Update CNAME resolution#1518
Conversation
|
The I’d suggest a different name for that tag. How about |
It think that is a good suggestion. Should there be another tag, For me |
|
Yes, a In any case, I don’t think the ERROR level is appropriate for these tags because they do not indicate a problem so severe that the zone is unresolvable. |
- `Zonemaster::Engine::Recursor::_resolve_cname()` now returns undef when the CNAME resolution fails, along with a new message tag: `CNAME_UNRESOLVABLE` - Update unit tests: move the content of scenario `TOO-LONG-CNAME-CHAIN` to a new scenario `TOO-MANY-CNAME`, and update scenario `TOO-LONG-CNAME-CHAIN` to check for tag `CNAME_CHAIN_TOO_LONG` instead
Co-authored-by: Marc van der Wal <103426270+marc-vanderwal@users.noreply.github.com>
|
@tgreenx, will you fix the conflict? |
@matsduf @marc-vanderwal done, please re-review. |
Added.
Not needed, NXDOMAIN responses are already handled by the calling method ( |
| # CNAME target is out of zone, so make a new recursive lookup | ||
| unless ( $name->is_in_bailiwick( $target ) ) { |
There was a problem hiding this comment.
Even if name "is_in_bailiwick" it can be out of zone. Name can belong to a child zone (or several delegations down).
|
|
||
| return ( $p, $state ); | ||
| # Catch-all; unforeseen problem in CNAME resolution | ||
| Zonemaster::Engine->logger->add( CNAME_UNRESOLVABLE => { name => $name, type => $type, target => $target } ); |
There was a problem hiding this comment.
I think the tag CNAME_UNRESOLVABLE should be defined or at least described. Probably together with CNAME_TO_NODATA and other tags.
| return ( $p, $state ); | ||
| # Catch-all; unforeseen problem in CNAME resolution | ||
| Zonemaster::Engine->logger->add( CNAME_UNRESOLVABLE => { name => $name, type => $type, target => $target } ); | ||
| return ( undef, $state ); |
There was a problem hiding this comment.
In order to be consistent with the Zonemaster::Engine::Nameserver->query() method, I think we should return undef if and only if we had a timeout. Now we hit this case when the packet isn’t something we expect, e.g. a FORMERR response. We should still return that packet to the caller.
There’s a subtle bug that I missed when reviewing. I’ll propose a change.
|
|
||
| $seen_targets{lc( $rr_target )} = 1; | ||
| $forbidden_targets{lc( $rr_owner )} = 1; | ||
| $cnames{$rr_owner} = $rr_target; |
There was a problem hiding this comment.
If we are following a chain of aliases (CNAMEs) and at some point, the owner name of the next item in the chain is in a different case than the previous item’s CNAME’s RDATA, then we erroneously report a broken chain. There’s an example in the wild of that.
This line should be:
$cnames{lc( $rr_owner )} = $rr_target;There was a problem hiding this comment.
Isn't clearer to write:
$rr_target = lc( $rr_target );
$rr_owner = lc( $rr_owner );
$seen_targets{ $rr_target } = 1;
$forbidden_targets{ $rr_owner } = 1;
$cnames{ $rr_owner } = $rr_target;
Purpose
This PR slightly updates the CNAME resolution of Engine's recursor. See the
Changessection below.Updated test scenarios are defined in zonemaster/zonemaster#1477.
Context
zonemaster/zonemaster#1477
Changes
Zonemaster::Engine::Recursor::_resolve_cname()now returns undef when the CNAME resolution fails, along with new message tags:CNAME_UNRESOLVABLE(ERROR level) andCNAME_TO_NODATA(DEBUG level)TOO-LONG-CNAME-CHAINto a new scenarioTOO-MANY-CNAME,TOO-LONG-CNAME-CHAINto check for tagCNAME_CHAIN_TOO_LONGinsteadUNRESOLVABLE-CNAMEHow to test this PR
Unit tests are updated and should pass.