Zone11: different handling of root zone, TLD zones and zones in .arpa

[marc-vanderwal]

Purpose

This PR amends the specification for Zone11 so that different message tags of different severity levels are output if Zonemaster is run on the root zone, a TLD zone or a zone inside .arpa. It also cleans up some rough edges and migrates to MethodsV2.

Context

See #1256.

Changes

• Root zones, TLD zones and zones inside .arpa are tested differently: an INFO is output if no SPF or a null SPF is found, and a message tag of higher level is output if a non-null SPF is found.
• Use MethodsV2 instead of legacy Methods.
• Miscellaneous small rewordings

Breaking message tag changes

This PR changes the arguments to the following existing message tags:

Tag	Old arguments	New arguments
Z11_DIFFERENT_SPF_POLICIES_FOUND	ns_ip_list	ns_list

This PR replaces the following message tags with new tags:

Old tag	Old tag arguments	New tag	New tag arguments
Z11_SPF1_MULTIPLE_RECORDS	ns_ip_list	Z11_SPF_MULTIPLE_RECORDS	ns_list
Z11_SPF1_SYNTAX_ERROR	ns_ip_list	Z11_SPF_SYNTAX_ERROR	ns_list
Z11_SPF1_SYNTAX_OK	ns_ip_list	Z11_SPF_SYNTAX_OK	ns_list

How to test this PR

Review.

[matsduf]

* Replace all mentions of “SPF version 1” with plain “SPF”, in text and message tags.

What is the motivation not to mention that is should be version 1? I think it should be kept even though it does not have to be mentioned more than once and not in the tags.

* Add a step stating that the test be skipped if running on the root zone, TLD zone or a zone inside .arpa.

I think it is more reasonable to check for a policy, and expect that it says "no mail" if present. If absent, an info message is reasonable for those kind of zones.

* Replace mentions of legacy Methods with the equivalent methods in MethodsV2.

"Replace legacy Methods with the equivalent methods in MethodsV2." It is not just a mentioning, but an update of the test case that requires an updated implementation.

How to test this PR

N/A. However, reviewers are advised to review this PR commit by commit.

It should be reviewed, isn't that what we mean by testing an update of a document?

[matsduf]

In Objective is says "Sender Policy Framework (SPF), described in [RFC 7208], is a mechanism". I think it should say "defined in".

[marc-vanderwal]

I have changed the approach and addressed your review comments. Please re-review.

[matsduf]

This PR has chosen a different approach than #1409 for DNSSEC05. In the implementation the name server IP what counts. In the messages name/IP should be included. I think we should find a wording that we consistently use in all updates where name/IP are expected in the messages.

[marc-vanderwal]

Okay, I’ll reword as “For each name server IP address in Name Server IP do:”

[matsduf]

Well, there are some aspects of the approach in #1409. First there is the text in

zonemaster/docs/public/specifications/tests/DNSSEC-TP/dnssec05.md

Lines 115 to 118 in e8b95a6

	The name server names are assumed to be available at the time when the msgid
	is created, if the argument name is "ns" or "ns_list" even when in the
	"[Test procedure]" below it is only referred to the IP address of the name
	servers.

and then

zonemaster/docs/public/specifications/tests/DNSSEC-TP/dnssec05.md

Lines 175 to 178 in e8b95a6

	5. For all messages outputted below, if an IP address in *NS IP* is connected to
	more than one name server name, then all names should be included with the
	message tag if it is specified that name server name and IP address should
	be outputted with the message tag.

I am not sure if the approach in #1409 is the best one. In the implementation you probably want to go by IP address, and should that be reflected in the specification?

[marc-vanderwal]

Oh, I didn’t notice those bits in the DNSSEC05 proposal.

Yes, it is a recurring pattern that we iterate on name server IPs under the hood but that we report name server name and IP pairs in user-visible messages. And we need to be careful with the edge case where a zone has more than one name server name pointing to the same IP address.

So I think the approach makes sense. Maybe we should keep it somewhere in a template?

[matsduf]

It is not only the edge case when a zone has serveral names to the same IP address, it is also the case when the name in the delegation does not match the name in the zone, but the IP is the same. The latter is probably more common.

We have a template in https://github.com/zonemaster/zonemaster/blob/master/docs/internal/templates/specifications/tests/Template01.md which probably needs some updates.

Looks fine now. Maybe there should be clarification on "ns_list" to catch the situation when more than one NS name has the same IP address.

[matsduf]

Looks fine. Do you plan to create a scenario PR too?

[marc-vanderwal]

Looks fine. Do you plan to create a scenario PR too?

Yes, I was working on that in parallel but I was waiting for the outline of Zone11’s new test case specification to be stabilized before creating the PR. I’ve just created #1417. Then I’ll follow up with the implementation when the outline of that specification is stabilized.

[tgreenx]

LGTM. Just one comment.

[matsduf]

The test case has "ns_list" arguments for some tags, and then there is a chance that the same IP address is used by multiple name server names. It should be stated explicitly that "ns_list" includes all such name/IP pairs.

[marc-vanderwal]

Step 7 in the test procedure already states:

For all messages outputted below, if an IP address in Name Servers is connected to more than one name server name, then all names should be included with the message tag.

But I found a paragraph in the “Summary” section that was no longer true. I’ve updated it with a similar text. Does this make step 7 in the test procedure redundant?

[tgreenx]

LGTM.

Implementation in zonemaster/zonemaster-engine#1477.

[matsduf]

@marc-vanderwal, please merge.