Skip to content

Update MethodsV2 to match Basic01#1287

Merged
matsduf merged 2 commits into
zonemaster:developfrom
matsduf:update-methodsv2
Jul 18, 2024
Merged

Update MethodsV2 to match Basic01#1287
matsduf merged 2 commits into
zonemaster:developfrom
matsduf:update-methodsv2

Conversation

@matsduf

@matsduf matsduf commented Jul 5, 2024

Copy link
Copy Markdown
Contributor

Purpose

Method Get parent NS IP addresses in MethodsV2 should use the same algorithm as Basic01, which was true before the change introduced by #1257 which modifies the way the tree is traversed to find the parent zone and its name servers. This PR adapts to that modification.

The change should better match the intention of what the parent zone is. And the change should match the test scenarios created in #1254.

Context

How to test this PR

Review the changes.

@matsduf matsduf added the A-TestCase Area: Test case specification or implementation of test case label Jul 5, 2024
@matsduf matsduf added this to the v2024.2 milestone Jul 5, 2024
tgreenx added a commit to tgreenx/zonemaster-engine that referenced this pull request Jul 10, 2024
@tgreenx
Update MethodsV2 get_parent_ns_ips() to match new Basic01 algorithm
5e66b5b 
Based on zonemaster/zonemaster#1287

- Update Zonemaster::Engine::TestMethodsV2->get_parent_ns_ips() code
- Add new message tag 'LOOP_PROTECTION' (used in three places)
- Add loop protection mechanism
- Update unit tests data
@tgreenx tgreenx mentioned this pull request Jul 10, 2024
Merged
tgreenx
tgreenx reviewed Jul 10, 2024
View reviewed changes

@tgreenx tgreenx left a comment
edited
Loading

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Implementation is done in zonemaster/zonemaster-engine#1373. Current implementation details to note:

  • The method returns Zonemaster::Engine::Nameserver objects, not just IP addresses as the specification describes. It is necessary to have such objects in Engine to be able to perform queries. The method could then be renamed as simply get_parent_ns, or a disclaimer can be added (just like with the new test case specifications).
  • The method will return undef if there are more than one parent found (I assume this should not be possible from this new algorithm but still, it is a precaution)
  • A loop protection mechanism (currently set to 1000) is in place for the loop processing at step 5.11.

tgreenx added a commit to tgreenx/zonemaster-engine that referenced this pull request Jul 10, 2024
@tgreenx
Update MethodsV2 get_parent_ns_ips() to match new Basic01 algorithm
7350c4b 
Based on zonemaster/zonemaster#1287

- Update Zonemaster::Engine::TestMethodsV2->get_parent_ns_ips() code
- Add new message tag 'LOOP_PROTECTION' (used in three places)
- Add loop protection mechanism
- Update unit tests data
tgreenx added a commit to tgreenx/zonemaster-engine that referenced this pull request Jul 10, 2024
@tgreenx
Update MethodsV2 get_parent_ns_ips() to match new Basic01 algorithm
6d6a3b4 
Based on zonemaster/zonemaster#1287

- Update Zonemaster::Engine::TestMethodsV2->get_parent_ns_ips() code
- Add new message tag 'LOOP_PROTECTION' (used in three places)
- Add loop protection mechanism
- Update unit tests data
@matsduf

matsduf commented Jul 11, 2024

Copy link
Copy Markdown
Contributor Author

Implementation is done in zonemaster/zonemaster-engine#1373. Current implementation details to note:

* The method returns `Zonemaster::Engine::Nameserver` objects, not just IP addresses as the specification describes. It is necessary to have such objects in Engine to be able to perform queries. The method could then be renamed as simply `get_parent_ns`, or a disclaimer can be added (just like with the new test case specifications).

Currently the test case specifications only use the parent name server IP addresses, not the names, so the method only needs to find the addresses. There is no issue if the implementation must have a name as long as we do not start using the name as such. I see no need of update of the specification.

* The method will return `undef` if there are more than one parent found (I assume this should not be possible from this new algorithm but still, it is a precaution)

There are still situations when there is more than one parent. Let us say that cc.xa has two NS. One has a delegation to bb.cc.xa and the other to aa.bb.cc.xa. And parent.grandparent.xa has two NS and both has a delegation aa.bb.cc.xa. The NS for aa.bb.cc.xa are the same in both delegations. Which is the parent of aa.bb.cc.xa? Except DNSSEC aa.bb.cc.xa will work. The two delegations could be different and it could still work if the zone data is the same, or at least relevant data is the same.

I just saw some errors in the specification, and then I again thought about the NXDOMAIN and NODATA situations. Since they do not give any delegation they could be ignored for the method (but not for Basic01). Now NXDOMAIN and NODATA are handled inconsistently by error. I will do an update where both are ignored (not considered to be a parent).

* A loop protection mechanism (currently set to 1000) is in place for the loop processing at step 5.11.

I am not sure how you count, but if there are many NS (both v4 and v6) and many levels (like IPv6 reverse) do you see a risk of reaching the limit? Will there be a message (DEBUG) if the loop protection breaks?

It would be interesting to see how many loops the code will do in the normal case. Have you checked?

@matsduf

matsduf commented Jul 11, 2024

Copy link
Copy Markdown
Contributor Author

I will adjust the expected parent data from some of the scenarios (remove server outputting NXDOMAIN or NODATA).

@tgreenx

tgreenx commented Jul 11, 2024

Copy link
Copy Markdown
Contributor

I just saw some errors in the specification, and then I again thought about the NXDOMAIN and NODATA situations. Since they do not give any delegation they could be ignored for the method (but not for Basic01). Now NXDOMAIN and NODATA are handled inconsistently by error. I will do an update where both are ignored (not considered to be a parent).

I will adjust the expected parent data from some of the scenarios (remove server outputting NXDOMAIN or NODATA).

Ah great, I was about to write a comment about that, as I'm currently testing zonemaster/zonemaster-engine#1351 with the changes in zonemaster/zonemaster-engine#1373. While troubleshooting scenario CHLD-FOUND-INCONSIST-1, I stumbled upon this issue.

I am not sure how you count, but if there are many NS (both v4 and v6) and many levels (like IPv6 reverse) do you see a risk of reaching the limit? Will there be a message (DEBUG) if the loop protection breaks?
It would be interesting to see how many loops the code will do in the normal case. Have you checked?

I will check now, and adjusts the break counter if needed (1000 seemed reasonable enough at first glance). There is a DEBUG2 message in place when that happens yes.

@tgreenx

tgreenx commented Jul 11, 2024

Copy link
Copy Markdown
Contributor

There are still situations when there is more than one parent. Let us say that cc.xa has two NS. One has a delegation to bb.cc.xa and the other to aa.bb.cc.xa. And parent.grandparent.xa has two NS and both has a delegation aa.bb.cc.xa. The NS for aa.bb.cc.xa are the same in both delegations. Which is the parent of aa.bb.cc.xa? Except DNSSEC aa.bb.cc.xa will work. The two delegations could be different and it could still work if the zone data is the same, or at least relevant data is the same.

Ok, I'll make the necessary changes in the implementation. But maybe the specification needs to be more explicit then? i.e., step 6.

@matsduf

matsduf commented Jul 11, 2024

Copy link
Copy Markdown
Contributor Author

Ok, I'll make the necessary changes in the implementation. But maybe the specification needs to be more explicit then? i.e., step 6.

Is it this step 6 you mean?

6. If the *Parent Found* set is non-empty then do:
   1. Extract the name server IP list.
   2. Return the following from the Method:
      1. The extracted list of name server IP addresses (parent zone name servers).
   3. Exit these procedures.

It just refers to parent name server IP addresses, not parent zone.

tgreenx added a commit to tgreenx/zonemaster-engine that referenced this pull request Jul 11, 2024
@tgreenx
Update MethodsV2 get_parent_ns_ips() to match new Basic01 algorithm
5ca62cc 
Based on zonemaster/zonemaster#1287

- Update Zonemaster::Engine::TestMethodsV2->get_parent_ns_ips() code
- Add new message tag 'LOOP_PROTECTION' (used in three places)
- Add loop protection mechanism
- Update unit tests data
tgreenx added a commit to tgreenx/zonemaster-engine that referenced this pull request Jul 11, 2024
@tgreenx
Update MethodsV2 get_parent_ns_ips() to match new Basic01 algorithm
f53a7fa 
Based on zonemaster/zonemaster#1287

- Update Zonemaster::Engine::TestMethodsV2->get_parent_ns_ips() code
- Add new message tag 'LOOP_PROTECTION' (used in three places)
- Add loop protection mechanism
- Update unit tests data
@matsduf
Updates to the specification:
7b85ac8 
* Removes adding to list of parents if NXDOMAIN.
* Removes adding to list of parents if NODATA and name is
  child zone.
* Renames set of parent IPs. Parent zone is not relevant.
* Some editorial updates.
@matsduf matsduf force-pushed the update-methodsv2 branch from 9fd28a2 to 7b85ac8 Compare July 11, 2024 13:52
@tgreenx

tgreenx commented Jul 11, 2024
edited
Loading

Copy link
Copy Markdown
Contributor

I am not sure how you count, but if there are many NS (both v4 and v6) and many levels (like IPv6 reverse) do you see a risk of reaching the limit? Will there be a message (DEBUG) if the loop protection breaks?
It would be interesting to see how many loops the code will do in the normal case. Have you checked?

I will check now, and adjusts the break counter if needed (1000 seemed reasonable enough at first glance). There is a DEBUG2 message in place when that happens yes.

For Basic01, using the test zones in t/Test-basic01.t (on current develop), the counter is either 0 or 1 (it starts at 0).
For MethodsV2, using the test zones in t/methodsv2.t (on current develop), the counter is always 0 (it starts at 0).

tgreenx added a commit to tgreenx/zonemaster-engine that referenced this pull request Jul 16, 2024
@tgreenx
Update MethodsV2 get_parent_ns_ips() to match new Basic01 algorithm
f5c66b4 
Based on zonemaster/zonemaster#1287

- Update Zonemaster::Engine::TestMethodsV2->get_parent_ns_ips() code
- Add new message tag 'LOOP_PROTECTION' (used in three places)
- Add loop protection mechanism
- Update unit tests data
@matsduf matsduf merged commit f7dcf61 into zonemaster:develop Jul 18, 2024
@matsduf matsduf deleted the update-methodsv2 branch July 18, 2024 13:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tgreenx tgreenx tgreenx approved these changes
@marc-vanderwal marc-vanderwal marc-vanderwal approved these changes
@mattias-p mattias-p Awaiting requested review from mattias-p
@MichaelTimbert MichaelTimbert Awaiting requested review from MichaelTimbert

Assignees

No one assigned

Labels

A-TestCase Area: Test case specification or implementation of test case

Projects

None yet

Milestone

v2024.2

Development

Successfully merging this pull request may close these issues.

3 participants

@matsduf @tgreenx @marc-vanderwal