Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix in DNSSEC10 #1415

Open
wants to merge 1 commit into
base: release-v2024.2.1
Choose a base branch
from
Open

Fix in DNSSEC10 #1415

wants to merge 1 commit into from

Conversation

tgreenx
Copy link
Contributor

@tgreenx tgreenx commented Dec 11, 2024
edited
Loading

Purpose

This PR proposes a fix in the conditional for DS10_EXPECTED_NSEC_NSEC3_MISSING in DNSSEC10, for cases when any IP protocol is unavailable (or if the IP address has already been processed).

Context

Relates to zonemaster/zonemaster#1341
Fixes #1414

Changes

  • Use a list of queried name servers instead of all name servers
  • Add test scenario BAD-SERVERS-BUT-GOOD-NSEC-1
  • Update unit test data

How to test this PR

Tests are updated and should pass.
Manual testing should show disabled queries for a given IP protocol and no DS10_EXPECTED_NSEC_NSEC3_MISSING message:

$ zonemaster-cli --show-testcase --level debug --no-ipv6 --test dnssec10 --raw afnic.fr | grep -Ev "EXTERNAL_QUERY|DEPENDENCY_VERSION"
   0.00 DEBUG    Unspecified    START_TIME  string=2024-12-11 13:37:10 +0100; time_t=1733920630
   0.01 DEBUG    Unspecified    TEST_TARGET  module=dnssec; testcase=dnssec10; zone=afnic.fr
   0.01 INFO     Unspecified    GLOBAL_VERSION  version=v7.0.0
   0.02 DEBUG    Unspecified    MODULE_VERSION  module=Zonemaster::Engine::Test::DNSSEC; version=v1.1.58
   0.02 DEBUG    DNSSEC10       TEST_CASE_START  testcase=DNSSEC10
  15.46 DEBUG    DNSSEC10       IPV6_DISABLED  ns=g.ext.nic.fr/2001:678:4c::1; rrtype=DNSKEY
  15.47 DEBUG    DNSSEC10       IPV6_DISABLED  ns=g.ext.nic.fr/2001:678:4c::1; rrtype=NSEC
  15.47 DEBUG    DNSSEC10       IPV6_DISABLED  ns=g.ext.nic.fr/2001:678:4c::1; rrtype=NSEC3PARAM
  15.54 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns1.nic.fr/2001:67c:2218:2::4:1; rrtype=DNSKEY
  15.54 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns1.nic.fr/2001:67c:2218:2::4:1; rrtype=NSEC
  15.54 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns1.nic.fr/2001:67c:2218:2::4:1; rrtype=NSEC3PARAM
  15.64 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns2.nic.fr/2001:660:3005:1::1:2; rrtype=DNSKEY
  15.64 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns2.nic.fr/2001:660:3005:1::1:2; rrtype=NSEC
  15.64 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns2.nic.fr/2001:660:3005:1::1:2; rrtype=NSEC3PARAM
  15.74 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns3.nic.fr/2001:660:3006:1::1:1; rrtype=DNSKEY
  15.74 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns3.nic.fr/2001:660:3006:1::1:1; rrtype=NSEC
  15.74 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns3.nic.fr/2001:660:3006:1::1:1; rrtype=NSEC3PARAM
  15.75 INFO     DNSSEC10       DS10_HAS_NSEC3  ns_list=g.ext.nic.fr/194.0.36.1;ns1.nic.fr/192.134.4.1;ns2.nic.fr/192.93.0.4;ns3.nic.fr/192.134.0.49
  15.76 DEBUG    DNSSEC10       TEST_CASE_END  testcase=DNSSEC10
  15.76 DEBUG    Unspecified    MODULE_END  module=DNSSEC

@tgreenx tgreenx added A-TestCase Area: Test case specification or implementation of test case V-Patch Versioning: The change gives an update of patch in version. labels Dec 11, 2024
@tgreenx tgreenx added this to the v2024.2.1 milestone Dec 11, 2024
@tgreenx tgreenx linked an issue Dec 11, 2024 that may be closed by this pull request
Unexpected error in DNSSEC10 when disabling either IP protocol #1414
Open
@matsduf
Copy link
Contributor

matsduf commented Dec 11, 2024 

$ zonemaster-cli --show-testcase --level info --no-ipv6 --test dnssec10 afnic.fr --raw
   0.00 INFO     Unspecified    GLOBAL_VERSION  version=v7.0.0
   8.83 INFO     DNSSEC10       DS10_HAS_NSEC3  ns_list=g.ext.nic.fr/194.0.36.1;ns1.nic.fr/192.134.4.1;ns2.nic.fr/192.93.0.4;ns3.nic.fr/192.134.0.49

I think the test should have --level debug and the output should list at least one excluded IPv6 address but no DS10_EXPECTED_NSEC_NSEC3_MISSING to be complete.

matsduf
matsduf previously approved these changes Dec 11, 2024
View reviewed changes
@matsduf matsduf changed the base branch from develop to release-v2024.2.1 December 17, 2024 09:17
@matsduf matsduf changed the base branch from release-v2024.2.1 to develop December 17, 2024 09:40
@matsduf matsduf dismissed their stale review December 17, 2024 09:40

The base branch was changed.

@matsduf matsduf changed the base branch from develop to release-v2024.2.1 December 17, 2024 09:45
@matsduf matsduf mentioned this pull request Dec 17, 2024
Open
@tgreenx
Fix conditional for DS10_EXPECTED_NSEC_NSEC3_MISSING in DNSSEC10
4a35c55 
- Use a list of queried name servers instead of all name servers, in case any IP protocol is unavailable (or if the IP address has already been processed).
- Add test scenario BAD-SERVERS-BUT-GOOD-NSEC-1
- Update unit test data
@tgreenx tgreenx requested a review from matsduf January 28, 2025 15:07
@matsduf
Copy link
Contributor

matsduf commented Jan 28, 2025

@tgreenx, should I merge zonemaster/zonemaster#1341 now?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matsduf matsduf matsduf approved these changes

@mattias-p mattias-p Awaiting requested review from mattias-p

@tolvmannen tolvmannen Awaiting requested review from tolvmannen

@marc-vanderwal marc-vanderwal Awaiting requested review from marc-vanderwal

@MichaelTimbert MichaelTimbert Awaiting requested review from MichaelTimbert

Assignees
No one assigned
Labels
A-TestCase Area: Test case specification or implementation of test case V-Patch Versioning: The change gives an update of patch in version.
Projects
None yet
Milestone
v2024.2.1
Development

Successfully merging this pull request may close these issues.

Unexpected error in DNSSEC10 when disabling either IP protocol
2 participants
@tgreenx @matsduf