Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CDS/CDNSKEY RRsets comparison in DNSSEC15 #1383

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Fix CDS/CDNSKEY RRsets comparison in DNSSEC15 #1383

wants to merge 1 commit into from

Conversation

tgreenx
Copy link
Contributor

@tgreenx tgreenx commented Aug 27, 2024
edited
Loading

Purpose

This PR proposes a fix to the handling of CDS and CDNSKEY RRsets comparison in DNSSEC15.

PS: The proper fix for the code below https://github.com/zonemaster/zonemaster-engine/pull/1383/files#diff-3c6ad87ddb974fb813839bacdaafd4e212c238d0ff6865a9bf6cf677403343deR3953 requires changes in LDNS. PRs have been made to make it happen, and it should be available in the next release of LDNS (1.8.5). See NLnetLabs/ldns@b398138.

Context

Fixes #1381

Requires zonemaster/zonemaster-ldns#199

Changes

  • Update code logic
  • Refactoring

How to test this PR

This requires zonemaster/zonemaster-ldns#199.

Unit tests should pass.

Manual testing (from #1381):

$ zonemaster-cli 8.1.7.0.1.0.0.2.ip6.arpa --ns decsys.vsb.cz --ns nsa.ces.net --ns nsa.cesnet.cz --show-testcase --test dnssec15
  -
Seconds Level    Testcase       Message
======= ======== ============== =======
Looks OK.

@tgreenx tgreenx added A-TestCase Area: Test case specification or implementation of test case V-Patch Versioning: The change gives an update of patch in version. labels Aug 27, 2024
@tgreenx tgreenx added this to the v2024.2 milestone Aug 27, 2024
@tgreenx tgreenx mentioned this pull request Aug 27, 2024
Open
@tgreenx
Copy link
Contributor Author

tgreenx commented Aug 28, 2024

PS2: A more elegant solution to this PR would require more change in Zonemaster-LDNS. See zonemaster/zonemaster-ldns#196.

I've proposed zonemaster/zonemaster-ldns#203, which would allow for making a more straightforward solution for this PR. So I'm switching it to a draft state for now.

@tgreenx tgreenx marked this pull request as draft August 28, 2024 15:23
@tgreenx tgreenx linked an issue Sep 24, 2024 that may be closed by this pull request
CDS/CDNSKEY inconsistency error #1381
Open
@tgreenx tgreenx marked this pull request as ready for review October 1, 2024 16:24
@tgreenx
Copy link
Contributor Author

tgreenx commented Oct 1, 2024

I've proposed zonemaster/zonemaster-ldns#203, which would allow for making a more straightforward solution for this PR. So I'm switching it to a draft state for now.

@mattias-p @matsduf @MichaelTimbert @marc-vanderwal This PR has been updated and is now ready for review.

matsduf
matsduf approved these changes Oct 2, 2024
View reviewed changes
Copy link
Contributor

@matsduf matsduf left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find the code quite hard to follow. I would like to see comments that says what sections are meant to do. This is not due to the current PR. That is how the code is already. But that fact makes it harder to review the code.

I have tested the update and I have found no issues.

@matsduf
Copy link
Contributor

matsduf commented Oct 11, 2024

@mattias-p , @marc-vanderwal, @MichaelTimbert - please review.

@marc-vanderwal marc-vanderwal mentioned this pull request Oct 16, 2024
Open
marc-vanderwal
marc-vanderwal reviewed Oct 16, 2024
View reviewed changes
Copy link
Contributor

@marc-vanderwal marc-vanderwal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest that we wait until zonemaster/zonemaster-ldns#209 is merged.

lib/Zonemaster/Engine/Test/DNSSEC.pm

my $rrlist = scalar @{ $cds_rrsets{ $ns_ip } } ? Zonemaster::LDNS::RRList->new( $cds_rrsets{ $ns_ip } ) : undef;

if ( ( $rrlist and not $first_rrlist ) or ( not $rrlist and $first_rrlist ) or ( $rrlist and $first_rrlist and $rrlist ne $first_rrlist ) ) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As soon as zonemaster/zonemaster-ldns#209 is merged, this can be rewritten as:

Suggested change
if ( ( $rrlist and not $first_rrlist ) or ( not $rrlist and $first_rrlist ) or ( $rrlist and $first_rrlist and $rrlist ne $first_rrlist ) ) {
if ( $rrlist ne $first_rrlist ) {

lib/Zonemaster/Engine/Test/DNSSEC.pm

my $rrlist = scalar @{ $cdnskey_rrsets{ $ns_ip } } ? Zonemaster::LDNS::RRList->new( $cdnskey_rrsets{ $ns_ip } ) : undef;

if ( ( $rrlist and not $first_rrlist ) or ( not $rrlist and $first_rrlist ) or ( $rrlist and $first_rrlist and $rrlist ne $first_rrlist ) ) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comments and suggestions above.

lib/Zonemaster/Engine/Test/DNSSEC.pm
elsif ( $rrset_string ne $first_rrset_string ) {
push @results, _emit_log( DS15_INCONSISTENT_CDS => {} );

my $rrlist = scalar @{ $cds_rrsets{ $ns_ip } } ? Zonemaster::LDNS::RRList->new( $cds_rrsets{ $ns_ip } ) : undef;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As soon as zonemaster/zonemaster-ldns#209 is merged, this can be simplified to:

Suggested change
my $rrlist = scalar @{ $cds_rrsets{ $ns_ip } } ? Zonemaster::LDNS::RRList->new( $cds_rrsets{ $ns_ip } ) : undef;
my $rrlist = Zonemaster::LDNS::RRList->new( $cds_rrsets{ $ns_ip } );

lib/Zonemaster/Engine/Test/DNSSEC.pm
if ( not defined $first_rrset_string ) {
$first_rrset_string = $rrset_string;
if ( $first ) {
$first_rrlist = scalar @{ $cds_rrsets{ $ns_ip } } ? Zonemaster::LDNS::RRList->new( $cds_rrsets{ $ns_ip } ) : undef;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As soon as zonemaster/zonemaster-ldns#209 is merged, this can be simplified to:

Suggested change
$first_rrlist = scalar @{ $cds_rrsets{ $ns_ip } } ? Zonemaster::LDNS::RRList->new( $cds_rrsets{ $ns_ip } ) : undef;
$first_rrlist = Zonemaster::LDNS::RRList->new( $cds_rrsets{ $ns_ip } );

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marc-vanderwal marc-vanderwal marc-vanderwal left review comments

@matsduf matsduf matsduf approved these changes

@mattias-p mattias-p Awaiting requested review from mattias-p

@MichaelTimbert MichaelTimbert Awaiting requested review from MichaelTimbert

Assignees
No one assigned
Labels
A-TestCase Area: Test case specification or implementation of test case V-Patch Versioning: The change gives an update of patch in version.
Projects
None yet
Milestone
v2024.2
Development

Successfully merging this pull request may close these issues.

CDS/CDNSKEY inconsistency error
3 participants
@tgreenx @matsduf @marc-vanderwal