Engine fails to verify NS in zone #356

Closed
matsduf opened this Issue Dec 8, 2017 · 6 comments

matsduf commented Dec 8, 2017

NAMESERVER06 says that "All name servers names listed for a delegation must be resolvable in DNS", which I think should be interpreted as including all NS listed in the apex of the zone.

This issue shows that there is a problem with the tests of the NS in the zone. That must be corrected.

200.193.193.in-addr.arpa is delegated to ns.gu.kiev.ua and ns.lucky.net. We find the same two NS in the zone:

```
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns.lucky.net 200.193.193.in-addr.arpa ns +noedns +noadd +noquest +nottl +nocl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37299
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; ANSWER SECTION:
200.193.193.in-addr.arpa. NS	ns.gu.kiev.ua.
200.193.193.in-addr.arpa. NS	ns.lucky.net.
```

NS ns.gu.kiev.ua cannot be resolved to IP address:

```
; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns.gu.kiev.ua +noedns +noadd +noquest +nottl +nocl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42078
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns.gu.kiev.ua +noedns +noadd +noquest +nottl +nocl aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60774
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
```

I would expect that Zonemaster sees that as an error, but it does not:

```
$ zonemaster-cli 200.193.193.in-addr.arpa --ns ns.lucky.net --ns nsss0.gu.kiev.ua
Seconds Level     Message
======= ========= =======
   0.23 ERROR     The fake delegation of domain 200.193.193.in-addr.arpa includes a name server nsss0.gu.kiev.ua that cannot be resolved to any IP address.
   7.74 WARNING   All nameservers in the delegation have IPv4 addresses in the same AS (3254).
   7.74 WARNING   All nameservers in the delegation are in the same AS (3254).
   7.82 NOTICE    There are neither DS nor DNSKEY records for the zone.
   7.82 NOTICE    The zone is not signed with DNSSEC.
   8.22 ERROR     Parent has nameserver(s) not listed at the child (nsss0.gu.kiev.ua).
   8.22 NOTICE    Child has nameserver(s) not listed at parent (ns.gu.kiev.ua).
   8.48 NOTICE    Nameserver ns.lucky.net/193.193.193.100 allow zone transfer using AXFR.
   8.54 WARNING   The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua,nsss0.gu.kiev.ua.
   8.88 NOTICE    SOA 'refresh' value (3600) is less than the recommended minimum (14400).
   8.88 NOTICE    SOA 'retry' value (900) is less than the recommended minimum (3600).
   9.13 NOTICE    No target (MX, A or AAAA record) to deliver e-mail for the domain name.
```

matsduf commented Dec 8, 2017

@vlevigneron, can you look at this issue?

vlevigneron commented Dec 8, 2017

Is it OK with what we discussed earlier, I mean change status of `The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua,nsss0.gu.kiev.ua.` from WARNING to ERROR?

@vlevigneron vlevigneron self-assigned this Dec 8, 2017

matsduf commented Dec 8, 2017

Yes, it is.

At least for now. I actually misread the message. Both are actually listed. Can you change from `The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua,nsss0.gu.kiev.ua` to `The following nameservers failed to resolve to an IP address : ns.gu.kiev.ua, nsss0.gu.kiev.ua`, i.e. having a space character between the elements in the list of servers?

vlevigneron commented Dec 8, 2017

OK, I'll make a branch and new PR for that fix in a few minutes.

For the request to add a space: yes, I could do that, but we have many cases of lists of items and there is never a space. I guess that if we want to change that, we should decide, then change all of them to be homogeneous. That's why I would not change that in this fix.

vlevigneron added a commit to vlevigneron/zonemaster-engine that referenced this issue Dec 8, 2017

pawal commented Dec 8, 2017

I'll put this here again: #60 (but this is primarily for the JSON logs)

vlevigneron added a commit that referenced this issue Dec 12, 2017

@matsduf matsduf added this to the 2017.4 milestone Jan 11, 2018

matsduf commented Jan 11, 2018

Resolved by #357.

@matsduf matsduf closed this Jan 11, 2018
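
The check discussed in this issue, as an added example (not Zonemaster's code): it parses dig-style text, takes the union of the delegation NS and the NS found at the zone apex, and flags every name that has no A or AAAA answer. The sample replies are constructed from the output quoted in the first post; the function names and the message wording are assumptions.

```python
# Constructed dig-style replies, modelled on the captures quoted in this issue.
APEX_NS_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37299
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
200.193.193.in-addr.arpa. NS\tns.gu.kiev.ua.
200.193.193.in-addr.arpa. NS\tns.lucky.net.
"""
EMPTY_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42078
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
A_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
ns.lucky.net. A\t193.193.193.100
"""

def answers(dig_text, rrtype):
    """Return the rdata of `rrtype` records in the ANSWER section of dig output."""
    out, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False          # blank line or next section ends the answers
        elif in_answer:
            fields = line.split()      # name [ttl] [class] type rdata
            if len(fields) >= 3 and fields[-2].upper() == rrtype:
                out.append(fields[-1].rstrip(".").lower())
    return out

def unresolvable_ns(delegation_ns, apex_reply, address_replies):
    """NS names (delegation plus zone apex) with neither an A nor an AAAA answer."""
    names = {n.rstrip(".").lower() for n in delegation_ns}
    names |= set(answers(apex_reply, "NS"))   # include NS listed only in the zone
    failed = []
    for name in sorted(names):
        replies = address_replies.get(name, [])   # no reply at all counts as failure
        if not any(answers(r, t) for r in replies for t in ("A", "AAAA")):
            failed.append(name)
    return failed

def report(failed):
    """One ERROR-level entry per unresolvable name (message wording is illustrative)."""
    return [("ERROR", f"Name server {n} cannot be resolved to any IP address.") for n in failed]
```
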