Tighten CNAME validation to block cases that fail various validators

[Kris Deugau]

Currently CNAMEs may be created in parallel with existing records. This can cause validation failures in external DNSSEC signing tools or lookup failures when the records are published.

Add checks for parallel records with options to:

• warn and continue
• suggest/coerce-to ALIAS (root domain only)
• fail with error
• remove the parallel record(s)

[Kris Deugau]

In 937:

/branches/cname-collision

First pass/chunk for a CNAME-collision sub
Comment much-simplified local check in CNAME validation sub, add prelimiary call to new sub
See #72.

[Kris Deugau]

In 938:

/branches/cname-collision

Refine collision sub calling convention/arguments
Add preliminary call in A record validation
See #72.

[Kris Deugau]

In 939:

/branches/cname-collision

Logic bug checking the CNAME record count
Fix up call to collision sub so it might actually run
See #72

[Kris Deugau]

In 940:

/branches/cname-collision

Add calls to collision sub in AAAA, SRV, and CAA record validation subs
See #72

[Kris Deugau]

In 941:

/branches/cname-collision

Correct "how did past me set up this hash anyway?"-ism
Move call to collision check sub to end of CNAME validator
See #72

[Kris Deugau]

In 942:

/branches/cname-collision

Move A record CNAME collision check to end of validator
Add CNAME collision check call to NS, PTR, MX, TXT. Calls also cover A+PTR,

AAAA+PTR, and RP types as those call the A, AAAA, and TXT validators respectively.

See #72

[Kris Deugau]

In 950:

/branches/cname-collision

Start adding actual tests. See #88.

First chunk, tests for CNAME collision checks. See #72.

[Kris Deugau]

In 951:

/branches/cname-collision

Add CNAME record-add tests for reverse zones. See #88, #72

[Kris Deugau]

In 952:

/branches/cname-collision

Add add-duplicate-CNAME test that got missed somehow when shuffling patches
Wrap domain and reverse zone groups of tests in their own blocks
See #88, #72

[Kris Deugau]

In 953:

/branches/cname-collision

Add domain record update tests
See #88, #72

[Kris Deugau]

In 954:

/branches/cname-collision

Fix another patch-shuffling oops; accidentally duplicated a test instead
of copying in the appropriate variantion.
See #72, #88

[Kris Deugau]

In 955:

/branches/cname-collision

Rename some subtests for consistency
Fix trivial whitespace oops
See #72, #88

[Kris Deugau]

In 956:

/branches/cname-collision

More test name fiddling for consistency
See #72, #88

[Kris Deugau]

In 958:

/branches/cname-collision

Merge a minor bit of test framework stuff from /trunk
See #88, #72

[Kris Deugau]

In 959:

/branches/cname-collision

Extend _cname_collision() lookups to skip the record passed in for update,
so as to not fail the checks by finding that record itself.
See #72.

[Kris Deugau]

In 960:

/branches/cname-collision

Add calls to _cname_collision() in a couple more record validators (A+PTR
template, delegation, ALIAS).
See #72.

[Kris Deugau]

In 964:

/branches/cname-collision

Tests for CNAME updates in reverse zones
See #72, #88

[Kris Deugau]

In 968:

/branches/cname-collision

Exclude expired records from collision failures
See #72, #88

[Kris Deugau]

In 969:

/branches/cname-collision

Test for collision with yet-to-expire record. Technically overkill as it
falls through to the non-expiring-record case but future refinements may
make this relevant.
See #72, #88

[Kris Deugau]

In 970:

/branches/cname-collision

Compact the timestamp check from r968 since it's looking like further
timestamp-related checks will need to go elsewhere anyway, and copy it
into the second section.
See #72, #88

[Kris Deugau]

In 973:

/branches/cname-collision

Revise/tighten normalization for $stamp and $expires in addRec() and
updateRec() so that they can be passed to the validators, so that CNAME
collision checking can account for record expiry/valid-after.
See #72

[Kris Deugau]

In 974:

/branches/cname-collision

Fix SQL logic bug picking out possible colliding records
See #72

[Kris Deugau]

In 976:

/branches/cname-collision

Add a set of test records with various expiry/valid-after settings for
testing CNAME collisions
Add a file of SQL UPDATEs and a call in the test setup module to normalize
the actual tested timestamps to a sliding window so that the base SQL
reference doesn't need to be updated on an ongoing basis for the tests to
work correctly
See #72, #88

[Kris Deugau]

In 978:

/branches/cname-collision

Fold the "not-a-CNAME" and "only-CNAME" lookups into a loop to avoid
mistake-prone copypasta in extending CNAME collision checks further
See #72

[Kris Deugau]

In 979:

/branches/cname-collision

Fix dumb typo in timestamped record timestamp reset SQL
See #72

[Kris Deugau]

In 980:

/branches/cname-collision

Fix missed pass-by-reference on timestamp flag calling into the validator subs
See #72

[Kris Deugau]

In 981:

/branches/cname-collision

Remove calls to _cname_collision() from individual validator subs in favour
of a followup call direct from addRec() and updateRec(), so that warnings
from the validators can be more cleanly (ie, less copy-pasty) merged from
potential warnings from the CNAME collision check (some timestamp cases will
use this).
See #72

[Kris Deugau]

In 982:

/branches/cname-collision

Add test for new non-timestamped CNAME colliding with a record with a
future valid-after stamp
See #72, #88

[Kris Deugau]

In 983:

/branches/cname-collision

Account for future valid-after records when checking CNAME collisions.
See #72

[Kris Deugau]

In 984:

/branches/cname-collision

Added specific test for CNAME colliding with a record that has a valid-after
timestamp in the past.

• additional test record
• adjusted timestamp-retrieval SQL
• extend logic tree for this case

See #72, #88

[Kris Deugau]

In 987:

/branches/cname-collision

Add test subgroup for expiring CNAME. First two tests are arguably retries
of earlier tests from domain group, included for completeness.
See #72, #88

[Kris Deugau]

In 989:

/branches/cname-collision

Add test for new CNAME with expiry before pending valid-after
Add missing 'use Date::Parse' so user input can be parsed for timestamp comparisons
See #72, #88

[Kris Deugau]

In 992:

/branches/cname-collision

Add test and supporting record for new CNAME with expiry after an existing
record's valid-after timestamp
See #72, #88

[Kris Deugau]

In 994:

/branches/cname-collision

Add test and target record for checking adding an expiring CNAME after a
same-name record has expired.
See #72, #88

[Kris Deugau]

In 995:

/branches/cname-collision

Add a configuration option to set how to handle several cases of overlapping
timestamp expiry/valid-after cases checking for CNAME collisions
See #72

[Kris Deugau]

In 996:

/branches/cname-collision

Significant rewrite of most of the collision lookups due to edge cases
checking for various overlapping expiry/valid-after timestamps and
optionally resetting them to non-overlapping values.
Includes a truth table in a .ods spreadsheet.
See #72

[Kris Deugau]

In 997:

/branches/cname-collision

Fix up tests for non-timestamped CNAME colliding with timestamped existing
records to match revised logic tree collision and truth table
See #72

[Kris Deugau]

In 998:

/branches/cname-collision

Add test records for another group of tests (add CNAME with expiry)
See #72

[Kris Deugau]

In 999:

/branches/cname-collision

Set a default for coerce_cname_timestamp
Override coerce_cname_timestamp in the test support module to better
exercise deeper branches of the CNAME collision checks
See #72

[Kris Deugau]

In 1000:

/branches/cname-collision

Load coerce_cname_timestamp setting from dnsdb.conf
Note that an additional unused value 'full' is accepted but not implemented
(intended to affect adding/updating a record without a timestamp that
conflicts with a record that has one)
See #72

[Kris Deugau]

In 1001:

/branches/cname-collision

Revise test for adding expiring CNAME when an existing expired CNAME already
exists to match updated logic tree and truth table.
See #72, #88

[Kris Deugau]

In 1003:

/branches/cname-collision

Revise logic branch for new/updated record with valid-after potentially
colliding with existing record with expiry stamp to match intended behaviour
in truth table, including adjusting valid-after timestamp to match the
existing expiry if the appropriate ocnfiguration flag is set.
See #72

[Kris Deugau]

In 1004:

/branches/cname-collision

Start adding test group for adding a CNAME with a valid-after timestamp

• collision with existing non-timestamped record

See #72, #88

[Kris Deugau]

In 1005:

/branches/cname-collision

Test for correct handling and timestamp adjustment to new valid-after
overlapping an existing pending-expiry
See #72, #88

[Kris Deugau]

In 1006:

/branches/cname-collision

Test for new valid-after CNAME active after existing valid-after with the same name
See #72, #88

[Kris Deugau]

In 1009:

/branches/cname-collision

Test for new CNAME with valid-after timestamp before an existing
valid-after record with the same name
See #72, #88

[Kris Deugau]

In 1010:

/branches/cname-collision

Test for new CNAME with valid-after timestamp after existing record expires
See #72, #88

[Kris Deugau]

In 1012:

/branches/cname-collision

Fix up test checking adjustment of valid-after timestamp when the requested
time is before an existing valid-after

• Record count made more accurate by counting all records with the test name
• Somehow missed checking the timestamp values in r1005

See #72, #88

[Kris Deugau]

In 1014:

/branches/cname-collision

Add another test zone and records for update-to-CNAME test cases
Add relevant timestamp updates for the new test suite records
See #72, #88

[Kris Deugau]

In 1015:

/branches/cname-collision

Start adding tests calling updateRec() with new non-timestamp CNAME data
See #72, #88

[Kris Deugau]

In 1016:

/branches/cname-collision

Add the other three tests for "update record to non-timestamp CNAME
colliding with variously timestamped existing record"
See #72, #88

[Kris Deugau]

In 1017:

/branches/cname-collision

Add record group for testing update to CNAME with expiry
See #72, #88

[Kris Deugau]

In 1018:

/branches/cname-collision

Refine one subbranch of the collision check logic; while in general an
expiring record can have its expiry time coerced to match a conflicting
valid-after record, it makes little sense to allow adding a record that
expires in the past to match a valid-after record with a timestamp in the
past.

The inverse case of a new/updated valid-after record conflicting with an
expired record with a timestamp in the past at least makes sense to allow
as the new record will be active immediately.

See #72

[Kris Deugau]

In 1019:

/branches/cname-collision

Relocate changes from r1018 to correct subbranch.

See #72

[Kris Deugau]

In 1020:

/branches/cname-collision

Add test group for updating a record to a CNAME with an expiry
Add arguably redundant test checking for collision with nontimestamped record
See #72, #88

[Kris Deugau]

In 1021:

/branches/cname-collision

Test with updating to a CNAME that expires:
Add test for collision with existing pending-expiry record
See #72, #88

[Kris Deugau]

In 1022:

/branches/cname-collision

Test with updating to a CNAME that expires:
Add test for collision with already-expired record
See #72, #88

[Kris Deugau]

In 1023:

/branches/cname-collision

Test with updating to a CNAME that expires:
Add test for overlap with pending valid-after record
See #72, #88

[Kris Deugau]

In 1024:

/branches/cname-collision

Test with updating to a CNAME that expires:
Add test for expiry after active valid-after record
See #72, #88

[Kris Deugau]

In 1025:

/branches/cname-collision

Test with updating to a CNAME that expires:
Add test for expiry before pending valid-after record. Note this probes the
(corrected) revised handling in r1019.

See #72, #88

[Kris Deugau]

In 1026:

/branches/cname-collision

Add test records and timestamp window adjustments for what should be the
last group of records for testing CNAME collisions
See #72, #88

[Kris Deugau]

In 1027:

/branches/cname-collision

Add test group for updating a record to a valid-after CNAME
Add arguably redundant test checking for collision with nontimestamped record
See #72, #88

[Kris Deugau]

In 1028:

/branches/cname-collision

Test with updating to a valid-after CNAME:
Add test for collision with existing pending-expiry record with timestamp
before existing expiry
See #72, #88

[Kris Deugau]

In 1029:

/branches/cname-collision

Test with updating to a valid-after CNAME:
Add test for collision with existing pending-expiry record with timestamp
after existing expiry
See #72, #88

[Kris Deugau]

In 1030:

/branches/cname-collision

Test with updating to a valid-after CNAME:
Add test for collision with existing valid-after record, new timestamp before existing
See #72, #88

[Kris Deugau]

In 1031:

/branches/cname-collision

Test with updating to a valid-after CNAME:
Add test for collision with existing valid-after record, new timestamp after existing
See #72, #88

[Kris Deugau]

In 1040:

/branches/cname-collision

Last-minute-ish addition of another block of tests to make sure non-CNAMEs
collide with CNAMEs, but continue to not collide with each other
First, the new domain and records
See #72, #88

[Kris Deugau]

In 1041:

/branches/cname-collision

Add new test domain and record checks in DNSTest.pm
Also tweak a critical bailout error message
See #72, #88

[Kris Deugau]

In 1042:

/branches/cname-collision

First block of actual tests - add nonexpiring non-CNAME
See #72, #88