Fix in DNSSEC10 #1415

Merged: tgreenx merged 1 commit into zonemaster:release-v2024.2.1 from tgreenx:fix-dnssec10 on Feb 6, 2025
@tgreenx tgreenx commented Dec 11, 2024

Contributor

Purpose

This PR proposes a fix in the conditional for DS10_EXPECTED_NSEC_NSEC3_MISSING in DNSSEC10, for cases when any IP protocol is unavailable (or if the IP address has already been processed).

Context

Relates to zonemaster/zonemaster#1341
Fixes #1414

Changes

  • Use a list of queried name servers instead of all name servers
  • Add test scenario BAD-SERVERS-BUT-GOOD-NSEC-1
  • Update unit test data

How to test this PR

Tests are updated and should pass.
Manual testing should show disabled queries for a given IP protocol and no DS10_EXPECTED_NSEC_NSEC3_MISSING message:

$ zonemaster-cli --show-testcase --level debug --no-ipv6 --test dnssec10 --raw afnic.fr | grep -Ev "EXTERNAL_QUERY|DEPENDENCY_VERSION"
   0.00 DEBUG    Unspecified    START_TIME  string=2024-12-11 13:37:10 +0100; time_t=1733920630
   0.01 DEBUG    Unspecified    TEST_TARGET  module=dnssec; testcase=dnssec10; zone=afnic.fr
   0.01 INFO     Unspecified    GLOBAL_VERSION  version=v7.0.0
   0.02 DEBUG    Unspecified    MODULE_VERSION  module=Zonemaster::Engine::Test::DNSSEC; version=v1.1.58
   0.02 DEBUG    DNSSEC10       TEST_CASE_START  testcase=DNSSEC10
  15.46 DEBUG    DNSSEC10       IPV6_DISABLED  ns=g.ext.nic.fr/2001:678:4c::1; rrtype=DNSKEY
  15.47 DEBUG    DNSSEC10       IPV6_DISABLED  ns=g.ext.nic.fr/2001:678:4c::1; rrtype=NSEC
  15.47 DEBUG    DNSSEC10       IPV6_DISABLED  ns=g.ext.nic.fr/2001:678:4c::1; rrtype=NSEC3PARAM
  15.54 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns1.nic.fr/2001:67c:2218:2::4:1; rrtype=DNSKEY
  15.54 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns1.nic.fr/2001:67c:2218:2::4:1; rrtype=NSEC
  15.54 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns1.nic.fr/2001:67c:2218:2::4:1; rrtype=NSEC3PARAM
  15.64 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns2.nic.fr/2001:660:3005:1::1:2; rrtype=DNSKEY
  15.64 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns2.nic.fr/2001:660:3005:1::1:2; rrtype=NSEC
  15.64 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns2.nic.fr/2001:660:3005:1::1:2; rrtype=NSEC3PARAM
  15.74 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns3.nic.fr/2001:660:3006:1::1:1; rrtype=DNSKEY
  15.74 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns3.nic.fr/2001:660:3006:1::1:1; rrtype=NSEC
  15.74 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns3.nic.fr/2001:660:3006:1::1:1; rrtype=NSEC3PARAM
  15.75 INFO     DNSSEC10       DS10_HAS_NSEC3  ns_list=g.ext.nic.fr/194.0.36.1;ns1.nic.fr/192.134.4.1;ns2.nic.fr/192.93.0.4;ns3.nic.fr/192.134.0.49
  15.76 DEBUG    DNSSEC10       TEST_CASE_END  testcase=DNSSEC10
  15.76 DEBUG    Unspecified    MODULE_END  module=DNSSEC

@tgreenx tgreenx added A-TestCase Area: Test case specification or implementation of test case V-Patch Versioning: The change gives an update of patch in version. labels Dec 11, 2024
@tgreenx tgreenx added this to the v2024.2.1 milestone Dec 11, 2024
@tgreenx tgreenx linked an issue Dec 11, 2024 that may be closed by this pull request
matsduf commented Dec 11, 2024

Contributor
$ zonemaster-cli --show-testcase --level info --no-ipv6 --test dnssec10 afnic.fr --raw
   0.00 INFO     Unspecified    GLOBAL_VERSION  version=v7.0.0
   8.83 INFO     DNSSEC10       DS10_HAS_NSEC3  ns_list=g.ext.nic.fr/194.0.36.1;ns1.nic.fr/192.134.4.1;ns2.nic.fr/192.93.0.4;ns3.nic.fr/192.134.0.49

I think the test should have --level debug and the output should list at least one excluded IPv6 address but no DS10_EXPECTED_NSEC_NSEC3_MISSING to be complete.
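
The manual check discussed in the two comments above can be automated. The following is an added example, not part of the original thread or of Zonemaster's code: it parses `zonemaster-cli --raw` output and reports when a `--no-ipv6` run lacks an `IPV6_DISABLED` line or contains `DS10_EXPECTED_NSEC_NSEC3_MISSING`. The function names and the sample are constructed, and the check that `ns_list` arguments name only IPv4 servers is an assumption based on the output shown.

```python
import ipaddress
import re

# Constructed sample, abridged from the --raw output quoted in the thread.
SAMPLE = """\
   0.02 DEBUG    DNSSEC10       TEST_CASE_START  testcase=DNSSEC10
  15.46 DEBUG    DNSSEC10       IPV6_DISABLED  ns=g.ext.nic.fr/2001:678:4c::1; rrtype=NSEC
  15.54 DEBUG    DNSSEC10       IPV6_DISABLED  ns=ns1.nic.fr/2001:67c:2218:2::4:1; rrtype=NSEC
  15.75 INFO     DNSSEC10       DS10_HAS_NSEC3  ns_list=g.ext.nic.fr/194.0.36.1;ns1.nic.fr/192.134.4.1
  15.76 DEBUG    DNSSEC10       TEST_CASE_END  testcase=DNSSEC10
"""

# Columns: seconds, level, module, message tag, then "key=value; key=value" arguments.
LINE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse(raw):
    """Yield (level, module, tag, args) per log line; args is a dict."""
    for line in raw.splitlines():
        m = LINE.match(line)
        if m:
            _, level, module, tag, rest = m.groups()
            args = dict(p.split("=", 1) for p in rest.split("; ") if "=" in p)
            yield level, module, tag, args


def check_dnssec10_no_ipv6(raw):
    """Return a list of problems; an empty list means the run looks as expected."""
    entries = [e for e in parse(raw) if e[1] == "DNSSEC10"]
    tags = {e[2] for e in entries}
    problems = []
    if "IPV6_DISABLED" not in tags:
        problems.append("no IPV6_DISABLED line: rerun with --level debug")
    if "DS10_EXPECTED_NSEC_NSEC3_MISSING" in tags:
        problems.append("DS10_EXPECTED_NSEC_NSEC3_MISSING reported")
    # Assumption: with --no-ipv6, result messages should name only IPv4 servers.
    for _, _, tag, args in entries:
        for ns in filter(None, args.get("ns_list", "").split(";")):
            ip = ns.partition("/")[2]
            if ip and ipaddress.ip_address(ip).version == 6:
                problems.append(f"{tag} lists {ns}, an IPv6 server")
    return problems


if __name__ == "__main__":
    print(check_dnssec10_no_ipv6(SAMPLE) or "OK")
```

An `--level info` run fails the first check by design, since it cannot show that any IPv6 address was actually excluded.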

matsduf
matsduf previously approved these changes Dec 11, 2024
@matsduf matsduf changed the base branch from develop to release-v2024.2.1 December 17, 2024 09:17
@matsduf matsduf changed the base branch from release-v2024.2.1 to develop December 17, 2024 09:40
@matsduf matsduf dismissed their stale review December 17, 2024 09:40

The base branch was changed.

@matsduf matsduf changed the base branch from develop to release-v2024.2.1 December 17, 2024 09:45
- Use a list of queried name servers instead of all name servers, in case any IP protocol is unavailable (or if the IP address has already been processed).
- Add test scenario BAD-SERVERS-BUT-GOOD-NSEC-1
- Update unit test data
matsduf commented Jan 28, 2025

Contributor

@tgreenx, should I merge zonemaster/zonemaster#1341 now?

tgreenx commented Feb 6, 2025

Contributor Author

> @tgreenx, should I merge zonemaster/zonemaster#1341 now?

Yes, and I'm merging this one too.

@tgreenx tgreenx merged commit fc83715 into zonemaster:release-v2024.2.1 Feb 6, 2025
@tgreenx tgreenx deleted the fix-dnssec10 branch February 6, 2025 09:15
Development

Successfully merging this pull request may close these issues.

Unexpected error in DNSSEC10 when disabling either IP protocol