Nameserver10 (nameserver10)

Status: Final

Purpose

  • Validate authoritative nameserver behavior for unsupported EDNS version queries (version 1).

Preconditions And Inputs

  • Preconditions:
    • A zone.Zone object is available.
  • Required inputs:
    • Nameserver addresses from methods.Method4and5.
    • SOA responses to EDNS version 0 and EDNS version 1 queries.
  • Profile/config knobs that affect behavior:
    • net.ipv4 and net.ipv6: disabled transports are skipped with transport debug tags.
    • resolver.defaults.parallel: parallel nameserver query fanout.

Algorithm And Decision Flow

  1. Emit TEST_CASE_START.
  2. Initialize outcome collectors:
    • No Response EDNS1 Query (IP list)
    • Unexpected RCODE (rcode -> IP list)
    • EDNS Response Error (IP list)
  3. Read nameserver list from Method4and5.
  4. For each nameserver (parallelized, input-order merged logs):
    • If transport is disabled, emit IPV4_DISABLED or IPV6_DISABLED for rrtype SOA, then skip this nameserver.
    • Send SOA query with EDNS version 0.
    • Continue only when version-0 response exists and has RCODE=NOERROR.
    • Send SOA query with EDNS version 1.
    • If version-1 response is missing, mark nameserver IP for N10_NO_RESPONSE_EDNS1_QUERY.
    • Else determine whether response is BADVERS by either:
      • DNS header RCODE BADVERS, or
      • header low 4 bits NOERROR and EDNS extended rcode 1.
    • If not BADVERS, mark nameserver IP under response rcode for N10_UNEXPECTED_RCODE.
    • Else if response has EDNS version 0 and empty answer section, treat as expected and do not mark issues.
    • Else mark nameserver IP for N10_EDNS_RESPONSE_ERROR.
  5. Emit aggregate tags for non-empty collectors:
    • N10_NO_RESPONSE_EDNS1_QUERY with sorted unique addresses.
    • For each sorted rcode, N10_UNEXPECTED_RCODE with sorted unique addresses.
    • N10_EDNS_RESPONSE_ERROR with sorted unique addresses.
  6. Emit TEST_CASE_END.
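
An added example (not Gonemaster's own code) of the step 4 decision applied to a raw EDNS version 1 probe response. On the wire BADVERS is RCODE 16, which does not fit the 4-bit header field, so it arrives as header nibble 0 plus extended rcode 1 in the OPT record. Assumptions: the names Classify, skipName and sampleBadvers are hypothetical, the message is parsed directly from wire format rather than through a resolver library, and the sample bytes are constructed.

```go
package main

import "fmt"

// skipName returns the offset just past a (possibly compressed) name.
func skipName(m []byte, off int) int {
	for off < len(m) && m[off] != 0 {
		if m[off]&0xC0 == 0xC0 {
			return off + 2
		}
		off += int(m[off]) + 1
	}
	return off + 1
}

// Classify maps a raw EDNSv1 probe response (nil = none) to its finding
// tag and 12-bit RCODE; an empty tag means the expected BADVERS shape.
func Classify(m []byte) (string, int, error) {
	if m == nil {
		return "N10_NO_RESPONSE_EDNS1_QUERY", 0, nil
	}
	if len(m) < 12 {
		return "", 0, fmt.Errorf("short DNS message: %d bytes", len(m))
	}
	u16 := func(i int) int { return int(m[i])<<8 | int(m[i+1]) }
	off, rcode, version, ancount := 12, int(m[3]&0x0F), -1, u16(6)
	for i := 0; i < u16(4); i++ {
		off = skipName(m, off) + 4 // QTYPE + QCLASS
	}
	for n := ancount + u16(8) + u16(10); n > 0; n-- {
		if off = skipName(m, off); off+10 > len(m) {
			return "", 0, fmt.Errorf("truncated resource record at %d", off)
		}
		if u16(off) == 41 { // OPT: TTL field holds ext-rcode, version, flags
			rcode, version = rcode|int(m[off+4])<<4, int(m[off+5])
		}
		off += 10 + u16(off+8) // fixed RR fields + RDATA
	}
	if rcode != 16 { // anything other than BADVERS
		return "N10_UNEXPECTED_RCODE", rcode, nil
	} else if version != 0 || ancount != 0 {
		return "N10_EDNS_RESPONSE_ERROR", rcode, nil
	}
	return "", rcode, nil
}

// Constructed sample: "example." SOA question + OPT RR (ext-rcode 1, version 0).
var sampleBadvers = []byte("\x12\x34\x84\x00\x00\x01\x00\x00\x00\x00\x00\x01\x07example\x00\x00\x06\x00\x01\x00\x00\x29\x04\xd0\x01\x00\x00\x00\x00\x00")

func main() { fmt.Println(Classify(sampleBadvers)) }
```

In the sample, byte 30 is the extended rcode and byte 31 the EDNS version; changing either one moves the response into N10_UNEXPECTED_RCODE or N10_EDNS_RESPONSE_ERROR.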

Emitted Tags (Possible Set)

| Tag | Emitted when |
|---|---|
| IPV4_DISABLED | IPv4 nameserver evaluation is skipped because IPv4 is disabled. |
| IPV6_DISABLED | IPv6 nameserver evaluation is skipped because IPv6 is disabled. |
| N10_EDNS_RESPONSE_ERROR | BADVERS condition is met but response does not match expected EDNSv1 error-shape check. |
| N10_NO_RESPONSE_EDNS1_QUERY | Nameserver responded to EDNSv0 probe but not to EDNSv1 probe. |
| N10_UNEXPECTED_RCODE | EDNSv1 probe returned response with RCODE not interpreted as BADVERS. |
| TEST_CASE_END | Testcase completion marker is emitted. |
| TEST_CASE_START | Testcase start marker is emitted. |

Tag Arguments

| Tag | Argument key | Type | Meaning |
|---|---|---|---|
| IPV4_DISABLED | ns | string | Nameserver identity (ns name only; use address for IP) skipped on IPv4. |
| IPV4_DISABLED | address | string | Nameserver IP address for the same endpoint. |
| IPV4_DISABLED | rrtype | string | rrtype skipped (SOA). |
| IPV6_DISABLED | ns | string | Nameserver identity (ns name only; use address for IP) skipped on IPv6. |
| IPV6_DISABLED | address | string | Nameserver IP address for the same endpoint. |
| IPV6_DISABLED | rrtype | string | rrtype skipped (SOA). |
| N10_EDNS_RESPONSE_ERROR | addresses | array<string> | Structured sorted unique nameserver IPs. |
| N10_NO_RESPONSE_EDNS1_QUERY | addresses | array<string> | Structured sorted unique nameserver IPs. |
| N10_UNEXPECTED_RCODE | rcode | string | Unexpected response code for EDNSv1 query. |
| N10_UNEXPECTED_RCODE | addresses | array<string> | Structured sorted unique nameserver IPs for that rcode. |
| TEST_CASE_END | testcase | string | Testcase display name (Nameserver10). |
| TEST_CASE_START | testcase | string | Testcase display name (Nameserver10). |

Severity Levels Per Tag

| Tag | Level | Notes |
|---|---|---|
| IPV4_DISABLED | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| IPV6_DISABLED | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| N10_EDNS_RESPONSE_ERROR | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| N10_NO_RESPONSE_EDNS1_QUERY | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| N10_UNEXPECTED_RCODE | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| TEST_CASE_END | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| TEST_CASE_START | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |

Differences From Upstream

  • Upstream reference: nameserver10.md
  • Differences (Upstream vs Gonemaster):
    • Upstream: says the input is the nameserver IP set. Gonemaster: iterates the raw Method4and5 output, but the aggregate addresses values are sorted and deduplicated by IP.
    • Upstream: summary assumes this testcase is relevant only after EDNSv0 success. Gonemaster: implements that gating explicitly by only evaluating EDNSv1 when EDNSv0 response exists and has NOERROR.
    • Upstream: does not explicitly describe testcase boundary and transport-disabled debug emissions. Gonemaster: emits TEST_CASE_START, TEST_CASE_END, IPV4_DISABLED, and IPV6_DISABLED.
  • Potential upstream report:
    • no

Edge Cases And Limitations

  • Nameservers failing the EDNSv0 gating query produce no N10 finding tags.
  • BADVERS detection accepts two encodings (header BADVERS or extended-rcode form).
  • Aggregate tags are emitted once per collector category, not once per nameserver.