CONNECTIVITY04 - IP prefix diversity requirement

[d4nys3k]

Hello,
current implementation of CONNECTIVITY04 has strict requirement not to have two nameservers within single subnet. The idea of diversity, in my opinion, is primarily about having at least one nameserver in another network and there is nothing wrong with having two nameservers in single network, as long as I have at least one in another network (so, you can have two nameservers in single subnet and third in different network, for example). if it doesn't matter that the zone has only two servers, if each is in a different subnet, 2+1 configuration should not be a problem.

I tried to modify lib/Zonemaster/Engine/Test/Connectivity.pm in this way by patch below to not issue warning in such case. I'm using version 4.7.0 of Engine at this time. It does what I expect based on the thoughts above.

Could you please consider modifying your CONNECTIVITY04 test approach?

--- Connectivity.pm.orig        2023-06-01 10:39:55.000000000 +0200
+++ Connectivity.pm     2023-06-30 23:44:41.247946421 +0200
@@ -615,2 +615,3 @@
     my %prefixes;
+    my %nscount=(4=>0,6=>0);
 
@@ -645,2 +646,3 @@
                 if ( $prefix->version == 4 ) {
+                    $nscount{4}++;
                     $prefix_str = $prefix->prefix;
@@ -648,2 +650,3 @@
                 elsif ( $prefix->version == 6 ) {
+                    $nscount{6}++;
                     $prefix_str = $prefix->short . '/' . $prefix->prefixlen;
@@ -671,6 +674,6 @@
         foreach my $prefix ( keys %{ $prefixes{$ip_version} } ) {
-            if ( scalar @{ $prefixes{$ip_version}{$prefix} } == 1 ) {
+            if ( scalar @{ $prefixes{$ip_version}{$prefix} } <= $nscount{$ip_version}-1 ) {
                 push @combined_ns, @{ $prefixes{$ip_version}{$prefix} };
             }
-            elsif ( scalar @{ $prefixes{$ip_version}{$prefix} } >= 2 ) {
+            elsif ( scalar @{ $prefixes{$ip_version}{$prefix} } == $nscount{$ip_version} ) {
                 push @results,

[matsduf]

@d4nys3k, thank you for taking your time to make suggestions! Comments and feed-back from the users are valuable.

The implementation that you have commented follows (or at least should follow) the specification in CONNECTIVITY04. Changes to the implementation, if any, must start with a change in specification. The specification starts by stating "The objective in this Test Case is to verify that all IP addresses of the domain's authoritative name servers are announced from different IP prefixes" and it refers to RFC2182.

Please look at the specification, and based on that please suggest changes to that text, starting with the "Objective" section. I can agree with you that if you have a setting with three name servers in three networks, which is fine, and then add a forth name server in the same network as one of the other, it could feel hard to get a WARNING.

A second place to consider is the "Summary" section where the messages and their default severity levels are defined. Should the message and severity level be the same if two of four name servers share the same network as if all name servers do that?

I will move this issue to the repository where the specification is found, and you continue commenting in this. Or create a new issue.

[d4nys3k]

RFC 2182 in paragraph 5 states:

It is recommended that three servers be provided for most organisation level zones, with at least one which must be well removed from the others.

So if you have two of three nameservers in single subnet and last one in different network, it's conforming with RFC 2182.

[matsduf]

Thanks for pointing that out. It does not seem that RFC 2182 is fully consistent in its recommendations (it is a BCP). Please write you suggestion for the "algorithm" for the test case. If you have any suggestions for the messages (section "Summary") please include those.

[d4nys3k]

I agree, texting, especially in older RFCs, can be confusing sometimes.

In CONNECTIVITY04 specification, under Test procedure, paragraphs 5 and 6 I suggest following change:

i: For each IP prefix in the set that has two or more members

replace by: If all addresses share same IP prefix

ii: For all IP prefixes in the set that have exactly one member,

replace by: If there's at least one address in different IP prefix

Or in some other way in the spirit of RFC 2182 paragraph, I admit that specifying it appropriately is not completely easy even for me. But the goal is probably simple - zonemaster should not report an error where the configuration does not contradict RFC. Above is my proposal to Connectivity.pm code change, I think code describes my thoughts in the best way. Of course, change can be more complex, but probably it isn't necessary.

[matsduf]

Thank you. We will look your issue and the test case specification (and then implementation).

[LeffeG]

I tried the patch above and it looks ok so far in my tests.

[matsduf]

This issue has also been raised in #1221.

[rosjat]

I saw zonemaster released a new version but this issue persist if I run a test.

Will this be addressed at all in the near future?

Cheers