Nameserver13 (nameserver13)
Status: Final
Purpose
- Check truncated EDNS responses for missing OPT records.
Preconditions And Inputs
- Preconditions:
  - A `zone.Zone` object is available.
- Required inputs:
  - Nameserver addresses from `methods.Method4and5`.
  - DNSKEY responses to UDP EDNS query with `DO=1` and EDNS size `512`.
- Profile/config knobs that affect behavior:
  - `net.ipv4` and `net.ipv6`: disabled transports are skipped with transport debug tags.
  - `resolver.defaults.parallel`: parallel nameserver query fanout.
Algorithm And Decision Flow
- Emit `TEST_CASE_START`.
- Read nameserver list from `Method4and5`.
- For each nameserver (parallelized, input-order merged logs):
  - If transport is disabled, emit `IPV4_DISABLED` or `IPV6_DISABLED` for rrtype `DNSKEY`, then skip.
  - Send DNSKEY query with options:
    - EDNS version `0`
    - EDNS `DO=true`
    - EDNS size `512`
    - `UseVC=false`
    - `Fallback=false`
  - If no response, emit `NO_RESPONSE(ns,domain)`.
  - Else if `RCODE=FORMERR` and response has no EDNS OPT record, emit `NO_EDNS_SUPPORT`.
  - Else if response is truncated (`TC=1`) and has no EDNS OPT, emit `MISSING_OPT_IN_TRUNCATED`.
  - Else if response shape is (`RCODE=NOERROR`, `EdnsVersion=0`), emit no finding.
  - Else emit `NS_ERROR`.
- Emit `TEST_CASE_END`.
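The per-response branches above, applied to raw DNS wire bytes, as an added example in Python (not Gonemaster's own Go code). The names `sample`, `skip_name`, `find_opt` and `classify` are hypothetical, the messages are constructed, only the header RCODE is read, and treating a response with no OPT record as "not EDNS version 0" is an assumption.

```python
import struct

QUESTION = b"\x07example\x00" + struct.pack("!HH", 48, 1)  # constructed: example. DNSKEY IN
OPT = b"\x00" + struct.pack("!HHBBHH", 41, 512, 0, 0, 0x8000, 0)  # root, OPT, 512, v0, DO

def sample(flags, opt=False):
    """Constructed response: header with the given flags, one question, optional OPT."""
    return struct.pack("!6H", 1, flags, 1, 0, 0, int(opt)) + QUESTION + (OPT if opt else b"")

def skip_name(msg, off):
    """Return the offset just past the DNS name starting at off."""
    while msg[off] and msg[off] < 0xC0:   # ordinary label: length byte + data
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)   # compression pointer is 2 bytes, root label 1

def find_opt(msg):
    """Return the EDNS version from the additional-section OPT record, or None."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    off, version = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ext, ver, _z, rdlen = struct.unpack_from("!HHBBHH", msg, off)
        if i >= an + ns and rtype == 41:  # OPT only counts in the additional section
            version = ver                 # second TTL byte carries the EDNS version
        off += 10 + rdlen
    return version

def classify(msg):
    """Map a raw response (None = no response) to a tag; None means no finding."""
    if msg is None:
        return "NO_RESPONSE"
    try:
        flags = struct.unpack_from("!H", msg, 2)[0]
        version = find_opt(msg)
    except (struct.error, IndexError):    # message cut short or malformed
        return "NS_ERROR"
    tc, rcode, has_opt = bool(flags & 0x0200), flags & 0x000F, version is not None
    if rcode == 1 and not has_opt:        # FORMERR is tested before truncation
        return "NO_EDNS_SUPPORT"
    if tc and not has_opt:
        return "MISSING_OPT_IN_TRUNCATED"
    if rcode == 0 and version == 0:       # assumption: no OPT is never "version 0"
        return None
    return "NS_ERROR"

if __name__ == "__main__":
    print(classify(sample(0x8200)), classify(sample(0x8201)), classify(sample(0x8200, True)))
```

A truncated response that still carries its OPT record produces no finding, and a response with both `FORMERR` and `TC=1` but no OPT is reported as `NO_EDNS_SUPPORT` because that branch is evaluated first.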
Emitted Tags (Possible Set)
| Tag | Emitted when |
|---|---|
| `IPV4_DISABLED` | IPv4 nameserver evaluation is skipped because IPv4 is disabled. |
| `IPV6_DISABLED` | IPv6 nameserver evaluation is skipped because IPv6 is disabled. |
| `MISSING_OPT_IN_TRUNCATED` | Response was truncated but lacked EDNS OPT record. |
| `NO_EDNS_SUPPORT` | Response indicates FORMERR with no EDNS OPT record. |
| `NO_RESPONSE` | Query produced no DNS response. |
| `NS_ERROR` | Response did not fit expected success or explicit failure branches. |
| `TEST_CASE_END` | Testcase completion marker is emitted. |
| `TEST_CASE_START` | Testcase start marker is emitted. |
Tag Arguments
| Tag | Argument key | Type | Meaning |
|---|---|---|---|
| `IPV4_DISABLED` | ns | string | Nameserver identity (ns name only; use address for IP) skipped on IPv4. |
| `IPV4_DISABLED` | address | string | Nameserver IP address for the same endpoint. |
| `IPV4_DISABLED` | rrtype | string | rrtype skipped (DNSKEY). |
| `IPV6_DISABLED` | ns | string | Nameserver identity (ns name only; use address for IP) skipped on IPv6. |
| `IPV6_DISABLED` | address | string | Nameserver IP address for the same endpoint. |
| `IPV6_DISABLED` | rrtype | string | rrtype skipped (DNSKEY). |
| `MISSING_OPT_IN_TRUNCATED` | ns | string | Nameserver identity (ns name only; use address for IP) returning truncated response without OPT. |
| `MISSING_OPT_IN_TRUNCATED` | address | string | Nameserver IP address for the same endpoint. |
| `NO_EDNS_SUPPORT` | ns | string | Nameserver identity (ns name only; use address for IP) treated as no-EDNS support path. |
| `NO_EDNS_SUPPORT` | address | string | Nameserver IP address for the same endpoint. |
| `NO_RESPONSE` | ns | string | Nameserver identity (ns name only; use address for IP) with no response. |
| `NO_RESPONSE` | address | string | Nameserver IP address for the same endpoint. |
| `NO_RESPONSE` | domain | string | Tested zone name. |
| `NS_ERROR` | ns | string | Nameserver identity (ns name only; use address for IP) with unexpected behavior. |
| `NS_ERROR` | address | string | Nameserver IP address for the same endpoint. |
| `TEST_CASE_END` | testcase | string | Testcase display name (Nameserver13). |
| `TEST_CASE_START` | testcase | string | Testcase display name (Nameserver13). |
Severity Levels Per Tag
| Tag | Level | Notes |
|---|---|---|
| `IPV4_DISABLED` | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| `IPV6_DISABLED` | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| `MISSING_OPT_IN_TRUNCATED` | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| `NO_EDNS_SUPPORT` | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| `NO_RESPONSE` | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| `NS_ERROR` | WARNING | Default from share/profile.json (test_levels.NAMESERVER). |
| `TEST_CASE_END` | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
| `TEST_CASE_START` | DEBUG | Default from share/profile.json (test_levels.NAMESERVER). |
Differences From Upstream
- Upstream reference: `nameserver13.md`
- Differences (Upstream vs Gonemaster):
  - Upstream: iterates nameserver IP set. Gonemaster: iterates raw `Method4and5` output (no testcase-local deduplication).
  - Upstream: does not explicitly describe testcase boundary and transport-disabled debug emissions. Gonemaster: emits `TEST_CASE_START`, `TEST_CASE_END`, `IPV4_DISABLED`, and `IPV6_DISABLED`.
- Resolved upstream issues:
  - Upstream engine bug (zonemaster#1468): upstream engine queried `SOA` instead of `DNSKEY` as specified. Gonemaster now queries `DNSKEY` matching the specification. Upstream has since fixed this in their engine.
  - Upstream engine bug: `NO_EDNS_SUPPORT` was emitted on any `FORMERR`; now requires `FORMERR` with no EDNS OPT record in the response (`!HasEdns()`).
  - Upstream engine bug: success branch checked `edns_rcode == 0` in addition to `NOERROR` and `EdnsVersion == 0`; the `edns_rcode` check is now removed to match the specification.
Edge Cases And Limitations
- Success branch does not explicitly require DNSKEY answer content.
- `MISSING_OPT_IN_TRUNCATED` is checked before the generic success-shape branch.
- Any behavior outside explicit branches collapses into `NS_ERROR`.