Consistency05 (consistency05)
Status: Final
Purpose
- Compare delegation glue addresses against child authoritative address data for in-bailiwick nameservers.
- Compare out-of-bailiwick glue addresses against recursive public lookup results.
Preconditions And Inputs
- Preconditions:
- A
zone.Zoneobject is available.
- A
- Required inputs:
- Parent-side NS, A, and AAAA responses via
queryParentAll. - Child-side nameserver names via
methods.Method2and3. - Child-side nameserver servers via
methods.Method4and5. - Recursive lookup results via
recursefor out-of-bailiwick checks and referral fallbacks.
- Parent-side NS, A, and AAAA responses via
- Profile/config knobs that affect behavior:
net.ipv4andnet.ipv6: filter which child nameserver addresses are queried.
Algorithm And Decision Flow
- Emit
TEST_CASE_START. - Query parent for child-zone NS records; collect unique child NS names.
- For each child NS name, query parent for A and AAAA and collect glue items
owner/ip. - Split parent glue into:
- in-bailiwick strict glue (
strictGlue), - out-of-bailiwick extended glue (
extendedGluegrouped by NS name).
- in-bailiwick strict glue (
- Build in-bailiwick NS name set from Method2+Method3, and in-bailiwick child NS servers from Method4+Method5 (respecting enabled IP versions).
- If Method4+Method5 yields no usable in-bailiwick child NS servers:
- Materialize child NS server endpoints from in-bailiwick strict glue, respecting enabled IP versions.
- Query those endpoints for the child-zone NS set and merge any in-bailiwick names into the in-bailiwick NS name set.
- For each in-bailiwick NS name:
- Query every in-bailiwick child NS server for A and AAAA with RD off (
getAddrRRs). getAddrRRsemitsNO_RESPONSEon no response andCHILD_NS_FAILEDon unusable non-referral/non-NXDOMAIN authoritative behavior.- Referral responses trigger recursive fallback lookup and use resulting answer data if available.
- Otherwise accumulate child authoritative
owner/ippairs.
- Query every in-bailiwick child NS server for A and AAAA with RD off (
- If no in-bailiwick address lookup path was usable for any in-bailiwick NS name, emit
CHILD_ZONE_LAME, emitTEST_CASE_END, and return. - Compare in-bailiwick sets:
- Parent-only items -> emit
IN_BAILIWICK_ADDR_MISMATCH. - Child-only items -> emit
EXTRA_ADDRESS_CHILD.
- Parent-only items -> emit
- For each out-of-bailiwick NS name in extended glue:
- Recurse A and AAAA, build child/public
owner/ipset. - If any parent glue item for that name is missing from child/public set, emit
OUT_OF_BAILIWICK_ADDR_MISMATCH.
- If none of the three mismatch tags were emitted, emit
ADDRESSES_MATCH. - Emit
TEST_CASE_END.
Emitted Tags (Possible Set)
| Tag | Emitted when |
|---|---|
ADDRESSES_MATCH | No in-bailiwick mismatch, no extra child address, and no out-of-bailiwick mismatch were found. |
CHILD_NS_FAILED | Child nameserver response for in-bailiwick address lookup was unusable (non-AA/no referral/no accepted RCODE path). |
CHILD_ZONE_LAME | Every in-bailiwick address lookup path failed for all in-bailiwick NS names. |
EXTRA_ADDRESS_CHILD | Child authoritative in-bailiwick address set contains addresses not present in strict glue. |
IN_BAILIWICK_ADDR_MISMATCH | Strict in-bailiwick glue contains addresses not found in child authoritative data. |
NO_RESPONSE | A child nameserver did not return a response for an in-bailiwick A/AAAA lookup. |
OUT_OF_BAILIWICK_ADDR_MISMATCH | Out-of-bailiwick glue contains addresses not found in recursive public A/AAAA results. |
TEST_CASE_END | Testcase completion marker is emitted. |
TEST_CASE_START | Testcase start marker is emitted. |
Tag Arguments
| Tag | Argument key | Type | Meaning |
|---|---|---|---|
ADDRESSES_MATCH | - | - | No arguments. |
CHILD_NS_FAILED | ns | string | Child nameserver identity (ns name only; use address for IP) that failed authoritative child lookup requirements. |
CHILD_NS_FAILED | address | string | Nameserver IP address for the same endpoint. |
CHILD_ZONE_LAME | - | - | No arguments. |
EXTRA_ADDRESS_CHILD | addresses | array<string> | Structured owner/ip entries found only in child authoritative data. |
IN_BAILIWICK_ADDR_MISMATCH | parent_servers | array<object> | Structured parent strict-glue endpoint list; each item is { "ns": "...", "address": "..." }. |
IN_BAILIWICK_ADDR_MISMATCH | zone_servers | array<object> | Structured child authoritative in-bailiwick endpoint list; each item is { "ns": "...", "address": "..." }. |
NO_RESPONSE | ns | string | Child nameserver identity (ns name only; use address for IP) with no response. |
NO_RESPONSE | address | string | Nameserver IP address for the same endpoint. |
OUT_OF_BAILIWICK_ADDR_MISMATCH | parent_servers | array<object> | Structured parent out-of-bailiwick glue endpoint list for one NS name. |
OUT_OF_BAILIWICK_ADDR_MISMATCH | zone_servers | array<object> | Structured recursively resolved endpoint list for the same NS name. |
TEST_CASE_END | testcase | string | Testcase display name (Consistency05). |
TEST_CASE_START | testcase | string | Testcase display name (Consistency05). |
Severity Levels Per Tag
| Tag | Level | Notes |
|---|---|---|
ADDRESSES_MATCH | INFO | Default from share/profile.json (test_levels.CONSISTENCY). |
CHILD_NS_FAILED | DEBUG | Default from share/profile.json (test_levels.CONSISTENCY). |
CHILD_ZONE_LAME | ERROR | Default from share/profile.json (test_levels.CONSISTENCY). |
EXTRA_ADDRESS_CHILD | NOTICE | Default from share/profile.json (test_levels.CONSISTENCY). |
IN_BAILIWICK_ADDR_MISMATCH | ERROR | Default from share/profile.json (test_levels.CONSISTENCY). |
NO_RESPONSE | DEBUG | Default from share/profile.json (test_levels.CONSISTENCY). |
OUT_OF_BAILIWICK_ADDR_MISMATCH | ERROR | Default from share/profile.json (test_levels.CONSISTENCY). |
TEST_CASE_END | DEBUG | Default from share/profile.json (test_levels.CONSISTENCY). |
TEST_CASE_START | DEBUG | Default from share/profile.json (test_levels.CONSISTENCY). |
Differences From Upstream
- Upstream reference:
consistency05.md - Differences (Upstream vs Gonemaster):
- Upstream: does not explicitly define this detail. Gonemaster: In-bailiwick processing queries all discovered in-bailiwick child servers and emits one
NO_RESPONSEorCHILD_NS_FAILEDentry per failing nameserver before final mismatch classification. - Upstream: does not explicitly define this detail. Gonemaster: Referral handling explicitly falls back to recursive lookup for the same qtype and owner.
- Upstream: the short-circuit wording can be read per in-bailiwick NS name. Gonemaster:
CHILD_ZONE_LAMEis emitted only when all in-bailiwick address lookup paths fail, so disjoint parent/child NS sets can still be classified as address mismatches. - Upstream: does not explicitly define this detail. Gonemaster: If Method4+Method5 cannot produce usable in-bailiwick child NS endpoints, strict glue endpoints are used as a fallback for child-side address checks and child NS name discovery.
- Upstream: does not explicitly define this detail. Gonemaster: In-bailiwick processing queries all discovered in-bailiwick child servers and emits one
- Potential upstream report:
no
Edge Cases And Limitations
CHILD_ZONE_LAMEshort-circuits testcase execution and suppresses later mismatch checks when no usable in-bailiwick address lookup path was found.- Out-of-bailiwick mismatch reporting is per NS name group; each emission includes full parent list for that group.
- Disabled IP versions affect child authoritative probes indirectly by filtering queried child servers.