search

zonemaster / zonemaster-engine

The Zonemaster Engine - part of the Zonemaster project
Other
34 stars 33 forks source link

Discussion on DNSSEC implementation and DNSSEC07 usage #1039

Open ghost opened 2 years ago

ghost commented 2 years ago

When looking at #1037, I came across the fact that not listing the dnssec07 test in the profile.json will result in all DNSSEC test being run even if the zone is not configured with DNSSEC. Reading the specifications, only DNSSEC06 explicitly states that it needs DNSSEC07 to be run first. The current code implementation seems to use the DNSSEC07 result to assess if the zone is configured with DNSSEC. However if dnssec07 is not configured in the profile, this check won't be done and all configured DNSSEC tests will be run for the zone.

Should Zonemaster check for DNSSEC configuration before running any other DNSSEC test?

The following code shows that if the dnssec07 test is not called, then we run the DNSSEC tests even if the zone is unsigned: https://github.com/zonemaster/zonemaster-engine/blob/087066d46a75a03d86fdd3f356288c8557be5a7a/lib/Zonemaster/Engine/Test/DNSSEC.pm#L213-L220

matsduf commented 2 years ago

There could be DNSSEC related test cases that should be executed even if the zone is not signed. We have at least one such test case, i.e. the test case that checks if the delegation from the parent has DS records or not. I think it is better to have the logic in each test case, i.e. it is determined for each test case it should be terminated without any messages if certain requirements are not fullfilled.

mattias-p commented 2 years ago

Another option is to allow dependencies between test cases as long as the dependencies form a directed acyclic graph. If each test case implementation knows what test cases it depends on it would be really simple to include those in the test run. The execution order of the test could be determined from the same information using a simple topological sort. I believe this would simplify and fix some bugs in the current test runner code. Possibly even some of the test cases themselves could be simplified.

matsduf commented 2 years ago

Independent how we do it, it must start with the specification. Today's situation where the implementation does not fully follow the specification is not good. If we have dependencies between test cases it must be defined in both ends, else we risk that changes break the checks. It must also be defined in the dependent test case what it signals for the depending test case.