Connectivity01

Status: Final

Purpose

  • Verify that nameservers are reachable over UDP for SOA and NS queries at the child zone name.
  • Detect response-shape failures (missing records, wrong owner name, non-authoritative answers, and unexpected RCODEs).

Preconditions And Inputs

  • Preconditions:
    • A zone.Zone object is available.
  • Required inputs:
  • Profile/config knobs that affect behavior:
    • net.ipv4 and net.ipv6: disabled transports are skipped.
    • resolver.defaults.parallel: per-nameserver query task parallelism.

Algorithm And Decision Flow

  1. Emit TEST_CASE_START.
  2. Resolve nameserver list from ZoneNameservers.
  3. Build disabled-transport summary tags:
    • If any IPv4 nameservers exist while IPv4 is disabled, emit CN01_IPV4_DISABLED with servers.
    • If any IPv6 nameservers exist while IPv6 is disabled, emit CN01_IPV6_DISABLED with servers.
  4. For each nameserver (parallelized):
    • If transport for this nameserver IP version is disabled:
      • Emit IPV4_DISABLED or IPV6_DISABLED for each rrtype (SOA, NS) and skip queries for that nameserver.
    • Else query SOA and NS for child zone over UDP.
    • If both responses are absent, emit CN01_NO_RESPONSE_UDP.
    • Otherwise evaluate SOA and NS responses independently:
      • No response -> CN01_NO_RESPONSE_<QTYPE>_QUERY_UDP.
      • RCODE != NOERROR -> CN01_UNEXPECTED_RCODE_<QTYPE>_QUERY_UDP.
      • No <QTYPE> record in answer -> CN01_MISSING_<QTYPE>_RECORD_UDP.
      • First answer owner name differs from child zone -> CN01_WRONG_<QTYPE>_RECORD_UDP.
      • AA flag unset -> CN01_<QTYPE>_RECORD_NOT_AA_UDP.
    • If all checks passed, record nameserver as ok.
  5. If any nameservers passed all checks, emit one CN01_OK_UDP with servers listing them all.
  6. Emit TEST_CASE_END.

Per-NS UDP Probe (steps 2-5)

resolve NS list with ZoneNameservers
 |
 v
summary tags (per family, once):
  any IPv4 NS exists while Net.IPv4 disabled -> CN01_IPV4_DISABLED (servers)
  any IPv6 NS exists while Net.IPv6 disabled -> CN01_IPV6_DISABLED (servers)

For each nameserver (parallel; fan-out = resolver.defaults.parallel):

   transport check for SOA+NS
    +- IPv6 + Net.IPv6 disabled  -> IPV6_DISABLED per rrtype, skip ns
    +- IPv4 + Net.IPv4 disabled  -> IPV4_DISABLED per rrtype, skip ns
    +- enabled                   -> proceed

   query SOA over UDP, query NS over UDP
    +- both resp.Msg == nil      -> CN01_NO_RESPONSE_UDP, skip ns
    +- otherwise                 -> per-qtype shape checks (see below)

After all tasks:
  any nameserver passed all per-qtype checks -> CN01_OK_UDP (servers)
emit TEST_CASE_END

Per-Query Response Shape Checks (step 4 details)

Per qtype in {SOA, NS}, checks run in this order; first failure wins:

   resp.Msg == nil                       -> CN01_NO_RESPONSE_<QTYPE>_QUERY_UDP   (ok=false)
   RCODE != NOERROR                      -> CN01_UNEXPECTED_RCODE_<QTYPE>_QUERY_UDP (rcode)
   no <QTYPE> record in answer           -> CN01_MISSING_<QTYPE>_RECORD_UDP
   first answer owner != z.Name (FQDN, case-insensitive)
                                         -> CN01_WRONG_<QTYPE>_RECORD_UDP
                                            (domain_found, domain_expected)
   !AA                                   -> CN01_<QTYPE>_RECORD_NOT_AA_UDP
   otherwise                             -> qtype ok

A nameserver counts as "ok" only if both SOA and NS qtypes pass every check.
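
The decision order above as a small Go sketch, added here as an example and not taken from Gonemaster's source. The RR and Response types and the shapeCheck and probe functions are hypothetical stand-ins for the resolver's response message and the per-nameserver task.

```go
package main

import (
	"fmt"
	"strings"
)

// RR and Response are hypothetical minimal types, not Gonemaster's own.
// A nil *Response means no response message; Rcode holds the RCODE mnemonic.
type RR struct{ Name, Type string }
type Response struct{ Rcode string; AA bool; Answer []RR }

// shapeCheck runs the per-qtype checks in order; "" means the qtype passed.
func shapeCheck(zone, qtype string, r *Response) string {
	switch {
	case r == nil:
		return "CN01_NO_RESPONSE_" + qtype + "_QUERY_UDP"
	case r.Rcode != "NOERROR":
		return "CN01_UNEXPECTED_RCODE_" + qtype + "_QUERY_UDP"
	}
	for _, rr := range r.Answer {
		if rr.Type == qtype { // first record of the queried type decides
			if !strings.EqualFold(strings.TrimSuffix(rr.Name, "."), strings.TrimSuffix(zone, ".")) {
				return "CN01_WRONG_" + qtype + "_RECORD_UDP"
			}
			if !r.AA {
				return "CN01_" + qtype + "_RECORD_NOT_AA_UDP"
			}
			return ""
		}
	}
	return "CN01_MISSING_" + qtype + "_RECORD_UDP"
}

// probe combines both results for one nameserver; ok needs SOA and NS to pass.
func probe(zone string, soa, ns *Response) (tags []string, ok bool) {
	if soa == nil && ns == nil {
		return []string{"CN01_NO_RESPONSE_UDP"}, false
	}
	s, n := shapeCheck(zone, "SOA", soa), shapeCheck(zone, "NS", ns)
	// Tags contain no spaces, so Fields drops the empty (passed) entries.
	return strings.Fields(s + " " + n), s == "" && n == ""
}

func main() {
	// Constructed sample: wrong SOA owner name, NS answer without the AA flag.
	soa := &Response{Rcode: "NOERROR", AA: true, Answer: []RR{{"other.example.", "SOA"}}}
	ns := &Response{Rcode: "NOERROR", Answer: []RR{{"EXAMPLE.com", "NS"}}}
	fmt.Println(probe("example.com.", soa, ns))
}
```
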

Emitted Tags (Possible Set)

Tag                                  Emitted when
CN01_IPV4_DISABLED                   IPv4 is disabled and at least one IPv4 nameserver exists in ZoneNameservers set.
CN01_IPV6_DISABLED                   IPv6 is disabled and at least one IPv6 nameserver exists in ZoneNameservers set.
CN01_MISSING_NS_RECORD_UDP           NS response exists with NOERROR but has no NS answer record.
CN01_MISSING_SOA_RECORD_UDP          SOA response exists with NOERROR but has no SOA answer record.
CN01_NO_RESPONSE_NS_QUERY_UDP        NS query has no response message while SOA handling continues.
CN01_NO_RESPONSE_SOA_QUERY_UDP       SOA query has no response message while NS handling continues.
CN01_NO_RESPONSE_UDP                 Both SOA and NS queries have no response message.
CN01_NS_RECORD_NOT_AA_UDP            NS response has expected owner and record but AA flag is unset.
CN01_OK_UDP                          Nameserver responds correctly to both SOA and NS queries over UDP.
CN01_SOA_RECORD_NOT_AA_UDP           SOA response has expected owner and record but AA flag is unset.
CN01_UNEXPECTED_RCODE_NS_QUERY_UDP   NS response RCODE is not NOERROR.
CN01_UNEXPECTED_RCODE_SOA_QUERY_UDP  SOA response RCODE is not NOERROR.
CN01_WRONG_NS_RECORD_UDP             First NS answer owner name is not the child zone name.
CN01_WRONG_SOA_RECORD_UDP            First SOA answer owner name is not the child zone name.
CNAME_CHAIN_TOO_LONG                 A discovered NS hostname’s CNAME chain exceeds CNAMEMaxChainLength while resolving its address.
CNAME_TARGET_UNRESOLVED              A discovered NS hostname’s CNAME chain forms a loop, breaks, or fails to resolve to an address.
CNAME_TOO_MANY_RECORDS               A single answer while resolving a discovered NS hostname carries more than CNAMEMaxRecords distinct CNAME RRs.
IPV4_DISABLED                        IPv4 transport is disabled for this nameserver/rrtype pair.
IPV6_DISABLED                        IPv6 transport is disabled for this nameserver/rrtype pair.
TEST_CASE_END                        Testcase completion marker is emitted.
TEST_CASE_START                      Testcase start marker is emitted.

Tag Arguments

Tag                                  Argument key     Type           Meaning
CN01_IPV4_DISABLED                   servers          array<object>  Structured nameserver identities ({ns,address} object) skipped due to IPv4 disable.
CN01_IPV6_DISABLED                   servers          array<object>  Structured nameserver identities ({ns,address} object) skipped due to IPv6 disable.
CN01_MISSING_NS_RECORD_UDP           ns               string         Nameserver identity (ns name only; use address for IP) producing the response.
CN01_MISSING_NS_RECORD_UDP           address          string         Nameserver IP address for the same endpoint.
CN01_MISSING_SOA_RECORD_UDP          ns               string         Nameserver identity (ns name only; use address for IP) producing the response.
CN01_MISSING_SOA_RECORD_UDP          address          string         Nameserver IP address for the same endpoint.
CN01_NO_RESPONSE_NS_QUERY_UDP        ns               string         Nameserver identity (ns name only; use address for IP) with no NS response.
CN01_NO_RESPONSE_NS_QUERY_UDP        address          string         Nameserver IP address for the same endpoint.
CN01_NO_RESPONSE_SOA_QUERY_UDP       ns               string         Nameserver identity (ns name only; use address for IP) with no SOA response.
CN01_NO_RESPONSE_SOA_QUERY_UDP       address          string         Nameserver IP address for the same endpoint.
CN01_NO_RESPONSE_UDP                 ns               string         Nameserver identity (ns name only; use address for IP) with no SOA and NS response.
CN01_NO_RESPONSE_UDP                 address          string         Nameserver IP address for the same endpoint.
CN01_NS_RECORD_NOT_AA_UDP            ns               string         Nameserver identity (ns name only; use address for IP) with non-AA NS response.
CN01_NS_RECORD_NOT_AA_UDP            address          string         Nameserver IP address for the same endpoint.
CN01_OK_UDP                          servers          array<object>  Structured nameserver identities ({ns,address} objects) that responded correctly over UDP.
CN01_SOA_RECORD_NOT_AA_UDP           ns               string         Nameserver identity (ns name only; use address for IP) with non-AA SOA response.
CN01_SOA_RECORD_NOT_AA_UDP           address          string         Nameserver IP address for the same endpoint.
CN01_UNEXPECTED_RCODE_NS_QUERY_UDP   ns               string         Nameserver identity (ns name only; use address for IP) producing unexpected NS RCODE.
CN01_UNEXPECTED_RCODE_NS_QUERY_UDP   address          string         Nameserver IP address for the same endpoint.
CN01_UNEXPECTED_RCODE_NS_QUERY_UDP   rcode            string         Returned RCODE mnemonic.
CN01_UNEXPECTED_RCODE_SOA_QUERY_UDP  ns               string         Nameserver identity (ns name only; use address for IP) producing unexpected SOA RCODE.
CN01_UNEXPECTED_RCODE_SOA_QUERY_UDP  address          string         Nameserver IP address for the same endpoint.
CN01_UNEXPECTED_RCODE_SOA_QUERY_UDP  rcode            string         Returned RCODE mnemonic.
CN01_WRONG_NS_RECORD_UDP             ns               string         Nameserver identity (ns name only; use address for IP) returning wrong NS owner name.
CN01_WRONG_NS_RECORD_UDP             address          string         Nameserver IP address for the same endpoint.
CN01_WRONG_NS_RECORD_UDP             domain_found     string         Lowercased owner name found in first NS answer record.
CN01_WRONG_NS_RECORD_UDP             domain_expected  string         Lowercased expected child zone FQDN.
CN01_WRONG_SOA_RECORD_UDP            ns               string         Nameserver identity (ns name only; use address for IP) returning wrong SOA owner name.
CN01_WRONG_SOA_RECORD_UDP            address          string         Nameserver IP address for the same endpoint.
CN01_WRONG_SOA_RECORD_UDP            domain_found     string         Lowercased owner name found in first SOA answer record.
CN01_WRONG_SOA_RECORD_UDP            domain_expected  string         Lowercased expected child zone FQDN.
CNAME_CHAIN_TOO_LONG                 query_name       string         The NS hostname whose CNAME chain exceeded the depth bound.
CNAME_TARGET_UNRESOLVED              query_name       string         The NS hostname whose CNAME target could not be resolved.
CNAME_TARGET_UNRESOLVED              cname_target     string         The last attempted CNAME target.
CNAME_TOO_MANY_RECORDS               query_name       string         The NS hostname whose answer carried too many CNAME RRs.
IPV4_DISABLED                        ns               string         Nameserver identity (ns name only; use address for IP) skipped on IPv4.
IPV4_DISABLED                        address          string         Nameserver IP address for the same endpoint.
IPV4_DISABLED                        rrtype           string         rrtype skipped (SOA or NS).
IPV6_DISABLED                        ns               string         Nameserver identity (ns name only; use address for IP) skipped on IPv6.
IPV6_DISABLED                        address          string         Nameserver IP address for the same endpoint.
IPV6_DISABLED                        rrtype           string         rrtype skipped (SOA or NS).
TEST_CASE_END                        testcase         string         Testcase display name (Connectivity01).
TEST_CASE_START                      testcase         string         Testcase display name (Connectivity01).

Severity Levels Per Tag

Tag                                  Level    Notes
CN01_IPV4_DISABLED                   NOTICE   Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_IPV6_DISABLED                   NOTICE   Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_MISSING_NS_RECORD_UDP           WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_MISSING_SOA_RECORD_UDP          WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_NO_RESPONSE_NS_QUERY_UDP        WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_NO_RESPONSE_SOA_QUERY_UDP       WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_NO_RESPONSE_UDP                 WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_NS_RECORD_NOT_AA_UDP            WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_OK_UDP                          INFO     Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_SOA_RECORD_NOT_AA_UDP           WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_UNEXPECTED_RCODE_NS_QUERY_UDP   WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_UNEXPECTED_RCODE_SOA_QUERY_UDP  WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_WRONG_NS_RECORD_UDP             WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CN01_WRONG_SOA_RECORD_UDP            WARNING  Default from share/profile.json (test_levels.CONNECTIVITY).
CNAME_CHAIN_TOO_LONG                 ERROR    Default from share/profile.json (test_levels.CONNECTIVITY).
CNAME_TARGET_UNRESOLVED              ERROR    Default from share/profile.json (test_levels.CONNECTIVITY).
CNAME_TOO_MANY_RECORDS               ERROR    Default from share/profile.json (test_levels.CONNECTIVITY).
IPV4_DISABLED                        DEBUG    Default from share/profile.json (test_levels.CONNECTIVITY).
IPV6_DISABLED                        DEBUG    Default from share/profile.json (test_levels.CONNECTIVITY).
TEST_CASE_END                        DEBUG    Default from share/profile.json (test_levels.CONNECTIVITY).
TEST_CASE_START                      DEBUG    Default from share/profile.json (test_levels.CONNECTIVITY).

Differences From Upstream

  • Differences (Upstream vs Gonemaster):
    • Upstream: defines summary transport-disabled reporting (CN01_IPV4_DISABLED, CN01_IPV6_DISABLED). Gonemaster: also emits per-query transport debug tags (IPV4_DISABLED, IPV6_DISABLED).
    • Upstream: does not explicitly define first-record owner comparison mechanics. Gonemaster: validates owner name using the first answer record for the queried rrtype.
  • Potential upstream report:
    • no

Edge Cases And Limitations

  • If ZoneNameservers yields no nameservers, only testcase start/end tags are emitted.
  • Query call errors are treated as absent response messages.
  • A single nameserver can emit multiple findings in one run (for example one SOA issue and one NS issue).