Engine fails to verify NS in zone

[matsduf]

NAMESERVER06 says that "All name servers names listed for a delegation must be resolvable in DNS", which I think should be interpreted as including all NS listed in the apex of the zone.

This issue shows that there is a problem with the tests of the NS in the zone. That must be corrected.

200.193.193.in-addr.arpa is delegated to ns.gu.kiev.ua and ns.lucky.net. We find the same to NS in the zone:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns.lucky.net 200.193.193.in-addr.arpa ns +noedns +noadd +noquest +nottl +nocl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37299
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; ANSWER SECTION:
200.193.193.in-addr.arpa. NS	ns.gu.kiev.ua.
200.193.193.in-addr.arpa. NS	ns.lucky.net.

NS ns.gu.kiev.ua cannot be resolved to IP address:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns.gu.kiev.ua +noedns +noadd +noquest +nottl +nocl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42078
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns.gu.kiev.ua +noedns +noadd +noquest +nottl +nocl aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60774
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

I would expect that Zonemaster sees that as an error, but it does not:

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns nsss0.gu.kiev.ua
Seconds Level     Message
======= ========= =======
   0.23 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server nsss0.gu.kiev.ua that cannot be resolved to any IP address.
   7.74 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
   7.74 WARNING   All nameservers in the delegation are in the same AS (3254).
   7.82 NOTICE    There are neither DS nor DNSKEY records for the zone.
   7.82 NOTICE    The zone is not signed with DNSSEC.
   8.22 ERROR     Parent has nameserver(s) not listed at the child (nsss0.gu.kiev.ua).
   8.22 NOTICE    Child has nameserver(s) not listed at parent (ns.gu.kiev.ua).
   8.48 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
   8.54 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua,nsss0.gu.kiev.ua.
   8.88 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
   8.88 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
   9.13 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.

[matsduf]

@vlevigneron, can you look at this issue?

[vlevigneron]

Is it OK with what we discussed earlier, I mean change status of The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua,nsss0.gu.kiev.ua. from WARNINGto ERROR ?

[matsduf]

Yes, it is.

At least for now. I actually misread the message. Both are actually listed. Can you change from The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua,nsss0.gu.kiev.uato The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua, nsss0.gu.kiev.ua, i.e. having a space character between the elements in the list of servers?

[vlevigneron]

OK, I'll make a branch and new PR for that fix in the minutes.

For the request to add a space. Yes I could do that, but, we have many cases of lists of item and there is never a space. I guess that if we want to change that, we should decide, then change all of them to be homogeneous. That's why I would not change that in this fix.

[pawal]

I'll put this here again: #60 (but this is primarily for the JSON logs)

[matsduf]

Resolved by #357.