zonemaster-cli's Introduction

Zonemaster

Introduction

Zonemaster is a software package that validates the quality of a DNS delegation. The ambition of the Zonemaster project is to develop and maintain an open source DNS validation tool, offering improved performance over existing tools and providing extensive documentation which could be re-used by similar projects in the future.

Zonemaster consists of several modules or components. The components will help different types of users to check domain servers for configuration errors and generate a report that will assist in fixing the errors.

Background

DNSCheck from IIS and Zonecheck from AFNIC are two old software packages that validate the quality of a DNS delegation. AFNIC and IIS came together to develop a new DNS validation tool from scratch under the name Zonemaster. Zonemaster intends to be a major rewrite of Zonecheck and DNSCheck, and aims to implement the best parts of both.

Purpose

The components developed as part of the Zonemaster project will help different types of users to check domain servers for configuration errors and generate a report that will assist in fixing the errors.

The ambition of the Zonemaster project is to develop and maintain an open source DNS validation tool, offering improved performance over existing tools and providing extensive documentation which could be re-used by similar projects in the future.

Documentation

This is the main project repository. In this repository, most documentation of Zonemaster is found.

In the public documentation you will find e.g. specifications of all Test Cases for the Zonemaster implementation, as well as installation instructions and user guides for each Zonemaster component.

In the internal tree you can find documentation regarding the design and requirements of the Zonemaster implementation.

The public documentation can be built using mdbook, its mdbook-linkcheck plugin and the following commands:

cd docs/public
mdbook build
open book/index.html

Prerequisites

See the Prerequisites document.

Support of DNSKEY algorithms 15 and 16

To support and process DNSKEY algorithms 15 (Ed25519) and 16 (Ed448) for DNSSEC, the underlying OS must have a recent version of OpenSSL installed, and LDNS must be linked against that OpenSSL (see Zonemaster-LDNS-README for more details). The information below on support of the algorithms assumes that the installation instructions given for Zonemaster have been followed. A test of the domains ed25519.nl and superdns.nl will reveal whether the Zonemaster installation supports algorithms 15 and 16, respectively.

All supported OSs support algorithms 15 and 16 out of the box.

Translation

Zonemaster comes with translation to the following languages. Translation is available as methods in Zonemaster::Engine, zonemaster-cli (i.e. the Zonemaster-CLI interface to Zonemaster::Engine), Zonemaster-Backend (i.e. the RPCAPI interface to Zonemaster::Engine) and the Zonemaster-GUI interface to RPCAPI.

  • Danish (da, da_DK.UTF-8)
  • English (en, en_US.UTF-8)
  • Finnish (fi, fi_FI.UTF-8)
  • French (fr, fr_FR.UTF-8)
  • Norwegian (nb, nb_NO.UTF-8)
  • Spanish (es, es_ES.UTF-8)
  • Swedish (sv, sv_SE.UTF-8)

Zonemaster and its components

The Zonemaster product consists of the main part and five components. The main part consists of specifications and documentation for the Zonemaster product, and is stored in the main Zonemaster Github repository.

All the software for the Zonemaster project belongs to the five components, each component being stored in its own Github repository (listed below).

The software has not yet been packaged for any operating systems, and you have to install most of it from the source code. The recommended method is to install from CPAN (except for Zonemaster-GUI), but it is possible to install directly from clones of the Github repositories. Zonemaster-GUI has no Perl code, and is installed directly from its repository at Github.

The Zonemaster Product includes the following components:

Installation

Zonemaster itself can be installed manually. It can also be run using Docker. For detailed instructions on both options, see the Installation document.

Versions

Go to the release list of this repository to find the latest version of Zonemaster and the versions of the specific components. Be sure to read the release note of each component before installing or upgrading.

Participation

You can submit code by forking this repository and creating pull requests. When you create a pull request, please select the "develop" branch in the relevant Zonemaster repository.

See our contact and mailing lists page for information on mailing lists.

Bug reporting

For bug reporting go to the relevant Zonemaster repository and create a GitHub issue there. Before creating the issue, please search for the problem in the issue tracker in the relevant repository. If you find an open issue covering your issue, please add a comment with any additional information.

If you cannot determine which repository to create the issue in, please select the main Zonemaster repository (i.e. general issues in Zonemaster).

Notable bugs and issues

None.

Contact and mailing lists

See our contact and mailing lists page for contact information and information on mailing lists.

License

This is free software under a 2-clause BSD license. The full text of the license can be found in the LICENSE file included in this repository.

zonemaster-cli's Issues

Clarify modes of operation

zonemaster-cli has many modes of operation. This issue does not concern itself with the --help, --version, --dump_config and --dump_policy pseudo-modes, each of which only prints a static message before terminating.

This issue regards the four options --dump_profile, --json_stream, --json and --raw, which are used to specify one out of five modes. It should be clear from the usage documentation that there are five modes, what they are and how you activate them.

As a solution to this problem I suggest that a new --mode option is introduced with one valid value for each of the five modes, normal being the default. The four existing options should be deprecated (and marked as such) but remain in place for the time being. When specified on the command line they should print deprecation warnings and update the value of the --mode option.

In the current implementation of Zonemaster::CLI the mode is inferred from a hodgepodge of individual mode-options, complex boolean expressions over mode-options and the local variable $translator. This is needlessly complex. Instead the mode should be solely inferred from the value of the --mode option.
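
One way the proposal above could look in code, as an added example that is not taken from Zonemaster::CLI. The mode names other than "normal" and the helper parse_mode are assumptions; the issue names only the default mode and the four existing options.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Getopt::Long qw(GetOptionsFromArray);

# Assumed mode names: the issue names only "normal" and the four legacy options.
my @MODES   = qw(normal raw json json_stream dump_profile);
my %IS_MODE = map { $_ => 1 } @MODES;

# Parse an argument list (hypothetical helper).
# Returns ( $mode, \@deprecation_warnings, \@remaining_args ), or dies with a
# short message when the mode is unknown or two options select different modes.
sub parse_mode {
    my (@argv) = @_;
    my ( $mode, $source, @warnings, @errors );

    # The single place where the mode is decided.
    my $select = sub {
        my ( $new_mode, $new_source ) = @_;
        if ( !$IS_MODE{$new_mode} ) {
            push @errors, "Unknown mode '$new_mode' (valid: @MODES)";
        }
        elsif ( defined $mode && $mode ne $new_mode ) {
            push @errors, "$new_source conflicts with $source";
        }
        else {
            ( $mode, $source ) = ( $new_mode, $new_source );
        }
        return;
    };

    # A legacy flag only records a warning and forwards to the --mode logic.
    my $legacy = sub {
        my ( $opt, $enabled ) = @_;
        return if !$enabled;    # --no-json and friends select nothing
        push @warnings, "--$opt is deprecated, use --mode $opt";
        $select->( "$opt", "--$opt" );
        return;
    };

    my $ok = GetOptionsFromArray(
        \@argv,
        'mode=s'        => sub { $select->( $_[1], "--mode $_[1]" ) },
        'raw!'          => $legacy,
        'json!'         => $legacy,
        'json_stream!'  => $legacy,
        'dump_profile!' => $legacy,
    );
    push @errors, 'Run "zonemaster-cli -h" to get the valid options' if !$ok;
    die join( "\n", @errors ) . "\n" if @errors;

    return ( $mode // 'normal', \@warnings, \@argv );
}

# Constructed command lines: default, legacy flag, new option, conflicting use.
for my $args (
    [qw(zonemaster.net)],
    [qw(--json zonemaster.net)],
    [qw(--mode raw zonemaster.net)],
    [qw(--mode json --raw zonemaster.net)],
  )
{
    my ( $mode, $warnings ) = eval { parse_mode(@$args) };
    if ( !defined $mode ) {
        print "@$args => error: $@";
        next;
    }
    print "@$args => mode=$mode\n";
    print "  warning: $_\n" for @$warnings;
}
```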

The first query to a server gets a timeout

I get not-so-likely results from using --nstimes:

Testing blipp.com I get this:

boa.blipp.com/2001:1b40:5600:900:4321:1234:9b92:4bc0  10010.62    31.07   939.99  2868.38    31.43  20679.79

Manual tests from the same machine do not indicate that I would receive any slow responses at all.

Testing iis.se I see something similar:

ns.nic.se/2a00:801:f0:53::53  10010.63     3.90  1434.30  3501.27     4.79  10040.12

Again, nothing that indicates that something is slow.

Something else that might be broken with this?

Translation on FreeBSD (CLI)

On FreeBSD the --locale parameter is ignored. Instead the translation language is determined from the LC_ALL, LC_MESSAGES and LANG environment variables.

See issue #46.

Crash when --locale has incorrect value

Selector "--locale" can make zonemaster-cli display the result in another language than the default locale setting governs. At least in FreeBSD, if "--locale" has a value which is not a legal locale value, zonemaster-cli crashes.

$ zonemaster-cli zonemaster.net --locale fr_FR
Warning: setting locale category LC_MESSAGES to fr_FR failed (is it installed on this system?).

Warning: setting locale category LC_CTYPE to fr_FR failed (is it installed on this system?).

Use of uninitialized value $locale in string eq at /usr/local/lib/perl5/site_perl/Zonemaster/Engine/Translator.pm line 139.
Attribute (locale) does not pass the type constraint because: Validation failed for 'Str' with value undef at accessor Zonemaster::Engine::Translator::locale (defined at /usr/local/lib/perl5/site_perl/Zonemaster/Engine/Translator.pm line 18) line 4
	Zonemaster::Engine::Translator::locale('Zonemaster::Engine::Translator=HASH(0x80c75bf00)', undef) called at /usr/local/lib/perl5/site_perl/mach/5.30/Class/MOP/Method/Wrapped.pm line 56
	Zonemaster::Engine::Translator::_wrapped_locale('Zonemaster::Engine::Translator=HASH(0x80c75bf00)', undef) called at /usr/local/lib/perl5/site_perl/mach/5.30/Class/MOP/Method/Wrapped.pm line 95
	Zonemaster::Engine::Translator::locale('Zonemaster::Engine::Translator=HASH(0x80c75bf00)', undef) called at /usr/local/lib/perl5/site_perl/Zonemaster/Engine/Translator.pm line 125
	Zonemaster::Engine::Translator::BUILD('Zonemaster::Engine::Translator=HASH(0x80c75bf00)', 'HASH(0x80c75dd68)') called at constructor Zonemaster::Engine::Translator::new (defined at /usr/local/lib/perl5/site_perl/Zonemaster/Engine/Translator.pm line 222) line 56
	Zonemaster::Engine::Translator::new('Zonemaster::Engine::Translator') called at /usr/local/lib/perl5/site_perl/Zonemaster/CLI.pm line 367
	Zonemaster::CLI::run('Zonemaster::CLI=HASH(0x80c6e2990)') called at /usr/local/bin/zonemaster-cli line 20

Unhelpful output when option is incorrect

If you use an incorrect option, say --show-module instead of --show_module, you get a very long output that hides the error message, as below. Instead, a short message is enough and makes it easier to read.

Proposed output:

# zonemaster-cli --show-module zonemaster.net --no-ipv6                                   
Unknown option: show-module
Run "zonemaster-cli -h" to get the valid options
# 

Output today:

# zonemaster-cli --show-module zonemaster.net --no-ipv6                                   
Unknown option: show-module
usage: zonemaster-cli [-?h] [long options...]
	-h -? --usage --help   Prints this usage information.
	--[no-]version         Print version information and exit.
	--level STR            The minimum severity level to display. Must be
	                       one of CRITICAL, ERROR, WARNING, NOTICE, INFO
	                       or DEBUG.
	--locale STR           The locale to use for messages translation.
	--[no-]json            Flag indicating if output should be in JSON or
	                       not.
	--[no-]json_stream     Flag indicating if output should be streaming
	                       JSON or not.
	--[no-]json_translate  Flag indicating if streaming JSON output
	                       should include the translated message of the
	                       tag or not.
	--[no-]raw             Flag indicating if output should be translated
	                       to human language or dumped raw.
	--[no-]time            Print timestamp on entries.
	--[no-]show_level      Print level on entries.
	--[no-]show_module     Print the name of the module on entries.
	--[no-]show_testcase   Print the name of the test case (method) on
	                       entries.
	--ns STR...            A name/ip string giving a nameserver for
	                       undelegated tests, or just a name which will
	                       be looked up for IP addresses. Can be given
	                       multiple times.
	--save STR             Name of a file to save DNS data to after
	                       running tests.
	--restore STR          Name of a file to restore DNS data from before
	                       running test.
	--[no-]ipv4            Flag to permit or deny queries being sent via
	                       IPv4. --ipv4 permits IPv4 traffic, --no-ipv4
	                       forbids it.
	--[no-]ipv6            Flag to permit or deny queries being sent via
	                       IPv6. --ipv6 permits IPv6 traffic, --no-ipv6
	                       forbids it.
	--[no-]list_tests      Instead of running a test, list all available
	                       tests.
	--test STR...          Specify test to run. Should be either the name
	                       of a module, or the name of a module and the
	                       name of a method in that module separated by a
	                       "/" character (Example: "Basic/basic1"). The
	                       method specified must be one that takes a zone
	                       object as its single argument. This switch can
	                       be repeated.
	--stop_level STR       As soon as a message at this level or higher
	                       is logged, execution will stop. Must be one of
	                       CRITICAL, ERROR, WARNING, NOTICE, INFO or
	                       DEBUG.
	--profile STR          Name of profile file to load. (DEFAULT)
	--config STR           Name of configuration file to load.
	                       (TERMINATED)
	--policy STR           Name of policy file to load. (TERMINATED)
	--ds STR...            Strings with DS data on the form
	                       "keytag,algorithm,type,digest"
	--[no-]count           Print a count of the number of messages at
	                       each level
	--[no-]progress        Boolean flag for activity indicator. Defaults
	                       to on if STDOUT is a tty, off if it is not.
	                       Disable with --noprogress.
	--encoding STR         Name of the character encoding used for
	                       command line arguments
	--[no-]nstimes         At the end of a run, print a summary of the
	                       times the zone's name servers took to answer.
	--[no-]dump_profile    Print the effective profile used in JSON
	                       format, then exit.
	--[no-]dump_config     Print the effective configuration used in JSON
	                       format, then exit. (TERMINATED)
	--[no-]dump_policy     Print the effective policy used in JSON
	                       format, then exit. (TERMINATED)
	--sourceaddr STR       Local IP address that the test engine should
	                       try to send its requests from.
	--[no-]elapsed         Print elapsed time at end of run.
# 

Selecting language with --locale does not always work

The command line tool zonemaster-cli has an option --locale with which you can
select the language the output is to be written in. Currently English (the default), French,
Swedish or Danish can be selected.

Under Ubuntu, Debian or CentOS

If the environment variable LANGUAGE is set, then the --locale option might not work.
See the examples from Ubuntu further down. The work-around is to unset or reset the
LANGUAGE variable before running the zonemaster-cli command, e.g.

unset LANGUAGE
zonemaster-cli zonemaster.net --locale sv_SE.utf8
LANGUAGE=sv_SE.utf8 zonemaster-cli zonemaster.net

Under FreeBSD

The --locale option does not currently work under FreeBSD. You can use the following
work-around:

LC_ALL=sv_SE.utf8 zonemaster-cli zonemaster.net

Examples run from Ubuntu

$ # Variables set with locale:
$ env | grep -i utf-8
LC_ALL=sv_SE.UTF-8
LANG=sv_SE.UTF-8
LANGUAGE=sv_SE.UTF-8
LC_CTYPE=sv_SE.UTF-8

$ # Running default gives Swedish messages:
$ zonemaster-cli iis.se
 Sekund Nivå      Meddelande
======= ====      ==========
   5.16 NOTIS     Namnservern 'i.ns.se' har en IP-adress (194.146.106.22) med en icke-matchande bakåtuppslagning (se1.dnsnode.net.).
   5.16 NOTIS     Namnservern 'i.ns.se' har en IP-adress (2001:67c:1010:5::53) med en icke-matchande bakåtuppslagning (se1.dnsnode.net.).

$ # Selecting French locale with --locale does not help:
$ zonemaster-cli iis.se --locale fr_FR.utf8
 Sekund Nivå      Meddelande
======= ====      ==========
  10.14 NOTIS     Namnservern 'i.ns.se' har en IP-adress (194.146.106.22) med en icke-matchande bakåtuppslagning (se1.dnsnode.net.).
  10.15 NOTIS     Namnservern 'i.ns.se' har en IP-adress (2001:67c:1010:5::53) med en icke-matchande bakåtuppslagning (se1.dnsnode.net.).

$ # Unsetting all variables gives default or English output:
$ (unset LC_ALL; unset LANG; unset LANGUAGE; unset LC_CTYPE; zonemaster-cli iis.se)
Seconds Level     Message
======= ========= =======
   5.21 NOTICE    Nameserver i.ns.se has an IP address (194.146.106.22) with mismatched PTR result (se1.dnsnode.net.).
   5.21 NOTICE    Nameserver i.ns.se has an IP address (2001:67c:1010:5::53) with mismatched PTR result (se1.dnsnode.net.).

$ # Unsetting LANGUAGE and setting French gives correct language:
$ (unset LANGUAGE; zonemaster-cli iis.se --locale fr_FR.utf8)
Durée   Niveau    Message
======= ========= =======
   5.19 NOTICE    Le serveur de noms i.ns.se a une adresse IP (194.146.106.22) qui ne correspond pas aux enregistrements "PTR" retournés (se1.dnsnode.net.) pour celle-ci.
   5.20 NOTICE    Le serveur de noms i.ns.se a une adresse IP (2001:67c:1010:5::53) qui ne correspond pas aux enregistrements "PTR" retournés (se1.dnsnode.net.) pour celle-ci.
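
The two --locale issues above (the crash on an invalid value and LANGUAGE overriding the option) can be handled in one place. The following is an added example, not code from Zonemaster; the helper name select_message_locale and the sample values are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use POSIX qw(setlocale LC_MESSAGES);

# Activate $requested for message translation (hypothetical helper).
# Always returns a defined locale name, so the caller never hands undef to an
# attribute typed 'Str', which is what the stack trace above shows.
sub select_message_locale {
    my ($requested) = @_;

    # With one argument setlocale only queries the current setting.
    my $current = setlocale(LC_MESSAGES) // 'C';
    return $current if !defined $requested || $requested eq '';

    # setlocale returns undef when the locale is not installed and leaves the
    # previous setting in place.
    my $active = setlocale( LC_MESSAGES, $requested );
    if ( !defined $active ) {
        warn "Locale '$requested' is not available, keeping '$current'\n";
        return $current;
    }

    # GNU gettext gives the LANGUAGE variable priority over the LC_MESSAGES
    # locale, so an inherited LANGUAGE would override the explicit request.
    # Removing it mirrors the "unset LANGUAGE" work-around.
    delete $ENV{LANGUAGE};
    return $active;
}

# Constructed scenario: LANGUAGE inherited as in the Ubuntu example. The first
# request names a locale that is not installed; the second uses 'C' only
# because it is guaranteed to exist on every system.
$ENV{LANGUAGE} = 'sv_SE.UTF-8';
for my $request ( 'xx_YY.invalid', 'C' ) {
    my $active = select_message_locale($request);
    printf "requested=%-14s active=%-12s LANGUAGE=%s\n",
      $request, $active, $ENV{LANGUAGE} // '(unset)';
}
```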

Issue using --ns-times, Use of uninitialized value $max in concatenation (.)

Hello, I found an issue running zonemaster-cli. Here is an example

System

zonemaster-cli --version
CLI version:    v2.0.4
Engine version: v3.1.2

Test module versions:
	Address: v1.0.5
	Basic: v1.0.12
	Connectivity: v1.0.14
	Consistency: v1.1.12
	DNSSEC: v1.1.17
	Delegation: v1.0.16
	Nameserver: v1.0.24
	Syntax: v1.0.7
	Zone: v1.0.12

Perl : (v5.28.1)

Command

zonemaster-cli donotexistsggg.fr --nstimes

Output

Seconds Level     Message
======= ========= =======
  11.48 CRITICAL  No NS records for tested zone from parent. NS tests skipped.
  11.48 CRITICAL  Not enough data about donotexistsggg.fr was found to be able to run tests.
  /
Use of uninitialized value $max in concatenation (.) or string at /usr/local/share/perl/5.28.1/Zonemaster/CLI.pm line 527, <DATA> line 1.
Server  Max (ms)      Min      Avg   Stddev   Median     Total
Use of uninitialized value $max in concatenation (.) or string at /usr/local/share/perl/5.28.1/Zonemaster/CLI.pm line 528, <DATA> line 1.
Use of uninitialized value $max in repeat (x) at /usr/local/share/perl/5.28.1/Zonemaster/CLI.pm line 528, <DATA> line 1.
  ======== ======== ======== ======== ======== =========

Terminology of tests should be consistent

Under tests there are specifications. Usually those items are called "test cases". In CLI.pm the equivalent implementation is called "method". The terminology should be consistent, and "test case" should be the term.

Warning while running make

[zonemaster@vps323914 zonemaster-cli]$ perl Makefile.PL
include /home/zonemaster/zonemaster-cli/inc/Module/Install.pm
include inc/Module/Install/Metadata.pm
include inc/Module/Install/Base.pm
include inc/Module/Install/Makefile.pm
include inc/Module/Install/Scripts.pm
include inc/Module/Install/Share.pm
include inc/Module/Install/WriteAll.pm
include inc/Module/Install/Win32.pm
include inc/Module/Install/Can.pm
include inc/Module/Install/Fetch.pm
Checking if your kit is complete...
Warning: the following files are missing in your kit:
	META.yml
	share/locale/da/LC_MESSAGES/Zonemaster-CLI.mo
	share/locale/en/LC_MESSAGES/Zonemaster-CLI.mo
	share/locale/fr/LC_MESSAGES/Zonemaster-CLI.mo
	share/locale/sv/LC_MESSAGES/Zonemaster-CLI.mo
Please inform the author.
Warning: prerequisite JSON::XS 0 not found.
Warning: prerequisite MooseX::Getopt 0 not found.
Warning: prerequisite Text::Reflow 0 not found.
Warning: prerequisite Zonemaster::Engine 2 not found.
Warning: prerequisite Zonemaster::LDNS 1 not found.
Writing Makefile for Zonemaster::CLI
Writing MYMETA.yml and MYMETA.json
Writing META.yml

Remove dependency of gettext binary at build time

At installation, the *.po (locale translation files) are converted to the equivalent *.mo files and put in the correct locale directory, but only if the binary msgfmt is available. The conversion must be done at installation time since it is architecture dependent.

Use perl library Locale::Msgfmt instead to get rid of the dependency.

See zonemaster/zonemaster-engine#305

Update installation instructions for CLI for Debian 10

Debian 10 is a new OS planned to be supported by release v2019.2. The installation instructions probably need to be adjusted for Debian 10. There could be more binary packages available, but there could also be other changes.

Should required version be set in the code?

Version v2.0.x of Zonemaster::CLI requires at least version v3.0.0 of Zonemaster::Engine and at least version v2.0.0 of Zonemaster::LDNS, but that is not stated in the code (CLI.pm). It accepts any version. Wouldn't it be better to state it there to get a meaningful error message if wrong version is installed?

Have unified documentation output

The top part of man zonemaster-cli (options) is more or less identical to zonemaster-cli --help, but not completely:

  • They are presented in different ways.
  • man is in English only, --help is partly translated.
  • Some options are mentioned in help only, such as --config and --sourceaddr.

Make those identical by just defining it once. In the implementation the man page comes from the script zonemaster-cli and the help comes from CLI.pm.

There is an option --usage which gives the same as --help. Confusing.

Version information contains superfluous "v"

When the cli is asked for version information, it returns:

$ zonemaster-cli --version
CLI version:    v1.0.5
Engine version: v1.0.15

It's obvious that the numbers are version numbers, and don't need a "v" before them. Most other software reports its version as X.Y.Z, and there is no need for a "v" before it. Please consider reporting the version number in a way that most other software reports it.

Undelegated test (CLI) does lookup on in-zone names

When creating an undelegated test (with "--ns") the IP address could be provided with the servername. If no IP address is provided for a name, zonemaster-cli will do a lookup through a general resolver. If a servername is in-zone (e.g. ns3.nic.se for zone nic.se) such a lookup must be considered to be wrong, since the IP address (or addresses) must be provided as glue.

The problem reported here is that lookup is done for in-zone names. The lookup is done in the same code as reported in issue #39.
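
The check this issue asks for, as an added example that is not code from Zonemaster::CLI: classify each --ns value and refuse a resolver lookup for in-zone names that come without an address. The helper names and the sample values (including the 192.0.2.0/24 documentation addresses) are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Lower-case a domain name and drop the trailing dot.
sub normalize_name {
    my ($name) = @_;
    $name = lc $name;
    $name =~ s/\.\z//;
    return $name;
}

# True when $name is the zone apex or below it. The comparison is anchored on a
# label boundary, so "ns.notnic.se" is not treated as part of "nic.se".
sub is_in_zone {
    my ( $name, $zone ) = map { normalize_name($_) } @_;
    return 1 if $zone eq '' || $name eq $zone;
    my $suffix = ".$zone";
    return ( length($name) > length($suffix)
          && substr( $name, -length($suffix) ) eq $suffix ) ? 1 : 0;
}

# Split --ns values ("name" or "name/ip") into three groups:
#   \%ips          name => [addresses] supplied on the command line
#   \@lookup       out-of-zone names that may be resolved normally
#   \@missing_glue in-zone names without any address: an error, no lookup
sub classify_ns_args {
    my ( $zone, @ns_args ) = @_;
    my ( %ips, @bare );
    for my $arg (@ns_args) {
        my ( $name, $ip ) = split m{/}, $arg, 2;
        $name = normalize_name($name);
        if ( defined $ip && $ip ne '' ) { push @{ $ips{$name} }, $ip }
        else                            { push @bare, $name }
    }

    my ( @lookup, @missing_glue );
    for my $name (@bare) {
        next if $ips{$name};    # address supplied in another --ns value
        if ( is_in_zone( $name, $zone ) ) { push @missing_glue, $name }
        else                              { push @lookup, $name }
    }
    return ( \%ips, \@lookup, \@missing_glue );
}

# Constructed input for an undelegated test of nic.se.
my @ns_args = (
    'ns1.nic.se/192.0.2.53',    # in-zone, glue supplied
    'ns3.nic.se',               # in-zone, no glue: must not be looked up
    'ns.example.net.',          # out-of-zone: lookup is legitimate
    'ns.notnic.se',             # shares a string suffix only, not in-zone
);
my ( $ips, $lookup, $missing_glue ) = classify_ns_args( 'nic.se', @ns_args );

print "with address: $_ => @{ $ips->{$_} }\n" for sort keys %$ips;
print "may look up:  $_\n"                    for @$lookup;
print "missing glue: $_\n"                    for @$missing_glue;
exit( @$missing_glue ? 1 : 0 );
```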

Profiles in CLI

The behavior of Zonemaster Engine is configurable with regard to what tests are performed, how they are performed, and how the results are analyzed.

Today this configurability is split up into config and policy. However there is no documentation on the reason for the separation nor on how each part works. Also the config and policy differ with regards to file locations.

There must be proper documentation for the configurability.

This is the CLI part of zonemaster/zonemaster#498.

DEBUG3 gives cluttered output

Up to and including DEBUG2 messages are single line. DEBUG3 includes something that looks like dig output, which is multiline. That makes reading the output hard. Next is an excerpt from the following command, zonemaster-cli --level=DEBUG3 --test=CONSISTENCY/consistency05 --show_module iis.se:

   0.09 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=202.12.27.33; name=m.root-servers.net
   0.10 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=2001:0dc3:0000:0000:0000:0000:0000:0035; name=m.root-servers.net
   0.10 DEBUG2    SYSTEM       SYSTEM:RECURSE_QUERY address=2001:0dc3:0000:0000:0000:0000:0000:0035; class=IN; name=iis.se; ns=m.root-servers.net; source=m.root-servers.net/2001:dc3::35; type=SOA
   0.10 DEBUG2    SYSTEM       SYSTEM:QUERY flags={"class":"IN"}; ip=2001:dc3::35; name=iis.se; type=SOA
   0.10 DEBUG2    SYSTEM       SYSTEM:CACHE_CREATED ip=2001:0dc3:0000:0000:0000:0000:0000:0035
   0.11 DEBUG2    SYSTEM       SYSTEM:CACHE_FETCHED ip=2001:0dc3:0000:0000:0000:0000:0000:0035
   0.11 DEBUG     SYSTEM       SYSTEM:EXTERNAL_QUERY flags={"class":"IN"}; ip=2001:dc3::35; name=iis.se; type=SOA
   0.15 DEBUG3    SYSTEM       SYSTEM:EXTERNAL_RESPONSE packet=;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55847
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 15 
;; QUESTION SECTION:
;; iis.se.      IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
se.     172800  IN      NS      z.ns.se.
se.     172800  IN      NS      x.ns.se.
se.     172800  IN      NS      y.ns.se.
se.     172800  IN      NS      j.ns.se.
se.     172800  IN      NS      a.ns.se.
se.     172800  IN      NS      c.ns.se.
se.     172800  IN      NS      f.ns.se.
se.     172800  IN      NS      g.ns.se.
se.     172800  IN      NS      i.ns.se.
se.     172800  IN      NS      b.ns.se.

;; ADDITIONAL SECTION:
a.ns.se.        172800  IN      A       192.36.144.107
b.ns.se.        172800  IN      A       192.36.133.107
c.ns.se.        172800  IN      A       192.36.135.107
f.ns.se.        172800  IN      A       192.71.53.53
g.ns.se.        172800  IN      A       130.239.5.114
i.ns.se.        172800  IN      A       194.146.106.22
j.ns.se.        172800  IN      A       199.254.63.1
x.ns.se.        172800  IN      A       213.108.25.4
y.ns.se.        172800  IN      A       185.159.197.150
z.ns.se.        172800  IN      A       185.159.198.150
a.ns.se.        172800  IN      AAAA    2a01:3f0:0:301::53
b.ns.se.        172800  IN      AAAA    2001:67c:254c:301::53
c.ns.se.        172800  IN      AAAA    2001:67c:2554:301::53
f.ns.se.        172800  IN      AAAA    2a01:3f0:0:305::53
g.ns.se.        172800  IN      AAAA    2001:6b0:e:3::1

;; Query time: 36 msec
;; SERVER: 2001:dc3::35
;; WHEN: Mon Jul 29 14:17:23 2019
;; MSG SIZE  rcvd: 487
   0.15 DEBUG3    SYSTEM       SYSTEM:CACHED_RETURN packet=;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55847
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 15 
;; QUESTION SECTION:
;; iis.se.      IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
se.     172800  IN      NS      z.ns.se.
se.     172800  IN      NS      x.ns.se.
se.     172800  IN      NS      y.ns.se.
se.     172800  IN      NS      j.ns.se.
se.     172800  IN      NS      a.ns.se.
se.     172800  IN      NS      c.ns.se.
se.     172800  IN      NS      f.ns.se.
se.     172800  IN      NS      g.ns.se.
se.     172800  IN      NS      i.ns.se.
se.     172800  IN      NS      b.ns.se.

;; ADDITIONAL SECTION:
a.ns.se.        172800  IN      A       192.36.144.107
b.ns.se.        172800  IN      A       192.36.133.107
c.ns.se.        172800  IN      A       192.36.135.107
f.ns.se.        172800  IN      A       192.71.53.53
g.ns.se.        172800  IN      A       130.239.5.114
i.ns.se.        172800  IN      A       194.146.106.22
j.ns.se.        172800  IN      A       199.254.63.1
x.ns.se.        172800  IN      A       213.108.25.4
y.ns.se.        172800  IN      A       185.159.197.150
z.ns.se.        172800  IN      A       185.159.198.150
a.ns.se.        172800  IN      AAAA    2a01:3f0:0:301::53
b.ns.se.        172800  IN      AAAA    2001:67c:254c:301::53
c.ns.se.        172800  IN      AAAA    2001:67c:2554:301::53
f.ns.se.        172800  IN      AAAA    2a01:3f0:0:305::53
g.ns.se.        172800  IN      AAAA    2001:6b0:e:3::1

;; Query time: 36 msec
;; SERVER: 2001:dc3::35
;; WHEN: Mon Jul 29 14:17:23 2019
;; MSG SIZE  rcvd: 487
   0.15 DEBUG2    SYSTEM       SYSTEM:IS_REDIRECT name="iis.se"; to="se"; type=SOA
   0.16 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=192.36.144.107; name=a.ns.se
   0.16 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=2a01:03f0:0000:0301:0000:0000:0000:0053; name=a.ns.se
   0.16 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=192.36.133.107; name=b.ns.se
   0.16 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=2001:067c:254c:0301:0000:0000:0000:0053; name=b.ns.se
   0.17 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=192.36.135.107; name=c.ns.se
   0.17 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=2001:067c:2554:0301:0000:0000:0000:0053; name=c.ns.se
   0.17 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=192.71.53.53; name=f.ns.se

Each "dig output" above belongs to the previous message, but the delimitation is hard to see. Also note that the first line of the "dig output" is presented at the end of the log message line. I propose the following format for "dig messages". Note the line break before the first line of the "dig message":

   0.09 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=202.12.27.33; name=m.root-servers.net
   0.10 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=2001:0dc3:0000:0000:0000:0000:0000:0035; name=m.root-servers.net
   0.10 DEBUG2    SYSTEM       SYSTEM:RECURSE_QUERY address=2001:0dc3:0000:0000:0000:0000:0000:0035; class=IN; name=iis.se; ns=m.root-servers.net; source=m.root-servers.net/2001:dc3::35; type=SOA
   0.10 DEBUG2    SYSTEM       SYSTEM:QUERY flags={"class":"IN"}; ip=2001:dc3::35; name=iis.se; type=SOA
   0.10 DEBUG2    SYSTEM       SYSTEM:CACHE_CREATED ip=2001:0dc3:0000:0000:0000:0000:0000:0035
   0.11 DEBUG2    SYSTEM       SYSTEM:CACHE_FETCHED ip=2001:0dc3:0000:0000:0000:0000:0000:0035
   0.11 DEBUG     SYSTEM       SYSTEM:EXTERNAL_QUERY flags={"class":"IN"}; ip=2001:dc3::35; name=iis.se; type=SOA
   0.15 DEBUG3    SYSTEM       SYSTEM:EXTERNAL_RESPONSE packet=
                               ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55847
                               ;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 15 
                               ;; QUESTION SECTION:
                               ;; iis.se.      IN      SOA

                               ;; ANSWER SECTION:

                               ;; AUTHORITY SECTION:
                               se.     172800  IN      NS      z.ns.se.
                               se.     172800  IN      NS      x.ns.se.
                               se.     172800  IN      NS      y.ns.se.
                               se.     172800  IN      NS      j.ns.se.
                               se.     172800  IN      NS      a.ns.se.
                               se.     172800  IN      NS      c.ns.se.
                               se.     172800  IN      NS      f.ns.se.
                               se.     172800  IN      NS      g.ns.se.
                               se.     172800  IN      NS      i.ns.se.
                               se.     172800  IN      NS      b.ns.se.
                               
                               ;; ADDITIONAL SECTION:
                               a.ns.se.        172800  IN      A       192.36.144.107
                               b.ns.se.        172800  IN      A       192.36.133.107
                               c.ns.se.        172800  IN      A       192.36.135.107
                               f.ns.se.        172800  IN      A       192.71.53.53
                               g.ns.se.        172800  IN      A       130.239.5.114
                               i.ns.se.        172800  IN      A       194.146.106.22
                               j.ns.se.        172800  IN      A       199.254.63.1
                               x.ns.se.        172800  IN      A       213.108.25.4
                               y.ns.se.        172800  IN      A       185.159.197.150
                               z.ns.se.        172800  IN      A       185.159.198.150
                               a.ns.se.        172800  IN      AAAA    2a01:3f0:0:301::53
                               b.ns.se.        172800  IN      AAAA    2001:67c:254c:301::53
                               c.ns.se.        172800  IN      AAAA    2001:67c:2554:301::53
                               f.ns.se.        172800  IN      AAAA    2a01:3f0:0:305::53
                               g.ns.se.        172800  IN      AAAA    2001:6b0:e:3::1
                               
                               ;; Query time: 36 msec
                               ;; SERVER: 2001:dc3::35
                               ;; WHEN: Mon Jul 29 14:17:23 2019
                               ;; MSG SIZE  rcvd: 487
   0.15 DEBUG3    SYSTEM       SYSTEM:CACHED_RETURN packet=
                               ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55847
                               ;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 15 
                               ;; QUESTION SECTION:
                               ;; iis.se.      IN      SOA
                               
                               ;; ANSWER SECTION:
                               
                               ;; AUTHORITY SECTION:
                               se.     172800  IN      NS      z.ns.se.
                               se.     172800  IN      NS      x.ns.se.
                               se.     172800  IN      NS      y.ns.se.
                               se.     172800  IN      NS      j.ns.se.
                               se.     172800  IN      NS      a.ns.se.
                               se.     172800  IN      NS      c.ns.se.
                               se.     172800  IN      NS      f.ns.se.
                               se.     172800  IN      NS      g.ns.se.
                               se.     172800  IN      NS      i.ns.se.
                               se.     172800  IN      NS      b.ns.se.
                               
                               ;; ADDITIONAL SECTION:
                               a.ns.se.        172800  IN      A       192.36.144.107
                               b.ns.se.        172800  IN      A       192.36.133.107
                               c.ns.se.        172800  IN      A       192.36.135.107
                               f.ns.se.        172800  IN      A       192.71.53.53
                               g.ns.se.        172800  IN      A       130.239.5.114
                               i.ns.se.        172800  IN      A       194.146.106.22
                               j.ns.se.        172800  IN      A       199.254.63.1
                               x.ns.se.        172800  IN      A       213.108.25.4
                               y.ns.se.        172800  IN      A       185.159.197.150
                               z.ns.se.        172800  IN      A       185.159.198.150
                               a.ns.se.        172800  IN      AAAA    2a01:3f0:0:301::53
                               b.ns.se.        172800  IN      AAAA    2001:67c:254c:301::53
                               c.ns.se.        172800  IN      AAAA    2001:67c:2554:301::53
                               f.ns.se.        172800  IN      AAAA    2a01:3f0:0:305::53
                               g.ns.se.        172800  IN      AAAA    2001:6b0:e:3::1
                               
                               ;; Query time: 36 msec
                               ;; SERVER: 2001:dc3::35
                               ;; WHEN: Mon Jul 29 14:17:23 2019
                               ;; MSG SIZE  rcvd: 487
   0.15 DEBUG2    SYSTEM       SYSTEM:IS_REDIRECT name="iis.se"; to="se"; type=SOA
   0.16 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=192.36.144.107; name=a.ns.se
   0.16 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=2a01:03f0:0000:0301:0000:0000:0000:0053; name=a.ns.se
   0.16 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=192.36.133.107; name=b.ns.se
   0.16 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=2001:067c:254c:0301:0000:0000:0000:0053; name=b.ns.se
   0.17 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=192.36.135.107; name=c.ns.se
   0.17 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=2001:067c:2554:0301:0000:0000:0000:0053; name=c.ns.se
   0.17 DEBUG2    SYSTEM       SYSTEM:NS_CREATED ip=192.71.53.53; name=f.ns.se

Disabling progress indication

Zonemaster-cli shows a progress spinner by default if STDOUT is a TTY. It's possible to enable the spinner even if STDOUT is not a TTY but it's not possible to disable it if STDOUT is a TTY. It should be possible to turn it off. In the meantime the workaround is to pipe STDOUT through cat:

zonemaster-cli example.com | cat

Make CLI Makefiles BSD compatible

Today share/Makefile uses the GNU-specific $(wildcard) function, and our documentation works around this fact by specifying the use of gmake on FreeBSD. A better way would be to make the Makefiles portable and use the make command on all platforms.

See also the related issue zonemaster/zonemaster-engine#702.

Information about AS' is hidden even at DEBUG-level

It should be possible to see all available data on AS-numbers when running at DEBUG level; as it is now the only information available (regardless of level) is the number/name itself and not the network or operator. This is from DNSCheck (something similar should be implemented in Zonemaster):
3.338: DEBUG [ASN:RAW] 85.24.141.132;8473 | 85.24.128.0/18 | SE | ripencc | 2005-02-24
3.341: DEBUG [ASN:ANNOUNCE_BY] 85.24.141.132;8473
3.342: DEBUG [ASN:ANNOUNCE_IN] 85.24.141.132;85.24.128.0/18

While Zonemaster, at level DEBUG, only says:
2.34 INFO CONNECTIVITY:NAMESERVER_HAS_TCP_53 address=85.24.141.132, ns=ns1.rayceem.com
5.64 INFO CONNECTIVITY:IPV4_ASN asn=8473
5.64 INFO CONNECTIVITY:IPV6_ASN asn=
5.64 WARNING CONNECTIVITY:NAMESERVERS_IPV4_WITH_UNIQ_AS asn=8473

This is not a bug but it is a feature request for us data miners. :)

Mimic translation tooling from Engine

Today the process for updating the PO files in CLI is completely manual. On the other hand Engine uses xgettext and msgmerge to do much of the heavy lifting. CLI should adopt the same tooling as Engine.

Missing files in the Kit while running perl Makefile.PL - CentOS 7

perl Makefile.PL 
include /home/sandoche/zonemaster-cli/inc/Module/Install.pm
include inc/Module/Install/Metadata.pm
include inc/Module/Install/Base.pm
include inc/Module/Install/Makefile.pm
include inc/Module/Install/Scripts.pm
include inc/Module/Install/Share.pm
include inc/Module/Install/WriteAll.pm
include inc/Module/Install/Win32.pm
include inc/Module/Install/Can.pm
include inc/Module/Install/Fetch.pm
Checking if your kit is complete...
Warning: the following files are missing in your kit:
        META.yml
        share/locale/da/LC_MESSAGES/Zonemaster-CLI.mo
        share/locale/en/LC_MESSAGES/Zonemaster-CLI.mo
        share/locale/fr/LC_MESSAGES/Zonemaster-CLI.mo
        share/locale/sv/LC_MESSAGES/Zonemaster-CLI.mo
Please inform the author.
Warning: prerequisite JSON::XS 0 not found.
Warning: prerequisite Locale::TextDomain 1.23 not found. We have 1.20.
Warning: prerequisite MooseX::Getopt 0 not found.
Warning: prerequisite Text::Reflow 0 not found.
Warning: prerequisite Zonemaster::Engine 3 not found.
Warning: prerequisite Zonemaster::LDNS 2 not found.
Writing Makefile for Zonemaster::CLI
Writing MYMETA.yml and MYMETA.json
Writing META.yml

Case-insensitive --level parameter

Zonemaster CLI should perform case folding of its CLI arguments where reasonable. Today the --level parameter is case sensitive. In the following example, only the first command is accepted. Both should be accepted and they should be equivalent.

zonemaster-cli --level INFO zonemaster.net
zonemaster-cli --level info zonemaster.net

Markdown rendering

GitHub has updated its markdown rendering engine, breaking some of our documents. We need to update our markup to make it compliant with the new spec.

Specifically I've noted problems with headings that don't render properly anymore. The new spec doesn't recognize NBSP as a separator between the '#' prefix and the heading text. We need to replace our NBSP characters with SPACE characters.

Less helpful error message when source address of --sourceaddr cannot be used

Zonemaster CLI has the option --sourceaddr. If that is set to localhost or to an address not bound to any interface, the error message is less helpful.

$ ifconfig eth0 | grep "inet "
          inet addr:109.74.12.66  Bcast:109.74.13.255  Mask:255.255.254.0

$ zonemaster-cli --sourceaddr 109.74.12.67 google.de
Seconds Level     Message
======= ========= =======
   0.15 ERROR     No response from nameserver for zone . when trying to fetch glue.
   0.17 CRITICAL  Not enough data about google.de was found to be able to run tests.

$ zonemaster-cli --sourceaddr 127.0.0.1 google.de
Seconds Level     Message
======= ========= =======
   0.14 ERROR     No response from nameserver for zone . when trying to fetch glue.
   0.15 CRITICAL  Not enough data about google.de was found to be able to run tests.

$ zonemaster-cli --sourceaddr ::1 google.de
Seconds Level     Message
======= ========= =======
  90.32 ERROR     No response from nameserver for zone . when trying to fetch glue.
  90.34 CRITICAL  Not enough data about google.de was found to be able to run tests.

NOTE (2021-01-19): #110 fixes the first case (using an address not attached to any interface) but not the second and third (using a localhost address). The first case was the most important, so this issue is considered to be resolved.

The --config and --policy options of the CLI are not clear

$ zonemaster-cli --help
...
        --config STR          Name of configuration file to load.
        --policy STR          Name of policy file to load.
...
$ zonemaster-cli --config anand ripe.net
Loading configuration from anand.
read_file 'anand' - sysopen: No such file or directory at /opt/zonemaster/lib/perl5/Zonemaster/Engine/Config.pm line 131.
$ ls /etc/zonemaster/
backend_config.ini  config_ripedb.json  policy_ripedb.json
$ zonemaster-cli --config config_ripedb.json ripe.net
Loading configuration from config_ripedb.json.
read_file 'config_ripedb.json' - sysopen: No such file or directory at /opt/zonemaster/lib/perl5/Zonemaster/Engine/Config.pm line 131.

The problem here is that the option says the "config" and "policy" are names. This is quite different from paths. In reality, the CLI wants an absolute path to the config file name, including its extension.

Inconsistent CLI options documentation

The command line options are documented in two different ways. The two different documentations can be shown with the commands zonemaster-cli --help and perldoc zonemaster-cli respectively. Both commands should output the same documentation.

--sourceaddr is not correctly implemented

Zonemaster CLI has the option --sourceaddr:

$ zonemaster-cli --help
usage: zonemaster-cli [-?h] [long options...]
	-h -? --usage --help  Prints this usage information.
(...)
	--sourceaddr          Local IP address that the test engine should
	                      try to send its requests from.
	--elapsed             Print elapsed time at end of run.

but it does not work at all, as it seems:

zonemaster-cli --sourceaddr 109.74.12.66 --no-ipv6 google.de
Seconds Level     Message
======= ========= =======
Looks OK.
Failed to parse IP address: 1 at /usr/local/share/perl/5.18.2/Zonemaster/Nameserver.pm line 83, <DATA> line 20.

Looking at the code,

cat -n /usr/local/share/perl/5.18.2/Zonemaster/Nameserver.pm | head -87 | tail -17
    71	sub _build_dns {
    72	    my ( $self ) = @_;
    73	
    74	    my $res = Net::LDNS->new( $self->address->ip );
    75	    $res->recurse( 0 );
    76	
    77	    my %defaults = %{ Zonemaster->config->resolver_defaults };
    78	    foreach my $flag ( keys %defaults ) {
    79	        $res->$flag( $defaults{$flag} );
    80	    }
    81	
    82	    if ( $self->source_address ) {
    83	        $res->source( $self->source_address );
    84	    }
    85	
    86	    return $res;
    87	}

it turns out that $self->source_address on line 83 returns 1 when --sourceaddr is set to some address, which does not seem to be correct.

Nagios mode

Add a Nagios mode to zonemaster-cli, where a user defined log level generates the different Nagios return codes. This makes it easy to use Zonemaster as a Nagios plugin.
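
One way to get the behaviour requested above with the current CLI, as an added example that is not part of the issue or of Zonemaster's own code: a shell wrapper that reads zonemaster-cli's text report on stdin and prints the Nagios plugin code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) for user-chosen thresholds. The function names and the sample report are constructed for illustration, and the level ordering DEBUG3 through CRITICAL (including NOTICE) is assumed.

```shell
#!/bin/sh
# Added example: Nagios exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN)
# derived from zonemaster-cli text output. Function names are hypothetical.

# Rank of a Zonemaster severity level, case-insensitive; 0 means unknown.
zm_rank() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        DEBUG3) echo 1 ;; DEBUG2) echo 2 ;; DEBUG) echo 3 ;;
        INFO) echo 4 ;; NOTICE) echo 5 ;; WARNING) echo 6 ;;
        ERROR) echo 7 ;; CRITICAL) echo 8 ;;
        *) echo 0 ;;
    esac
}

# Usage: zonemaster-cli ... | zm_nagios_code WARN_LEVEL CRIT_LEVEL
# Prints the Nagios code for the most severe message read from stdin.
zm_nagios_code() {
    warn=$(zm_rank "$1"); crit=$(zm_rank "$2")
    # Unknown or inverted thresholds must not pass silently as OK.
    if [ "$warn" -eq 0 ] || [ "$crit" -eq 0 ] || [ "$warn" -gt "$crit" ]; then
        echo 3; return 0
    fi
    worst=0; seen=0
    while read -r secs level _rest; do
        case "$secs" in
            Looks) if [ "$level" = "OK." ]; then seen=1; fi; continue ;;
            ''|*[!0-9.]*) continue ;;   # header, ruler, blank, stack traces
        esac
        rank=$(zm_rank "$level")
        if [ "$rank" -gt 0 ]; then
            seen=1
            if [ "$rank" -gt "$worst" ]; then worst=$rank; fi
        fi
    done
    if [ "$seen" -eq 0 ]; then echo 3        # no report at all: UNKNOWN
    elif [ "$worst" -ge "$crit" ]; then echo 2
    elif [ "$worst" -ge "$warn" ]; then echo 1
    else echo 0
    fi
}

# Constructed sample report in the layout zonemaster-cli prints.
zm_sample_report() {
    cat <<'EOF'
Seconds Level     Message
======= ========= =======
   2.34 INFO      CONNECTIVITY:NAMESERVER_HAS_TCP_53 address=192.0.2.1, ns=ns1.example.com
   5.64 WARNING   CONNECTIVITY:NAMESERVERS_IPV4_WITH_UNIQ_AS asn=64496
EOF
}

zm_sample_report | zm_nagios_code WARNING ERROR   # prints 1
```

An empty report maps to UNKNOWN rather than OK, so a run that crashed before printing anything does not show up as a healthy zone.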

Undelegated test (CLI) ignores name that does not resolve to address

As @aabdnn writes in issue zonemaster/zonemaster-engine#278 there is a bug in Zonemaster-CLI when an undelegated test is fed with a name that cannot be resolved to an address:

I expect this test to fail (because name server abcdef does not exist):

zonemaster-cli 193.in-addr.arpa --ns pri.authdns.ripe.net --ns sns-pb.isc.org --ns tinnie.arin.net --ns sec3.apnic.net --ns abcdef

However, Zonemaster (CLI 1.0.5, engine 1.0.16) happily passes this, with no errors emitted.

As far as I can see, method add_fake_delegation in Zonemaster/CLI.pm just ignores any name that cannot be resolved to an address.

        if ($ip) {
            push @{ $data{ $self->to_idn( $name ) } }, $ip;
        }
        else {
            my $n = $self->to_idn( $name );
            my @ips = Net::LDNS->new->name2addr($n);
            push @{ $data{$n} }, $_ for @ips;
        }

If a name is fed without an address, the address is looked up with my @ips = Net::LDNS->new->name2addr($n); and if that returns nothing, the name is ignored.

Option --dump_policy does not work

There is an option to print the policy by CLI:

$ LC_ALL=C zonemaster-cli --h | tail -5 | head -2
	--dump_policy        Print the effective policy used in JSON format,
	                     then exit.

But it does not work

$ zonemaster-cli --dump_policy
encountered object '1', but neither allow_blessed nor convert_blessed settings are enabled at /usr/local/share/perl/5.18.2/Zonemaster/CLI.pm line 629, <DATA> line 20.

Update installation instructions for CLI for CentOS 8

CentOS 8 is a new OS planned to be supported by release v2019.2. The installation instructions probably need to be adjusted for CentOS 8. There could be more binary packages available, but there could also be other changes.

Print diagnostics to STDERR

The --config and --policy parameters print diagnostic information about what file was loaded (e.g. "Loading policy from myfile.json"). Today these diagnostics are printed to STDOUT. This behavior is problematic when the output is fed to jq for pretty printing. The diagnostics should be printed to STDERR instead in order to keep them separated from the normal output.

Make options more user friendly

Multi-word options, like "show module", use underscore "_" instead of hyphen "-" as a substitution for space. I.e.:

--show_module
--no-show_module

It would be more user-friendly with

--show-module
--no-show-module

Since underscore has been used for a long time, I suggest that both are supported.

DNSSEC signature expire

Hi, I miss the DNSSEC signature expire that dnscheck prints out.

Example from dnscheck
INFO DNSSEC signature expires at: Fri Mar 6 15:35:01 2015

It would be nice to have it printed out when in
--level INFO --raw
mode and with SOA and DNSKEY's separate printed out

And if expire for NS, MX and ev. www RR also is printed out it's great!

/Tobbe
