Nameserver11 (nameserver11)

Status: Final

Purpose

  • Verify handling of an unknown EDNS option code in authoritative SOA responses.

Preconditions And Inputs

  • Preconditions:
    • A zone.Zone object is available.
  • Required inputs:
    • Nameserver addresses from methods.Method4and5.
    • Baseline EDNSv0 SOA responses.
    • SOA responses to EDNS query with unknown option code (137).
  • Profile/config knobs that affect behavior:
    • net.ipv4 and net.ipv6: disabled transports are skipped with transport debug tags.
    • resolver.defaults.parallel: parallel nameserver query fanout.

Algorithm And Decision Flow

  1. Emit TEST_CASE_START.
  2. Read nameserver list from Method4and5.
  3. For each nameserver (parallelized, input-order merged logs):
    • If transport is disabled, emit IPV4_DISABLED or IPV6_DISABLED for rrtype SOA, then skip.
    • Send baseline SOA query with EDNS version 0 and no unknown option.
    • Continue to unknown-option test only if baseline response satisfies all:
      • response exists,
      • EDNS present,
      • RCODE=NOERROR,
      • AA=true,
      • answer contains SOA for zone name.
    • Send SOA query with EDNS version 0 and unknown option code 137.
    • Classify outcome into one collector:
      • N11_NO_RESPONSE when no response.
      • N11_UNEXPECTED_RCODE when RCODE!=NOERROR (bucketed by rcode).
      • N11_NO_EDNS when EDNS is absent.
      • N11_UNEXPECTED_ANSWER_SECTION when SOA answer for zone name is absent.
      • N11_UNSET_AA when AA=false.
      • N11_RETURNS_UNKNOWN_OPTION_CODE when response EDNS data still includes option code 137.
      • no finding when none of the above applies.
  4. Emit one aggregate tag per non-empty collector, carrying the sorted, unique values of its addresses argument (N11_UNEXPECTED_RCODE is emitted once per rcode, in sorted rcode order).
  5. Emit TEST_CASE_END.
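
The branch order of step 3 and the aggregation of step 4, as an added Go example (not Gonemaster's own code). The Probe struct, the "rcode=" key suffix and the lexical ordering of addresses are assumptions made for illustration; the sample probes are constructed.

```go
package main

import (
	"fmt"
	"slices"
)

// Probe is a hypothetical, simplified result of the option-137 SOA query.
type Probe struct {
	Addr, Rcode                      string
	Answered, EDNS, SOA, AA, Echo137 bool
}

// classify applies the first-match branch order; "" means no finding.
func classify(p Probe) string {
	switch {
	case !p.Answered:
		return "N11_NO_RESPONSE"
	case p.Rcode != "NOERROR":
		return "N11_UNEXPECTED_RCODE rcode=" + p.Rcode
	case !p.EDNS:
		return "N11_NO_EDNS"
	case !p.SOA:
		return "N11_UNEXPECTED_ANSWER_SECTION"
	case !p.AA:
		return "N11_UNSET_AA"
	case p.Echo137:
		return "N11_RETURNS_UNKNOWN_OPTION_CODE"
	}
	return ""
}

// aggregate keeps each collector sorted (as strings) and unique on insert.
func aggregate(probes []Probe) map[string][]string {
	out := map[string][]string{}
	for _, p := range probes {
		key := classify(p)
		if i, found := slices.BinarySearch(out[key], p.Addr); key != "" && !found {
			out[key] = slices.Insert(out[key], i, p.Addr)
		}
	}
	return out
}

func main() {
	// Constructed sample: a is listed twice; b echoes option 137 but has AA unset.
	a := Probe{Addr: "192.0.2.1", Answered: true, Rcode: "FORMERR"}
	b := Probe{Addr: "192.0.2.2", Answered: true, Rcode: "NOERROR", EDNS: true, SOA: true, Echo137: true}
	fmt.Println(aggregate([]Probe{b, a, a}))
}
```

In the sample, 192.0.2.2 is reported only as N11_UNSET_AA: the echoed option code is masked because the AA branch matches first.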

Emitted Tags (Possible Set)

| Tag | Emitted when |
| --- | --- |
| IPV4_DISABLED | IPv4 nameserver evaluation is skipped because IPv4 is disabled. |
| IPV6_DISABLED | IPv6 nameserver evaluation is skipped because IPv6 is disabled. |
| N11_NO_EDNS | Unknown-option query response lacked EDNS. |
| N11_NO_RESPONSE | Unknown-option query produced no DNS response. |
| N11_RETURNS_UNKNOWN_OPTION_CODE | Unknown EDNS option code 137 was echoed back in response EDNS options. |
| N11_UNEXPECTED_ANSWER_SECTION | Unknown-option query response did not include expected zone SOA answer. |
| N11_UNEXPECTED_RCODE | Unknown-option query response had non-NOERROR RCODE. |
| N11_UNSET_AA | Unknown-option query response was not authoritative. |
| TEST_CASE_END | Testcase completion marker is emitted. |
| TEST_CASE_START | Testcase start marker is emitted. |

Tag Arguments

| Tag | Argument key | Type | Meaning |
| --- | --- | --- | --- |
| IPV4_DISABLED | ns | string | Nameserver identity (ns name only; use address for IP) skipped on IPv4. |
| IPV4_DISABLED | address | string | Nameserver IP address for the same endpoint. |
| IPV4_DISABLED | rrtype | string | rrtype skipped (SOA). |
| IPV6_DISABLED | ns | string | Nameserver identity (ns name only; use address for IP) skipped on IPv6. |
| IPV6_DISABLED | address | string | Nameserver IP address for the same endpoint. |
| IPV6_DISABLED | rrtype | string | rrtype skipped (SOA). |
| N11_NO_EDNS | addresses | array<string> | Structured sorted unique nameserver IPs. |
| N11_NO_RESPONSE | addresses | array<string> | Structured sorted unique nameserver IPs. |
| N11_RETURNS_UNKNOWN_OPTION_CODE | addresses | array<string> | Structured sorted unique nameserver IPs. |
| N11_UNEXPECTED_ANSWER_SECTION | addresses | array<string> | Structured sorted unique nameserver IPs. |
| N11_UNEXPECTED_RCODE | rcode | string | Unexpected response code name. |
| N11_UNEXPECTED_RCODE | addresses | array<string> | Structured sorted unique nameserver IPs for that rcode. |
| N11_UNSET_AA | addresses | array<string> | Structured sorted unique nameserver IPs. |
| TEST_CASE_END | testcase | string | Testcase display name (Nameserver11). |
| TEST_CASE_START | testcase | string | Testcase display name (Nameserver11). |

Severity Levels Per Tag

| Tag | Level | Notes |
| --- | --- | --- |
| IPV4_DISABLED | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| IPV6_DISABLED | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| N11_NO_EDNS | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| N11_NO_RESPONSE | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| N11_RETURNS_UNKNOWN_OPTION_CODE | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| N11_UNEXPECTED_ANSWER_SECTION | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| N11_UNEXPECTED_RCODE | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| N11_UNSET_AA | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| TEST_CASE_END | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| TEST_CASE_START | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |

Differences From Upstream

  • Upstream reference: nameserver11.md
  • Differences (Upstream vs Gonemaster):
    • Upstream: assumes nameserver IP evaluation set. Gonemaster: iterates raw Method4and5 output, then emits deduplicated/sorted addresses aggregates.
    • Upstream: defines baseline gate before unknown-option probe. Gonemaster: implements this gate exactly and silently skips nameservers failing baseline checks.
    • Upstream: does not explicitly describe testcase boundary and transport-disabled debug emissions. Gonemaster: emits TEST_CASE_START, TEST_CASE_END, IPV4_DISABLED, and IPV6_DISABLED.
  • Potential upstream report:
    • no

Edge Cases And Limitations

  • Nameservers that fail baseline validation emit no N11_* findings.
  • Multiple failures for one nameserver cannot be reported simultaneously; classification is first-match by branch order.
  • Unknown option detection only checks for option code 137 in response EDNS options.