Issue zonemaster engine 295 #63

Merged
merged 4 commits into from Dec 20, 2017

4 participants
@vlevigneron
Contributor

vlevigneron commented Dec 7, 2017

No description provided.

mattias-p and others added some commits Nov 2, 2017

Merge pull request #60 from dotse/develop
Merge 1.1.1 to master

@vlevigneron vlevigneron requested review from mattias-p and matsduf Dec 7, 2017

@matsduf

matsduf requested changes Dec 7, 2017 edited

When I test the patched (updated) CLI.pm it does not work well. All messages are gone. What is really tested? That applies for "fake delegation", but not for normal testing.

Testing with the latest release:

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns ns.gu.kiev.ua/192.168.1.1
Seconds Level     Message
======= ========= =======
  18.23 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
  18.23 WARNING   All nameservers in the delegation are in the same AS (3254).
  18.31 NOTICE    There are neither DS nor DNSKEY records for the zone.
  18.31 NOTICE    The zone is not signed with DNSSEC.
  18.83 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
  18.90 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua.
  19.31 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
  19.32 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
  19.45 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns ns.gu.kiev.ua
Seconds Level     Message
======= ========= =======
   0.26 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address.
  14.14 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
  14.14 WARNING   All nameservers in the delegation are in the same AS (3254).
  14.23 NOTICE    There are neither DS nor DNSKEY records for the zone.
  14.23 NOTICE    The zone is not signed with DNSSEC.
  14.78 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
  14.85 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua.
  15.26 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
  15.26 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
  15.40 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.

Testing with the patched (updated) CLI from the PR:

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns ns.gu.kiev.ua/192.168.1.1
Seconds Level     Message
======= ========= =======

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns ns.gu.kiev.ua
Seconds Level     Message
======= ========= =======
   0.25 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address.

$ zonemaster-cli 200.193.193.in-addr.arpa
Seconds Level     Message
======= ========= =======
  18.19 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
  18.19 WARNING   All nameservers in the delegation are in the same AS (3254).
  18.31 NOTICE    There are neither DS nor DNSKEY records for the zone.
  18.31 NOTICE    The zone is not signed with DNSSEC.
  18.84 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
  18.91 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua.
  19.33 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
  19.34 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
  19.50 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.
Contributor

vlevigneron commented Dec 7, 2017

@matsduf it (should) work only with the corresponding zonemaster-engine PR applied. I can add a test to change behaviour depending on the version of the Engine modules if you think it could be needed.

Contributor

vlevigneron commented Dec 7, 2017

It "works" now even with an Engine that does not include the fix.

Contributor

matsduf commented Dec 7, 2017

@vlevigneron, I was not aware that this PR depended on the other PR (zonemaster/zonemaster-engine#355). I think it is better if the change of CLI.pm also requires the change in Engine, because then we have less complex code. I will test them together. You may add more comments in the code to make it easier to follow.

Contributor

matsduf commented Dec 7, 2017

I have redone my tests. This time I have patched Engine (from PR zonemaster/zonemaster-engine#355) and used patched CLI.pm (but I have not included commit 072b4c1, which I do not think should be included). Now it looks better, but there are still issues. I am not sure if they should point at the PR in Engine instead. All examples below are with patched Engine/CLI.

Here it looks fine:

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns ns.gu.kiev.ua/192.168.1.1
Seconds Level     Message
======= ========= =======
  10.61 NOTICE    Nameserver ns.gu.kiev.ua/192.168.1.1 did not respond to NS query.
  10.68 ERROR     Nameserver ns.gu.kiev.ua has an IP address (192.168.1.1) with prefix 192.168/16 referenced in [RFC1918] as a 'Private-Use'.
  34.40 WARNING   No response from nameserver(s) on PTR query (1.1.168.192.in-addr.arpa.).
  41.92 ERROR     Nameserver ns.gu.kiev.ua/192.168.1.1 not accessible over UDP on port 53.
  51.94 ERROR     Nameserver ns.gu.kiev.ua/192.168.1.1 not accessible over TCP on port 53.
  55.76 WARNING   Nameserver ns.gu.kiev.ua/192.168.1.1 did not respond.
  55.77 WARNING   Nameserver ns.gu.kiev.ua/192.168.1.1 did not respond.
  55.77 WARNING   Nameserver ns.gu.kiev.ua/192.168.1.1 did not respond.
  55.77 WARNING   Nameserver ns.gu.kiev.ua/192.168.1.1 did not respond.
  55.78 WARNING   Nameserver ns.gu.kiev.ua/192.168.1.1 did not respond.
  55.78 WARNING   Nameserver ns.gu.kiev.ua/192.168.1.1 did not respond.
  55.78 WARNING   Nameserver ns.gu.kiev.ua/192.168.1.1 did not respond.
  55.79 WARNING   Nameserver ns.gu.kiev.ua/192.168.1.1 did not respond.
  55.86 NOTICE    There are neither DS nor DNSKEY records for the zone.
  55.86 NOTICE    The zone is not signed with DNSSEC.
  61.42 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
  61.43 NOTICE    Nameserver ns.gu.kiev.ua/192.168.1.1 dropped AAAA query.
  61.86 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
  61.87 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
  62.28 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.

Here Zonemaster should do a lookup of ns.lucky.net and test against that. Why doesn't it?

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns ns.gu.kiev.ua
Seconds Level     Message
======= ========= =======
   0.28 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address.
  15.44 CRITICAL  Not enough data about 200.193.193.in-addr.arpa was found to be able to run tests.

Here I explicitly give the correct address of lucky, but it does not use it?

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net/193.193.193.100 --ns ns.gu.kiev.ua
Seconds Level     Message
======= ========= =======
   0.26 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address.
  10.48 CRITICAL  Not enough data about 200.193.193.in-addr.arpa was found to be able to run tests.

The two last queries look good:

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net
Seconds Level     Message
======= ========= =======
  13.58 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
  13.58 WARNING   All nameservers in the delegation are in the same AS (3254).
  13.66 NOTICE    There are neither DS nor DNSKEY records for the zone.
  13.66 NOTICE    The zone is not signed with DNSSEC.
  13.66 ERROR     Parent does not list enough (1) nameservers (ns.lucky.net). Lower limit set to 2.
  13.93 NOTICE    Child has nameserver(s) not listed at parent (ns.gu.kiev.ua).
  14.19 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
  14.26 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua.
  14.61 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
  14.61 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
  15.04 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.

$ zonemaster-cli 200.193.193.in-addr.arpa
Seconds Level     Message
======= ========= =======
  18.71 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
  18.72 WARNING   All nameservers in the delegation are in the same AS (3254).
  18.84 NOTICE    There are neither DS nor DNSKEY records for the zone.
  18.84 NOTICE    The zone is not signed with DNSSEC.
  19.38 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
  19.45 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua.
  19.87 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
  19.87 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
  20.01 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.

Shouldn't "The following nameservers failed to resolve to an IP address" be an ERROR?

Contributor

vlevigneron commented Dec 7, 2017

I guess this is the same "issue". In Zonemaster Engine, a nameserver is, first of all, an address.
If there is a nameserver with no address provided or that cannot be resolved, it ends. In this case, the problem is with ns.gu.kiev.ua (no address provided and no result with DNS queries).

I agree WARNING should be an ERROR. It's a policy choice.
In the 2 cases that work, ns.gu.kiev.ua is not part of the fake delegation, that's why there are more tests executed.

Contributor

matsduf commented Dec 7, 2017

I guess this is the same "issue". In Zonemaster Engine, a nameserver is, first of all, an address. If there is a nameserver with no address provided or that cannot be resolved, it ends. In this case, the problem is with ns.gu.kiev.ua (no address provided and no result with DNS queries).

It does not stop unless ns.gu.kiev.ua is provided as input in a "fake delegation". Zonemaster should continue with the other nameservers even if one nameserver name cannot be resolved. Cannot be resolved is comparable to do not respond to any query.

In the 2 cases that work, ns.gu.kiev.ua is not part of the fake delegation, that's why there are more tests executed.

There should not be any difference. As I tried to express in https://github.com/dotse/zonemaster/blob/develop/docs/specifications/test-types/undelegated-test.md the provided information (nameserver names and IP addresses) is in all respect comparable to what is found in the delegation from the parent zone.

200.193.193.in-addr.arpa is delegated to ns.lucky.net and ns.gu.kiev.ua without DS. The following two tests should be equal:

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns  ns.gu.kiev.ua

$ zonemaster-cli 200.193.193.in-addr.arpa
Contributor

vlevigneron commented Dec 7, 2017

In the case we provide a "fake delegation", don't you think we should have, anyway, the following message: The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address. It could be changed from ERROR to WARNING.

At the same time, we could modify The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua. from WARNING to ERROR.

Seconds Level     Message
======= ========= =======
   0.92 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address.
  28.51 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
  28.51 WARNING   All nameservers in the delegation are in the same AS (3254).
  28.70 NOTICE    There are neither DS nor DNSKEY records for the zone.
  28.70 NOTICE    The zone is not signed with DNSSEC.
  29.65 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
  29.76 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua.
  30.41 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
  30.41 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
  30.59 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.
Contributor

matsduf commented Dec 8, 2017

@vlevigneron!

In the case we provide a "fake delegation", don't you think we should have, anyway, the following message: The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address. It could be changed from ERROR to WARNING.

I think the message is fine, and I think it should be an ERROR.

In the test cases (specifications) for DELEGATION there is no explicit requirement that all nameserver names in the delegation must resolve to at least one IP address. I will write that, and I think when we run zonemaster-cli 200.193.193.in-addr.arpa (delegated) there should be an ERROR that ns.gu.kiev.ua cannot be resolved to any IP address:

$ zonemaster-cli 200.193.193.in-addr.arpa --test DELEGATION
Seconds Level     Message
======= ========= =======
Looks OK.

The following is also a strange difference:

$ zonemaster-cli 200.193.193.in-addr.arpa --test xyz
Seconds Level     Message
======= ========= =======
   0.01 CRITICAL  Request to run all in unknown module {module}. Known modules: Address:Connectivity:Consistency:DNSSEC:Delegation:Example:Nameserver:Syntax:Zone.

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns  ns.gu.kiev.ua --test xyz
Seconds Level     Message
======= ========= =======
   0.27 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address.
  11.40 CRITICAL  Not enough data about 200.193.193.in-addr.arpa was found to be able to run tests.
Contributor

vlevigneron commented Dec 8, 2017

@matsduf
It should be close to your expectations now (you must update both PRs, CLI and Engine). The following examples give the same results:

$ zonemaster-cli 200.193.193.in-addr.arpa --test xyz --locale en_US
Seconds Level     Message
======= ========= =======
   0.00 CRITICAL  Request to run all in unknown module {module}. Known modules: Address:Connectivity:Consistency:DNSSEC:Delegation:Example:Nameserver:Syntax:Zone.

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns  ns.gu.kiev.ua --test xyz --locale en_US
Seconds Level     Message
======= ========= =======
   0.54 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address.
   0.00 CRITICAL  Request to run all in unknown module {module}. Known modules: Address:Connectivity:Consistency:DNSSEC:Delegation:Example:Nameserver:Syntax:Zone.

$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns  ns.gu.kiev.ua

$ zonemaster-cli 200.193.193.in-addr.arpa
Contributor

matsduf commented Dec 8, 2017

I have found one issue that I have reported in zonemaster/zonemaster-engine#356. That issue is not part of "fake delegation" so I do not think it should or must be corrected within this PR and PR zonemaster/zonemaster-engine#355.

I can approve the two PRs, but I want @mattias-p to take a look at them before merging.


Contributor

vlevigneron commented Dec 13, 2017

@matsduf OK, I got the point. I tried to modify the engine as little as possible to fix this issue. It seems I have to modify Zonemaster::Engine::TestMethods::method3 and Zonemaster::Engine::TestMethods::method5 also, to return the expected fake delegation info (IPs and names)...

Contributor

vlevigneron commented Dec 13, 2017

@matsduf Not finished yet, but I have the following result, which is closer to what we expect:

$ zonemaster-cli telia.com --ns dns2.telia.com --ns dns1.telia.com --ns dns49.de.telia.net --show_module --locale en_US --test=Consistency
Seconds Level     Module       Message
======= ========= ============ =======
   2.02 ERROR     SYSTEM       The fake delegation of domain telia.com includes an in-zone name server dns2.telia.com without mandatory glue (without IP address).
   2.40 ERROR     SYSTEM       The fake delegation of domain telia.com includes an in-zone name server dns1.telia.com without mandatory glue (without IP address).
   1.77 NOTICE    CONSISTENCY  Parent has extra nameserver IP address(es) not listed at child (81.228.10.67;81.228.11.67).
Contributor

matsduf commented Dec 13, 2017

I actually expect something like

CONSISTENCY  Child has extra nameserver IP address(es) not listed at parent (204.70.57.242;81.228.10.67;81.228.11.67).
Contributor

vlevigneron commented Dec 13, 2017

@matsduf Here is the result I obtain with a new fix (not pushed yet). Sounds reasonable.

$ zonemaster-cli telia.com --ns dns2.telia.com --ns dns1.telia.com --ns dns49.de.telia.net --show_module --locale en_US
Seconds Level     Module       Message
======= ========= ============ =======
   2.36 ERROR     SYSTEM       The fake delegation of domain telia.com includes an in-zone name server dns1.telia.com without mandatory glue (without IP address).
   2.79 ERROR     SYSTEM       The fake delegation of domain telia.com includes an in-zone name server dns2.telia.com without mandatory glue (without IP address).
  11.83 WARNING   CONNECTIVITY All nameservers in the delegation have IPv4 addresses in the same AS (1299).
  11.83 WARNING   CONNECTIVITY All nameservers in the delegation have IPv6 addresses in the same AS (1299).
  11.83 WARNING   CONNECTIVITY All nameservers in the delegation are in the same AS (1299).
  12.15 NOTICE    CONSISTENCY  Child has extra nameserver IP address(es) not listed at parent (204.70.57.242;81.228.10.67;81.228.11.67).
  12.28 NOTICE    DNSSEC       There are neither DS nor DNSKEY records for the zone.
  12.28 NOTICE    DNSSEC       The zone is not signed with DNSSEC.
  12.28 ERROR     DELEGATION   Parent does not list enough (1) nameservers (dns49.de.telia.net). Lower limit set to 2.
  13.06 NOTICE    DELEGATION   Child has nameserver(s) not listed at parent (dns1.telia.com;dns2.telia.com;ns02.savvis.net).
  18.98 NOTICE    ZONE         SOA 'mname' nameserver (dns1.telia.com) is not listed in "parent" NS records for tested zone (dns49.de.telia.net).
  18.98 NOTICE    ZONE         SOA 'refresh' value (10800) is less than the recommended minimum (14400).
@@ -529,9 +529,8 @@ sub add_fake_delegation {
}
}
Zonemaster::Engine->add_fake_delegation( $domain => \%data );
return Zonemaster::Engine->add_fake_delegation( $domain => \%data );
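Review bot: the `return` added on the last line of this hunk makes the CLI's `add_fake_delegation` hand back whatever `Zonemaster::Engine->add_fake_delegation( $domain => \%data )` returns, but nothing in the shown context consumes that value and the hunk adds no documentation of what the engine returns. Either drop the `return` so the CLI behaviour is unchanged, or keep it and document `add_fake_delegation`'s possible return values and their meaning (for example whether a rejected fake delegation, such as an in-zone name server given without glue, is signalled through it) so a caller can actually act on it.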

@mattias-p

mattias-p Dec 14, 2017

Contributor

Does this actually change anything? Nobody's picking up the new return value.

Also, could you add method documentation for add_fake_delegation that describes the possible set of return values and what they mean?

@vlevigneron

vlevigneron Dec 14, 2017

Contributor

You are right, this modification is a residue of a different way to fix the issue. I guess we only need to update the Engine for this issue. I guess we can reject this PR.

Contributor

matsduf commented Dec 15, 2017

The following three commands should give the same results/output:

  1. zonemaster-cli 200.193.193.in-addr.arpa
  2. zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns ns.gu.kiev.ua
  3. zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net/193.193.193.100 --ns ns.gu.kiev.ua

2 and 3 (fake delegation) give the same result, but 1 (delegated) gives a different result. The result from 1 is probably the best.

Delegated:

Seconds Level     Message
======= ========= =======
  20.43 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
  20.43 WARNING   All nameservers in the delegation are in the same AS (3254).
  20.54 NOTICE    There are neither DS nor DNSKEY records for the zone.
  20.54 NOTICE    The zone is not signed with DNSSEC.
  21.04 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
  21.12 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua.
  21.51 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
  21.51 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
  21.66 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.

Fake delegated:

Seconds Level     Message
======= ========= =======
   0.22 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server ns.gu.kiev.ua that cannot be resolved to any IP address.
  17.86 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
  17.86 WARNING   All nameservers in the delegation are in the same AS (3254).
  17.95 NOTICE    There are neither DS nor DNSKEY records for the zone.
  17.95 NOTICE    The zone is not signed with DNSSEC.
  17.95 ERROR     Parent does not list enough (1) nameservers (ns.lucky.net). Lower limit set to 2.
  18.22 NOTICE    Child has nameserver(s) not listed at parent (ns.gu.kiev.ua).
  18.47 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
  18.54 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua.
  18.87 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
  18.88 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
  19.13 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.

It says "Parent does not list enough (1) nameservers (ns.lucky.net). Lower limit set to 2", but actually two nameservers are listed in the (fake) delegation. It says "Child has nameserver(s) not listed at parent (ns.gu.kiev.ua)", but that is listed in the (fake) delegation.

Contributor

matsduf commented Dec 15, 2017

In this scenario I have removed necessary glue from dns2.telia.com and added incorrect glue to dns1.telia.com.

The correct IP addresses (IPv4 only) are:

dns1.telia.com.		A	81.228.11.67
dns2.telia.com.		A	81.228.10.67

Zonemaster finds dns2.telia.com in the zone and does a lookup of that (hopefully directly to the zone). Zonemaster should do the same thing with dns1.telia.com. There should be an error message that the glue does not match the definition in the zone.

$ zonemaster-cli telia.com --ns dns2.telia.com --ns ns02.savvis.net --ns dns1.telia.com/192.168.1.1 --ns dns49.de.telia.net --show_module
Seconds Level     Module       Message
======= ========= ============ =======
   1.68 ERROR     SYSTEM       The fake delegation of domain telia.com includes an in-zone name server dns2.telia.com without mandatory glue (without IP address).
  10.46 NOTICE    BASIC        Nameserver dns1.telia.com/192.168.1.1 did not respond to NS query.
  11.21 ERROR     ADDRESS      Nameserver dns1.telia.com has an IP address (192.168.1.1) with prefix 192.168/16 referenced in [RFC1918] as a 'Private-Use'.
  22.96 WARNING   ADDRESS      Nameserver dns1.telia.com has an IP address (192.168.1.1) without PTR configured.
  24.58 ERROR     CONNECTIVITY Nameserver dns1.telia.com/192.168.1.1 not accessible over UDP on port 53.
  34.67 ERROR     CONNECTIVITY Nameserver dns1.telia.com/192.168.1.1 not accessible over TCP on port 53.
  36.78 WARNING   CONNECTIVITY All nameservers in the delegation have IPv6 addresses in the same AS (1299).
  36.79 WARNING   CONSISTENCY  Nameserver dns1.telia.com/192.168.1.1 did not respond.
  36.80 WARNING   CONSISTENCY  Nameserver dns1.telia.com/192.168.1.1 did not respond.
  36.80 WARNING   CONSISTENCY  Nameserver dns1.telia.com/192.168.1.1 did not respond.
  36.81 WARNING   CONSISTENCY  Nameserver dns1.telia.com/192.168.1.1 did not respond.
  36.82 WARNING   CONSISTENCY  Nameserver dns1.telia.com/192.168.1.1 did not respond.
  36.82 WARNING   CONSISTENCY  Nameserver dns1.telia.com/192.168.1.1 did not respond.
  36.83 WARNING   CONSISTENCY  Nameserver dns1.telia.com/192.168.1.1 did not respond.
  36.84 WARNING   CONSISTENCY  Nameserver dns1.telia.com/192.168.1.1 did not respond.
  36.85 NOTICE    CONSISTENCY  Child has extra nameserver IP address(es) not listed at parent (81.228.10.67).
  36.87 NOTICE    DNSSEC       There are neither DS nor DNSKEY records for the zone.
  36.87 NOTICE    DNSSEC       The zone is not signed with DNSSEC.
  37.10 NOTICE    DELEGATION   Child has nameserver(s) not listed at parent (dns2.telia.com).
  42.96 NOTICE    NAMESERVER   Nameserver dns1.telia.com/192.168.1.1 dropped AAAA query.
  44.08 NOTICE    ZONE         SOA 'mname' nameserver dns1.telia.com/192.168.1.1 does not respond.
  44.08 NOTICE    ZONE         SOA 'refresh' value (10800) is less than the recommended minimum (14400).
Contributor

vlevigneron commented Dec 15, 2017

With the last version of the engine, which has just been pushed, I obtain what you expect for

  1. zonemaster-cli 200.193.193.in-addr.arpa
  2. zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns ns.gu.kiev.ua
  3. zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net/193.193.193.100 --ns ns.gu.kiev.ua

I'm still working on the telia.com case.

Contributor

matsduf commented Dec 18, 2017

Now things are much better when I test. I see one issue (see below), but my guess is that it is an error in DELEGATION rather than in "fake delegation" (I do not have servers to test it for a delegated test). If so, I could approve this and zonemaster/zonemaster-engine#355 when the documentation is completed.

The issue is the following. @vlevigneron, I think it sits in DELEGATION, or not? If so, I will create an issue for the next release.

I ran a "fake delegation" test where I swapped the IP addresses for two in-bailiwick nameservers. This means that the glue mismatched the address definition in the zone itself, something which CONSISTENCY05 should discover.

dns1.telia.com.		A	81.228.11.67
dns2.telia.com.		A	81.228.10.67

$ zonemaster-cli telia.com --ns dns2.telia.com/81.228.11.67 --ns ns02.savvis.net --ns dns1.telia.com/81.228.10.67 --ns dns49.de.telia.net --show_module
Seconds Level     Module       Message
======= ========= ============ =======
   6.70 WARNING   CONNECTIVITY All nameservers in the delegation have IPv6 addresses in the same AS (1299).
   6.76 NOTICE    DNSSEC       There are neither DS nor DNSKEY records for the zone.
   6.76 NOTICE    DNSSEC       The zone is not signed with DNSSEC.
   6.78 NOTICE    DELEGATION   IP 81.228.10.67 refers to multiple nameservers (dns1.telia.com;dns2.telia.com).
   6.78 NOTICE    DELEGATION   IP 81.228.11.67 refers to multiple nameservers (dns2.telia.com;dns1.telia.com).
   9.05 NOTICE    ZONE         SOA 'refresh' value (10800) is less than the recommended minimum (14400).
Contributor

vlevigneron commented Dec 18, 2017

@matsduf I just read the specs and DELEGATION02 seems implemented as expected and the result is what I expected.
In DELEGATION02, the IP addresses obtained with Method4 will be the ones provided (--ns dns2.telia.com/81.228.11.67 --ns dns1.telia.com/81.228.10.67), while the IP addresses obtained with Method5 are (--ns dns2.telia.com/81.228.10.67 --ns dns1.telia.com/81.228.11.67). The messages seem correct.

If we want to test parent THEN child instead of parent AND child as described in the specs, we should change them.

From my point of view CONSISTENCY05 is where there is an issue. I guess it was implemented to check "addresses recorded" instead of "address records". You should create an issue for that.
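To make the parent-versus-child comparison in the last two comments concrete (the swapped-glue run that DELEGATION02 reports and CONSISTENCY05 misses, and the earlier in-zone-name-without-glue run), here is an added illustration in Python. It is not Zonemaster's code (the engine is Perl) and it performs no DNS lookups: the child-side records are constructed from the telia.com lines quoted earlier in the thread (IPv4 only; ns02.savvis.net and dns49.de.telia.net are left without addresses because this model does not resolve out-of-zone names). The names method4, method5, delegation02 and consistency05_* are this example's own labels for the readings discussed above, not the engine's API.

```python
"""Toy model of the parent-vs-child name server checks discussed in this thread.

Added illustration, not Zonemaster code. No network access: the "child" side is
a constructed copy of the records quoted in the thread.
"""
from collections import defaultdict


def parse_ns_args(ns_args):
    """Turn zonemaster-cli style '--ns name[/ip]' values into the (fake) parent
    side of the delegation: {name: set_of_glue_ips}. A name given without an
    address gets an empty set, like '--ns dns1.telia.com' in the thread."""
    parent = {}
    for arg in ns_args:
        name, _, ip = arg.partition("/")
        name = name.rstrip(".").lower()
        parent.setdefault(name, set())
        if ip:
            parent[name].add(ip)
    return parent


def in_zone_without_glue(zone, parent):
    """Names inside the tested zone that were given without glue: the case the
    thread's SYSTEM error reports, where the engine must fall back to the
    zone's own A records to reach the server."""
    zone = zone.rstrip(".").lower()
    return sorted(n for n, ips in parent.items()
                  if not ips and (n == zone or n.endswith("." + zone)))


def method4(parent):
    """Method4-style view: (name, ip) pairs as the delegation (glue) gives them."""
    return {(n, ip) for n, ips in parent.items() for ip in ips}


def method5(child_ns, child_a):
    """Method5-style view: (name, ip) pairs as the child zone defines them."""
    return {(n, ip) for n in child_ns for ip in child_a.get(n, set())}


def delegation02(parent, child_ns, child_a):
    """DELEGATION02 as the reply above reads the spec: pool parent AND child
    pairs and report every IP that more than one name server name maps to."""
    names_by_ip = defaultdict(set)
    for n, ip in method4(parent) | method5(child_ns, child_a):
        names_by_ip[ip].add(n)
    return {ip: sorted(ns) for ip, ns in names_by_ip.items() if len(ns) > 1}


def consistency05_by_address_set(parent, child_ns, child_a):
    """'Addresses recorded' reading: compare the two address *sets* and ignore
    which name each address belongs to. Swapped glue passes this check, which
    is the gap the thread attributes to CONSISTENCY05."""
    at_parent = {ip for _, ip in method4(parent)}
    at_child = {ip for _, ip in method5(child_ns, child_a)}
    return {"extra_at_child": sorted(at_child - at_parent),
            "extra_at_parent": sorted(at_parent - at_child)}


def consistency05_by_address_record(parent, child_ns, child_a):
    """'Address records' reading: compare glue with the zone's A records per
    name, so glue that points at the wrong host is reported as a mismatch."""
    mismatched = {}
    for n, glue in parent.items():
        if not glue:
            continue  # nothing to compare; see in_zone_without_glue()
        zone_ips = set(child_a.get(n, set()))
        if zone_ips and glue != zone_ips:
            mismatched[n] = {"glue": sorted(glue), "zone": sorted(zone_ips)}
    return mismatched


# Constructed child-side data from the records quoted in the thread (IPv4 only).
# Out-of-zone names are deliberately left without addresses.
CHILD_NS = {"ns02.savvis.net", "dns2.telia.com", "dns1.telia.com", "dns49.de.telia.net"}
CHILD_A = {"dns1.telia.com": {"81.228.11.67"}, "dns2.telia.com": {"81.228.10.67"}}


if __name__ == "__main__":
    # The Dec 18 run: glue for dns1 and dns2 swapped.
    swapped = parse_ns_args(["dns2.telia.com/81.228.11.67", "ns02.savvis.net",
                             "dns1.telia.com/81.228.10.67", "dns49.de.telia.net"])
    print("DELEGATION02:", delegation02(swapped, CHILD_NS, CHILD_A))
    print("CONSISTENCY05 (sets):", consistency05_by_address_set(swapped, CHILD_NS, CHILD_A))
    print("CONSISTENCY05 (records):", consistency05_by_address_record(swapped, CHILD_NS, CHILD_A))
    # The Dec 12 run: in-zone names given without glue.
    noglue = parse_ns_args(["dns2.telia.com", "dns1.telia.com", "dns49.de.telia.net"])
    print("in-zone without glue:", in_zone_without_glue("telia.com", noglue))
    print("CONSISTENCY05 (sets):", consistency05_by_address_set(noglue, CHILD_NS, CHILD_A))
```

On the swapped-glue input, delegation02 yields the two "IP ... refers to multiple nameservers" findings seen in the Dec 18 output, the set-based comparison reports nothing (the thread's observed behaviour), and only the per-record comparison flags both glue records as mismatching the zone. On the no-glue input, the set-based comparison reports the two in-zone addresses as extra at the child, which is the in-zone part of the message matsduf expected on Dec 13.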

Contributor

vlevigneron commented Dec 19, 2017

@matsduf I won't have time to work on zonemaster/zonemaster-engine#363 for this release. I guess that, unless we find bugs in the current issue, we can merge this PR and plan zonemaster/zonemaster-engine#363 for the first release of 2018. Do you agree?

Contributor

matsduf commented Dec 19, 2017

@vlevigneron! Yes, zonemaster/zonemaster-engine#363 is not for this release. I have now tagged it for 2018.1.

If @mattias-p's are handled, then we can merge. I am satisfied with the behavior.

@sandoche2k sandoche2k added this to the 2017.4 milestone Dec 19, 2017

Contributor

sandoche2k commented Dec 20, 2017

@vlevigneron if you can merge this and the related issue in the engine, we could start testing.

@vlevigneron vlevigneron merged commit 9512fb2 into zonemaster:develop Dec 20, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed