Cargo.lock

@@ -1107,9 +1107,9 @@ dependencies = [
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.16"
+version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a210d160f08b701c8721ba1c726c11662f877ea6b7094007e1ca9a1041945034"
+checksum = "11cd88e12b17c6494200a9c1b683a04fcac9573ed74cd1b62aeb2727c5592243"
 
 [[package]]
 name = "unicode-linebreak"

flake-modules/tests.nix

@@ -131,160 +131,320 @@
             config.services.webnsupdate.allowedIPVersion = "ipv6-only";
           };
 
-          # "A" for IPv4, "AAAA" for IPv6, "ANY" for any
+          testScript = ''
-          testTemplate =
+            machine.start(allow_reboot=True)
-            {
+            machine.wait_for_unit("bind.service")
-              ipv4 ? false,
+            machine.wait_for_unit("webnsupdate.service")
-              ipv6 ? false,
-              nginx ? false,
-              exclusive ? false,
-            }:
-            if exclusive && (ipv4 == ipv6) then
-              builtins.throw "exclusive means one of ipv4 or ipv6 must be set, but not both"
-            else
-              ''
-                IPV4: bool = ${if ipv4 then "True" else "False"}
-                IPV6: bool = ${if ipv6 then "True" else "False"}
-                NGINX: bool = ${if nginx then "True" else "False"}
-                EXCLUSIVE: bool = ${if exclusive then "True" else "False"}
-                print(f"{IPV4=} {IPV6=} {EXCLUSIVE=}")
 
-                CURL: str = "curl --fail --no-progress-meter --show-error"
+            # ensure base DNS records area available
+            with subtest("query base DNS records"):
+                machine.succeed("dig @127.0.0.1 ${testDomain}          | grep ^${testDomain}")
+                machine.succeed("dig @127.0.0.1 ns1.${testDomain}      | grep ^ns1.${testDomain}")
+                machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
 
-                machine.start(allow_reboot=True)
+            # ensure webnsupdate managed records are missing
-                machine.wait_for_unit("bind.service")
+            with subtest("query webnsupdate DNS records (fail)"):
-                machine.wait_for_unit("webnsupdate.service")
+                machine.fail("dig @127.0.0.1 test1.${testDomain} A test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                machine.fail("dig @127.0.0.1 test2.${testDomain} A test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                machine.fail("dig @127.0.0.1 test3.${testDomain} A test3.${testDomain} AAAA | grep ^test3.${testDomain}")
 
-                STATIC_DOMAINS: list[str] = ["${testDomain}", "ns1.${testDomain}", "nsupdate.${testDomain}"]
+            with subtest("update webnsupdate DNS records (invalid auth)"):
-                DYNAMIC_DOMAINS: list[str] = ["test1.${testDomain}", "test2.${testDomain}", "test3.${testDomain}"]
+                machine.fail("curl --fail --silent -u test1:test1 -X GET http://localhost:5353/update")
+                machine.fail("cat ${lastIPPath}") # no last-ip set yet
 
-                def domain_available(domain: str, record: str):
+            # ensure webnsupdate managed records are missing
-                    machine.succeed(f"dig @localhost {record} {domain} | grep ^{domain}")
+            with subtest("query webnsupdate DNS records (fail)"):
+                machine.fail("dig @127.0.0.1 test1.${testDomain} A test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                machine.fail("dig @127.0.0.1 test2.${testDomain} A test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                machine.fail("dig @127.0.0.1 test3.${testDomain} A test3.${testDomain} AAAA | grep ^test3.${testDomain}")
 
-                def domain_missing(domain: str, record: str):
+            with subtest("update webnsupdate DNS records (valid auth)"):
-                    machine.fail(f"dig @localhost {record} {domain} +noall +noanswer | grep ^{domain}")
+                machine.succeed("curl --fail --silent -u test:test -X GET http://localhost:5353/update")
-
-                def update_records(domain: str="localhost", path: str="update"):
-                    machine.succeed(f"{CURL} -u test:test -X GET http://{domain}{"" if NGINX else ":5353"}/{path}")
-                    machine.succeed("cat ${lastIPPath}")
-
-                def update_records_fail(domain: str="localhost", identity: str="test:test", path: str="update"):
-                    machine.fail(f"{CURL} -u {identity} -X GET http://{domain}{"" if NGINX else ":5353"}/{path}")
-                    machine.fail("cat ${lastIPPath}")
-
-                def invalid_update(domain: str="localhost"):
-                    update_records_fail(domain, identity="bad_user:test")
-                    update_records_fail(domain, identity="test:bad_pass")
-
-                # Tests
-
-                with subtest("static DNS records are available"):
-                    print(f"{IPV4=} {IPV6=} {EXCLUSIVE=}")
-                    for domain in STATIC_DOMAINS:
-                        domain_available(domain, "A")    # IPv4
-                        domain_available(domain, "AAAA") # IPv6
-
-                with subtest("dynamic DNS records are missing"):
-                    print(f"{IPV4=} {IPV6=} {EXCLUSIVE=}")
-                    for domain in DYNAMIC_DOMAINS:
-                        domain_missing(domain, "A")    # IPv4
-                        domain_missing(domain, "AAAA") # IPv6
-
-                with subtest("invalid auth fails to update records"):
-                    print(f"{IPV4=} {IPV6=} {EXCLUSIVE=}")
-                    invalid_update()
-                    for domain in DYNAMIC_DOMAINS:
-                        domain_missing(domain, "A")    # IPv4
-                        domain_missing(domain, "AAAA") # IPv6
-
-                if EXCLUSIVE:
-                    with subtest("exclusive IP version fails to update with invalid version"):
-                        print(f"{IPV4=} {IPV6=} {EXCLUSIVE=}")
-                        if IPV6:
-                            update_records_fail("127.0.0.1")
-                        if IPV4:
-                            update_records_fail("[::1]")
-
-                with subtest("valid auth updates records"):
-                    print(f"{IPV4=} {IPV6=} {EXCLUSIVE=}")
-                    if IPV4:
-                        update_records("127.0.0.1")
-                    if IPV6:
-                        update_records("[::1]")
-
-                    for domain in DYNAMIC_DOMAINS:
-                        if IPV4:
-                            domain_available(domain, "A")
-                        elif IPV6 and EXCLUSIVE:
-                            domain_missing(domain, "A")
-
-                        if IPV6:
-                            domain_available(domain, "AAAA")
-                        elif IPV4 and EXCLUSIVE:
-                            domain_missing(domain, "AAAA")
-
-                machine.reboot()
-                machine.succeed("cat ${lastIPPath}")
-                machine.wait_for_unit("webnsupdate.service")
                 machine.succeed("cat ${lastIPPath}")
 
-                with subtest("static DNS records are available after reboot"):
+            # ensure webnsupdate managed records are available
-                    print(f"{IPV4=} {IPV6=} {EXCLUSIVE=}")
+            with subtest("query webnsupdate DNS records (succeed)"):
-                    for domain in STATIC_DOMAINS:
+                machine.succeed("dig @127.0.0.1 test1.${testDomain} A test1.${testDomain} AAAA | grep ^test1.${testDomain}")
-                        domain_available(domain, "A")    # IPv4
+                machine.succeed("dig @127.0.0.1 test2.${testDomain} A test2.${testDomain} AAAA | grep ^test2.${testDomain}")
-                        domain_available(domain, "AAAA") # IPv6
+                machine.succeed("dig @127.0.0.1 test3.${testDomain} A test3.${testDomain} AAAA | grep ^test3.${testDomain}")
 
-                with subtest("dynamic DNS records are available after reboot"):
+            machine.reboot()
-                    print(f"{IPV4=} {IPV6=} {EXCLUSIVE=}")
+            machine.succeed("cat ${lastIPPath}")
-                    for domain in DYNAMIC_DOMAINS:
+            machine.wait_for_unit("webnsupdate.service")
-                        if IPV4:
+            machine.succeed("cat ${lastIPPath}")
-                            domain_available(domain, "A")
-                        elif IPV6 and EXCLUSIVE:
-                            domain_missing(domain, "A")
 
-                        if IPV6:
+            # ensure base DNS records area available after a reboot
-                            domain_available(domain, "AAAA")
+            with subtest("query base DNS records"):
-                        elif IPV4 and EXCLUSIVE:
+                machine.succeed("dig @127.0.0.1 ${testDomain} | grep ^${testDomain}")
-                            domain_missing(domain, "AAAA")
+                machine.succeed("dig @127.0.0.1 ns1.${testDomain} | grep ^ns1.${testDomain}")
-              '';
+                machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
+
+            # ensure webnsupdate managed records are available after a reboot
+            with subtest("query webnsupdate DNS records (succeed)"):
+                machine.succeed("dig @127.0.0.1 test1.${testDomain} A test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                machine.succeed("dig @127.0.0.1 test2.${testDomain} A test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                machine.succeed("dig @127.0.0.1 test3.${testDomain} A test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+          '';
         in
         {
-          module-ipv4-test = pkgs.testers.nixosTest {
+          module-ipv4-test = pkgs.testers.runNixOSTest {
             name = "webnsupdate-ipv4-module";
             nodes.machine = webnsupdate-ipv4-machine;
-            testScript = testTemplate { ipv4 = true; };
+            inherit testScript;
           };
-          module-ipv6-test = pkgs.testers.nixosTest {
+          module-ipv6-test = pkgs.testers.runNixOSTest {
             name = "webnsupdate-ipv6-module";
             nodes.machine = webnsupdate-ipv6-machine;
-            testScript = testTemplate { ipv6 = true; };
+            inherit testScript;
           };
-          module-nginx-test = pkgs.testers.nixosTest {
+          module-nginx-test = pkgs.testers.runNixOSTest {
             name = "webnsupdate-nginx-module";
             nodes.machine = webnsupdate-nginx-machine;
-            testScript = testTemplate {
+            testScript = ''
-              ipv4 = true;
+              machine.start(allow_reboot=True)
-              ipv6 = true;
+              machine.wait_for_unit("bind.service")
-              nginx = true;
+              machine.wait_for_unit("webnsupdate.service")
-            };
+
+              # ensure base DNS records area available
+              with subtest("query base DNS records"):
+                  machine.succeed("dig @127.0.0.1 ${testDomain}          | grep ^${testDomain}")
+                  machine.succeed("dig @127.0.0.1 ns1.${testDomain}      | grep ^ns1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
+
+              # ensure webnsupdate managed records are missing
+              with subtest("query webnsupdate DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} A    | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} A    | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} A    | grep ^test3.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              with subtest("update webnsupdate DNS records (invalid auth)"):
+                  machine.fail("curl --fail --silent -u test1:test1 -X GET http://127.0.0.1/update")
+                  machine.fail("cat ${lastIPPath}") # no last-ip set yet
+
+              # ensure webnsupdate managed records are missing
+              with subtest("query webnsupdate DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} A    | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} A    | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} A    | grep ^test3.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              with subtest("update webnsupdate IPv4 DNS records (valid auth)"):
+                  machine.succeed("curl --fail --silent -u test:test -X GET http://127.0.0.1/update")
+                  machine.succeed("cat ${lastIPPath}")
+
+              # ensure webnsupdate managed IPv4 records are available
+              with subtest("query webnsupdate IPv4 DNS records (succeed)"):
+                  machine.succeed("dig @127.0.0.1 test1.${testDomain} A | grep ^test1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test2.${testDomain} A | grep ^test2.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test3.${testDomain} A | grep ^test3.${testDomain}")
+
+              # ensure webnsupdate managed IPv6 records are missing
+              with subtest("query webnsupdate IPv6 DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              with subtest("update webnsupdate IPv6 DNS records (valid auth)"):
+                  machine.succeed("curl --fail --silent -u test:test -X GET http://[::1]/update")
+                  machine.succeed("cat ${lastIPPath}")
+
+              # ensure webnsupdate managed IPv6 records are missing
+              with subtest("query webnsupdate IPv6 DNS records (fail)"):
+                  machine.succeed("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              machine.reboot()
+              machine.succeed("cat ${lastIPPath}")
+              machine.wait_for_unit("webnsupdate.service")
+              machine.succeed("cat ${lastIPPath}")
+
+              # ensure base DNS records area available after a reboot
+              with subtest("query base DNS records"):
+                  machine.succeed("dig @127.0.0.1 ${testDomain} | grep ^${testDomain}")
+                  machine.succeed("dig @127.0.0.1 ns1.${testDomain} | grep ^ns1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
+
+              # ensure webnsupdate managed records are available after a reboot
+              with subtest("query webnsupdate DNS records (succeed)"):
+                  machine.succeed("dig @127.0.0.1 test1.${testDomain} A    | grep ^test1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test2.${testDomain} A    | grep ^test2.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test3.${testDomain} A    | grep ^test3.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+            '';
           };
-          module-ipv4-only-test = pkgs.testers.nixosTest {
+          module-ipv4-only-test = pkgs.testers.runNixOSTest {
             name = "webnsupdate-ipv4-only-module";
             nodes.machine = webnsupdate-ipv4-only-machine;
-            testScript = testTemplate {
+            testScript = ''
-              ipv4 = true;
+              machine.start(allow_reboot=True)
-              nginx = true;
+              machine.wait_for_unit("bind.service")
-              exclusive = true;
+              machine.wait_for_unit("webnsupdate.service")
-            };
+
+              # ensure base DNS records area available
+              with subtest("query base DNS records"):
+                  machine.succeed("dig @127.0.0.1 ${testDomain}          | grep ^${testDomain}")
+                  machine.succeed("dig @127.0.0.1 ns1.${testDomain}      | grep ^ns1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
+
+              # ensure webnsupdate managed records are missing
+              with subtest("query webnsupdate DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} A    | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} A    | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} A    | grep ^test3.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              with subtest("update webnsupdate DNS records (invalid auth)"):
+                  machine.fail("curl --fail --silent -u test1:test1 -X GET http://127.0.0.1/update")
+                  machine.fail("cat ${lastIPPath}") # no last-ip set yet
+
+              # ensure webnsupdate managed records are missing
+              with subtest("query webnsupdate DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} A    | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} A    | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} A    | grep ^test3.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              with subtest("update webnsupdate IPv6 DNS records (valid auth)"):
+                  machine.fail("curl --fail --silent -u test:test -X GET http://[::1]/update")
+                  machine.fail("cat ${lastIPPath}")
+
+              # ensure webnsupdate managed IPv6 records are missing
+              with subtest("query webnsupdate IPv6 DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              with subtest("update webnsupdate IPv4 DNS records (valid auth)"):
+                  machine.succeed("curl --fail --silent -u test:test -X GET http://127.0.0.1/update")
+                  machine.succeed("cat ${lastIPPath}")
+
+              # ensure webnsupdate managed IPv4 records are available
+              with subtest("query webnsupdate IPv4 DNS records (succeed)"):
+                  machine.succeed("dig @127.0.0.1 test1.${testDomain} A | grep ^test1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test2.${testDomain} A | grep ^test2.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test3.${testDomain} A | grep ^test3.${testDomain}")
+
+              # ensure webnsupdate managed IPv6 records are missing
+              with subtest("query webnsupdate IPv6 DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              machine.reboot()
+              machine.succeed("cat ${lastIPPath}")
+              machine.wait_for_unit("webnsupdate.service")
+              machine.succeed("cat ${lastIPPath}")
+
+              # ensure base DNS records area available after a reboot
+              with subtest("query base DNS records"):
+                  machine.succeed("dig @127.0.0.1 ${testDomain} | grep ^${testDomain}")
+                  machine.succeed("dig @127.0.0.1 ns1.${testDomain} | grep ^ns1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
+
+              # ensure webnsupdate managed records are available after a reboot
+              with subtest("query webnsupdate DNS records (succeed)"):
+                  machine.succeed("dig @127.0.0.1 test1.${testDomain} A | grep ^test1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test2.${testDomain} A | grep ^test2.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test3.${testDomain} A | grep ^test3.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+            '';
           };
-          module-ipv6-only-test = pkgs.testers.nixosTest {
+          module-ipv6-only-test = pkgs.testers.runNixOSTest {
             name = "webnsupdate-ipv6-only-module";
             nodes.machine = webnsupdate-ipv6-only-machine;
-            testScript = testTemplate {
+            testScript = ''
-              ipv6 = true;
+              machine.start(allow_reboot=True)
-              nginx = true;
+              machine.wait_for_unit("bind.service")
-              exclusive = true;
+              machine.wait_for_unit("webnsupdate.service")
-            };
+
+              # ensure base DNS records area available
+              with subtest("query base DNS records"):
+                  machine.succeed("dig @127.0.0.1 ${testDomain}          | grep ^${testDomain}")
+                  machine.succeed("dig @127.0.0.1 ns1.${testDomain}      | grep ^ns1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
+
+              # ensure webnsupdate managed records are missing
+              with subtest("query webnsupdate DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} A    | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} A    | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} A    | grep ^test3.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              with subtest("update webnsupdate DNS records (invalid auth)"):
+                  machine.fail("curl --fail --silent -u test1:test1 -X GET http://127.0.0.1/update")
+                  machine.fail("cat ${lastIPPath}") # no last-ip set yet
+
+              # ensure webnsupdate managed records are missing
+              with subtest("query webnsupdate DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} A    | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} A    | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} A    | grep ^test3.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              with subtest("update webnsupdate IPv4 DNS records (valid auth)"):
+                  machine.fail("curl --fail --silent -u test:test -X GET http://127.0.0.1/update")
+                  machine.fail("cat ${lastIPPath}")
+
+              # ensure webnsupdate managed IPv4 records are missing
+              with subtest("query webnsupdate IPv4 DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} A | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} A | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} A | grep ^test3.${testDomain}")
+
+              with subtest("update webnsupdate IPv6 DNS records (valid auth)"):
+                  machine.succeed("curl --fail --silent -u test:test -X GET http://[::1]/update")
+                  machine.succeed("cat ${lastIPPath}")
+
+              # ensure webnsupdate managed IPv6 records are available
+              with subtest("query webnsupdate IPv6 DNS records (succeed)"):
+                  machine.succeed("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+
+              # ensure webnsupdate managed IPv4 records are missing
+              with subtest("query webnsupdate IPv4 DNS records (fail)"):
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} A | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} A | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} A | grep ^test3.${testDomain}")
+
+              machine.reboot()
+              machine.succeed("cat ${lastIPPath}")
+              machine.wait_for_unit("webnsupdate.service")
+              machine.succeed("cat ${lastIPPath}")
+
+              # ensure base DNS records area available after a reboot
+              with subtest("query base DNS records"):
+                  machine.succeed("dig @127.0.0.1 ${testDomain} | grep ^${testDomain}")
+                  machine.succeed("dig @127.0.0.1 ns1.${testDomain} | grep ^ns1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
+
+              # ensure webnsupdate managed records are available after a reboot
+              with subtest("query webnsupdate DNS records (succeed)"):
+                  machine.succeed("dig @127.0.0.1 test1.${testDomain} AAAA | grep ^test1.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test2.${testDomain} AAAA | grep ^test2.${testDomain}")
+                  machine.succeed("dig @127.0.0.1 test3.${testDomain} AAAA | grep ^test3.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test1.${testDomain} A       | grep ^test1.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test2.${testDomain} A       | grep ^test2.${testDomain}")
+                  machine.fail("dig @127.0.0.1 test3.${testDomain} A       | grep ^test3.${testDomain}")
+            '';
           };
         };
     };