Open ghost opened 2 years ago
There could be DNSSEC-related test cases that should be executed even if the zone is not signed. We have at least one such test case, i.e. the test case that checks if the delegation from the parent has DS records or not. I think it is better to have the logic in each test case, i.e. it is determined for each test case whether it should be terminated without any messages if certain requirements are not fulfilled.
Another option is to allow dependencies between test cases as long as the dependencies form a directed acyclic graph. If each test case implementation knows what test cases it depends on, it would be really simple to include those in the test run. The execution order of the tests could be determined from the same information using a simple topological sort. I believe this would simplify and fix some bugs in the current test runner code. Possibly even some of the test cases themselves could be simplified.
Independent of how we do it, it must start with the specification. Today's situation where the implementation does not fully follow the specification is not good. If we have dependencies between test cases, they must be defined at both ends, else we risk that changes break the checks. It must also be defined in the dependent test case what it signals for the depending test case.
When looking at #1037, I came across the fact that not listing the `dnssec07` test in the profile.json will result in all DNSSEC tests being run even if the zone is not configured with DNSSEC. Reading the specifications, only DNSSEC06 explicitly states that it needs DNSSEC07 to be run first. The current code implementation seems to use the DNSSEC07 result to assess if the zone is configured with DNSSEC. However, if `dnssec07` is not configured in the profile, this check won't be done and all configured DNSSEC tests will be run for the zone.
Should Zonemaster check for DNSSEC configuration before running any other DNSSEC test?
The following code shows that if the `dnssec07` test is not called, then we run the DNSSEC tests even if the zone is unsigned: https://github.com/zonemaster/zonemaster-engine/blob/087066d46a75a03d86fdd3f356288c8557be5a7a/lib/Zonemaster/Engine/Test/DNSSEC.pm#L213-L220
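The dependency approach proposed in the discussion (each test case declares what it depends on, and the runner pulls those in and orders them with a topological sort) is shown here as an added Python example; it is not Zonemaster code. Only the DNSSEC06 to DNSSEC07 dependency comes from the thread: the rest of the dependency map, the `ds_at_parent` name and the `signed` signal are assumptions made for illustration.

```python
from graphlib import TopologicalSorter  # Python 3.9+

# Hypothetical dependency map: test case -> test cases that must run first.
# Only dnssec06 -> dnssec07 is stated in the thread; the rest is assumed.
DEPENDS_ON = {
    "dnssec01": {"dnssec07"},
    "dnssec06": {"dnssec07"},
    "dnssec07": set(),
    "ds_at_parent": set(),  # hypothetical name: must run even for unsigned zones
}


def plan(profile, depends_on=DEPENDS_ON):
    """Return the profile's tests plus all transitive dependencies,
    ordered so that every dependency precedes its dependents."""
    needed, stack = set(), list(profile)
    while stack:
        test = stack.pop()
        if test not in needed:
            needed.add(test)
            stack.extend(depends_on.get(test, ()))
    graph = {test: depends_on.get(test, set()) for test in sorted(needed)}
    # static_order() raises graphlib.CycleError (a ValueError) on a cycle.
    return list(TopologicalSorter(graph).static_order())


def run(profile, zone_is_signed, depends_on=DEPENDS_ON):
    """Simulate a run and return {test: "run" | "skipped"}.
    dnssec07 publishes a "signed" signal; its dependents skip silently
    when the zone is unsigned, independent tests always run."""
    signals, status = {}, {}
    for test in plan(profile, depends_on):
        if test == "dnssec07":
            signals["signed"] = zone_is_signed  # stand-in for the real check
            status[test] = "run"
        elif "dnssec07" in depends_on.get(test, ()) and not signals["signed"]:
            status[test] = "skipped"
        else:
            status[test] = "run"
    return status


if __name__ == "__main__":
    # Constructed profile that omits dnssec07, as in the reported problem.
    print(run(["dnssec01", "dnssec06", "ds_at_parent"], zone_is_signed=False))
```

With the constructed profile, `dnssec07` is scheduled even though the profile does not list it, so the unsigned zone no longer triggers every configured DNSSEC test.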