CDS/CDNSKEY inconsistency error #1381

Open
anandb-ripencc opened this issue Aug 9, 2024 · 7 comments · Fixed by #1383


@anandb-ripencc
Contributor

$ zonemaster-cli --version
Zonemaster-CLI version v7.0.0
Zonemaster-Engine version v6.0.0
Zonemaster-LDNS version 4.0.2
NL NetLabs LDNS version 1.8.3

$ zonemaster-cli 8.1.7.0.1.0.0.2.ip6.arpa --ns decsys.vsb.cz --ns nsa.ces.net --ns nsa.cesnet.cz
Loading profile from /etc/zonemaster/ripencc.json.
  /
Seconds Level    Message
======= ======== =======
   8.66 ERROR    All servers do not have the same CDS RRset.
   8.66 ERROR    All servers do not have the same CDNSKEY RRset.

I've removed the NOTICE and WARNING level messages. The interesting one is this ERROR about the CDS/CDNSKEY. I cannot see the inconsistency:

% dig +norec +short 8.1.7.0.1.0.0.2.ip6.arpa cds @nsa.cesnet.cz
37015 13 2 DCDB214392D046333752C10124170645EA86D299749F7953D66F8598 CE80CDD7
% dig +norec +short 8.1.7.0.1.0.0.2.ip6.arpa cds @nsa.ces.net
37015 13 2 DCDB214392D046333752C10124170645EA86D299749F7953D66F8598 CE80CDD7
% dig +norec +short 8.1.7.0.1.0.0.2.ip6.arpa cds @decsys.vsb.cz
37015 13 2 DCDB214392D046333752C10124170645EA86D299749F7953D66F8598 CE80CDD7
@matsduf matsduf added T-Bug Type: Bug in software or error in test case description T-Question Type: Incoming question labels Aug 10, 2024
@matsduf
Contributor

matsduf commented Aug 10, 2024

I cannot see any relevant difference in the CDS and CDNSKEY RRsets, respectively. This has to be investigated.

@anandb-ripencc
Contributor Author

Any news on this issue?

@matsduf
Contributor

matsduf commented Aug 15, 2024

Due to vacation time we have, unfortunately, a little bit longer response time.

@tgreenx
Contributor

tgreenx commented Aug 19, 2024

It appears that the problem lies with Zonemaster (Test case DNSSEC15). As you can see below, one of the name servers (decsys.vsb.cz) returns a different case for the owner name of the RRs in the answer section of the response.

$ dig +norec 8.1.7.0.1.0.0.2.ip6.arpa cds @nsa.cesnet.cz +noall +answer
8.1.7.0.1.0.0.2.ip6.arpa. 0     IN      CDS     37015 13 2 DCDB214392D046333752C10124170645EA86D299749F7953D66F8598 CE80CDD7

$ dig +norec 8.1.7.0.1.0.0.2.ip6.arpa cds @nsa.ces.net +noall +answer
8.1.7.0.1.0.0.2.ip6.arpa. 0     IN      CDS     37015 13 2 DCDB214392D046333752C10124170645EA86D299749F7953D66F8598 CE80CDD7

$ dig +norec 8.1.7.0.1.0.0.2.ip6.arpa cds @decsys.vsb.cz +noall +answer
8.1.7.0.1.0.0.2.IP6.ARPA. 0     IN      CDS     37015 13 2 DCDB214392D046333752C10124170645EA86D299749F7953D66F8598 CE80CDD7

And in DNSSEC15 it seems that this field (owner name) is currently used for the RR comparison.
I'll work on a fix.

@tgreenx tgreenx added this to the v2024.2 milestone Aug 19, 2024
@tgreenx tgreenx self-assigned this Aug 19, 2024
@anandb-ripencc
Contributor Author

Well look at that! I would have never even thought to look at the owner names, because I just assumed that all name comparisons in Zonemaster would be case-insensitive.

@tgreenx
Contributor

tgreenx commented Aug 19, 2024

> I just assumed that all name comparisons in Zonemaster would be case-insensitive.

They should, provided that those names are actual Zonemaster::Engine::DNSName objects and not plain strings, which unfortunately was not the case for this Test case. But the issue runs deeper, since it is not just an owner name that must be compared but the whole resource record (RRsets, actually). Unfortunately the necessary machinery for a proper fix in Zonemaster-Engine is not yet implemented in Zonemaster-LDNS (and I have created issue zonemaster/zonemaster-ldns#196 for that). TBC.
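
The false inconsistency described in this thread, as an added example that is not part of the original issue and is not Zonemaster's code: it compares the CDS answers quoted above once as raw strings and once after normalising owner-name case and digest formatting. The function names are hypothetical, the answer lines are taken from the dig output in this thread, and ignoring the TTL is an assumption of the example.

```python
# Added example (not Zonemaster code): CDS RRset consistency across servers.
# Answer lines below are copied from the dig output quoted in this issue.
RDATA = "37015 13 2 DCDB214392D046333752C10124170645EA86D299749F7953D66F8598 CE80CDD7"
ANSWERS = {
    "nsa.cesnet.cz": ["8.1.7.0.1.0.0.2.ip6.arpa. 0 IN CDS " + RDATA],
    "nsa.ces.net":   ["8.1.7.0.1.0.0.2.ip6.arpa. 0 IN CDS " + RDATA],
    "decsys.vsb.cz": ["8.1.7.0.1.0.0.2.IP6.ARPA. 0 IN CDS " + RDATA],
}


def parse_cds(line):
    """Split one dig answer line into its fields; the TTL is dropped (assumption)."""
    owner, _ttl, rrclass, rrtype, key_tag, alg, dtype, *digest = line.split()
    # The digest is hex text that dig may print in several whitespace-separated chunks.
    return owner, rrclass, rrtype, int(key_tag), int(alg), int(dtype), "".join(digest)


def naive_rrset(lines):
    """Compare fields exactly as received: owner-name case leaks into the result."""
    return frozenset(parse_cds(line) for line in lines)


def canonical_rrset(lines):
    """Normalise before comparing: DNS names and hex digests are case-insensitive."""
    rrset = set()
    for line in lines:
        owner, rrclass, rrtype, key_tag, alg, dtype, digest = parse_cds(line)
        owner = owner.rstrip(".").lower() + "."   # plain ASCII labels assumed, no escapes
        rrset.add((owner, rrclass.upper(), rrtype.upper(),
                   key_tag, alg, dtype, digest.lower()))
    return frozenset(rrset)


def consistent(answers, normalise):
    """True when every server returned the same RRset under the given normaliser."""
    return len({normalise(lines) for lines in answers.values()}) == 1


if __name__ == "__main__":
    print("string comparison:   ", consistent(ANSWERS, naive_rrset))
    print("canonical comparison:", consistent(ANSWERS, canonical_rrset))
```
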

@tgreenx
Contributor

tgreenx commented Aug 27, 2024

@anandb-ripencc I've come to a solution, see #1383.

@tgreenx tgreenx added the S-PRforIssue Status: There is a PR that is meant to resolve the issue label Aug 27, 2024
@tgreenx tgreenx linked a pull request Sep 24, 2024 that will close this issue