Fix DNSSEC10 for name servers sharing the same IPs #1457

Merged
merged 5 commits into from
Jun 5, 2025

@tgreenx tgreenx commented May 20, 2025

Purpose

This PR fixes a bug in DNSSEC10 where DS10_EXPECTED_NSEC_NSEC3_MISSING is wrongly output for name servers sharing the same IPs. For this type of name server it should now also output, for all message tags, all name server name/IP pairs.

Context

Fixes #1454
Updated test scenarios from zonemaster/zonemaster#1383

Changes

  • Update implementation
  • Update unit tests and data files

How to test this PR

Unit tests are updated and should pass.

@tgreenx tgreenx added this to the v2025.1 milestone May 20, 2025
@tgreenx tgreenx added A-TestCase Area: Test case specification or implementation of test case V-Patch Versioning: The change gives an update of patch in version. labels May 20, 2025
@tgreenx tgreenx linked an issue May 20, 2025 that may be closed by this pull request
marc-vanderwal previously approved these changes May 22, 2025
@matsduf matsduf left a comment

When testing the scenarios with this PR installed, the new scenarios pass, but is it correct?

$ zonemaster-cli --show-testcase --level INFO --test dnssec10 --hints ../../COMMON/hintfile --raw GOOD-NSEC-2.dnssec10.xa 
   0.00 INFO     Unspecified    GLOBAL_VERSION  version=v7.1.0
   0.07 INFO     DNSSEC10       DS10_HAS_NSEC  ns_list=ns1a.good-nsec-2.dnssec10.xa/127.15.10.31;ns1a.good-nsec-2.dnssec10.xa/fda1:b2:c3:0:127:15:10:31

The zone is delegated to three NS, ns1a, ns1b and ns1c, but only the first one is listed under DS10_HAS_NSEC. I expect all three to be listed.

tgreenx commented May 22, 2025

> When testing the scenarios with this PR installed, the new scenarios pass, but is it correct?
>
> $ zonemaster-cli --show-testcase --level INFO --test dnssec10 --hints ../../COMMON/hintfile --raw GOOD-NSEC-2.dnssec10.xa
>    0.00 INFO     Unspecified    GLOBAL_VERSION  version=v7.1.0
>    0.07 INFO     DNSSEC10       DS10_HAS_NSEC  ns_list=ns1a.good-nsec-2.dnssec10.xa/127.15.10.31;ns1a.good-nsec-2.dnssec10.xa/fda1:b2:c3:0:127:15:10:31
>
> The zone is delegated to three NS, ns1a, ns1b and ns1c, but only the first one is listed under DS10_HAS_NSEC. I expect all three to be listed.

Hmm, I don't think it's feasible unless we stop skipping sending queries to already queried IPs, i.e. remove line 3159:
if exists $ip_already_processed{$ns->address->short};
And that's the usual way of sending queries in test cases.

matsduf commented May 26, 2025

> > The zone is delegated to three NS, ns1a, ns1b and ns1c, but only the first one is listed under DS10_HAS_NSEC. I expect all three to be listed.
>
> Hmm, I don't think it's feasible unless we stop skipping sending queries to already queried IPs, i.e. remove line 3159: if exists $ip_already_processed{$ns->address->short}; And that's the usual way of sending queries in test cases.

In the scenario the delegation has three NS with the same IP. As we have seen it can exist, but more likely is that delegation and zone use/refer to the same IP, but with different names. It is less helpful if some names are not mentioned.

Wouldn't the following model work?

  1. Collect all NS as NAME/IP from delegation and zone.
  2. Normalize NAME and IP, respectively.
  3. Create an ARRAY of all unique NAME/IP pairs.
  4. Create a HASH of the elements from ARRAY where IP is the key, and the value is an array of the unique NAMEs for that IP.
  5. Run the test based on the keys of HASH (IP) and save only IP in the sets.
  6. When the messages are created, construct {ns} ({ns_list}) by doing a lookup into HASH and fetch the name. Construct one {ns} for each name for that IP.
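
The six-step model proposed in the comment above, worked through as an added Python sketch; it is not part of this PR or of Zonemaster's Perl code. The name servers and addresses follow the GOOD-NSEC-2 output quoted in this thread, while the in-zone spellings and the `fake_probe` function are constructed stand-ins.

```python
import ipaddress
from collections import defaultdict

ZONE = "good-nsec-2.dnssec10.xa"
V4, V6 = "127.15.10.31", "fda1:b2:c3:0:127:15:10:31"
# Constructed input: three delegated names sharing one IPv4 and one IPv6 address,
# plus in-zone spellings that differ only in case, trailing dot and zero padding.
DELEGATION = [(f"ns1{x}.{ZONE}", ip) for x in "abc" for ip in (V4, V6)]
IN_ZONE = [(f"NS1A.{ZONE}.", V4), (f"ns1b.{ZONE}", "FDA1:00B2:00C3:0:127:15:10:31")]

def normalize(name, ip):
    """Step 2: lower-case name without trailing dot; canonical IP text."""
    return name.rstrip(".").lower(), str(ipaddress.ip_address(ip))

def index_by_ip(*sources):
    """Steps 1, 3 and 4: unique NAME/IP pairs, then IP -> sorted unique names."""
    pairs = {normalize(name, ip) for src in sources for name, ip in src}
    names_by_ip = defaultdict(list)
    for name, ip in sorted(pairs):
        names_by_ip[ip].append(name)
    return dict(names_by_ip)

def run_per_ip(names_by_ip, probe):
    """Step 5: probe each IP once; the result sets hold IPs only."""
    tagged = defaultdict(set)
    for ip in names_by_ip:
        tagged[probe(ip)].add(ip)
    return dict(tagged)

def ns_list(ips, names_by_ip):
    """Step 6: expand every IP in a result set to all of its NAME/IP pairs."""
    pairs = sorted((name, ip) for ip in ips for name in names_by_ip[ip])
    return ";".join(f"{name}/{ip}" for name, ip in pairs)

probed = []  # records which IPs were actually queried

def fake_probe(ip):
    """Hypothetical stand-in for the DNS query; always reports NSEC present."""
    probed.append(ip)
    return "DS10_HAS_NSEC"

def demo():
    probed.clear()
    names_by_ip = index_by_ip(DELEGATION, IN_ZONE)
    tagged = run_per_ip(names_by_ip, fake_probe)
    return probed[:], ns_list(tagged["DS10_HAS_NSEC"], names_by_ip)

if __name__ == "__main__":
    queried, listing = demo()
    print(len(queried), "queries sent")
    print("DS10_HAS_NSEC ns_list=" + listing)
```

Two queries are sent, one per unique IP, yet the message lists all six name/IP pairs.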

matsduf added a commit to matsduf/zonemaster that referenced this pull request May 26, 2025
matsduf commented May 28, 2025

Two more scenarios have been added in zonemaster/zonemaster#1383, GOOD-NSEC-3 and GOOD-NSEC3-2. Both should output as e.g. GOOD-NSEC-1. Just as with GOOD-NSEC-2 and GOOD-NSEC3-2 there are extra names with the same IP, one name in delegation and the other in zone.

@matsduf matsduf added the T-Bug Type: Bug in software or error in test case description label Jun 2, 2025
matsduf commented Jun 2, 2025

> When testing the scenarios with this PR installed, the new scenarios pass, but is it correct?
>
> $ zonemaster-cli --show-testcase --level INFO --test dnssec10 --hints ../../COMMON/hintfile --raw GOOD-NSEC-2.dnssec10.xa
>    0.00 INFO     Unspecified    GLOBAL_VERSION  version=v7.1.0
>    0.07 INFO     DNSSEC10       DS10_HAS_NSEC  ns_list=ns1a.good-nsec-2.dnssec10.xa/127.15.10.31;ns1a.good-nsec-2.dnssec10.xa/fda1:b2:c3:0:127:15:10:31
>
> The zone is delegated to three NS, ns1a, ns1b and ns1c, but only the first one is listed under DS10_HAS_NSEC. I expect all three to be listed.

This is a different bug compared to what this PR is to resolve. The bug in this comment will be lifted into an issue instead.

matsduf previously approved these changes Jun 2, 2025
@matsduf matsduf left a comment

This is fine.

tgreenx commented Jun 3, 2025

> > When testing the scenarios with this PR installed, the new scenarios pass, but is it correct?
> >
> > $ zonemaster-cli --show-testcase --level INFO --test dnssec10 --hints ../../COMMON/hintfile --raw GOOD-NSEC-2.dnssec10.xa
> >    0.00 INFO     Unspecified    GLOBAL_VERSION  version=v7.1.0
> >    0.07 INFO     DNSSEC10       DS10_HAS_NSEC  ns_list=ns1a.good-nsec-2.dnssec10.xa/127.15.10.31;ns1a.good-nsec-2.dnssec10.xa/fda1:b2:c3:0:127:15:10:31
> >
> > The zone is delegated to three NS, ns1a, ns1b and ns1c, but only the first one is listed under DS10_HAS_NSEC. I expect all three to be listed.
>
> This is a different bug compared to what this PR is to resolve. The bug in this comment will be lifted into an issue instead.

This should now be fixed too with commit 7690d4e:

$ zonemaster-cli --show-testcase --level INFO --test dnssec10 --hints ../zonemaster/test-zone-data/COMMON/hintfile --raw GOOD-NSEC-2.dnssec10.xa
   0.00 INFO     Unspecified    GLOBAL_VERSION  version=v7.1.0
   0.06 INFO     DNSSEC10       DS10_HAS_NSEC  ns_list=ns1a.good-nsec-2.dnssec10.xa/127.15.10.31;ns1a.good-nsec-2.dnssec10.xa/fda1:b2:c3:0:127:15:10:31;ns1b.good-nsec-2.dnssec10.xa/127.15.10.31;ns1b.good-nsec-2.dnssec10.xa/fda1:b2:c3:0:127:15:10:31;ns1c.good-nsec-2.dnssec10.xa/127.15.10.31;ns1c.good-nsec-2.dnssec10.xa/fda1:b2:c3:0:127:15:10:31

@tgreenx tgreenx requested review from matsduf and marc-vanderwal June 3, 2025 11:28
mattias-p previously approved these changes Jun 4, 2025
@mattias-p mattias-p left a comment

This looks reasonable to me. I believe I found a slightly simplifying refactoring.

matsduf commented Jun 4, 2025

> > When testing the scenarios with this PR installed, the new scenarios pass, but is it correct?
> >
> > $ zonemaster-cli --show-testcase --level INFO --test dnssec10 --hints ../../COMMON/hintfile --raw GOOD-NSEC-2.dnssec10.xa
> >    0.00 INFO     Unspecified    GLOBAL_VERSION  version=v7.1.0
> >    0.07 INFO     DNSSEC10       DS10_HAS_NSEC  ns_list=ns1a.good-nsec-2.dnssec10.xa/127.15.10.31;ns1a.good-nsec-2.dnssec10.xa/fda1:b2:c3:0:127:15:10:31
> >
> > The zone is delegated to three NS, ns1a, ns1b and ns1c, but only the first one is listed under DS10_HAS_NSEC. I expect all three to be listed.
>
> This is a different bug compared to what this PR is to resolve. The bug in this comment will be lifted into an issue instead.

With 7690d4e I get a correct result with all NS listed.

matsduf previously approved these changes Jun 4, 2025
Co-authored-by: Mattias Päivärinta <[email protected]>
@tgreenx tgreenx dismissed stale reviews from matsduf and mattias-p via 8697ca3 June 4, 2025 16:55
@tgreenx tgreenx requested review from mattias-p and matsduf June 4, 2025 16:56
tgreenx commented Jun 4, 2025

I applied Mattias's suggestions, please re-approve.

@tgreenx tgreenx merged commit 64a143a into zonemaster:develop Jun 5, 2025
3 checks passed
@tgreenx tgreenx deleted the fix-dnssec10 branch June 5, 2025 08:02
@tgreenx tgreenx added the S-ReleaseTested Status: The PR has been successfully tested in release testing label Jun 12, 2025
tgreenx commented Jun 12, 2025

v2025.1 Release testing

From #1454 (comment):

Ran test (Ubuntu 22.04). Looks fine.

$ zonemaster-cli --show-testcase --level info --test dnssec10 info-slovenija.si

Seconds Level    Testcase       Message
======= ======== ============== =======
   0.00 INFO     Unspecified    Using version v6.0.0 of the Zonemaster engine.
   1.03 INFO     DNSSEC10       The zone has NSEC records. Fetched from the nameservers with IP addresses "193.9.21.61".

Successfully merging this pull request may close these issues.

DNSSEC10 fails when multiple NS share the same IP address