable/index.h
 This project's NixOS test sets up three machines:
 
 1. An OpenVPN server,
-2. An OpenVPN client, and
-3. A DNS resolver running [Dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html).
+2. An OpenVPN client,
+3. A DNS resolver running an instance of
+   [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) bound only to the
+   loopback address, plus an instance of
+   [RouteDNS](https://github.com/folbricht/routedns) bound to an address
+   reachable by the other machines.
 
 The OpenVPN server and client run a [point-to-point configuration with a static
 key](https://openvpn.net/community-resources/static-key-mini-howto/).  The
@@ -77,6 +81,12 @@ and then asserts that certain hostnames are resolvable _from the client_ that
 would not be resolvable unless the client were configured to use the DNS
 settings specified in its OpenVPN configuration file.
 
+The resolver machine uses dnsmasq for actual name resolution, plus DNSSEC
+validation.  The RouteDNS instance running on the same machine terminates
+DNS-over-TLS and forwards queries to dnsmasq.  Dnsmasq handles DNSSEC (though
+we exempt the VPN domain from DNSSEC validation, as a test of the
+`SetLinkDNSSECNegativeTrustAnchors` feature).
+
 #### Extending the NixOS test
 
 If you are implementing a new feature or correcting a bug in
@@ -113,6 +123,20 @@ $ nix build -L '.#checks.x86_64-linux.update-systemd-resolved'
 [^supported-systems]: Run `nix flake show` to view flake outputs namespaced by
                       all supported systems.
 
+#### Maintaining NixOS test assets
+
+##### Regenerating the DNS-over-TLS keypair
+
+To regenerate the keypair used for testing DNS-over-TLS, [enter the
+devshell](#entering-the-nix-development-shell) and [run
+`mkdotcert`](#summary-of-available-commands).
+
+##### Regenerating the DNSSEC root anchors
+
+To regenerate the dnsmasq root anchor specification used for testing DNSSEC,
+[enter the devshell](#entering-the-nix-development-shell) and [run
+`mkanchor`](#summary-of-available-commands).
+
 ### Entering the Nix development shell
 
 To enter the Nix development shell, run the following command:
@@ -127,3 +151,7 @@ shell.
 #### Summary of available commands
 
 - `fmt`: format all Nix code in this project using [`alejandra`](https://github.com/kamadorueda/alejandra).
+- `mkdotcert`: regenerate the keypair used for encrypting DNS-over-TLS in the
+  NixOS system test.
+- `mkanchor`: regenerate the DNSSEC trust anchors configuration used with
+  dnsmasq in the NixOS system test.