feat: add full Zonemaster stack with Docker and Spanish UI

- Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI)
- Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend
- Dockerfile.gui: Astro static build served via nginx
- docker-compose.yml: backend (internal) + frontend (port 5353)
- nginx.conf: root redirects to /es/, /api/ proxied to backend
- zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 08:19:24 +02:00
commit 8d4eaa1489
1567 changed files with 204155 additions and 0 deletions

@@ -0,0 +1,35 @@
## BEHAVIOR01: NXDOMAIN returned in response in the event of querying a domain name that does not exist
### Test case identifier
**BEHAVIOR01:** Name Error RCODE returned in response in the event of
querying a domain name that does not exist
### Objective
This test is to verify whether the engine responds with a RCODE NXDOMAIN when
querying a domain name that does not exist.
### Inputs
The domain to be tested. The domain should not be already delegated in the DNS.
### Ordered description of steps to be taken to execute the test case
1. Zonemaster CLI is used to verify an invalid domain
2. If the query dont receive an RCODE NXDOMAIN, the test returns FAIL
### Results
Verifying the invalid domain with zonemaster CLI does provide conclusive errors as you
could see from the appendix
### Appendix
```
zonemaster-cli afnics.fr
Seconds Level Message
======= ========= =======
1.17 CRITICAL Nameserver for zone fr responded with NXDOMAIN to query for
glue.
1.17 CRITICAL Not enough data about afnics.fr was found to be able to run
tests.
```
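
Review bot: Step 2 defines only the FAIL condition and the Results section never states PASS or FAIL, so the verdict has to be inferred from the appendix. State the outcome explicitly: the appendix shows the fr nameserver answering NXDOMAIN for afnics.fr, which is the expected behaviour. In step 2, "dont" should be "does not", and "does provide conclusive errors as you could see" would read better as "reports the expected NXDOMAIN, as shown in the appendix".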

@@ -0,0 +1,39 @@
## BEHAVIOR02: NODATA returned in response in the event of querying a domain name that exists but no relevant answers in the answer section
### Test case identifier
**BEHAVIOR02:** NODATA returned in response in the event of querying a
domain name that exist but no relevant answers in the answer section
### Objective
Section 1 of [RFC 2308](https://datatracker.ietf.org/doc/html/rfc2308) mentions that
"NODATA" is a pseudo RCODE. "NODATA" indicates that there are RRs for the requested
domain name, but none of them match the record type queried.
"NODATA" is indicated by an answer with RCODE set to "NOERROR" (defined in RFC
[RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035)) and no relevant answers in the
answer section.
This test is to verify whether the engine responds with NODATA when
querying a domain name that exists, but the queried record type does not exist.
### Inputs
The domain to be tested. The domain should be already delegated in the DNS, but
should not contain delegation RRs or the queried RRs
### Results
Verifying a domain such as "gouv.fr" which does not have delegation RRs results
in expected results as you can see from the appendix.
### Appendix
```
zonemaster-cli gouv.fr
Seconds Level Message
======= ========= =======
1.16 CRITICAL Nameservers for "fr" provided no NS records for tested zone.
RCODE given was NOERROR.
1.16 CRITICAL Not enough data about gouv.fr was found to be able to run
tests.
```
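
Review bot: This test case has no "Ordered description of steps to be taken to execute the test case" section, unlike BEHAVIOR01, so there is no stated pass/fail criterion to compare the appendix against. Add the steps. In the Inputs, "should be already delegated in the DNS, but should not contain delegation RRs" reads as a contradiction; the Results text ("gouv.fr" which does not have delegation RRs) suggests the name should exist in the parent zone without being delegated, so say that. In the Objective, drop the doubled "RFC" in "(defined in RFC [RFC 1035]...)" and change "domain name that exist" to "exists".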

@@ -0,0 +1,44 @@
## BEHAVIOR03: The behavior of the engine when IPv6 or IPv4 is disabled
### Test case identifier
**BEHAVIOR03:** The behavior of the engine when IPv6 or IPv4 is disabled
### Objective
This test is to verify whether appropriate results are displayed when
querying a domain name from the CLI with IPv6 or IPv4 disabled.
### Inputs
The domain to be tested.
### Ordered description of steps to be taken to execute the test case
1. A valid domain is verified with corresponding options "--no-ipv6" or "--no-ipv4" using Zonemaster CLI
2. If the query dont receive a CRITICAL or ERROR notice, the test returns PASS
### Results
Verifying a valid zone with either IPv4 or IPV6 disabled using the zonemaster
CLI does provide expected results without false positive or false negative as
seen in the appendix.
### Appendix
```
zonemaster-cli --no-ipv6 afnic.fr
Seconds Level Message
======= ========= =======
2.30 NOTICE IPv6 is disabled, not sending "NS" query to
ns1.nic.fr/2001:660:3003:2::4:1.
2.30 NOTICE IPv6 is disabled, not sending "NS" query to
ns2.nic.fr/2001:660:3005:1::1:2.
2.31 NOTICE IPv6 is disabled, not sending "NS" query to
ns3.nic.fr/2001:660:3006:1::1:1.
7.65 NOTICE SOA 'mname' nameserver (dnsmaster.nic.fr) is not listed in
"parent" NS records for tested zone (ns1.nic.fr;ns2.nic.fr;ns3.nic.fr).
7.65 NOTICE SOA 'refresh' value (7200) is less than the recommended one
(14400).
7.65 NOTICE SOA 'retry' value (1800) is less than the recommended one
(3600).
```
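
Review bot: The appendix only shows a `--no-ipv6` run, while step 1 and the Results text claim coverage for both `--no-ipv6` and `--no-ipv4`. Add the `--no-ipv4` output or narrow the claim to the IPv6 case. Write "IPv6" consistently instead of "IPV6" in the Results, and change "dont" in step 2 to "does not".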

@@ -0,0 +1,21 @@
## BEHAVIOR04: Able to test a particular profile from the CLI using an option which selects a particular test profile
### Test case identifier
**BEHAVIOR04:** Able to test a particular profile from the CLI using an option
which selects a particular test profile
### Objective
Zonecheck CLI has an option '-P' which allows to select a particular profile to
test. For example, "zonecheck -P Afnic iis.se" tests the zone with the tests
defined in afnic.profile
(https://github.com/mat813/ZoneCheck/blob/master/etc/zonecheck/afnic.profile).
### Results
The Zonemaster-CLI has integrated this functionality even though
as of not we do not have different profiles to test.
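
Review bot: The Results text says Zonemaster-CLI "has integrated this functionality", but the file never names the Zonemaster option or shows an invocation; the only command given is the ZoneCheck one ("zonecheck -P Afnic iis.se"). Name the zonemaster-cli option, add an Appendix with a run as the other BEHAVIOR cases have, and fix "as of not" to "as of now".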

@@ -0,0 +1,41 @@
## BEHAVIOR05: Capable of running the test when the delegation parameters are specified
### Test case identifier
**BEHAVIOR05:** Capable of running the test when the delegation parameters are specified
### Objective
This test is to verify whether the engine is capable of running an undelegated
test
### Inputs
The domain to be tested with NS and IP addresses. It could be either a delegated
or un delegated domain
### Ordered description of steps to be taken to execute the test case
1. A valid domain is verified using Zonemaster CLI with appropriate options as
seen in the appendix
2. If the query dont receive a CRITICAL or ERROR notice, the test returns PASS
### Results
As viewed in the appendix, the engine is capable of testing un delegated
domains.
### Appendix
```
zonemaster-cli iis.se --ns i.ns.se/194.146.106.22 --ns
i.ns.se/2001:67c:1010:5::53 --ns ns.nic.se/212.247.7.228 --ns
ns.nic.se/2a00:801:f0:53::53 --ns ns3.nic.se/212.247.8.152 --ns
ns3.nic.se/2a00:801:f0:211::152 IISIIS
Seconds Level Message
======= ========= =======
6.20 WARNING Nameserver ns3.nic.se has an IP address (212.247.8.152)
without PTR configured.
10.45 NOTICE 192.36.144.107 returned no DS records for iis.se.
11.51 NOTICE SOA 'refresh' value (10800) is less than the recommended one
(14400).
```
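
Review bot: The command in the appendix ends with a stray "IISIIS" token after the last `--ns` argument, and it is wrapped across four lines without continuation characters, so it cannot be pasted and re-run as written. Remove or explain the token, and either keep the command on one line or add backslashes. "un delegated" should be "undelegated" throughout, and "dont" in step 2 should be "does not".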

@@ -0,0 +1,43 @@
## BEHAVIOR06: Timestamps display
### Test case identifier
**BEHAVIOR06:** Timestamps display
### Objective
This test is to verify whether the engine displays timestamps on the test being
run
### Inputs
The domain to be tested.
### Ordered description of steps to be taken to execute the test case
1. A valid domain is verified using Zonemaster CLI with appropriate options as
see in the appendix
2. If the query dont show timestamp in the results, the test returns FAIL
### Results
### Appendix
```
zonemaster-cli --time afnic.fr
Seconds Level Message
======= ========= =======
17.89 NOTICE SOA 'mname' nameserver (dnsmaster.nic.fr) is not listed in
"parent" NS records for tested zone (ns1.nic.fr;ns2.nic.fr;ns3.nic.fr).
17.90 NOTICE SOA 'refresh' value (7200) is less than the recommended one
(14400).
17.90 NOTICE SOA 'retry' value (1800) is less than the recommended one
(3600).
sandoche@eryx:~$ zonemaster-cli afnic.fr
Seconds Level Message
======= ========= =======
8.16 NOTICE SOA 'mname' nameserver (dnsmaster.nic.fr) is not listed in
"parent" NS records for tested zone (ns1.nic.fr;ns2.nic.fr;ns3.nic.fr).
8.16 NOTICE SOA 'refresh' value (7200) is less than the recommended one
(14400).
8.17 NOTICE SOA 'retry' value (1800) is less than the recommended one
(3600).
```
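
Review bot: The "### Results" section is empty, so the file records no verdict for the timestamp test. Fill it in, and note that the two runs in the appendix (with `--time` and without) both print a "Seconds" column, so the appendix as it stands does not show what `--time` changes. The second command also carries a shell prompt ("sandoche@eryx:~$") that exposes a local user and host name; trim it to match the other appendices.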

@@ -0,0 +1,33 @@
## BEHAVIOR07: IDN Verification
### Test case identifier
**BEHAVIOR07:** IDN Verification
### Objective
The objective of this test is to verify the engine verifies IDN domains
### Inputs
The IDN domain to be tested.
### Ordered description of steps to be taken to execute the test case
1. A standard query for an IDN domain is made using the zonemaster CLI
2. If the output from the CLI does not verify the IDN domain as in the case of
normal domain names, then the test fails
### Results
As seen in the appendix, the engine is capable of verifying IDN domains
### Appendix
```
zonemaster-cli café.fr
Seconds Level Message
======= ========= =======
25.67 WARNING All nameservers are in the same AS (16509).
25.67 WARNING All nameservers IPv4 addresses are in the same AS (16509).
25.70 NOTICE 192.5.4.2 returned no DS records for xn--caf-dma.fr.
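
Review bot: The code fence opened under "### Appendix" is not closed in the visible lines, which will swallow whatever follows when the file is rendered; add the closing fence after the last output line. The Results line could also name the evidence it relies on: the output refers to the zone as xn--caf-dma.fr, which shows the CLI converted café.fr to its A-label form before testing.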

@@ -0,0 +1,182 @@
## BEHAVIOR08: Display of verbose information
### Test case identifier
**BEHAVIOR08:** Display of verbose information
### Objective
The objective of this test is to verify whether it is possible to obtain
different levels of information for a zone that is being tested
### Inputs
The domain to be tested.
### Ordered description of steps to be taken to execute the test case
1. A valid domain is verified using Zonemaster CLI with appropriate options as
seen in the appendix. The options --level (CRITICAL, ERROR, WARNING, NOTICE, INFO,
DEBUG, DEBUG2 or DEBUG3) provides different levels of information for the zone being tested
2. If the query doesn't have results with level to the verbose option then the
test return FAIL.
### Results
The engine passes the test as can be verified from the appendix
### Appendix
```
zonemaster-cli --level CRITICAL iis.se
Seconds Level Message
======= ========= =======
Looks OK.
```
```
zonemaster-cli --level INFO iis.se
Seconds Level Message
======= ========= =======
1.86 INFO Nameserver for zone se replies when trying to fetch glue.
1.86 INFO Nameserver for zone se listed these nameservers as glue:
i.ns.se.,ns.nic.se.,ns3.nic.se..
2.34 INFO IPv4 is enabled, can send "NS" query to
i.ns.se/194.146.106.22.
2.35 INFO Nameserver i.ns.se/194.146.106.22 listed these servers as
glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
2.35 INFO IPv6 is enabled, can send "NS" query to
i.ns.se/2001:67c:1010:5::53.
2.37 INFO Nameserver i.ns.se/2001:67c:1010:5::53 listed these servers as
glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
2.37 INFO IPv4 is enabled, can send "NS" query to
ns.nic.se/212.247.7.228.
2.42 INFO Nameserver ns.nic.se/212.247.7.228 listed these servers as
glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
2.42 INFO IPv6 is enabled, can send "NS" query to
ns.nic.se/2a00:801:f0:53::53.
2.46 INFO Nameserver ns.nic.se/2a00:801:f0:53::53 listed these servers
as glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
2.46 INFO IPv4 is enabled, can send "NS" query to
ns3.nic.se/212.247.8.152.
2.50 INFO Nameserver ns3.nic.se/212.247.8.152 listed these servers as
glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
2.50 INFO IPv6 is enabled, can send "NS" query to
ns3.nic.se/2a00:801:f0:211::152.
2.54 INFO Nameserver ns3.nic.se/2a00:801:f0:211::152 listed these
servers as glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
2.54 INFO Functional nameserver found. "A" query for www.iis.se test
aborted.
2.75 INFO All Nameserver addresses are in the routable public addressing
space.
6.84 WARNING Nameserver ns3.nic.se has an IP address (212.247.8.152)
without PTR configured.
8.78 INFO None of the 3 nameserver(s) with IPv6 addresses is part of a
bogon prefix.
8.78 INFO Nameserver i.ns.se/194.146.106.22 accessible over UDP on port
53.
8.81 INFO Nameserver i.ns.se/2001:67c:1010:5::53 accessible over UDP on
port 53.
8.85 INFO Nameserver ns.nic.se/212.247.7.228 accessible over UDP on port
53.
8.89 INFO Nameserver ns.nic.se/2a00:801:f0:53::53 accessible over UDP on
port 53.
8.93 INFO Nameserver ns3.nic.se/212.247.8.152 accessible over UDP on
port 53.
8.93 INFO Nameserver ns3.nic.se/2a00:801:f0:211::152 accessible over UDP
on port 53.
8.94 INFO Nameserver i.ns.se/194.146.106.22 accessible over TCP on port
53.
8.98 INFO Nameserver i.ns.se/2001:67c:1010:5::53 accessible over TCP on
port 53.
9.06 INFO Nameserver ns.nic.se/212.247.7.228 accessible over TCP on port
53.
9.15 INFO Nameserver ns.nic.se/2a00:801:f0:53::53 accessible over TCP on
port 53.
9.23 INFO Nameserver ns3.nic.se/212.247.8.152 accessible over TCP on
port 53.
9.31 INFO Nameserver ns3.nic.se/2a00:801:f0:211::152 accessible over TCP
on port 53.
11.06 INFO Domain's authoritative nameservers do not belong to the same
AS.
11.06 INFO A single SOA serial number was seen (1415096701).
11.06 INFO A single SOA rname value was seen (hostmaster.iis.se.)
11.07 INFO A single SOA time parameter set was seen
(REFRESH=10800,RETRY=3600,EXPIRE=1814400,MINIMUM=14400).
11.08 INFO A unique NS set was seen (i.ns.se.,ns.nic.se.,ns3.nic.se.).
11.12 INFO Found DS records with tags 18937.
11.13 INFO There are both DS and DNSKEY records with key tags 18937.
11.13 INFO DS record with keytag 18937 matches the DNSKEY with the same
tag.
11.13 INFO At least one DS record with a matching DNSKEY record was
found.
11.14 INFO The DNSKEY with tag 18937 uses algorithm number 5/(RSA/SHA1),
which is OK.
11.14 INFO The DNSKEY with tag 52823 uses algorithm number 5/(RSA/SHA1),
which is OK.
11.34 INFO The zone has NSEC records.
11.34 INFO Parent lists enough nameservers
(i.ns.se;ns.nic.se;ns3.nic.se). Lower limit set to 2.
11.34 INFO Child lists enough nameservers (i.ns.se;ns.nic.se;ns3.nic.se).
Lower limit set to 2.
11.35 INFO Parent and child list enough nameservers
(i.ns.se;ns.nic.se;ns3.nic.se). Lower limit set to 2.
11.35 INFO All the IP addresses used by the nameservers are unique
11.35 INFO The smallest possible legal referral packet is smaller than
513 octets (it is 357).
11.36 INFO All the nameservers are authoritative.
11.38 INFO No nameserver point to CNAME alias.
11.38 INFO All the nameservers have SOA record.
11.39 INFO All of the nameserver names are listed both at parent and
child.
11.39 INFO The module Example was disabled by the policy.
11.58 INFO None of the following nameservers is a recursor :
i.ns.se,ns.nic.se,ns3.nic.se.
11.78 INFO The following nameservers support EDNS0 :
ns.nic.se/212.247.7.228,i.ns.se/2001:67c:1010:5::53,ns3.nic.se/212.247.8.152,ns.nic.se/2a00:801:f0:53::53,ns3.nic.se/2a00:801:f0:211::152,i.ns.se/194.146.106.22.
11.78 INFO AXFR not available on nameserver i.ns.se/194.146.106.22.
11.82 INFO AXFR not available on nameserver i.ns.se/2001:67c:1010:5::53.
11.89 INFO AXFR not available on nameserver ns.nic.se/212.247.7.228.
11.97 INFO AXFR not available on nameserver ns.nic.se/2a00:801:f0:53::53.
12.05 INFO AXFR not available on nameserver ns3.nic.se/212.247.8.152.
12.13 INFO AXFR not available on nameserver
ns3.nic.se/2a00:801:f0:211::152.
12.14 INFO All nameservers reply with same IP used to query them.
12.33 INFO The following nameservers answer AAAA queries without problems
:
ns.nic.se/2a00:801:f0:53::53,ns3.nic.se/212.247.8.152,i.ns.se/2001:67c:1010:5::53,ns.nic.se/212.247.7.228,i.ns.se/194.146.106.22,ns3.nic.se/2a00:801:f0:211::152.
12.33 INFO All nameservers succeeded to resolve to an IP address.
12.34 INFO No illegal characters in the domain name (iis.se).
12.34 INFO Both ends of all labels of the domain name (iis.se) have no
hyphens.
12.34 INFO Domain name (iis.se) has no label with a double hyphen ('--')
in position 3 and 4 (with a prefix which is not 'xn--').
12.34 INFO Nameserver (i.ns.se) syntax is valid.
12.34 INFO Nameserver (ns.nic.se) syntax is valid.
12.34 INFO Nameserver (ns3.nic.se) syntax is valid.
12.34 INFO There is no misused '@' character in the SOA RNAME field
(hostmaster.iis.se.).
12.35 INFO The SOA RNAME field (hostmaster@iis.se) is compliant with
RFC2822.
12.35 INFO SOA MNAME (ns.nic.se) syntax is valid.
12.35 INFO Domain name MX (mx1.iis.se) syntax is valid.
12.35 INFO Domain name MX (mx2.iis.se) syntax is valid.
12.42 INFO SOA 'mname' nameserver (ns.nic.se) is authoritative for
'iis.se' zone.
12.42 NOTICE SOA 'refresh' value (10800) is less than the recommended one
(14400).
12.42 INFO SOA 'refresh' value (10800) is higher than the SOA 'retry'
value (3600).
12.43 INFO SOA 'expire' value (1814400) is higher than the minimum
recommended value (604800) and lower than 'refresh' value.
12.43 INFO SOA 'minimum' value (14400) is between the recommended ones
(300/86400).
12.46 INFO SOA 'mname' value (ns.nic.se) refers to a NS which is not an
alias (CNAME).
12.48 INFO SOA 'mname' value (ns.nic.se) refers to a NS which is not an
alias (CNAME).
12.49 INFO Target (MX=mx2.iis.se/MX=mx1.iis.se) found to deliver e-mail
for the domain name.
```
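
Review bot: The appendix exercises only `--level CRITICAL` and `--level INFO`, while step 1 lists eight levels (CRITICAL through DEBUG3), so the Results claim that "the engine passes the test" is supported for two of them. Add runs for the remaining levels or say which levels were sampled. It would also help to state that `--level` appears to act as a minimum severity: the INFO run includes NOTICE and WARNING lines, which a reader could otherwise take for a filtering bug. Step 2 needs rewording ("doesn't have results with level to the verbose option", "the test return FAIL").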

@@ -0,0 +1,54 @@
## BEHAVIOR09: Appropriate error code when the zone is misconfigured
### Test case identifier
**BEHAVIOR09:** Appropriate error code when the zone is misconfigured
### Objective
The objective of this test is to verify that the engine catches the zone
mis-configurations appropriately
### Inputs
The broken domain to be tested.
### Ordered description of steps to be taken to execute the test case
1. A standard query for the domain is made using the zonemaster CLI
2. If the output from the CLI does not catch the expected errors, then the test
returns FAIL
### Results
Even though exhaustive tests are not run, for the tests being run the engine
seems to capture the errors.
### Appendix
```
zonemaster-cli broken.dnssec.ee
Seconds Level Message
======= ========= =======
6.12 WARNING All nameservers are in the same AS (51349).
6.12 WARNING All nameservers IPv4 addresses are in the same AS (51349).
6.23 ERROR DS record with keytag 57307 does not match the DNSKEY with the
same tag.
6.24 ERROR No DS record with a matching DNSKEY record was found.
6.34 ERROR RRSIG with keytag 57307 and covering type(s) DNSKEY has
already expired (expiration is: 1393471638).
6.34 ERROR RRSIG with keytag 48381 and covering type(s) SOA has already
expired (expiration is: 1393882163).
6.41 ERROR Signature for DNSKEY with tag 57307 failed to verify with
error 'Bogus DNSSEC signature'.
6.41 ERROR The apex DNSKEY RRset was not correctly signed.
6.41 ERROR Trying to verify SOA RRset with signature 48381 gave error
'Bogus DNSSEC signature'.
6.41 ERROR No RRSIG correctly signed the SOA RRset.
6.47 ERROR Trying to verify NSEC3 RRset with RRSIG 48381 gave error
'Bogus DNSSEC signature'.
7.33 NOTICE SOA 'refresh' value (10800) is less than the recommended one
(14400).
```
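
Review bot: Step 2 fails the test when the CLI "does not catch the expected errors", but the expected errors for broken.dnssec.ee are never listed, so the verdict cannot be checked against the appendix. List the misconfigurations the zone is meant to carry (the output reports a DS/DNSKEY mismatch for keytag 57307 and expired RRSIGs) and mark which messages satisfy each. The title promises an "error code", yet nothing in the steps or appendix looks at the CLI exit status; either check it or retitle to "error messages".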

@@ -0,0 +1,39 @@
## CONFIGURATION01: The data for a canonical name and its aliases cannot be different
### Test case identifier
**CONFIGURATION01:** The data for a canonical name and its aliases cannot be
different
### Objective
Section 3.6.2 of [RFC 1034](https://datatracker.ietf.org/doc/html/rfc1034)
mentions that if a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases cannot
be different. This rule also insures that a cached CNAME can be used without
checking with an authoritative server for other RR types.
The objective of this test is to verify whether the engine conforms to the
specification described above.
### Inputs
The domain to be tested.
### Ordered description of steps to be taken to execute the test case
1. Configure a live zone, wherein the CNAME record coexist with any other data
```
configuration02-z1.zft-root.rd.nic.fr.
```
2. A standard query for the domain is made
3. If the query dont receive Error response, the test returns with FAIL
### Results
Current DNS softwares does not allow a zone to be loaded wherein a CNAME coexist
with other RR. The only way to emulate this behavior is to use an old DNS
software version or write our own implementation. It has been decided that such
efforts are not necessary at this stage and hence this test is not run.
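
Review bot: Step 1 names configuration02-z1.zft-root.rd.nic.fr. as the zone for a CNAME coexistence test; that is the zone used in CONFIGURATION02 (cyclic dependency) and looks like a copy-paste. Since the Results section says the test is not run, either remove the zone name or replace it with the intended one. "insures" should be "ensures", "dont" should be "does not", and "Current DNS softwares does not allow" should be "Current DNS software does not allow".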

@@ -0,0 +1,111 @@
## CONFIGURATION02: Cyclic Zone Dependency
different
### Test case identifier
**CONFIGURATION02:** Cyclic Zone Dependency
### Objective
A cyclic zone dependency happens when two or more zones DNS service depends on
each other in a circular way. This scenario is possible due to configuration
errors in either or both of the zones; however in some cases it is also possible
when none of the involved zones has any noticeable configuration error. Thus the
combination of two or more correctly configured zones may also result in cyclic
zone dependency.
The objective here is to verify whether the engine identifies such a dependency.
### Inputs
The domain to be tested.
### Ordered description of steps to be taken to execute the test case
1. Configure live zone(s) with cyclic dependencies
```
configuration02-z1.zft-root.rd.nic.fr.
```
2. A standard query for the domain is made
3. If the query dont receive Error response, the test returns with FAIL
### Results
Verifying the zone with zonemaster CLI does not provide any conclusive errors as
you could see from the appendix
### Appendix
```
zonemaster-cli configuration02-z1.zft-root.rd.nic.fr.
Seconds Level Message
======= ========= =======
113.63 NOTICE Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 did not respond to NS
query.
113.64 NOTICE Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 did not respond to NS
query.
119.90 NOTICE Nameserver dns1.configuration02-z1.zft-root.rd.nic.fr has an
IP address (178.33.232.188) with mismatched PTR result
(ns324830.ip-178-33-232.eu.).
119.90 NOTICE Nameserver dns2.configuration02-z1.zft-root.rd.nic.fr has an
IP address (46.105.116.200) with mismatched PTR result
(ns334987.ip-46-105-116.eu.).
119.90 ERROR Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 not accessible over
UDP on port 53.
119.94 ERROR Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 not accessible over
TCP on port 53.
120.45 WARNING All nameservers are in the same AS (16276).
120.45 WARNING All nameservers IPv4 addresses are in the same AS (16276).
120.46 WARNING Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.46 WARNING Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.46 WARNING Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.46 WARNING Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.46 WARNING Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.46 WARNING Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.46 WARNING Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.46 WARNING Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.47 WARNING Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.47 WARNING Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.47 WARNING Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.47 WARNING Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.47 WARNING Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.47 WARNING Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.47 WARNING Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.47 WARNING Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 did not respond.
120.48 NOTICE 176.31.226.223 returned no DS records for
configuration02-z1.zft-root.rd.nic.fr.
120.49 NOTICE IP 178.33.232.188 refers to multiple nameservers
(dns1.configuration02-z1.zft-root.rd.nic.fr;ns1.configuration02-z2.zft-root.rd.nic.fr).
120.49 NOTICE IP 46.105.116.200 refers to multiple nameservers
(dns2.configuration02-z1.zft-root.rd.nic.fr;ns2.configuration02-z2.zft-root.rd.nic.fr).
120.52 WARNING Nameserver dns2.configuration02-z1.zft-root.rd.nic.fr response
is not authoritative on UDP port 53.
120.53 WARNING Nameserver dns2.configuration02-z1.zft-root.rd.nic.fr response
is not authoritative on TCP port 53.
120.53 WARNING Nameserver ns2.configuration02-z2.zft-root.rd.nic.fr response
is not authoritative on UDP port 53.
120.53 WARNING Nameserver ns2.configuration02-z2.zft-root.rd.nic.fr response
is not authoritative on TCP port 53.
150.68 NOTICE Nameserver
dns2.configuration02-z1.zft-root.rd.nic.fr/46.105.116.200 dropped AAAA query.
150.68 NOTICE Nameserver
ns2.configuration02-z2.zft-root.rd.nic.fr/46.105.116.200 dropped AAAA query.
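
Review bot: Line 2 of the file is a stray "different" left over from the CONFIGURATION01 heading; delete it. The Results section says the run gives no "conclusive errors", which by step 3 means FAIL for cyclic-dependency detection, and that verdict should be stated outright rather than left to the reader. The appendix fence is not closed in the visible lines, and "dont" in step 3 should be "does not".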

@@ -0,0 +1,59 @@
## CONFIGURATION03: Lame Delegation
### Test case identifier
**CONFIGURATION03:** Lame delegation
### Objective
Lame delegation errors happen when a name server that is registered in the DNS
system as authoritative for a zone does not provide authoritative answers for
the zone.
### Inputs
The domain to be tested.
### Inputs
The domain to be tested.
### Ordered description of steps to be taken to execute the test case
1. Configure live zone(s) with lame delegation
```
zft-sandoche.rd.nic.fr
```
2. A standard query for the domain is made
3. If the query dont receive Error response, the test returns with FAIL
### Results
Verifying the zone with zonemaster CLI does provide conclusive errors as
you could see from the appendix
### Appendix
```
zonemaster-cli zft-sandoche.rd.nic.fr
Seconds Level Message
======= ========= =======
10.18 NOTICE Nameserver ns2.rd.nic.fr has an IP address (192.134.4.81) with
mismatched PTR result (lea.rd.nic.fr.).
10.18 NOTICE Nameserver ns2.rd.nic.fr has an IP address
(2001:67c:2218:3::1:7) with mismatched PTR result (dalila.rd.nic.fr.).
12.12 WARNING All nameservers IPv6 addresses are in the same AS (2485).
12.15 NOTICE 192.134.4.81 returned no DS records for
zft-sandoche.rd.nic.fr.
12.16 WARNING Nameserver ns2.rd.nic.fr response is not authoritative on UDP
port 53.
12.16 WARNING Nameserver ns2.rd.nic.fr response is not authoritative on TCP
port 53.
12.17 ERROR A SOA query NOERROR response from ns2.rd.nic.fr was received
empty.
12.91 NOTICE SOA 'refresh' value (3600) is less than the recommended one
(14400).
12.92 NOTICE SOA 'retry' value (1800) is less than the recommended one
(3600).
13.56 NOTICE No target (MX, A or AAAA record) to deliver e-mail for the
domain name.
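
Review bot: The "### Inputs" section appears twice in a row with identical text; drop the second copy. The appendix fence is also left open in the visible lines. In Results, name the messages that show the lame delegation (the "response is not authoritative" WARNINGs for ns2.rd.nic.fr and the ERROR for the empty SOA NOERROR response) instead of "conclusive errors".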

@@ -0,0 +1,59 @@
## CONFIGURATION04: Delegation Inconsistency - Name Server Records
### Test case identifier
**CONFIGURATION04:** Delegation Inconsistency - Name Server Records
### Objective
When a parent zone 'P' delegates part of its namespace to a child 'C', P stores
the list of NS records for the authoritative servers of zone 'C'. This list of
NS records are kept both at the parent 'P' and the child zone 'C'.
Delegation inconsistency occurs when changes at the 'C' are not reflected to the NS RRs
at 'P'.
### Inputs
The domain to be tested.
### Ordered description of steps to be taken to execute the test case
1. Configure a live zone with inconsistency in name server records between parent
and child.
```
configuration04-1.zft-root.rd.nic.fr
```
2. The engine should return FAIL at least once for the configuration defined. If it
returns PASS for all the tests then the engine does not capture delegation
inconsistency in name server records.
### Results
Verifying the zone with zonemaster CLI does provide conclusive errors as
you could see from the appendix
### Appendix
Seconds |Level |Message
:--------|:---------|-----------------------------------------------------------------------------------------------
20.36 |ERROR |Nameserver ns2.rd.nic.fr/192.134.4.81 did not return NS records. RCODE was NOERROR|
20.36 |ERROR |Nameserver ns2.rd.nic.fr/2001:67c:2218:3::1:7 did not return NS records. RCODE was NOERROR|
30.39 |NOTICE |Nameserver ns334987.ip-46-105-116.eu/46.105.116.200 did not respond to NS query |
31.23 |ERROR |Nameserver ns334987.ip-46-105-116.eu/46.105.116.200 not accessible over UDP on port 53|
31.28 |ERROR |Nameserver ns334987.ip-46-105-116.eu/46.105.116.200 not accessible over TCP on port 53|
32.37 |WARNING |All nameservers IPv6 addresses are in the same AS (2485)|
32.38 |WARNING |Nameserver ns334987.ip-46-105-116.eu/46.105.116.200 did not respond|
32.38 |WARNING |Nameserver ns334987.ip-46-105-116.eu/46.105.116.200 did not respond|
32.38 |WARNING |Nameserver ns334987.ip-46-105-116.eu/46.105.116.200 did not respond|
32.38 |WARNING |Nameserver ns334987.ip-46-105-116.eu/46.105.116.200 did not respond|
32.39 |NOTICE |176.31.226.223 returned no DS records for configuration04-1.zft-root.rd.nic.fr|
32.40 |WARNING |Nameserver ns2.rd.nic.fr response is not authoritative on UDP port 53|
32.40 |WARNING |Nameserver ns2.rd.nic.fr response is not authoritative on TCP port 53|
32.40 |WARNING |Nameserver ns334987.ip-46-105-116.eu response is not authoritative on UDP port 53|
32.40 |WARNING |Nameserver ns334987.ip-46-105-116.eu response is not authoritative on TCP port 53|
32.40 |ERROR |A SOA query NOERROR response from ns2.rd.nic.fr was received empty|
32.40 |ERROR |Parent has nameserver(s) not listed at the child (ns2.rd.nic.fr;ns324830.ip-178-33-232.eu;ns334987.ip-46-105-116.eu)|
32.40 |ERROR |None of the nameservers listed at the parent are listed at the child|
62.52 |NOTICE |Nameserver ns334987.ip-46-105-116.eu/46.105.116.200 dropped AAAA query|
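
Review bot: The appendix gives the output as a table without the zonemaster-cli command that produced it, unlike the fenced CLI transcripts in the other test cases, so the run cannot be reproduced from this file. Add the command line (step 1 names configuration04-1.zft-root.rd.nic.fr) and use one output format across the test cases. The data rows end with a trailing "|" that the header and separator rows lack, and the ordered steps skip the step that actually issues the query.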

@@ -0,0 +1,17 @@
## RESTRICTION01: Label length
### Test case identifier
**RESTRICTION01:** Label length
### Objective
In DNS, domain names are expressed in terms of a sequence of labels. Section
2.3.1 of [RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035) mentions that the
label must be 63 characters or less.
The objective for this test is verify whether the engine conforms to the
specification described in the previous paragraph.
### Results
Since it is not possible to fit in more than 63 octets in a DNS label
, it is impossible to run this test.
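
Review bot: The Results rationale ("not possible to fit in more than 63 octets in a DNS label") is about the wire format, but the other test cases here feed a textual name to zonemaster-cli, and nothing in this file says what the CLI does with a label typed longer than 63 characters. Document that input-handling behaviour or state explicitly that it is out of scope. "The objective for this test is verify" is missing "to", and the comma in the Results sentence has drifted onto the next line.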

@@ -0,0 +1,17 @@
## RESTRICTION02: Domain name length
### Test case identifier
**RESTRICTION02:** Domain name length
### Objective
Section 3.1 of [RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035) mentions that the
the total length of a domain name (i.e., label octets and label length octets)
is restricted to 255 octets or less.
The objective for this test is verify whether the engine conforms to the
specification described in the previous paragraph
### Results
Since it is not possible to fit in more than 255 octets in a DNS
packet, this test is not run.
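
Review bot: The Results sentence says "255 octets in a DNS packet", but the Objective is about the length of a domain name; a DNS message can be larger than 255 octets (the BEHAVIOR08 output on this page reports a 357-octet referral packet). Change "packet" to "domain name". The Objective also has a doubled "the the", and "is verify" should be "is to verify".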

@@ -0,0 +1,24 @@
## RESTRICTION03: Character set restriction for label
### Test case identifier
**RESTRICTION03:** Character set restriction for label
### Objective
Even though section 11 of [RFC 2181](https://datatracker.ietf.org/doc/html/rfc2181) mentions
that any binary string could be part of a label, many of the registries will
not permit special symbols in the label. This is an habit pursued by the
registries based on section 2.1 of the [RFC 1123](https://datatracker.ietf.org/doc/html/rfc1123),
i.e. following the LDH (Letters, Digits and Hyphen) format. Even for the
IDNs [RFC 5892](https://datatracker.ietf.org/doc/html/rfc5892) limits to the LDH
format.
The objective for this test is verify whether the engine identifies the
domain names which is not in the LDH format.
### Result
The engine does not capture the restriction for LDH and the explanation is
provided here : https://github.com/zonemaster/zonemaster/issues/153
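
Review bot: The heading is "### Result" where the other test cases use "### Results", and the section reports a known gap (the engine does not capture the LDH restriction) only by linking to issue 153. State the verdict in the file and summarise the issue in a sentence so the document stays useful if the link moves. In the Objective, "This is an habit" should be "a habit", "is verify" should be "is to verify", and "domain names which is" should be "domain names which are".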