Zone12 (zone12)
Status: Final
Purpose
- Check existence and RFC 7477 compliance of the CSYNC RR at the zone apex.
Preconditions And Inputs
- Preconditions:
  - A zone.Zone object is available.
- Required inputs:
  - Nameserver addresses from methods.Method4and5.
  - CSYNC and SOA responses from authoritative nameservers at the zone apex.
- Profile/config knobs that affect behavior:
  - net.ipv4 and net.ipv6: disabled transports are skipped with transport debug tags.
  - resolver.defaults.parallel: parallel nameserver query fanout.
Algorithm And Decision Flow
- Emit TEST_CASE_START.
- Read nameserver list from Method4and5.
- For each nameserver (parallelized, input-order merged logs):
  - If transport is disabled, emit IPV4_DISABLED or IPV6_DISABLED for rrtype CSYNC, then skip.
  - Send CSYNC query to the zone apex with default query options.
  - If no response, or response is not authoritative NOERROR, skip this nameserver silently.
  - Else record the CSYNC RRset from the answer section.
  - Send SOA query to the same nameserver and record the SOA serial for comparison.
- Post-processing (sequential, over all collected outcomes):
  - For each nameserver that returned an authoritative NOERROR response:
    - If the CSYNC RRset has more than one record, emit Z12_MULTIPLE_CSYNC (ns, count).
    - Else if exactly one CSYNC record is present:
      - Group nameserver for consolidated Z12_CSYNC_FOUND by CSYNC content (serial, flags, type_bitmap).
      - If the SOA serial was retrieved, evaluate CSYNC serial against SOA serial:
        - When soaminimum flag is set (bit 1), emit Z12_SERIAL_MISMATCH only if csync soaserial is greater than current SOA serial.
        - When soaminimum flag is not set, emit Z12_SERIAL_MISMATCH if csync soaserial differs from current SOA serial.
    - Else (zero CSYNC records) collect nameserver for consolidated Z12_NO_CSYNC.
  - Emit consolidated Z12_CSYNC_FOUND for each distinct CSYNC content group, with servers list, serial, flags, and type_bitmap.
  - If at least one nameserver has CSYNC and at least one has no CSYNC, emit Z12_MIXED_PRESENCE.
  - If more than one nameserver has CSYNC and the CSYNC content differs across them, emit Z12_INCONSISTENT_CSYNC.
- Emit TEST_CASE_END.
CSYNC content identity is determined by comparing the concatenation of soaserial, flags, and TypeBitMap fields.
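
The post-processing rules above, as an added Go example that is not gonemaster's own code: the CSYNC and Outcome types and the Warnings function are hypothetical, and only the WARNING-level tags are produced. Two assumptions go beyond the page: "greater than" is evaluated with RFC 1982 serial arithmetic, and a nameserver returning multiple CSYNC RRs is not counted as having CSYNC for Z12_MIXED_PRESENCE.

```go
package main

import "fmt"

// CSYNC and Outcome are hypothetical types for this example, not gonemaster's.
type CSYNC struct {
	Serial uint32
	Flags  uint16 // bit 0 = immediate, bit 1 = soaminimum
	Types  string // type bitmap, e.g. "NS;A;AAAA"
}
type Outcome struct {
	NS     string
	RRs    []CSYNC // CSYNC RRset from an authoritative NOERROR answer
	SOA    uint32  // current SOA serial from the same nameserver
	HasSOA bool    // false when the SOA query failed
}

// serialGT reports a > b in RFC 1982 serial arithmetic (assumption of this example).
func serialGT(a, b uint32) bool { return int32(a-b) > 0 }

// Warnings returns the WARNING-level tags for the collected outcomes.
func Warnings(outs []Outcome) (tags []string) {
	seen, absent := map[CSYNC]bool{}, 0
	for _, o := range outs {
		switch len(o.RRs) {
		case 0:
			absent++
		case 1:
			c := o.RRs[0]
			seen[c] = true // identity = serial + flags + type bitmap
			soaMin := c.Flags&0x2 != 0
			if o.HasSOA && (soaMin && serialGT(c.Serial, o.SOA) || !soaMin && c.Serial != o.SOA) {
				tags = append(tags, "Z12_SERIAL_MISMATCH "+o.NS)
			}
		default: // multiple RRs: kept out of the cross-nameserver comparison
			tags = append(tags, fmt.Sprintf("Z12_MULTIPLE_CSYNC %s count=%d", o.NS, len(o.RRs)))
		}
	}
	if len(seen) > 0 && absent > 0 {
		tags = append(tags, "Z12_MIXED_PRESENCE")
	}
	if len(seen) > 1 {
		tags = append(tags, "Z12_INCONSISTENT_CSYNC")
	}
	return tags
}

func main() { // constructed sample: ns1 is ahead of its SOA, ns2 has no CSYNC
	fmt.Println(Warnings([]Outcome{{"ns1", []CSYNC{{10, 3, "NS"}}, 9, true}, {"ns2", nil, 9, true}}))
}
```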
Emitted Tags (Possible Set)
| Tag | Emitted when |
|---|---|
| IPV4_DISABLED | IPv4 nameserver evaluation is skipped because IPv4 is disabled. |
| IPV6_DISABLED | IPv6 nameserver evaluation is skipped because IPv6 is disabled. |
| Z12_CSYNC_FOUND | CSYNC record found at zone apex (consolidated per distinct CSYNC content). |
| Z12_INCONSISTENT_CSYNC | CSYNC content differs across authoritative nameservers. |
| Z12_MIXED_PRESENCE | CSYNC present on some nameservers but absent on others. |
| Z12_MULTIPLE_CSYNC | More than one CSYNC RR found at zone apex on this nameserver. |
| Z12_NO_CSYNC | No CSYNC record found at zone apex (consolidated across all nameservers without CSYNC). |
| Z12_SERIAL_MISMATCH | CSYNC soaserial fails RFC 7477 serial precondition against current SOA serial from the same nameserver. |
| TEST_CASE_END | Testcase completion marker is emitted. |
| TEST_CASE_START | Testcase start marker is emitted. |
Tag Arguments
| Tag | Argument key | Type | Meaning |
|---|---|---|---|
| IPV4_DISABLED | ns | string | Nameserver identity (ns name only; use address for IP) skipped on IPv4. |
| IPV4_DISABLED | address | string | Nameserver IP address for the same endpoint. |
| IPV4_DISABLED | rrtype | string | rrtype skipped (CSYNC). |
| IPV6_DISABLED | ns | string | Nameserver identity (ns name only; use address for IP) skipped on IPv6. |
| IPV6_DISABLED | address | string | Nameserver IP address for the same endpoint. |
| IPV6_DISABLED | rrtype | string | rrtype skipped (CSYNC). |
| Z12_CSYNC_FOUND | servers | array<object> | Structured sorted list of nameservers with this CSYNC content ({ns}, {address} items). |
| Z12_CSYNC_FOUND | serial | uint32 | SOA serial from the CSYNC soaserial field. |
| Z12_CSYNC_FOUND | flags | uint16 | CSYNC flags field (bit 0 = immediate, bit 1 = soaminimum). |
| Z12_CSYNC_FOUND | type_bitmap | string | Semicolon-separated DNS type names from the CSYNC TypeBitMap (e.g. NS;A;AAAA). |
| Z12_MULTIPLE_CSYNC | ns | string | Nameserver identity (ns name only; use address for IP). |
| Z12_MULTIPLE_CSYNC | address | string | Nameserver IP address for the same endpoint. |
| Z12_MULTIPLE_CSYNC | count | int | Number of CSYNC records returned. |
| Z12_NO_CSYNC | servers | array | Structured list of nameserver endpoints (name + address) without CSYNC. |
| Z12_SERIAL_MISMATCH | ns | string | Nameserver identity (ns name only; use address for IP). |
| Z12_SERIAL_MISMATCH | address | string | Nameserver IP address for the same endpoint. |
| Z12_SERIAL_MISMATCH | csync_serial | uint32 | The serial carried in the CSYNC soaserial field. |
| Z12_SERIAL_MISMATCH | soa_serial | uint32 | The current SOA serial from the same nameserver. |
| TEST_CASE_END | testcase | string | Testcase display name (Zone12). |
| TEST_CASE_START | testcase | string | Testcase display name (Zone12). |
Severity Levels Per Tag
| Tag | Level | Notes |
|---|---|---|
| IPV4_DISABLED | DEBUG | Default from share/profile.json (test_levels.ZONE). |
| IPV6_DISABLED | DEBUG | Default from share/profile.json (test_levels.ZONE). |
| Z12_CSYNC_FOUND | INFO | Default from share/profile.json (test_levels.ZONE). |
| Z12_INCONSISTENT_CSYNC | WARNING | Default from share/profile.json (test_levels.ZONE). |
| Z12_MIXED_PRESENCE | WARNING | Default from share/profile.json (test_levels.ZONE). |
| Z12_MULTIPLE_CSYNC | WARNING | Default from share/profile.json (test_levels.ZONE). |
| Z12_NO_CSYNC | INFO | Default from share/profile.json (test_levels.ZONE). CSYNC is optional per RFC 7477. |
| Z12_SERIAL_MISMATCH | WARNING | Default from share/profile.json (test_levels.ZONE). |
| TEST_CASE_END | DEBUG | Default from share/profile.json (test_levels.ZONE). |
| TEST_CASE_START | DEBUG | Default from share/profile.json (test_levels.ZONE). |
Differences From Upstream
- No upstream (Zonemaster) equivalent exists; this is a gonemaster-specific test case.
- References: RFC 7477
Edge Cases And Limitations
- CSYNC is an optional zone apex record per RFC 7477; Z12_NO_CSYNC is informational only and does not indicate a problem.
- Only authoritative NOERROR responses are evaluated. Nameservers returning non-NOERROR or non-AA responses are skipped silently.
- SOA serial comparison (Z12_SERIAL_MISMATCH) is only performed when the SOA query to the same nameserver succeeds and returns a SOA record. If the SOA query fails, no mismatch is reported for that nameserver.
- With CSYNC soaminimum flag set, an older CSYNC serial than current SOA serial is accepted and does not emit Z12_SERIAL_MISMATCH.
- For nameservers returning multiple CSYNC records (Z12_MULTIPLE_CSYNC), the records are not included in the cross-nameserver consistency comparison.