zonemaster/docs/public/specifications/tests/DNSSEC-TP/dnssec06.md

## DNSSEC06: Verify DNSSEC additional processing

### Test case identifier
**DNSSEC06** Verify DNSSEC additional processing

### Objective

In order for an authoritative name server to be DNSSEC compliant,
it must serve DNSSEC signatures (RRSIG) as additional data in a DNS answer.
This additional processing is described in section 3.1 of [RFC 4035](
https://datatracker.ietf.org/doc/html/rfc4035#section-3.1).

### Inputs

The domain name to be tested.

### Ordered description of steps to be taken to execute the test case

1. For each name server configured for the domain:
2. Retrieve the DNSKEY RR set from the child zone.
3. If the answer from the query does contain a DNSKEY _and_ RRSIG, this
   test case passes.
4. If there is no DNSKEY RR or RRSIG RR in the answer and the RCODE is
   NOERROR, this test case fails.

### Outcome(s)

If any of the name servers configured for the domains fail to answer with
DNSSEC data, this test case fails.

### Special procedural requirements

None.

### Intercase dependencies

This test should only run if [DNSSEC07](dnssec07.md) has been successful
in finding a DNSKEY for the domain.
feat: add full Zonemaster stack with Docker and Spanish UI - Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI) - Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend - Dockerfile.gui: Astro static build served via nginx - docker-compose.yml: backend (internal) + frontend (port 5353) - nginx.conf: root redirects to /es/, /api/ proxied to backend - zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-21 08:19:24 +02:00			`## DNSSEC06: Verify DNSSEC additional processing`

			`### Test case identifier`
			`DNSSEC06 Verify DNSSEC additional processing`

			`### Objective`

			`In order for an authoritative name server to be DNSSEC compliant,`
			`it must serve DNSSEC signatures (RRSIG) as additional data in a DNS answer.`
			`This additional processing is described in section 3.1 of [RFC 4035](`
			`https://datatracker.ietf.org/doc/html/rfc4035#section-3.1).`

			`### Inputs`

			`The domain name to be tested.`

			`### Ordered description of steps to be taken to execute the test case`

			`1. For each name server configured for the domain:`
			`2. Retrieve the DNSKEY RR set from the child zone.`
			`3. If the answer from the query does contain a DNSKEY _and_ RRSIG, this`
			`test case passes.`
			`4. If there is no DNSKEY RR or RRSIG RR in the answer and the RCODE is`
			`NOERROR, this test case fails.`

			`### Outcome(s)`

			`If any of the name servers configured for the domains fail to answer with`
			`DNSSEC data, this test case fails.`

			`### Special procedural requirements`

			`None.`

			`### Intercase dependencies`

			`This test should only run if [DNSSEC07](dnssec07.md) has been successful`
			`in finding a DNSKEY for the domain.`