Merge pull request #1441 from zonemaster/master

Merge master into develop (Engine)

.github/workflows/ci.yml

@@ -5,12 +5,12 @@ on:
     branches:
       - develop
       - master
-      - 'releases/**'
+      - 'release/**'
   pull_request:
     branches:
       - develop
       - master
-      - 'releases/**'
+      - 'release/**'
 
 jobs:
   run-tests:

Changes

@@ -1,5 +1,23 @@
 Release history for Zonemaster component Zonemaster-Engine
 
+v7.1.0 2025-03-04 (part of Zonemaster v2024.2.1 release)
+
+ [Release information]
+ - Translations have not been fully updated in this release. They will
+   be updated in an upcoming extra release.
+
+ [Features]
+- Adds translation to Slovenian language (#1385, #1435)
+
+ [Fixes]
+- Updates translations for Swedish, Spanish and French (#1416, #1417, #1430)
+- Corrects how EDNS buffer size is set through 'edns_details' (#1429)
+- Corrects how Test Cases use returned values from some TestMethodsV2
+  methods (#1427)
+- Updates implementation of test case DNSSEC10 (#1415)
+- Updates the name server blacklisting mechanism (#1423)
+- Fixes an infinite recursion bug when NS record points to CNAME (#1422)
+
 
 v7.0.0 2024-12-09 (part of Zonemaster v2024.2 release)
 

MANIFEST

@@ -61,6 +61,7 @@ share/locale/es/LC_MESSAGES/Zonemaster-Engine.mo
 share/locale/fi/LC_MESSAGES/Zonemaster-Engine.mo
 share/locale/fr/LC_MESSAGES/Zonemaster-Engine.mo
 share/locale/nb/LC_MESSAGES/Zonemaster-Engine.mo
+share/locale/sl/LC_MESSAGES/Zonemaster-Engine.mo
 share/locale/sv/LC_MESSAGES/Zonemaster-Engine.mo
 share/Makefile
 share/modules.txt

lib/Zonemaster/Engine.pm

@@ -3,7 +3,7 @@ package Zonemaster::Engine;
 use v5.16.0;
 use warnings;
 
-use version; our $VERSION = version->declare("v7.0.0");
+use version; our $VERSION = version->declare("v7.1.0");
 
 BEGIN {
     # Locale::TextDomain (<= 1.20) doesn't know about File::ShareDir so give a helping hand.

lib/Zonemaster/Engine/Constants.pm

@@ -129,6 +129,10 @@ our %EXPORT_TAGS = (
 
 =item * C<$ALGO_STATUS_NOT_ZONE_SIGN>
 
+=item * C<$BLACKLISTING_ENABLED>
+
+A boolean, used to enable the name server blacklisting mechanism.
+
 =item * C<$CNAME_MAX_CHAIN_LENGTH>
 
 An integer, used to define the maximum length of a CNAME chain when doing consecutive recursive lookups.

lib/Zonemaster/Engine/Nameserver.pm

@@ -421,7 +421,7 @@ sub _query {
 
     my $before = time();
     my $res;
-    if ( $BLACKLISTING_ENABLED and $self->blacklisted->{ $flags{usevc} }{ $flags{dnssec} } ) {
+    if ( $BLACKLISTING_ENABLED and $self->blacklisted->{ $flags{usevc} } ) {
         Zonemaster::Engine->logger->add(
             IS_BLACKLISTED => {
                 message => "Server transport has been blacklisted due to previous failure",
@@ -430,7 +430,8 @@ sub _query {
                 type    => $type,
                 class   => $href->{class},
                 proto   => $flags{usevc} ? q{TCP} : q{UDP},
-                dnssec  => $flags{dnssec}
+                dnssec  => $flags{dnssec},
+                edns_size => $flags{q{edns_size}}
             }
         );
     }
@@ -439,29 +440,23 @@ sub _query {
             my $pkt = Zonemaster::LDNS::Packet->new("$name", $type, $href->{class} );
             $pkt->set_edns_present();
 
+            $pkt->do($flags{q{dnssec}});
+            $pkt->edns_size($flags{q{edns_size}});
+
             if ( exists $href->{edns_details}{version} ) {
                 $pkt->edns_version($href->{edns_details}{version});
             }
-    	    if ( exists $href->{edns_details}{z} ) {
+            if ( exists $href->{edns_details}{z} ) {
                 $pkt->edns_z($href->{edns_details}{z});
             }
-    	    if ( exists $href->{edns_details}{do} ) {
-                $pkt->do($href->{edns_details}{do});
-            }
-            elsif ( $flags{q{dnssec}} ) {
-                $pkt->do($flags{q{dnssec}});
-            }
-    	    if ( exists $href->{edns_details}{size} ) {
-                $pkt->edns_size($href->{edns_details}{size});
-            }
-    	    if ( exists $href->{edns_details}{rcode} ) {
+            if ( exists $href->{edns_details}{rcode} ) {
                 $pkt->edns_rcode($href->{edns_details}{rcode});
             }
             if ( exists $href->{edns_details}{data} ) {
                 $pkt->edns_data($href->{edns_details}{data});
             }
 
-    	    $res = eval { $self->dns->query_with_pkt( $pkt ) };
+            $res = eval { $self->dns->query_with_pkt( $pkt ) };
         }
         else {
             $res = eval { $self->dns->query( "$name", $type, $href->{class} ) };
@@ -470,15 +465,15 @@ sub _query {
         if ( $@ ) {
             my $msg = "$@";
             my $trailing_info = " at ".__FILE__;
+
             chomp( $msg );
             $msg =~ s/$trailing_info.*/\./;
+
             Zonemaster::Engine->logger->add( LOOKUP_ERROR =>
                   { message => $msg, ns => "$self", domain => "$name", type => $type, class => $href->{class} } );
-            if ( not $href->{q{blacklisting_disabled}} ) {
-                $self->blacklisted->{ $flags{usevc} }{ $flags{dnssec} } = 1;
-                if ( !$flags{dnssec} ) {
-                    $self->blacklisted->{ $flags{usevc} }{ !$flags{dnssec} } = 1;
-                }
+
+            if ( not $href->{q{blacklisting_disabled}} and $type eq q{SOA} and $flags{q{edns_size}} == 0 ) {
+                $self->blacklisted->{ $flags{usevc} } = 1;
             }
         }
     }
@@ -733,6 +728,13 @@ A reference to a L<Zonemaster::Engine::Nameserver::Cache> object holding the cac
 
 A reference to a list with elapsed time values for the queries made through this nameserver.
 
+=item blacklisted
+
+A reference to a hash used to prevent sending subsequent queries to the name server after specific queries have failed.
+
+The mechanism will only trigger on no response from non-EDNS SOA queries and is protocol dependent (i.e. TCP/UDP). It can be disabled
+on a per query basis with L<blacklisting_disabled>, or globally with L<Zonemaster::Engine::Constants/$BLACKLISTING_ENABLED>.
+
 =back
 
 =head1 CLASS METHODS
@@ -819,7 +821,7 @@ If set to true, incoming response packets with the TC flag set fall back to EDNS
 
 =item blacklisting_disabled
 
-If set to true, prevents a server to be black-listed on a query in case there is no answer OR rcode is REFUSED.
+If set to true, prevents a name server from being blacklisted.
 
 =item edns_size
 

lib/Zonemaster/Engine/Recursor.pm

@@ -245,7 +245,7 @@ sub _resolve_cname {
     }
 
     # CNAME target has already been followed (outer loop); no need to recurse
-    if ( $state->{tseen}{lc( $target )}  ) {
+    if ( exists $state->{in_progress}{lc( $target )}{$type} ) {
         Zonemaster::Engine->logger->add( CNAME_LOOP_OUTER => { name => $name, target => $target, targets_seen => join( ';', keys %{ $state->{tseen} } ) } );
         return ( undef, $state );
     }
@@ -263,7 +263,7 @@ sub _resolve_cname {
     unless ( $name->is_in_bailiwick( $target ) ) {
         Zonemaster::Engine->logger->add( CNAME_FOLLOWED_OUT_OF_ZONE => { name => $name, target => $target } );
         ( $p, $state ) = $class->_recurse( $target, $type, $dns_class,
-            { ns => [ root_servers() ], count => 0, common => 0, seen => {}, tseen => $state->{tseen}, tcount => $state->{tcount}, glue => {} });
+            { ns => [ root_servers() ], count => 0, common => 0, seen => {}, tseen => $state->{tseen}, tcount => $state->{tcount}, glue => {}, in_progress => $state->{in_progress} });
     }
     else {
         # What do do here?

lib/Zonemaster/Engine/Test/Connectivity.pm

@@ -804,11 +804,10 @@ sub connectivity04 {
     my %prefixes;
     my %ip_already_processed;
 
-    my @nss = Zonemaster::Engine::TestMethodsV2->get_del_ns_names_and_ips( $zone ) ?
-                Zonemaster::Engine::TestMethodsV2->get_zone_ns_names_and_ips( $zone ) ?
-                    @{ Zonemaster::Engine::TestMethodsV2->get_zone_ns_names_and_ips( $zone ), Zonemaster::Engine::TestMethodsV2->get_del_ns_names_and_ips( $zone ) }
-                : @{ Zonemaster::Engine::TestMethodsV2->get_del_ns_names_and_ips( $zone ) }
-              : ();
+    my @nss = grep { $_->isa('Zonemaster::Engine::Nameserver') } (
+                @{ Zonemaster::Engine::TestMethodsV2->get_del_ns_names_and_ips( $zone ) // [] },
+                @{ Zonemaster::Engine::TestMethodsV2->get_zone_ns_names_and_ips( $zone ) // [] }
+              );
 
     foreach my $ns ( @nss ) {
         my $ip = $ns->address;

lib/Zonemaster/Engine/Test/DNSSEC.pm

@@ -3145,26 +3145,28 @@ sub dnssec10 {
     my ( @nsec_response_error, @nsec3param_response_error );
     my ( @with_dnskey, @without_dnskey );
 
-    my @nss = Zonemaster::Engine::TestMethodsV2->get_del_ns_names_and_ips( $zone ) ?
-                Zonemaster::Engine::TestMethodsV2->get_zone_ns_names_and_ips( $zone ) ?
-                    @{ Zonemaster::Engine::TestMethodsV2->get_zone_ns_names_and_ips( $zone ), Zonemaster::Engine::TestMethodsV2->get_del_ns_names_and_ips( $zone ) }
-                : @{ Zonemaster::Engine::TestMethodsV2->get_del_ns_names_and_ips( $zone ) }
-              : ();
+    my @nss = grep { $_->isa('Zonemaster::Engine::Nameserver') } (
+                @{ Zonemaster::Engine::TestMethodsV2->get_del_ns_names_and_ips( $zone ) // [] },
+                @{ Zonemaster::Engine::TestMethodsV2->get_zone_ns_names_and_ips( $zone ) // [] }
+              );
+    my @ignored_nss;
 
     my %ip_already_processed;
     my $testing_time = time;
 
-    for my $ns ( sort @nss ) {
+    for my $ns ( @nss ) {
         next if exists $ip_already_processed{$ns->address->short};
         $ip_already_processed{$ns->address->short} = 1;
 
         if ( _ip_disabled_message( \@results, $ns, @query_types ) ) {
+            push @ignored_nss, $ns;
             next;
         }
 
         my $dnskey_p = $ns->query( $zone->name, $type_dnskey, { dnssec => 1 } );
 
         if ( not $dnskey_p or $dnskey_p->rcode ne q{NOERROR} or not $dnskey_p->aa ) {
+            push @ignored_nss, $ns;
             next;
         }
 
@@ -3177,7 +3179,7 @@ sub dnssec10 {
 
         push @with_dnskey, $ns;
 
-        my $nsec_p = $ns->query( $zone->name, $type_nsec, { dnssec => 1, blacklisting_disabled => 1 } );
+        my $nsec_p = $ns->query( $zone->name, $type_nsec, { dnssec => 1 } );
 
         if ( not $nsec_p or $nsec_p->rcode ne q{NOERROR} or not $nsec_p->aa ) {
             push @nsec_response_error, $ns;
@@ -3282,7 +3284,7 @@ sub dnssec10 {
             }
         }
 
-        my $nsec3param_p = $ns->query( $zone->name, $type_nsec3param, { dnssec => 1, blacklisting_disabled => 1 } );
+        my $nsec3param_p = $ns->query( $zone->name, $type_nsec3param, { dnssec => 1 } );
 
         if ( not $nsec3param_p or $nsec3param_p->rcode ne q{NOERROR} or not $nsec3param_p->aa ) {
             push @nsec3param_response_error, $ns;
@@ -3786,7 +3788,7 @@ sub dnssec10 {
           );
     }
 
-    $lc = List::Compare->new( [ @nss ], [ @without_dnskey, @nsec_in_answer, @nsec3param_nsec_nodata, @nsec3param_in_answer, @nsec_nsec3_nodata ] );
+    $lc = List::Compare->new( [ @nss ], [ @ignored_nss, @without_dnskey, @nsec_in_answer, @nsec3param_nsec_nodata, @nsec3param_in_answer, @nsec_nsec3_nodata ] );
     @first = $lc->get_unique;
 
     if ( @first ) {

lib/Zonemaster/Engine/Test/Nameserver.pm

@@ -673,7 +673,7 @@ sub nameserver01 {
         my $has_seen_ra    = 0;
         for my $nonexistent_name ( @NONEXISTENT_NAMES ) {
 
-            my $p = $ns->query( $nonexistent_name, q{A}, { blacklisting_disabled => 1 } );
+            my $p = $ns->query( $nonexistent_name, q{A} );
             if ( !$p ) {
                 push @results,
                   _emit_log(
@@ -1118,7 +1118,7 @@ sub nameserver07 {
 
             next if $nsnames_and_ip{ $local_ns->name->string . q{/} . $local_ns->address->short };
 
-            my $p = $local_ns->query( q{.}, q{NS}, { blacklisting_disabled => 1 } );
+            my $p = $local_ns->query( q{.}, q{NS} );
             if ( $p ) {
                 my @ns = $p->get_records( q{NS}, q{authority} );
 
@@ -1732,7 +1732,7 @@ sub nameserver15 {
         $sending_version_query{$ns} = 1;
 
         foreach my $query_name ( q{version.bind}, q{version.server} ) {
-            my $p_txt = $ns->query( $query_name, q{TXT}, { class => q{CH}, blacklisting_disabled => 1 } );
+            my $p_txt = $ns->query( $query_name, q{TXT}, { class => q{CH} } );
 
             if ( not $p_txt or $p_txt->rcode eq q{SERVFAIL} ) {
                 push @{ $error_on_version_query{$query_name} }, $ns;