feat: add full Zonemaster stack with Docker and Spanish UI

- Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI)
- Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend
- Dockerfile.gui: Astro static build served via nginx
- docker-compose.yml: backend (internal) + frontend (port 5353)
- nginx.conf: root redirects to /es/, /api/ proxied to backend
- zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 08:19:24 +02:00
commit 8d4eaa1489
1567 changed files with 204155 additions and 0 deletions

@@ -0,0 +1,8 @@
# Specification of test scenarios for Address-TP
Test scenario specifications are available for:
* Address01 *not yet available*
* Address02 *not yet available*
* [Address03](address03.md)
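Review bot: The Address01 bullet is still marked *not yet available*, but this same commit adds a file titled "Specification of test scenarios for ADDRESS01". Link that specification from the bullet the same way Address03 is linked, or leave the ADDRESS01 specification out of the commit if it is not meant to be published yet.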

@@ -0,0 +1,216 @@
# Specification of test scenarios for ADDRESS01
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
## Background
See the [test zone README file].
## Test Case
This document specifies defined test scenarios for test case [ADDRESS01].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [ADDRESS01] is run on a test zone.
The message tags are defined in the test case ([ADDRESS01]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`address01.xa`) and that subdomain having the same name as the
scenario. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## All tags
The test case can output any of these message tags, but not necessarily in any combination.
- A01_ADDR_NOT_GLOBALLY_REACHABLE
- A01_DOCUMENTATION_ADDR
- A01_GLOBALLY_REACHABLE_ADDR
- A01_LOCAL_USE_ADDR
- A01_NO_GLOBALLY_REACHABLE_ADDR
- A01_NO_NAME_SERVERS_FOUND
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
| Scenario name | Mandatory message tag | Forbidden message tags |
|:--------------------|:------------------------------------------------------------------------------------------------------------|:-----------------------|
| GOOD-1 | A01_GLOBALLY_REACHABLE_ADDR | 2) |
| MIXED-LOCAL-DOC-1 | A01_LOCAL_USE_ADDR, A01_DOCUMENTATION_ADDR, A01_GLOBALLY_REACHABLE_ADDR | 2) |
| MIXED-LOCAL-DOC-2 | A01_LOCAL_USE_ADDR, A01_DOCUMENTATION_ADDR, A01_GLOBALLY_REACHABLE_ADDR | 2) |
| MIXED-LOCAL-OTHER-1 | A01_LOCAL_USE_ADDR, A01_ADDR_NOT_GLOBALLY_REACHABLE, A01_GLOBALLY_REACHABLE_ADDR | 2) |
| MIXED-LOCAL-OTHER-2 | A01_LOCAL_USE_ADDR, A01_ADDR_NOT_GLOBALLY_REACHABLE, A01_GLOBALLY_REACHABLE_ADDR | 2) |
| MIXED-DOC-OTHER-1 | A01_DOCUMENTATION_ADDR, A01_ADDR_NOT_GLOBALLY_REACHABLE, A01_GLOBALLY_REACHABLE_ADDR | 2) |
| MIXED-DOC-OTHER-2 | A01_DOCUMENTATION_ADDR, A01_ADDR_NOT_GLOBALLY_REACHABLE, A01_GLOBALLY_REACHABLE_ADDR | 2) |
| MIXED-ALL-1 | A01_ADDR_NOT_GLOBALLY_REACHABLE, A01_DOCUMENTATION_ADDR, A01_LOCAL_USE_ADDR, A01_GLOBALLY_REACHABLE_ADDR | 2) |
| MIXED-ALL-2 | A01_ADDR_NOT_GLOBALLY_REACHABLE, A01_DOCUMENTATION_ADDR, A01_LOCAL_USE_ADDR, A01_GLOBALLY_REACHABLE_ADDR | 2) |
| ALL-NON-REACHABLE | A01_ADDR_NOT_GLOBALLY_REACHABLE, A01_LOCAL_USE_ADDR, A01_DOCUMENTATION_ADDR, A01_NO_GLOBALLY_REACHABLE_ADDR | 2) |
| NO_NAME_SERVERS | A01_NO_NAME_SERVERS_FOUND | 2) |
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Zone setup for test scenarios
Assumptions for the scenario specifications unless otherwise specified for
the specific scenario:
* The child zone is `SCENARIO.address01.xa`.
* There is no zone file or zone data for the child zone.
* For each scenario zone there are two NS records (ns\[1-2]).
* All NS are in-bailiwick
* All NS have both IPv4 and IPv6 addresses
* All required glue are present in the delegation.
* EDNS, version 0, is included in all responses on queries with EDNS.
* EDNS is not included in responses on queries without EDNS.
| Address designation | Meaning |
|:-----------------------|:------------------------------------------------------------------------------------------------------|
| OK | Globally routable, public IPv4 address or global IPv6 address (not from any special purpose registry) |
| OK_SPECIAL | Globally routable IPv4 or IPv6 address from one of the special purpose registries |
| LOCAL_USE_ADDR | Address part of range used for private networks (loopback, RFC1918, Provider shared, etc.) |
| DOCUMENTATION_ADDR | Address part of range used for documentation purposes |
| NOT_GLOBALLY_REACHABLE | Address part of any other range listed as not globally reachable |
Designations are based on the address block ranges from the
[Special purpose IPv4 addresses] and [Special purpose IPv6 addresses] registries.
### GOOD-1
The "happy path". Everything is fine.
* Zone: good-1.address01.xa
* ns1
* IPv4 address OK
* IPv6 address OK
* ns2
* IPv4 address OK_SPECIAL
* IPv6 address OK_SPECIAL
### MIXED-LOCAL-DOC-1
* Zone: mixed-local-doc-1.address01.xa
* ns1
* IPv4 address LOCAL_USE_ADDR
* IPv6 address OK
* ns2
* IPv4 address OK
* IPv6 address DOCUMENTATION_ADDR
### MIXED-LOCAL-DOC-2
* Zone: mixed-local-doc-2.address01.xa
* ns1
* IPv4 address DOCUMENTATION_ADDR
* IPv6 address OK
* ns2
* IPv4 address OK
* IPv6 address LOCAL_USE_ADDR
### MIXED-DOC-OTHER-1
* Zone: mixed-doc-other-1.address01.xa
* ns1
* IPv4 address DOCUMENTATION_ADDR
* IPv6 address OK
* ns2
* IPv4 address OK
* IPv6 address NOT_GLOBALLY_REACHABLE
### MIXED-DOC-OTHER-2
* Zone: mixed-doc-other-2.address01.xa
* ns1
* IPv4 address NOT_GLOBALLY_REACHABLE
* IPv6 address OK
* ns2
* IPv4 address OK
* IPv6 address DOCUMENTATION_ADDR
### MIXED-LOCAL-OTHER-1
* Zone: mixed-local-other-1.address01.xa
* ns1
* IPv4 address LOCAL_USE_ADDR
* IPv6 address OK
* ns2
* IPv4 address OK
* IPv6 address NOT_GLOBALLY_REACHABLE
### MIXED-LOCAL-OTHER-2
* Zone: mixed-local-other-2.address01.xa
* ns1
* IPv4 address NOT_GLOBALLY_REACHABLE
* IPv6 address OK
* ns2
* IPv4 address OK
* IPv6 address LOCAL_USE_ADDR
### MIXED-ALL-1
* Zone: mixed-all-1.address01.xa
* ns1
* IPv4 address LOCAL_USE_ADDR
* IPv6 address OK
* ns2
* IPv4 address DOCUMENTATION_ADDR
* IPv6 address NOT_GLOBALLY_REACHABLE
### MIXED-ALL-2
* Zone: mixed-all-2.address01.xa
* ns1
* IPv4 address NOT_GLOBALLY_REACHABLE
* IPv6 address LOCAL_USE_ADDR
* ns2
* IPv4 address OK
* IPv6 address DOCUMENTATION_ADDR
### ALL-NON-REACHABLE
All addresses of all nameservers falls within one of the address blocks listed
as not globally reachable. Delegation contains three name servers to cover all
combinations of defined address block types.
* Zone: all-non-reachable.address01.xa
* ns1
* IPv4 address LOCAL_USE_ADDR
* IPv6 address NOT_GLOBALLY_REACHABLE
* ns2
* IPv4 address DOCUMENTATION_ADDR
* IPv6 address LOCAL_USE_ADDR
+ ns3
* IPv4 address NOT_GLOBALLY_REACHABLE
* IPv6 address DOCUMENTATION_ADDR
### NO_NAME_SERVERS
No delegation for the zone and the zone does not exist.
* Zone: no-name-servers.address01.xa
* No delegation
* No zone
[ADDRESS01]: ../../tests/Address-TP/address01.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Special purpose IPv4 addresses]: https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xml
[Special purpose IPv6 addresses]: https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml
[Test zone README file]: ../README.md
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
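Review bot: In ALL-NON-REACHABLE the third name server is introduced with `+ ns3` while every other entry in the file uses `*`. A different bullet marker starts a separate list in Markdown, so ns3 will not render as a sibling of ns1 and ns2; use `* ns3`. Smaller points in the same file: the table of contents has no entry for the "All tags" section, the `[RCODE Name]` link reference is defined but never used, and the scenario sections list MIXED-DOC-OTHER before MIXED-LOCAL-OTHER while the table has them the other way round.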

@@ -0,0 +1,249 @@
# Specification of Test Scenarios for Address03
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [Address03].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [Address03] is run on a test zone.
The message tags are defined in the test case ([Address03]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`address03.xa`) and that subdomain having the same name as
the scenario. The names of those zones are given in section "[Test scenarios
and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [Address03] for the specification of the tags.
* NAMESERVER_IP_PTR_MATCH
* NAMESERVER_IP_PTR_MISMATCH
* NAMESERVER_IP_WITHOUT_REVERSE
* NO_RESPONSE_PTR_QUERY
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
| Scenario name | Mandatory message tags | Forbidden message tags |
|:---------------------------|:------------------------------|:----------------------------------------------------|
| ALL-NS-HAVE-PTR-1 | NAMESERVER_IP_PTR_MATCH | 2) |
| ALL-NS-HAVE-PTR-2 | NAMESERVER_IP_PTR_MATCH | 2) |
| NO-NS-HAVE-PTR | NAMESERVER_IP_WITHOUT_REVERSE | 2) |
| INCOMPLETE-PTR-1 | NAMESERVER_IP_WITHOUT_REVERSE | 2) |
| INCOMPLETE-PTR-2 | NAMESERVER_IP_WITHOUT_REVERSE | 2) |
| NON-MATCHING-NAMES | NAMESERVER_IP_PTR_MISMATCH | 2) |
| PTR-IS-GOOD-CNAME-1 | NAMESERVER_IP_PTR_MATCH | 2) |
| PTR-IS-GOOD-CNAME-2 | NAMESERVER_IP_PTR_MATCH | 2) |
| PTR-IS-DANGLING-CNAME | NAMESERVER_IP_WITHOUT_REVERSE | 2) |
| PTR-IS-ILLEGAL-CNAME | NAMESERVER_IP_WITHOUT_REVERSE | NAMESERVER_IP_PTR_MATCH, NAMESERVER_IP_PTR_MISMATCH |
| PTR-RESOLUTION-NO-RESPONSE | NO_RESPONSE_PTR_QUERY | NAMESERVER_IP_PTR_MATCH, NAMESERVER_IP_PTR_MISMATCH |
| PTR-RESOLUTION-SERVFAIL | NO_RESPONSE_PTR_QUERY | NAMESERVER_IP_PTR_MATCH, NAMESERVER_IP_PTR_MISMATCH |
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
for the scenario will follow the default setup as stated below. The `child zone`
is the zone to be tested for the scenario.
* The child zone is `SCENARIO.address03.xa`.
* There is a zone file for the child zone.
* The child zone is delegated to two out-of-bailiwick name servers.
* Both name servers have the same content.
* The authoritative name servers for the zone all have an IPv4 and an IPv6
address, and the reverse zones contain a single PTR resource record
matching their names for all of their addresses.
* The NS record set in the child zone is consistent with the parent zones
delegation.
* The parent zone is `address03.xa`.
* It is served by two in-bailiwick NS (ns1.address03.xa and
ns2.address03.xa).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue in the delegation of the parent
zone.
* The records matching glue in the zone are identical to the glue records.
* All authoritative name servers for the scenarios child zones have names
matching ns\<NUMBER\>.child.address03.xa. These name serverss names are
abbreviated by leaving out address03.xa from their names.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
### ALL-NS-HAVE-PTR-1
A happy path: a zone whose name server IP addresses have single and correct
PTR records.
* Zone: all-ns-have-ptr-1.address03.xa
* Delegated to: ns1.child and ns2.child.
### ALL-NS-HAVE-PTR-2
Another happy path: like ALL-NS-HAVE-PTR-1, but for one of the name servers,
both its IPv4 and IPv6 addresses have multiple PTR records. In each PTR
resource record set, one of the PTR records matches the name servers name.
* Zone: all-ns-have-ptr-2.address03.xa
* Delegated to: ns1.child and ns3.child.
* ns3.childs IP addresses have multiple PTR records, among which one points
to ns3.child.
### NO-NS-HAVE-PTR
None of the name servers IP addresses have PTR records at all. For one of
them, NODATA is returned on PTR query; for the other, NXDOMAIN is returned.
* Zone: no-ns-have-ptr.address03.xa
* Delegated to: ns4.child and ns5.child.
* ns4.childs IP addresses have no PTR records; the reverse zone is
configured to provoke NODATA responses on PTR queries by making the
expected node an empty non-terminal.
* ns5.childs IP addresses have no PTR records; the reverse zone is
configured to provoke NXDOMAIN responses on PTR queries.
### INCOMPLETE-PTR-1
For one of the name servers, the PTR record is missing for its IPv4 address.
* Zone: incomplete-ptr-1.address03.xa
* Delegated to: ns1.child and ns6.child.
* ns6.childs IPv4 address has no PTR record, but its IPv6 address does.
### INCOMPLETE-PTR-2
For one of the name servers, the PTR record is missing for its IPv6 address.
* Zone: incomplete-ptr-2.address03.xa
* Delegated to: ns1.child and ns7.child.
* ns7.childs IPv4 address has a PTR record, but its IPv6 address does not.
### NON-MATCHING-NAMES
Both name servers IP addresses have one or more PTR records, but none
matching the name server name.
* Zone: non-matching-names.address03.xa
* Delegated to: ns8.child and ns9.child.
* ns8.childs IP addresses have a single PTR record, but its hostname in
RDATA is different from the name servers name.
* ns9.childs IP addresses have more than one PTR record, and each of them
has a hostname in RDATA different from the name servers name.
### PTR-IS-GOOD-CNAME-1
The reverse name of one of the name servers IP address has an alias (CNAME)
whose target, with a PTR record, is in the same reverse zone.
* Zone: ptr-is-good-cname-1.address03.xa
* Delegated to: ns1.child and ns10.child.
* ns10.childs IP addresses have reverse names that are aliased (CNAME) to
another name in the same zone. In other words, resolving the PTR resource
records for their IP addresses returns a CNAME resource record and the PTR
record after walking the CNAME chain.
### PTR-IS-GOOD-CNAME-2
The reverse name of one of the name servers IP address has an alias (CNAME)
whose target, with a PTR record, is in a different zone.
* Zone: ptr-is-good-cname-2.address03.xa
* Delegated to: ns1.child and ns11.child.
* ns11.childs IP addresses have reverse names that are aliased (CNAME) to
another name in a different zone. In other words, resolving the PTR
resource records for their IP addresses returns only a CNAME resource
record, and another query for the name at the target of the CNAME resource
record is needed.
### PTR-IS-DANGLING-CNAME
The reverse name of one of the name servers IP address has an alias (CNAME)
whose target does not exist.
* Zone: ptr-is-dangling-cname.address03.xa
* Delegated to: ns5.child and ns12.child.
* ns5.child is configured as described in the NO-NS-HAVE-PTR scenario.
* ns12.childs IP addresses have reverse names that are aliased to a
nonexistent node. In other words, there is a CNAME pointing to a node
that does not exist.
### PTR-IS-ILLEGAL-CNAME
One of the name servers has IP addresses whose reverse names contain more than
one CNAME resource record.
* Zone: ptr-is-illegal-cname.address03.xa
* Delegated to: ns4.child and ns13.child.
* ns4.child is configured as described in the NO-NS-HAVE-PTR scenario.
* ns13.childs IP addresses have reverse names that give two CNAME
resource records.
Whether or not NO_RESPONSE_PTR_QUERY is allowed to be outputted is
intentionally left unspecified.
### PTR-RESOLUTION-NO-RESPONSE
One of the name servers has IP addresses whose reverse names fail to resolve
because the authoritative name server for the reverse zone does not respond.
One of the name servers IP addresses fail to resolve to PTR records because
an attempt at querying corresponding node in the `in-addr.arpa` or `ip6.arpa`
subtrees returns no response.
* Zone: ptr-resolution-no-response.address03.xa
* Delegated to: ns1.child and ns14.child.
* Querying the PTR records for ns14.childs IP addresses return no response.
Whether or not NAMESERVER_IP_WITHOUT_REVERSE is allowed to be outputted is
intentionally left unspecified.
### PTR-RESOLUTION-SERVFAIL
One of the name servers has IP addresses whose reverse names fail to resolve
because the authoritative name server for the reverse zone gives a response
whose [RCODE Name] is neither "NoError" nor "NXDomain".
* Zone: ptr-resolution-no-response.address03.xa
* Delegated to: ns1.child and ns15.child.
* Querying the PTR records for ns15.childs IP addresses return a "ServFail"
response.
Whether or not NAMESERVER_IP_WITHOUT_REVERSE is allowed to be outputted is
intentionally left unspecified.
[ADDRESS03]: ../../tests/Address-TP/address03.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
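Review bot: PTR-RESOLUTION-SERVFAIL gives its zone as `ptr-resolution-no-response.address03.xa`, which is the zone of the preceding scenario and contradicts the rule in "Test zone names" that each subdomain has the same name as its scenario. It should read `ptr-resolution-servfail.address03.xa`; as written, two scenarios with different delegations (ns14.child and ns15.child) claim the same zone. PTR-RESOLUTION-NO-RESPONSE also describes the same condition in two consecutive paragraphs, so one of them can go. Possessive apostrophes are missing throughout ("name servers name", "ns3.childs", "name serverss names").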

@@ -0,0 +1,7 @@
# Specification of test scenarios for Basic-TP
Test scenario specifications are available for:
* [Basic01](basic01.md)
* [Basic02](basic02.md)
* Basic03 *not yet available*

@@ -0,0 +1,502 @@
# Specification of test zones for Basic01
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [Basic01].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [Basic01] is run on a test zone.
The message tags are defined in the test case ([Basic01]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain (or lower
zone) delegated from the base name (`basic01.xa`) and that subdomain having the
same name as the scenario. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## All tags
The test case can output any of these message tags, but not necessarily in any combination.
* B01_CHILD_FOUND
* B01_CHILD_IS_ALIAS
* B01_INCONSISTENT_ALIAS
* B01_INCONSISTENT_DELEGATION
* B01_NO_CHILD
* B01_PARENT_DISREGARDED
* B01_PARENT_FOUND
* B01_PARENT_NOT_FOUND
* B01_PARENT_UNDETERMINED
* B01_ROOT_HAS_NO_PARENT
* B01_SERVER_ZONE_ERROR
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:-------------------------|:----------------------------------------------------------------------------------|:----------------------
GOOD-1 | B01_CHILD_FOUND, B01_PARENT_FOUND | 2)
GOOD-MIXED-1 | B01_CHILD_FOUND, B01_PARENT_FOUND | 2)
GOOD-MIXED-2 | B01_CHILD_FOUND, B01_PARENT_FOUND | 2)
GOOD-PARENT-HOST-1 | B01_CHILD_FOUND, B01_PARENT_FOUND | 2)
GOOD-GRANDPARENT-HOST-1 | B01_CHILD_FOUND, B01_PARENT_FOUND | 2)
GOOD-UNDEL-1 | B01_CHILD_FOUND, B01_PARENT_DISREGARDED | 2)
GOOD-MIXED-UNDEL-1 | B01_CHILD_FOUND, B01_PARENT_DISREGARDED | 2)
GOOD-MIXED-UNDEL-2 | B01_CHILD_FOUND, B01_PARENT_DISREGARDED | 2)
NO-DEL-UNDEL-1 | B01_CHILD_FOUND, B01_PARENT_DISREGARDED | 2)
NO-DEL-MIXED-UNDEL-1 | B01_CHILD_FOUND, B01_PARENT_DISREGARDED | 2)
NO-DEL-MIXED-UNDEL-2 | B01_CHILD_FOUND, B01_PARENT_DISREGARDED | 2)
NO-CHILD-1 | B01_NO_CHILD, B01_PARENT_FOUND | 2)
NO-CHILD-2 | B01_NO_CHILD, B01_PARENT_FOUND | 2)
NO-CHLD-PAR-UNDETER-1 | B01_NO_CHILD, B01_PARENT_FOUND, B01_PARENT_UNDETERMINED | 2)
CHLD-FOUND-PAR-UNDET-1 | B01_CHILD_FOUND, B01_PARENT_FOUND, B01_PARENT_UNDETERMINED | 2)
CHLD-FOUND-INCONSIST-1 | B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND | 2)
CHLD-FOUND-INCONSIST-2 | B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND | 2)
CHLD-FOUND-INCONSIST-3 | B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND | 2)
CHLD-FOUND-INCONSIST-4 | B01_CHILD_IS_ALIAS, B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND| 2)
CHLD-FOUND-INCONSIST-5 | B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND | 2)
CHLD-FOUND-INCONSIST-6 | B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND | 2)
CHLD-FOUND-INCONSIST-7 | B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND | 2)
CHLD-FOUND-INCONSIST-8 | B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND | 2)
CHLD-FOUND-INCONSIST-9 | B01_CHILD_IS_ALIAS, B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND| 2)
CHLD-FOUND-INCONSIST-10 | B01_CHILD_FOUND, B01_INCONSISTENT_DELEGATION, B01_PARENT_FOUND | 2)
NO-DEL-UNDEL-NO-PAR-1 | B01_CHILD_FOUND, B01_PARENT_DISREGARDED | 2)
NO-DEL-UNDEL-PAR-UND-1 | B01_CHILD_FOUND, B01_PARENT_DISREGARDED | 2)
NO-CHLD-NO-PAR-1 | B01_NO_CHILD, B01_PARENT_NOT_FOUND, B01_SERVER_ZONE_ERROR | 2)
CHILD-ALIAS-1 | B01_CHILD_IS_ALIAS, B01_NO_CHILD, B01_PARENT_FOUND | 2)
CHILD-ALIAS-2 | B01_CHILD_IS_ALIAS, B01_NO_CHILD, B01_INCONSISTENT_ALIAS, B01_PARENT_FOUND | 2)
ZONE-ERR-GRANDPARENT-1 | B01_CHILD_FOUND, B01_PARENT_FOUND, B01_SERVER_ZONE_ERROR | 2)
ZONE-ERR-GRANDPARENT-2 | B01_CHILD_FOUND, B01_PARENT_FOUND, B01_SERVER_ZONE_ERROR | 2)
ZONE-ERR-GRANDPARENT-3 | B01_CHILD_FOUND, B01_PARENT_FOUND, B01_SERVER_ZONE_ERROR | 2)
ROOT-ZONE | B01_CHILD_FOUND, B01_ROOT_HAS_NO_PARENT | 2)
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Zone setup for test scenarios
Assumptions for the scenario specifications unless otherwise specified for
the specific scenario:
* The child zone is `child.parent.SCENARIO.basic01.xa`.
* It is delegated to two name servers, `ns1-delegated-child.basic01.xa`
and `ns2-delegated-child.basic01.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* There is no zone file or zone data for the child zone.
* If there is an undelegated "version" of the child zone, it is
referred to `ns3-undelegated-child.basic01.xa` and
`ns4-undelegated-child.basic01.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* There is no zone file or zone data for the undelegated "version".
* The parent zone is `parent.SCENARIO.basic01.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* The delegation from the grand parent has the same NS with complete glue.
* The grandparent zone is `SCENARIO.basic01.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* The delegation from the SCENARIO zone has the same NS with complete glue.
* Responds with a A record for the zone on query for A.
* Responds with a AAAA record for the zone on query for AAAA.
* All responses are authoritative with [RCODE Name] "NoError"
* EDNS, version 0, is included in all responses on queries with EDNS.
* EDNS is not included in responses on queries without EDNS.
* Standard test zone root is used.
* In all cases, delegation and zone are consistent.
* Same NS.
* Any required glue matches address records in zone.
* No extra address records for the NS names.
### GOOD-1
A "happy path". Everything is fine.
* Zone: child.parent.good-1.basic01.xa
### GOOD-MIXED-1
One grandparent server also serves parent zone.
* Zone: child.parent.good-mixed-1.basic01.xa
* Parent zone `parent.good-mixed-1.basic01.xa` is served by `ns1`, `ns2` and on
`ns4.good-mixed-1.basic01.xa`.
* Grandparent zone `good-mixed-1.basic01.xa` is served on `ns1` and `ns4`.
### GOOD-MIXED-2
One parent server also hosts the child zone.
* Zone: child.parent.good-mixed-2.basic01.xa
* Child zone is served by `ns1`, `ns2` and
`ns4.parent.good-mixed-2.basic01.xa`.
* Child zone exists.
* There is a zone file for the child zone, and that is loaded on the child
zone name servers.
* Parent zone `parent.good-mixed-2.basic01.xa` is served by `ns1` and `ns4`.
### GOOD-PARENT-HOST-1
The child is hosted on parent servers only.
* Zone: child.parent.good-parent-host-1.basic01.xa
* Child zone is served by `ns1.parent.good-parent-host-1.basic01.xa` and
`ns2.parent.good-parent-host-1.basic01.xa`.
* There is a zone file for the child zone.
### GOOD-GRANDPARENT-HOST-1
The child is hosted on grandparent servers only.
* Zone: child.parent.good-grandparent-host-1.basic01.xa
* Child zone is served by `ns1.good-grandparent-host-1.basic01.xa` and
`ns2.good-grandparent-host-1.basic01.xa`.
* There is a zone file for the child zone.
### GOOD-UNDEL-1
The child zone is delegated, but there is also an undelegated version which is
the one tested.
* Zone: child.parent.good-undel-1.basic01.xa
* Child zone is delegated, but there is also an undelegated version.
* There are no zone files for child (delegated or undelegated).
* Undelegated data:
* ns3-undelegated-child.basic01.xa
* ns4-undelegated-child.basic01.xa
### GOOD-MIXED-UNDEL-1
The child zone is delegated, but there is also an undelegated version which is
the one tested. One grandparent server, in the delegated tree, also serves
parent zone.
* Zone: child.parent.good-mixed-undel-1.basic01.xa
* Parent zone `parent.good-mixed-undel-1.basic01.xa` is served by `ns1`, `ns2` and on
`ns4.good-mixed-undel-1.basic01.xa`.
* Grandparent zone `good-mixed-undel-1.basic01.xa` is served on `ns1` and `ns4`.
* Child zone is delegated, but there is also an undelegated version.
* No child zone exists.
* Undelegated data:
* ns3-undelegated-child.basic01.xa
* ns4-undelegated-child.basic01.xa
### GOOD-MIXED-UNDEL-2
The child zone is delegated, but there is also an undelegated version. One parent
server also serves the delegated child zone.
* Zone: child.parent.good-mixed-undel-2.basic01.xa
* Child zone is served by `ns1`, `ns2` and
`ns6.parent.good-mixed-undel-2.basic01.xa`.
* Child zone exists.
* Parent zone `parent.good-mixed-undel-2.basic01.xa` is served by `ns1` and
`ns6`.
* Child zone is delegated, but there is also an undelegated version, but no
zone for the undelegated version.
* Undelegated data:
* ns3-undelegated-child.basic01.xa
* ns4-undelegated-child.basic01.xa
### NO-DEL-UNDEL-1
The child zone is not delegated, but there is an undelegated version.
* Zone: child.parent.no-del-undel-1.basic01.xa
* Undelegated data:
* ns3-undelegated-child.basic01.xa
* ns4-undelegated-child.basic01.xa
### NO-DEL-MIXED-UNDEL-1
The child zone is not delegated, but there is an undelegated version that is
tested. One grandparent server also serves the parent zone.
* Zone: child.parent.no-del-mixed-undel-1.basic01.xa
* Parent zone `parent.no-del-mixed-undel-1.basic01.xa` is served by `ns1`, `ns2` and on
`ns4.no-del-mixed-undel-1.basic01.xa`.
* Grandparent zone `no-del-mixed-undel-1.basic01.xa` is served on `ns1` and `ns4`.
* Child zone is not delegated, but there is an undelegated version, but no zone file.
* Undelegated data:
* ns3-undelegated-child.basic01.xa
* ns4-undelegated-child.basic01.xa
### NO-DEL-MIXED-UNDEL-2
The child zone is not delegated, but there is an undelegated version that is
tested. One grandparent server also serves the parent zone. There are extra empty
nodes between the zone cuts.
* Zone: child.w.x.parent.y.z.no-del-mixed-undel-2.basic01.xa
* Parent zone `parent.y.z.no-del-mixed-undel-2.basic01.xa` is served by `ns1`,
`ns2` and on `ns4.no-del-mixed-undel-2.basic01.xa`.
* Grandparent zone `no-del-mixed-undel-2.basic01.xa` is served on `ns1` and `ns4`.
* There are no zone cuts at `w`, `x`, `y` and `z`.
* Child zone is not delegated, but there is also an undelegated version, but no
zone file.
* Undelegated data:
* ns3-undelegated-child.basic01.xa
* ns4-undelegated-child.basic01.xa
### NO-CHILD-1
The child zone is not delegated. Parent zone returns NXDOMAIN.
* Zone: child.parent.no-child-1.basic01.xa
* Child zone does not exist and is not served by any NS.
### NO-CHILD-2
The child zone is not delegated. Parent zone returns NODATA.
* Zone: child.parent.no-child-2.basic01.xa
* Child zone does not exist and is not served by any NS.
* The name child.parent.no-child-2.basic01.xa exists as a TXT record.
### NO-CHLD-PAR-UNDETER-1
The child zone is not delegated. One grandparent NS lacks delegation of parent
and return NXDOMAIN of child. The parent zone lacks delegation of child.
* Zone: child.parent.no-chld-par-undeter-1.basic01.xa
* Child zone does not exist is not served by any NS.
* Grandparent `ns1` lacks delegation of parent.
* Grandparent `ns2` has delegation of parent (to both parent NS).
* Parent zone lacks delegation of child.
### CHLD-FOUND-PAR-UNDET-1
The child zone is delegated from one grandparent NS and from the parent zone.
* Zone: child.parent.chld-found-par-undet-1.basic01.xa
* Grandparent `ns1` has delegation of child but lacks delegation of parent.
* Grandparent `ns2` has delegation of parent (to both parent NS).
* Parent zone has delegation of child.
### CHLD-FOUND-INCONSIST-1
The child is delegated from one parent NS. The other responds with NXDOMAIN.
* Zone: child.parent.chld-found-inconsist-1.basic01.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child (NXDOMAIN).
### CHLD-FOUND-INCONSIST-2
The child is delegated from one parent NS. On the other there is an CNAME
response.
* Zone: child.parent.chld-found-inconsist-2.basic01.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, and has a CNAME on that name,
pointing at `no-child.parent.chld-found-inconsist-2.basic01.xa`, which has
two address records (A and AAAA) with the IP addresses of child `ns2`.
### CHLD-FOUND-INCONSIST-3
The child is delegated from one parent NS. On the other there is a CNAME
to another name, and that other name is delegated.
* Zone: child.parent.chld-found-inconsist-3.basic01.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, and has a CNAME on the name,
pointing at `sister.parent.chld-found-inconsist-3.basic01.xa`, which is
delegated to `ns1-delegated-child.basic01.xa` and
`ns2-delegated-child.basic01.xa`.
* Zone `sister` does not exist.
### CHLD-FOUND-INCONSIST-4
The child is delegated from one parent NS. On the other there is a DNAME to
another name.
* Zone: child.parent.chld-found-inconsist-4.basic01.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` has a DNAME on `child` pointing at
`sister.parent.chld-found-inconsist-4.basic01.xa` which is delegated to
`ns1-delegated-child.basic01.xa` and `ns2-delegated-child.basic01.xa`.
* Zone `sister` does not exist.
### CHLD-FOUND-INCONSIST-5
The child is delegated from one parent NS. On the other there is a NODATA
response.
* Zone: child.parent.chld-found-inconsist-5.basic01.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, instead `child` has two address
records (A and AAAA) with the IP addresses of child `ns2`.
### CHLD-FOUND-INCONSIST-6
The child is delegated from one parent NS, which is also NS for the child.
On the other there is an NXDOMAIN response.
* Zone: child.parent.chld-found-inconsist-6.basic01.xa
* Parent `ns1` has normal delegation of child to the two child NS.
* Parent `ns2` lacks delegation of child (NXDOMAIN).
* Child shares `ns1.parent.chld-found-inconsist-6.basic01.xa` with parent.
* Child also uses child `ns2`.
* Child exists with a zone.
### CHLD-FOUND-INCONSIST-7
The child is delegated from one parent NS, which is also NS for the child. On the
other there is a CNAME response.
* Zone: child.parent.chld-found-inconsist-7.basic01.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, and has a CNAME on that name,
pointing at `no-child.parent.chld-found-inconsist-7.basic01.xa`, which has
two address records (A and AAAA) with the IP addresses of child `ns2`.
* Child shares `ns1.parent.chld-found-inconsist-7.basic01.xa` with parent.
* Child also uses `ns2`.
* Child exists with a zone.
### CHLD-FOUND-INCONSIST-8
The child is delegated from one parent NS, which is also NS for the child. On
the other there is a CNAME to another name, and that other name is delegated.
* Zone: child.parent.chld-found-inconsist-8.basic01.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, and has a CNAME on the name,
pointing at `sister.parent.chld-found-inconsist-8.basic01.xa`, which is
`ns1-delegated-child.basic01.xa` and `ns2-delegated-child.basic01.xa`.
* Zone `sister` does not exist.
* Child shares `ns1.parent.chld-found-inconsist-8.basic01.xa` with parent.
* Child also uses `ns2`.
* Child exists with a zone.
### CHLD-FOUND-INCONSIST-9
The child is delegated from one parent NS, which is also NS for the child. On
the other there is a DNAME to another name.
* Zone: child.parent.chld-found-inconsist-9.basic01.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` has a DNAME on `child` pointing at
`sister.parent.chld-found-inconsist-9.basic01.xa` which is delegated to
`ns1-delegated-child.basic01.xa` and `ns2-delegated-child.basic01.xa`.
* Zone `sister` does not exist.
* Child shares `ns1.parent.chld-found-inconsist-9.basic01.xa` with parent.
* Child also uses `ns2`.
* Child exists with a zone.
### CHLD-FOUND-INCONSIST-10
The child is delegated from one parent NS, which is also NS for the child. On the
other there is a NODATA response.
* Zone: child.parent.chld-found-inconsist-10.basic01.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, instead `child` has two address
records (A and AAAA) with the IP addresses of child `ns2`.
* Child shares `ns1.parent.chld-found-inconsist-10.basic01.xa` with parent.
* Child also uses `ns2`.
* Child exists with a zone.
### NO-DEL-UNDEL-NO-PAR-1
The child is not delegated, but there is undelegated data to test. Both
grandparent NS return SERVFAIL.
* Zone: child.parent.no-del-undel-no-par-1.basic01.xa
* Grandparent `ns1` and `ns2` both return SERVFAIL.
* No need of parent zone.
* Child zone is not delegated, but there is an undelegated version.
* Undelgated data:
* ns3-undelegated-child.basic01.xa
* ns4-undelegated-child.basic01.xa
### NO-DEL-UNDEL-PAR-UND-1
The child is not delegated, but there is an undelegated data to test. One
grandparent NS lacks delegation of parent and return NXDOMAIN of child. The
parent zone lacks delegation of child.
* Zone: child.parent.no-del-undel-par-und-1.basic01.xa
* Child zone does not exist is not served by any NS.
* Grandparent `ns1` lacks delegation of parent.
* Grandparent `ns2` has delegation of parent (to both parent NS).
* Parent zone lacks delegation of child.
* Child zone is not delegated, but there is an undelegated version.
* Undelegated data:
* ns3-undelegated-child.basic01.xa
* ns4-undelegated-child.basic01.xa
### NO-CHLD-NO-PAR-1
The child is not delegated. Both grandparent NS return SERVFAIL.
* Zone: child.parent.no-chld-no-par-1.basic01.xa
* Grandparent `ns1` and `ns2` both return SERVFAIL.
* No need of parent zone.
* Child zone is not delegated, and there is no undelegated data.
* No need of child zone.
### CHILD-ALIAS-1
The child zone does not exist, instead there is a DNAME in the parent zone.
* Zone: child.parent.child-alias-1.basic01.xa
* Parent has a DNAME on `child` pointing at
`sister.parent.child-alias-1.basic01.xa` which is delegated to
`ns1-delegated-child.basic01.xa` and `ns2-delegated-child.basic01.xa`.
* Zone `sister` does not exist.
### CHILD-ALIAS-2
The child zone does not exist, instead there is a DNAME in the parent zone,
however, different DNAME targets in the two parents.
* Zone: child.parent.child-alias-2.basic01.xa
* On `ns1` parent has a DNAME on `child` pointing at
`sister.parent.child-alias-2.basic01.xa` which is delegated to
`ns1-delegated-child.basic01.xa` and `ns2-delegated-child.basic01.xa`.
* Zone `sister` does not exist.
* On `ns2` parent has a DNAME on `child` pointing at
`brother.parent.child-alias-2.basic01.xa` which is delegated to
`ns1-delegated-child.basic01.xa` and `ns2-delegated-child.basic01.xa`.
* Zone `brother` does not exist.
### ZONE-ERR-GRANDPARENT-1
Grandparent `ns2` responds with AA bit unset on queries for grandparent zone.
* Zone: child.parent.zone-err-grandparent-1.basic01.xa
* Normal response on grandparent `ns1`.
* Grandparent `ns2` responds with AA bit unset on queries for the
grandparent zone.
### ZONE-ERR-GRANDPARENT-2
Grandparent `ns2` responds with NODATA on NS query for grandparent zone.
* Zone: child.parent.zone-err-grandparent-2.basic01.xa
* Normal response on grandparent `ns1`.
* Grandparent `ns2` responds with NODATA on NS query for the
grandparent zone.
### ZONE-ERR-GRANDPARENT-3
Grandparent `ns2` responds with wrong owner name on NS
on query for grandparent zone NS.
* Zone: child.parent.zone-err-grandparent-3.basic01.xa
* Normal response on grandparent `ns1`.
* Grandparent `ns2` responds with other owner name on NS query for
`zone-err-grandparent-3.basic01.xa`:
* Owner name `oncle.zone-err-grandparent-3.basic01.xa` instead.
### ROOT-ZONE
Test on the standard root zone.
* Zone: .
* No special zone files are to be created.
[Basic01]: ../../tests/Basic-TP/basic01.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
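Review bot: In CHLD-FOUND-INCONSIST-8 the parent `ns2` bullet reads "pointing at `sister.parent.chld-found-inconsist-8.basic01.xa`, which is `ns1-delegated-child.basic01.xa` and `ns2-delegated-child.basic01.xa`", dropping the "delegated to" that the otherwise identical bullet in CHLD-FOUND-INCONSIST-3 carries. Restore it so the zone setup is unambiguous. In NO-DEL-UNDEL-PAR-UND-1 the bullet "Child zone does not exist is not served by any NS." runs two clauses together and sits next to "Child zone is not delegated, but there is an undelegated version." a few bullets later; reword it so it is clear that only the delegated tree lacks the zone. In scenarios 7 to 10, parent `ns1` is said to delegate to "two child NS, `ns1` and `ns2`" while a later bullet says the child shares parent `ns1`; the wording in scenario 6 ("to the two child NS") avoids that ambiguity. Also fix "Undelgated data" in NO-DEL-UNDEL-NO-PAR-1 and "an undelegated data" in the NO-DEL-UNDEL-PAR-UND-1 summary.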

View File

@@ -0,0 +1,416 @@
# Specification of Test Scenarios for Basic02
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones](#test-scenarios-and-setup-of-test-zones)
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [Basic02].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [Basic02] is run on a test zone.
The message tags are defined in the test case ([Basic02]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`basic02.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [Basic02] for the specification of the tags.
* B02_AUTH_RESPONSE_SOA
* B02_NO_DELEGATION
* B02_NO_WORKING_NS
* B02_NS_BROKEN
* B02_NS_NOT_AUTH
* B02_NS_NO_IP_ADDR
* B02_NS_NO_RESPONSE
* B02_UNEXPECTED_RCODE
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:------------------------------|:-------------------------------------------|:----------------------
GOOD-1 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-2 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-1 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-2 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-3 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-4 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-5 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-6 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-7 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-8 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-9 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-10 | B02_AUTH_RESPONSE_SOA | 2)
GOOD-UNDEL-11 | B02_AUTH_RESPONSE_SOA | 2)
MIXED-1 | B02_AUTH_RESPONSE_SOA | 2)
NO-DELEGATION-1 | B02_NO_DELEGATION | 2)
NS-BROKEN-1 | B02_NS_BROKEN, B02_NO_WORKING_NS | 2)
NS-NOT-AUTH-1 | B02_NS_NOT_AUTH, B02_NO_WORKING_NS | 2)
NS-NO-IP-1 | B02_NS_NO_IP_ADDR, B02_NO_WORKING_NS | 2)
NS-NO-IP-2 | B02_NS_NO_IP_ADDR, B02_NO_WORKING_NS | 2)
NS-NO-IP-3 | B02_NS_NO_IP_ADDR, B02_NO_WORKING_NS | 2)
NS-NO-IP-UNDEL-1 | B02_NS_NO_IP_ADDR, B02_NO_WORKING_NS | 2)
NS-NO-IP-UNDEL-2 | B02_NS_NO_IP_ADDR, B02_NO_WORKING_NS | 2)
NS-NO-RESPONSE-1 | B02_NS_NO_RESPONSE, B02_NO_WORKING_NS | 2)
UNEXPECTED-RCODE-1 | B02_UNEXPECTED_RCODE, B02_NO_WORKING_NS | 2)
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
`basic02.xb` is a zone for out-of-bailiwick name servers for applicable
scenario.
* The child zone is `SCENARIO.basic02.xa`.
* It is delegated to two name servers, `ns1.SCENARIO.basic02.xa`
and `ns2.SCENARIO.basic02.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* The delegation of the child zone is complete with glue records.
* There is a zone file for the child zone.
* All child zone servers give the same response.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
* NS and any glue matches NS and authoritative address records in zone.
* If NS are out of bailiwick, the names are defined in another zone with correct
A and AAAA records.
### GOOD-1
A "happy path". Everything is fine.
* Zone: good-1.basic02.xa
* Zone is set up as default.
### GOOD-2
Like GOOD-1 but name servers are out-of-bailiwick.
* Zone: good-1.basic02.xa
* ns1 is ns1.good-2.basic02.xb.
* ns2 is ns2.good-2.basic02.xb.
* Delegation is without glue.
### Overview of the GOOD-UNDEL-x scenarios
Scenario name | Delegated zone | Undelegated data
:--------------|:------------------------------|:--------------------
GOOD-UNDEL-1 | no delegation | IB with glue
GOOD-UNDEL-2 | no delegation | OOB without glue, NS names are defined
GOOD-UNDEL-3 | IB, no response | OOB without glue, NS names are defined
GOOD-UNDEL-4 | IB, no glue | OOB without glue, NS names are defined
GOOD-UNDEL-5 | IB, no glue | IB with glue
GOOD-UNDEL-6 | OOB, no response | IB with glue
GOOD-UNDEL-7 | OOB, no address records | OOB with glue, NS names are undefined
GOOD-UNDEL-8 | IB, no response | IB, IP redefined
GOOD-UNDEL-9 | OOB, no response | OOB, IP redefined
GOOD-UNDEL-10 | OOB, SERVFAIL/REFUSED | OOB
GOOD-UNDEL-11 | OOB, cannot look addr up | OOB, IP through lookup
### GOOD-UNDEL-1
The zone is not delegated. Undelegated data provides a working zone.
* Zone: good-undel-1.basic02.xa
* The zone is not delegated.
* Else, the zone from undelegated data is set up as default.
* Undelegated data:
* ns1.good-undel-1.basic02.xa/IPv4
* ns1.good-undel-1.basic02.xa/IPv6
* ns2.good-undel-1.basic02.xa/IPv4
* ns2.good-undel-1.basic02.xa/IPv6
### GOOD-UNDEL-2
The zone is not delegated. Undelegated data provides a working zone. NS are
out-of-bailiwick.
* Zone: good-undel-2.basic02.xa
* The zone is not delegated.
* The undelegated data has out-of-bailiwick name servers without glue.
* Normal lookup provides IP addresses for the name server names.
* Else, the zone from undelegated data is set up as default.
* Undelegated data:
* ns1.good-undel-2.basic02.xb
* ns2.good-undel-2.basic02.xb
### GOOD-UNDEL-3
Delegated zone does not respond. There is a working zone from undelegated data.
Those NS are out-of-bailiwick.
* Zone: good-undel-3.basic02.xa
* The name servers in delegation are ns1 and ns2.
* Name servers from delegation do not respond.
* The undelegated data has out-of-bailiwick name servers without glue.
* Normal lookup provides IP addresses for the name server names.
* Else, the zone from undelegated data is set up as default.
* Undelegated data:
* ns3.good-undel-3.basic02.xb
* ns4.good-undel-3.basic02.xb
### GOOD-UNDEL-4
Delegation of zone lacks glue. There is a working zone from undelegated data.
Those NS are out-of-bailiwick.
* Zone: good-undel-4.basic02.xa
* The name servers in delegation are ns1 and ns2.
* There is no glue for ns1 and ns2.
* The undelegated data has out-of-bailiwick name servers without glue.
* Normal lookup provides IP addresses for the name server names.
* Else, the zone from undelegated data is set up as default.
* Undelegated data:
* ns1.good-undel-4.basic02.xb
* ns2.good-undel-4.basic02.xb
### GOOD-UNDEL-5
Delegation of zone lacks glue. There is a working zone from undelegated data.
* Zone: good-undel-5.basic02.xa
* The name servers in delegation ns1 and ns2.
* There is no glue for ns1 and ns2.
* The undelegated data has the same NS names with glue.
* Else, the zone from undelegated data is set up as default.
* Undelegated data:
* ns1.good-undel-5.basic02.xa/IPv4
* ns1.good-undel-5.basic02.xa/IPv6
* ns2.good-undel-5.basic02.xa/IPv4
* ns2.good-undel-5.basic02.xa/IPv6
### GOOD-UNDEL-6
Zone is delegated to out-of-bailiwick NS, but with no response. There is a
working zone from undelegated data.
* Zone: good-undel-6.basic02.xa
* The name servers in delegation are ns1.good-undel-6.basic02.xb and
ns2.good-undel-6.basic02.xb.
* Normal lookup provides IP addresses for the name server names.
* The servers in delegation do not respond.
* The zone from undelegated data is set up as default.
* Undelegated data:
* ns3.good-undel-6.basic02.xa/IPv4
* ns3.good-undel-6.basic02.xa/IPv6
* ns4.good-undel-6.basic02.xa/IPv4
* ns4.good-undel-6.basic02.xa/IPv6
### GOOD-UNDEL-7
Zone is delegated to out-of-bailiwick NS, but with no IP for NS. There is a
working zone from undelegated data, also out-of-bailiwick.
* Zone: good-undel-7.basic02.xa
* The name servers in delegation are ns1.good-undel-7.basic02.xb and
ns2.good-undel-7.basic02.xb.
* ns1 and ns2 are defined, but with no address records.
* The NS in undelegated data use names that are not defined.
* The zone from undelegated data is set up as default.
* Undelegated data:
* ns3.good-undel-7.basic02.xb/IPv4
* ns3.good-undel-7.basic02.xb/IPv6
* ns4.good-undel-7.basic02.xb/IPv4
* ns5.good-undel-7.basic02.xb/IPv6
### GOOD-UNDEL-8
Zone is delegated, but no response from the NS of delegation. There is a working
zone from undelegated data.
* Zone: good-undel-8.basic02.xa
* The name servers in delegation are dns1 and dns2.
* There is no response from dns1 and dns2.
* The NS in undelegated data use the same NS names with other IP addresses.
* Else, the zone from undelegated data is set up as default.
* Undelegated data:
* dns1.good-undel-8.basic02.xa/IPv4
* dns1.good-undel-8.basic02.xa/IPv6
* dns2.good-undel-8.basic02.xa/IPv4
* dns2.good-undel-8.basic02.xa/IPv6
### GOOD-UNDEL-9
Zone is delegated to out-of-bailiwick NS, but with no response. There is a
working zone from undelegated data.
* Zone: good-undel-9.basic02.xa
* The name servers in delegation are dns1.good-undel-9.basic02.xb and
dns2.good-undel-9.basic02.xb.
* Normal lookup provides IP addresses for the name server names.
* The servers in delegation do not respond.
* The NS in undelegated data use the same NS names with other IP addresses.
* The zone from undelegated data is set up as default.
* Undelegated data:
* dns1.good-undel-9.basic02.xb/IPv4
* dns1.good-undel-9.basic02.xb/IPv6
* dns2.good-undel-9.basic02.xb/IPv4
* dns2.good-undel-9.basic02.xb/IPv6
### GOOD-UNDEL-10
Zone is delegated to out-of-bailiwick NS, but with SERVFAIL or REFUSED response.
There is a working zone from undelegated data, also out-of-bailiwick.
* Zone: good-undel-10.basic02.xa
* The name servers in delegation are ns1.good-undel-10.basic02.xb and
ns2.good-undel-10.basic02.xb.
* Normal lookup provides IP addresses for the name server names.
* The servers in delegation respond with SERVFAIL (ns1) or REFUSED (ns2).
* The NS in undelegated data use other IP addresses.
* The zone from undelegated data is set up as default.
* Undelegated data:
* ns3.good-undel-10.basic02.xb/IPv4
* ns3.good-undel-10.basic02.xb/IPv6
* ns4.good-undel-10.basic02.xb/IPv4
* ns4.good-undel-10.basic02.xb/IPv6
### GOOD-UNDEL-11
Zone is delegated to out-of-bailiwick NS whose names are in a zone that is
not reachable (addresses cannot be looked up). There is a working zone from
undelegated data, also out-of-bailiwick.
* Zone: good-undel-11.basic02.xa
* The name servers in delegation are ns1.delegated.good-undel-11.basic02.xb
and ns2.delegated.good-undel-11.basic02.xb.
* Normal lookup fails to provides IP addresses for the name server names
since zone delegated.good-undel-11.basic02.xb cannot be reached.
* delegated.good-undel-11.basic02.xb is delegated to dns1 and dns2 relative
to that domain.
* There is no actual zone for the delegated data (not needed).
* The zone from undelegated data is set up as default.
* The addresses for the NS for the undelegated zone are found via lookup.
* Undelegated data:
* ns3.good-undel-11.basic02.xb
* ns4.good-undel-11.basic02.xb
### MIXED-1
The zone is delegated to four NS, of which ns1 responds correctly, ns2 does
not respond, ns3 returns SERVFAIL and ns4 is not authoritative.
* Zone: mixed-1.basic02.xa
* The zone is set-up as default, but with four NS (ns1-4).
* ns1 gives correct response.
* ns2 does not respond.
* ns3 returns SERVFAIL on all queries.
* ns4 returns all responses with AA flag unset.
### NO-DELEGATION
There is no delegation for the zone.
* Zone: no-delegation.basic02.xa
* No zone.
* No name servers.
* No delegation.
### NS-BROKEN-1
The servers for the zone do not respond with SOA record on SOA query.
* Zone: ns-broken-1.basic02.xa
* No SOA record in response from ns1 and ns2.
* RCODE is NOERROR and AA bit is set.
### NS-NOT-AUTH-1
The servers for the zone do not give authoritative responses.
* Zone: ns-not-auth-1.basic02.xa
* AA bit is unset in responses from ns1 and ns2.
### NS-NO-IP-1
The delegation is without glue.
* Zone: ns-no-ip-1.basic02.xa
* There is no glue in delegation for ns1 and ns2.
* No zone is set up.
### NS-NO-IP-2
The name server are out-of-bailiwick but have no address records.
* Zone: ns-no-ip-2.basic02.xa
* ns1 and ns2 are out-of-bailiwick.
* ns1 is ns1.ns-no-ip-2.basic02.xb.
* ns2 is ns2.ns-no-ip-2.basic02.xb.
* ns1 and ns2 exist as names, but have no address records.
* No zone is set up.
### NS-NO-IP-3
The name server are out-of-bailiwick but the names are not defined.
* Zone: ns-no-ip-3.basic02.xa
* ns1 and ns2 are out-of-bailiwick.
* ns1 is ns1.ns-no-ip-3.basic02.xb.
* ns2 is ns2.ns-no-ip-3.basic02.xb.
* ns1 and ns2 do not exist as names.
* No zone is set up.
### NS-NO-IP-UNDEL-1
The delegated zone works correctly. The undelegated data has in-bailiwick NS
without glue.
* Zone: ns-no-ip-undel-1.basic02.xa
* ns1 and ns2 serves a working zone.
* The undelegated data uses the same NS names but without glue.
* There is no need for a zone for undelegated data.
* Undelegated data:
* ns1.ns-no-ip-undel-1.basic02.xa
* ns2.ns-no-ip-undel-1.basic02.xa
### NS-NO-IP-UNDEL-2
The delegated zone works correctly. The undelegated data has out-of-bailiwick NS
without glue. The NS names have no address records.
* Zone: ns-no-ip-undel-2.basic02.xa
* ns1 and ns2 serves a working zone.
* The undelegated data uses out-of-bailiwick NS.
* NS names exists.
* NS names do not resolve to address records.
* There is no need for a zone for undelegated data.
* Undelegated data:
* ns1.ns-no-ip-undel-2.basic02.xb
* ns2.ns-no-ip-undel-2.basic02.xb
### NS-NO-RESPONSE-1
The name servers do not respond on the queries.
* Zone: ns-no-response-1.basic02.xa
* ns1 and ns2 do not respond to queries.
* No zone is set up.
### UNEXPECTED-RCODE-1
The name servers respond with NXDOMAIN, REFUSED or SERVFAIL on SOA query.
* Zone: unexpected-rcode-1.basic02.xa
* ns1 responds with NXDOMAIN.
* ns2 responds with REFUSED.
* ns3 responds with SERVFAIL.
* No actual zone exists.
[Basic02]: ../../tests/Basic-TP/basic02.md
[test scenario README file]: ../README.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
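Review bot: The GOOD-2 section gives "Zone: good-1.basic02.xa" although its name servers are `ns1.good-2.basic02.xb` and `ns2.good-2.basic02.xb` and the document states that each zone has the same name as its scenario, so this should be `good-2.basic02.xa`. The scenario table lists NO-DELEGATION-1, but the section is headed "NO-DELEGATION" with zone `no-delegation.basic02.xa`; pick one name and use it in all three places. In GOOD-UNDEL-7 the undelegated data lists ns3/IPv4, ns3/IPv6, ns4/IPv4 and then `ns5.good-undel-7.basic02.xb/IPv6`, which looks like a slip for ns4 given every other scenario pairs IPv4 and IPv6 per name server. UNEXPECTED-RCODE-1 uses ns1, ns2 and ns3 without saying it departs from the default of two name servers, the way MIXED-1 does for its four. The "Forbidden message tags" column uses "2)" while the footnotes are written "(1)" and "(2)", and footnote (1) is not referenced by any row. GOOD-UNDEL-5 has "The name servers in delegation ns1 and ns2." with the verb missing.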

View File

@@ -0,0 +1,6 @@
# Specification of test scenarios for Connectivity-TP
Test scenario specifications are available for:
* [Connectivity04](connectivity04.md)

View File

@@ -0,0 +1,301 @@
# Specification of Test Scenarios for Connectivity04
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [Connectivity04].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [Connectivity04] is run on a test zone.
The message tags are defined in the test case ([Connectivity04]) and the
scenarios are defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`connectivity04.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [Connectivity04] for the specification of the tags.
* CN04_EMPTY_PREFIX_SET
* CN04_ERROR_PREFIX_DATABASE
* CN04_IPV4_DIFFERENT_PREFIX
* CN04_IPV4_SAME_PREFIX
* CN04_IPV4_SINGLE_PREFIX
* CN04_IPV6_DIFFERENT_PREFIX
* CN04_IPV6_SAME_PREFIX
* CN04_IPV6_SINGLE_PREFIX
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:------------------------|:----------------------------------------------------------------------------------|:--------------------
GOOD-1 | CN04_IPV4_DIFFERENT_PREFIX, CN04_IPV6_DIFFERENT_PREFIX | 2)
GOOD-2 | CN04_IPV4_DIFFERENT_PREFIX | 2)
GOOD-3 | CN04_IPV6_DIFFERENT_PREFIX | 2)
EMPTY-PREFIX-SET-1 | CN04_EMPTY_PREFIX_SET | 2)
EMPTY-PREFIX-SET-2 | CN04_EMPTY_PREFIX_SET | 2)
ERROR-PREFIX-DATABASE-1 | CN04_ERROR_PREFIX_DATABASE | 2)
ERROR-PREFIX-DATABASE-2 | CN04_ERROR_PREFIX_DATABASE | 2)
ERROR-PREFIX-DATABASE-3 | CN04_ERROR_PREFIX_DATABASE | 2)
ERROR-PREFIX-DATABASE-6 | CN04_IPV4_DIFFERENT_PREFIX, CN04_IPV6_DIFFERENT_PREFIX, CN04_ERROR_PREFIX_DATABASE| 2)
ERROR-PREFIX-DATABASE-7 | CN04_ERROR_PREFIX_DATABASE | 2)
ERROR-PREFIX-DATABASE-8 | CN04_ERROR_PREFIX_DATABASE | 2)
HAS-NON-ASN-TXT-1 | CN04_IPV4_DIFFERENT_PREFIX, CN04_IPV6_DIFFERENT_PREFIX | 2)
HAS-NON-ASN-TXT-2 | CN04_EMPTY_PREFIX_SET | 2)
IPV4-ONE-PREFIX-1 | CN04_IPV4_SAME_PREFIX, CN04_IPV4_SINGLE_PREFIX | 2)
IPV4-TWO-PREFIXES-1 | CN04_IPV4_SAME_PREFIX, CN04_IPV4_DIFFERENT_PREFIX | 2)
IPV6-ONE-PREFIX-1 | CN04_IPV6_SAME_PREFIX, CN04_IPV6_SINGLE_PREFIX | 2)
IPV6-TWO-PREFIXES-1 | CN04_IPV6_SAME_PREFIX, CN04_IPV6_DIFFERENT_PREFIX | 2)
IPV4-SINGLE-NS-1 | CN04_IPV4_SINGLE_PREFIX, CN04_IPV4_DIFFERENT_PREFIX | 2)
IPV6-SINGLE-NS-1 | CN04_IPV6_SINGLE_PREFIX, CN04_IPV6_DIFFERENT_PREFIX | 2)
DOUBLE-PREFIX-1 | CN04_IPV4_DIFFERENT_PREFIX, CN04_IPV6_DIFFERENT_PREFIX | 2)
DOUBLE-PREFIX-2 | CN04_IPV4_DIFFERENT_PREFIX, CN04_IPV6_DIFFERENT_PREFIX | 2)
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
* The child zone is `SCENARIO.connectivity04.xa`.
* It is delegated to out-of-bailiwick NS, specified per scenario.
* The names of the NS exist in the parent zone.
* The NS for a child will only reply to NS query and do that
consistently.
* The parent zone is `connectivity04.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* All responses will have the [RCODE Name] "NoError".
### GOOD-1
Everything is fine.
* Zone: good-1.connectivity04.xa
* 2 NS.
* Both with IPv4 and IPv6.
* Each NS IP in different prefixes.
### GOOD-2
Everything is fine. IPv4 only.
* Zone: good-2.connectivity04.xa
* 2 NS.
* IPv4 only.
* Each NS IP in different prefixes.
### GOOD-3
Everything is fine. IPv6 only.
* Zone: good-3.connectivity04.xa
* 2 NS.
* IPv4 only.
* Each NS IP in different prefixes.
### EMPTY-PREFIX-SET-1
No ASN data (NXDOMAIN).
* Zone: empty-prefix-set-1.connectivity04.xa
* 1 NS.
* IPv4 and IPv6 on NS.
* The ASN-lookup returns [RCODE Name] NXDOMAIN.
### EMPTY-PREFIX-SET-2
No ASN data (NODATA).
* Zone: empty-prefix-set-2.connectivity04.xa
* 1 NS.
* IPv4 and IPv6 on NS.
* The ASN-lookup returns no TXT record (NODATA).
### ERROR-PREFIX-DATABASE-1
No ASN data due to SERVFAIL.
* Zone: error-prefix-database-1.connectivity04.xa
* 1 NS.
* IPv4 and IPv6 on NS.
* The ASN-lookup returns SERVFAIL.
### ERROR-PREFIX-DATABASE-2
No ASN data due to REFUSED.
* Zone: error-prefix-database-2.connectivity04.xa
* 1 NS.
* IPv4 and IPv6 on NS.
* The ASN-lookup returns REFUSED.
### ERROR-PREFIX-DATABASE-3
No ASN data, no DNS response at all.
* Zone: error-prefix-database-3.connectivity04.xa
* 1 NS.
* IPv4 and IPv6 on NS.
* The ASN-lookup returns no DNS response (no response at all).
### ERROR-PREFIX-DATABASE-4
(Renamed)
### ERROR-PREFIX-DATABASE-5
(Renamed)
### ERROR-PREFIX-DATABASE-6
Extra ASN lookup TXT record with wrong IP prefix.
* Zone: error-prefix-database-6.connectivity04.xa
* 2 NS.
* Both with IPv4 and IPv6.
* Each NS IP in different prefixes.
* For one NS (both IPs) the ASN lookup returns an extra TXT with an IP prefix
that does not match the IP address.
### ERROR-PREFIX-DATABASE-7
ASN lookup TXT record with wrong IP prefix.
* Zone: error-prefix-database-7.connectivity04.xa
* 1 NS.
* IPv4 and IPv6 on NS.
* The ASN-lookup returns one TXT record for both IP with an IP prefix that
does not match the IP address.
### ERROR-PREFIX-DATABASE-8
ASN lookup gives no TXT-record but a CNAME.
* Zone: error-prefix-database-8.connectivity04.xa
* 1 NS.
* IPv4 and IPv6 on NS.
* The ASN-lookup returns no TXT record for both IP but a CNAME record.
### HAS-NON-ASN-TXT-1
IPv4 and IPv6. Extra non-ASN lookup TXT record.
* Zone: has-non-asn-txt-1.connectivity04.xa
* 2 NS.
* Both NS with IPv4 and IPv6.
* Each NS IP in different prefixes.
* For one NS (both IPs) the ASN lookup returns an extra TXT record with the
text "This is not ASN data".
### HAS-NON-ASN-TXT-2
No ASN data, some other TXT record.
* Zone: has-non-asn-txt-2.connectivity04.xa
* 1 NS.
* IPv4 and IPv6 on NS.
* The ASN-lookup returns one TXT record for both IP with the string
"This is not ASN data".
### IPV4-ONE-PREFIX-1
All NS IPs in the same prefix. IPv4 only.
* Zone: ipv4-one-prefix-1.connectivity04.xa
* 2 NS.
* IPv4 only.
* Both NS in the same prefix.
### IPV4-TWO-PREFIXES-1
Two NS in the same prefix. One NS in its own prefix. IPv4 only.
* Zone: ipv4-two-prefixes-1.connectivity04.xa
* 3 NS.
* IPv4 only.
* Two NS in the same prefix.
* One NS in its own prefix.
### IPV6-ONE-PREFIX-1
All NS IPs in the same prefix. IPv6 only.
* Zone: ipv6-one-prefix-1.connectivity04.xa
* 2 NS.
* Ipv6 only.
* Both NS in the same prefix.
### IPV6-TWO-PREFIXES-1
Two NS in the same prefix. One NS in its own prefix. IPv6 only.
* Zone: ipv6-two-prefixes-1.connectivity04.xa
* 3 NS.
* IPv6 only.
* Two NS in the same prefix.
* One NS in its own prefix.
### IPV4-SINGLE-NS-1
One NS, IPv4 only.
* Zone: ipv4-single-ns-1.connectivity04.xa
* 1 NS.
* IPv4 only.
### IPV6-SINGLE-NS-1
One NS, IPv6 only.
* Zone: ipv6-single-ns-1.connectivity04.xa
* 1 NS.
* IPv6 only.
### DOUBLE-PREFIX-1
The IP addresses of the NS are announced from both a larger prefix and a more
specific one.
* Zone: double-prefix-1.connectivity04.xa
* 2 NS
* IPv4 and IPv6.
* The two IPv4 addresses are announced in one large (less specific) prefix that includes
both NS IP addresses.
* Each NS IP address is also announced in a more specific prefix only including
that IP address.
* Same with IPv6.
### DOUBLE-PREFIX-2
The IP addresses of the NS are announced in a larger (less specific) prefix that
includes both NS IP. The addresses of one NS are also announced in more
specific prefixes.
* Zone: double-prefix-2.connectivity04.xa
* 2 NS
* IPv4 and IPv6.
* The two IPv4 addresses are announced in one large (less specific) prefix that
includes both IP addresses.
* The address of one of the NS is also announced in a more specific prefix.
* Same with IPv6.
[Connectivity04]: ../../tests/Connectivity-TP/connectivity04.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
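Review bot: GOOD-3 is described as "Everything is fine. IPv6 only." and its mandatory tag is CN04_IPV6_DIFFERENT_PREFIX, but the setup bullet says "IPv4 only."; this looks copied from GOOD-2 and should read "IPv6 only." ERROR-PREFIX-DATABASE-4 and ERROR-PREFIX-DATABASE-5 are kept as headings with only "(Renamed)" and do not appear in the scenario table; either name the scenario each one was renamed to or drop the stubs, since a reader cannot tell from this file where they went. The table of contents entry "[Test scenarios and setup of test zones]" uses a reference-style link while the other entries use inline anchors; one style throughout would be easier to maintain. Minor: "Ipv6 only." in IPV6-ONE-PREFIX-1 should be "IPv6 only.", and the "2 NS" bullets in DOUBLE-PREFIX-1 and DOUBLE-PREFIX-2 lack the trailing period used elsewhere.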

View File

@@ -0,0 +1,7 @@
# Specification of test zones for Consistency-TP
Test zone specifications are available for:
* [CONSISTENCY05](consistency05.md)
* [CONSISTENCY06](consistency06.md)

View File

@@ -0,0 +1,282 @@
# Specification of test zones for CONSISTENCY05
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [CONSISTENCY05].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [CONSISTENCY05] is run on a test zone.
The message tags are defined in the test case ([CONSISTENCY05]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`consistency05.xa`) and that subdomain having the same name as the
scenario. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:-------------------------|:---------------------------------|:-------------------------------------------
ADDRESSES-MATCH-1 | ADDRESSES_MATCH | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE
ADDRESSES-MATCH-2 | ADDRESSES_MATCH | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE
ADDRESSES-MATCH-3 | ADDRESSES_MATCH, CHILD_NS_FAILED | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, NO_RESPONSE
ADDRESSES-MATCH-4 | ADDRESSES_MATCH, CHILD_NS_FAILED | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, NO_RESPONSE
ADDRESSES-MATCH-5 | ADDRESSES_MATCH, NO_RESPONSE | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED
ADDRESSES-MATCH-6 | ADDRESSES_MATCH | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE
ADDRESSES-MATCH-7 | ADDRESSES_MATCH | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE
ADDR-MATCH-DEL-UNDEL-1 | ADDRESSES_MATCH | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE
ADDR-MATCH-DEL-UNDEL-2 | ADDRESSES_MATCH | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE
ADDR-MATCH-NO-DEL-UNDEL-1 | ADDRESSES_MATCH | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE
ADDR-MATCH-NO-DEL-UNDEL-2 | ADDRESSES_MATCH | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE
CHILD-ZONE-LAME-1 | CHILD_ZONE_LAME, NO_RESPONSE | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_NS_FAILED, ADDRESSES_MATCH
CHILD-ZONE-LAME-2 | CHILD_ZONE_LAME, CHILD_NS_FAILED | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, ADDRESSES_MATCH, NO_RESPONSE
IB-ADDR-MISMATCH-1 | IN_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD | OUT_OF_BAILIWICK_ADDR_MISMATCH, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE, ADDRESSES_MATCH
IB-ADDR-MISMATCH-2 | IN_BAILIWICK_ADDR_MISMATCH | OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE, ADDRESSES_MATCH
IB-ADDR-MISMATCH-3 | IN_BAILIWICK_ADDR_MISMATCH, NO_RESPONSE | OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE, ADDRESSES_MATCH
IB-ADDR-MISMATCH-4 | IN_BAILIWICK_ADDR_MISMATCH | OUT_OF_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE, ADDRESSES_MATCH
EXTRA-ADDRESS-CHILD | EXTRA_ADDRESS_CHILD | IN_BAILIWICK_ADDR_MISMATCH, OUT_OF_BAILIWICK_ADDR_MISMATCH, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE, ADDRESSES_MATCH
OOB-ADDR-MISMATCH | OUT_OF_BAILIWICK_ADDR_MISMATCH | IN_BAILIWICK_ADDR_MISMATCH, EXTRA_ADDRESS_CHILD, CHILD_ZONE_LAME, CHILD_NS_FAILED, NO_RESPONSE, ADDRESSES_MATCH
## Zone setup for test scenarios
Assumptions for the scenario specifications unless otherwise specified for
the specific scenario:
* For each scenario zone there are two name servers configured.
* Both NS (ns1 and ns2) are equal in delegation and in zone.
* Both NS are in-bailiwick
* Both NS have both IPv4 and IPv6 addresses
* All required glue are present in the delegation.
* All glue exactly matches the authoritative address records in correct
zone (not more and not less records).
* All NS IP addresses respond with identical zone content.
* Responds with a A record for the zone on query for A.
* Responds with a AAAA record for the zone on query for AAAA.
* All responses are authoritative with [RCODE Name] "NoError"
* EDNS, version 0, is included in all responses on queries with EDNS.
* EDNS is not included in responses on queries without EDNS.
* In undelegated data, `IPv4` and `IPv6`, respectively, are placeholders for the
actual IP addresses used for the scenario. They are to be found where the data
is specified.
* If no placeholder is given with the name server name, then no IP address is
given and might be looked up.
* The format for undelegated data follow the format used for `zonemaster-cli`
(after `--ns`).
### ADDRESSES-MATCH-1
The "happy path". Everything is fine.
* Zone: addresses-match-1.consistency05.xa
### ADDRESSES-MATCH-2
Also the "happy path". Out-of-bailiwick NS this time. And no glue.
* Zone: addresses-match-2.consistency05.xa
* Both ns1 and ns2 are out-of-bailiwick under the xb tree.
* ns1 is "ns1.addresses-match-2.consistency05.xb"
* ns2 is "ns2.addresses-match-2.consistency05.xb"
* Delegation is without glue.
* The zone has no address records for the NS names
* The "addresses-match-2.consistency05.xb" zone has a full set of the
address records for ns1 and ns2.
### ADDRESSES-MATCH-3
One NS does not give AA answer, but else fine.
* Zone: addresses-match-3.consistency05.xa
* ns1 responds with AA flag unset.
### ADDRESSES-MATCH-4
One NS does give SERVFAIL response, but else fine.
* Zone: addresses-match-4.consistency05.xa
* ns1 responds with [RCODE Name] "ServFail".
### ADDRESSES-MATCH-5
One NS does not respond, but else fine.
* Zone: addresses-match-5.consistency05.xa
* ns1 gives no response at all.
### ADDRESSES-MATCH-6
Also "happy path". Out-of-bailiwick NS, but with glue.
* Zone: child.addresses-match-6.consistency05.xa
* Both ns1 and ns2 are out-of-bailiwick
* ns1 is "ns1.sibbling.addresses-match-6.consistency05.xa"
* ns2 is "ns2.sibbling.addresses-match-6.consistency05.xa"
* Delegation is with glue.
* The test zone ("child") has no address records for the NS names, but the
"sibbling" zone has full set of address records.
### ADDRESSES-MATCH-7
Also "happy path". NS in subdomain.
* Zone: addresses-match-7.consistency05.xa
* ns1 is "ns1.subdomain.addresses-match-7.consistency05.xa."
* ns2 is "ns2.subdomain.addresses-match-7.consistency05.xa."
* Delegation is with glue.
* "subdomain.addresses-match-7.consistency05.xa" is delegated to the same
ns1 and ns2.
* ns1 and ns2 are defined with address records in the "subdomain" zone.
### ADDR-MATCH-DEL-UNDEL-1
Also the "happy path". But there is an undelegated zone to be tested.
* Zone: addr-match-del-undel-1.consistency05.xa
* Delegated zone on ns1 and ns2.
* Undelegated zone on ns3 and ns4.
* Delegated zone has neither ns1, ns2, ns3 nor ns4 as address records.
* Undelegated zone has neither ns1 nor ns2 as an address record, but it
has both ns3 and ns4 as address records.
* Undelgated data:
* ns3.addr-match-del-undel-1.consistency05.xa/IPv4
* ns3.addr-match-del-undel-1.consistency05.xa/IPv6
* ns4.addr-match-del-undel-1.consistency05.xa/IPv4
* ns4.addr-match-del-undel-1.consistency05.xa/IPv6
### ADDR-MATCH-DEL-UNDEL-2
Also the "happy path". But there is an undelegated zone to be tested, and its
NS are out-of-bailiwick.
* Zone: addr-match-del-undel-2.consistency05.xa
* Delegated zone on ns1 and ns2.
* Undelegated zone on "ns3.addr-match-del-undel-2.consistency05.xb" and
"ns4.addr-match-del-undel-2.consistency05.xb".
* Delegated and undelegated zone, respectively, do not have neither ns1 nor ns2
as an address record.
* Undelegated data:
* ns3.addr-match-del-undel-2.consistency05.xb
* ns4.addr-match-del-undel-2.consistency05.xb
### ADDR-MATCH-NO-DEL-UNDEL-1
Also the "happy path". No delegation but there is an undelegated zone to be
tested.
* Zone: addr-match-no-del-undel-1.consistency05.xa
* No delegated zone.
* Undelegated zone on ns1 and ns2.
* Undelegated data:
* ns1.addr-match-no-del-undel-1.consistency05.xa/IPv4
* ns1.addr-match-no-del-undel-1.consistency05.xa/IPv6
* ns2.addr-match-no-del-undel-1.consistency05.xa/IPv4
* ns2.addr-match-no-del-undel-1.consistency05.xa/IPv6
### ADDR-MATCH-NO-DEL-UNDEL-2
Also the "happy path". No delegation but there is an undelegated zone to be
tested. NS are out-of-bailiwick.
* Zone: addr-match-no-del-undel-2.consistency05.xa
* No delegated zone.
* Undelegated zone on "ns3.addr-match-no-del-undel-2.consistency05.xb" and
"ns4.addr-match-no-del-undel-2.consistency05.xb".
* Undelegated data:
* ns3.addr-match-no-del-undel-2.consistency05.xb
* ns4.addr-match-no-del-undel-2.consistency05.xb
### CHILD-ZONE-LAME-1
Lame. No NS responds.
* Zone: child-zone-lame-1.consistency05.xa
* ns1 and ns2 do not respond.
### CHILD-ZONE-LAME-2
Lame. One NS non-AA and one NS SERVFAIL.
* Zone: child-zone-lame-2.consistency05.xa
* ns1 responses with AA bit unset.
* ns2 responds with [RCODE Name] "ServFail".
### IB-ADDR-MISMATCH-1
For one NS (in-bailiwick), the addresses in the glue do not match those in the
authoritative data from the zone.
* Zone: ib-addr-mismatch-1.consistency05.xa
* ns2 is defined in the zone, but with different addresses (IPv4 and IPv6),
i.e. not the same as in glue.
* Both ns2 servers (IP address sets from glue and child, respectively) must
give identical DNS responses.
### IB-ADDR-MISMATCH-2
For one NS (in-bailiwick), address records exist in the glue, but not in the
authoritative data for the zone.
* Zone: ib-addr-mismatch-2.consistency05.xa
* ns2 is not defined in the zone, i.e. there are no address records for ns2
(IPv4 or IPv6) in the zone.
### IB-ADDR-MISMATCH-3
For ns2 (in-bailiwick), there is no NS for ns2 and the glue does not match any
address records in the zone. Furthermore, ns2 does not respond.
* Zone: ib-addr-mismatch-3.consistency05.xa
* There is no NS record with ns2 in RDATA.
* ns2 is not defined in the zone, i.e. there are no address records for ns2
(IPv4 or IPv6) in the zone.
* ns2 does not respond (but it is in the delegation)
### IB-ADDR-MISMATCH-4
Both NS are in-bailiwick and exist with correct glue in the delegation, but there
are no address records in the zone matching the glue records.
* Zone: ib-addr-mismatch-4.consistency05.xa
* Neither ns1 nor ns2 are defined in the zone as address records.
* The correct NS records are in the zone.
### EXTRA-ADDRESS-CHILD
Child zone has one extra address record on the NS name.
* Zone: extra-address-child.consistency05.xa
* The zone has address records for ns2 that match glue, but in addition
the zone has extra A and AAAA records for ns2.
* Both ns2 servers (both sets of IP addresses from child) must give identical
DNS responses.
### OOB-ADDR-MISMATCH
For one NS (out-of-bailiwick, but with glue) glue does not match AA address
response.
* Zone: child.oob-addr-mismatch.consistency05.xa
* Both ns1 and ns2 are out-of-bailiwick
* ns1 is "ns1.sibbling.oob-addr-mismatch.consistency05.xa"
* ns2 is "ns2.sibbling.oob-addr-mismatch.consistency05.xa"
* Delegation is with glue.
* The test zone ("child") has no address records for the NS names.
* The "sibling" zone has full set of address records
* ns1 in the "sibling" zone matches the addresses of glue.
* ns2 in the "sibling" zone does not match the addresses of glue.
* All IP addresses of ns1 and ns2 must serve identical versions of the zone.
[CONSISTENCY05]: ../../tests/Consistency-TP/consistency05.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
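
Review bot: In the tag table, the IB-ADDR-MISMATCH-3 row lists NO_RESPONSE as both a mandatory and a forbidden tag, so the scenario cannot be satisfied as written. The scenario text says ns2 does not respond, so NO_RESPONSE should be dropped from the forbidden column. Smaller points in the same file: the name server names in ADDRESSES-MATCH-6 and OOB-ADDR-MISMATCH use "sibbling" while the OOB-ADDR-MISMATCH bullets refer to the "sibling" zone, so pick one spelling and make sure it matches the deployed zone names; "Undelgated data" in ADDR-MATCH-DEL-UNDEL-1 should read "Undelegated data"; and "do not have neither ns1 nor ns2" in ADDR-MATCH-DEL-UNDEL-2 is a double negative that leaves the intended meaning open.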

View File

@@ -0,0 +1,162 @@
# Specification of test zones for CONSISTENCY06
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [CONSISTENCY06].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [CONSISTENCY06] is run on a test zone.
The message tags are defined in the test case ([CONSISTENCY06]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`consistency06.xa`) and that subdomain having the same name as the
scenario. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:------------------------------|:-------------------------------------|:-------------------------------------------
ONE-SOA-MNAME-1 | ONE_SOA_MNAME | NO_RESPONSE, NO_RESPONSE_SOA_QUERY, MULTIPLE_SOA_MNAMES
ONE-SOA-MNAME-2 | ONE_SOA_MNAME, NO_RESPONSE | NO_RESPONSE_SOA_QUERY, MULTIPLE_SOA_MNAMES
ONE-SOA-MNAME-3 | ONE_SOA_MNAME, NO_RESPONSE_SOA_QUERY | NO_RESPONSE, MULTIPLE_SOA_MNAMES
ONE-SOA-MNAME-4 | ONE_SOA_MNAME, NO_RESPONSE | NO_RESPONSE_SOA_QUERY, MULTIPLE_SOA_MNAMES
MULTIPLE-SOA-MNAMES-1 | MULTIPLE_SOA_MNAMES | NO_RESPONSE, NO_RESPONSE_SOA_QUERY, ONE_SOA_MNAME
MULTIPLE-SOA-MNAMES-2 | MULTIPLE_SOA_MNAMES,NO_RESPONSE | NO_RESPONSE_SOA_QUERY, ONE_SOA_MNAME
MULT-SOA-MNAMES-NO-DEL-UNDEL-1 | MULTIPLE_SOA_MNAMES | NO_RESPONSE, NO_RESPONSE_SOA_QUERY, ONE_SOA_MNAME
MULT-SOA-MNAMES-NO-DEL-UNDEL-2 | MULTIPLE_SOA_MNAMES | NO_RESPONSE, NO_RESPONSE_SOA_QUERY, ONE_SOA_MNAME
NO-RESPONSE | NO_RESPONSE | NO_RESPONSE_SOA_QUERY, MULTIPLE_SOA_MNAMES, ONE_SOA_MNAME
## Zone setup for test scenarios
Assumptions for the scenario specifications unless otherwise specified for
the specific scenario:
* For each scenario zone there are two name servers configured.
* Both NS (ns1 and ns2) are equal in delegation and in zone.
* Both NS are in-bailiwick
* Both NS have both IPv4 and IPv6 addresses
* All required glue are present in the delegation.
* All NS IP addresses respond with identical zone content.
* All queries for SOA are responded with a SOA record in an
authoritative answer.
* ns1 and ns2 respond with identical SOA records.
* All responses, to zone content, are authoritative with
[RCODE Name] "NoError"
* EDNS, version 0, is included in all responses on queries with EDNS.
* EDNS is not included in responses on queries without EDNS.
* In undelegated data, `IPv4` and `IPv6`, respectively, are placeholders for the
actual IP addresses used for the scenario. They are to be found where the data
is specified.
* If no placeholder is given with the name server name, then no IP address is
given and might be looked up.
* The format for undelegated data follow the format used for `zonemaster-cli`
(after `--ns`).
### ONE-SOA-MNAME-1
The "happy path". Everything is fine.
* Zone: one-soa-mname-1.consistency06.xa.
### ONE-SOA-MNAME-2
Not so "happy path". One name server does not respond.
* Zone: one-soa-mname-2.consistency06.xa.
* ns1 gives no response at all.
### ONE-SOA-MNAME-3
Not so "happy path". One name server responds without SOA
* Zone: one-soa-mname-3.consistency06.xa.
* ns1 responds, but with no SOA record in the answer section
(maybe answering but not having the zone).
### ONE-SOA-MNAME-4
Not so "happy path". One name server does not respond. That ns is also missing in
the zone.
* Zone: one-soa-mname-4.consistency06.xa.
* ns2 gives no response at all.
* ns2 is missing in the zone (but available in the delegation)
### MULTIPLE-SOA-MNAMES-1
Different SOA MNAME on the servers
* Zone: multiple-soa-mnames-1.consistency06.xa.
* MNAME in SOA on ns1 equal to ns1
* MNAME in SOA on ns2 equal to ns2
### MULTIPLE-SOA-MNAMES-2
Different SOA MNAME on two servers and a third not responding server
* Zone: multiple-soa-mnames-2.consistency06.xa.
* MNAME in SOA on ns1 equal to ns1
* MNAME in SOA on ns2 equal to ns2
* Also delegated to ns3, for which there is no response.
### MULT-SOA-MNAMES-NO-DEL-UNDEL-1
Zone not delegated, but there is an undelegated version. Different SOA MNAME on
the servers.
* Zone: mult-soa-mnames-no-del-undel-1.consistency06.xa.
* MNAME in SOA on ns1 equal to ns1
* MNAME in SOA on ns2 equal to ns2
* Undelegated data:
* ns1.mult-soa-mnames-no-del-undel-1.consistency06.xa/IPv4
* ns1.mult-soa-mnames-no-del-undel-1.consistency06.xa/IPv6
* ns2.mult-soa-mnames-no-del-undel-1.consistency06.xa/IPv4
* ns2.mult-soa-mnames-no-del-undel-1.consistency06.xa/IPv6
### MULT-SOA-MNAMES-NO-DEL-UNDEL-2
Zone not delegated, but there is an undelegated version. Different SOA MNAME on
the servers. NS are out-of-bailiwick.
* Zone: mult-soa-mnames-no-del-undel-2.consistency06.xa.
* NS are out-of-bailiwick, "ns3.mult-soa-mnames-no-del-undel-2.consistency06.xb"
and "ns4.mult-soa-mnames-no-del-undel-2.consistency06.xb".
* MNAME in SOA on ns3 equal to ns3
* MNAME in SOA on ns4 equal to ns4
* Undelegated data:
* ns3.mult-soa-mnames-no-del-undel-2.consistency06.xb
* ns4.mult-soa-mnames-no-del-undel-2.consistency06.xb
### NO-RESPONSE
No name server responds.
* Zone: no-response.consistency06.xa.
* ns1 gives no response at all.
* ns2 gives no response at all.
[CONSISTENCY06]: ../../tests/Consistency-TP/consistency06.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
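
Review bot: MULT-SOA-MNAMES-NO-DEL-UNDEL-1 and MULT-SOA-MNAMES-NO-DEL-UNDEL-2 say the zone is not delegated only in their summary sentence; the bullet lists never override the default assumption "All required glue are present in the delegation". Add an explicit "No delegated zone." bullet to both so the setup does not depend on the prose summary. Also, the MULTIPLE-SOA-MNAMES-2 table row has "MULTIPLE_SOA_MNAMES,NO_RESPONSE" without a space after the comma, unlike the other rows.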

View File

@@ -0,0 +1,11 @@
# Specification of test scenarios for DNSSEC-TP
Test scenario specifications are available for:
* [DNSSEC01](dnssec01.md)
* [DNSSEC03](dnssec03.md)
* [DNSSEC05](dnssec05.md)
* [DNSSEC07](dnssec07.md)
* [DNSSEC10](dnssec10.md)
* [DNSSEC16](dnssec16.md)

View File

@@ -0,0 +1,311 @@
# Specification of Test Scenarios for DNSSEC01
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [DNSSEC01].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC01] is run on a test zone. The
message tags are defined in the test case ([DNSSEC01]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`dnssec01.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [DNSSEC01] for the specification of the tags.
* DS01_DS_ALGO_2_MISSING
* DS01_DS_ALGO_DEPRECATED
* DS01_DS_ALGO_NOT_DS
* DS01_DS_ALGO_OK
* DS01_DS_ALGO_PRIVATE
* DS01_DS_ALGO_RESERVED
* DS01_DS_ALGO_UNASSIGNED
* DS01_NO_RESPONSE
* DS01_PARENT_SERVER_NO_DS
* DS01_PARENT_ZONE_NO_DS
* DS01_ROOT_N_NO_UNDEL_DS
* DS01_UNDEL_N_NO_UNDEL_DS
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
| Scenario name | Mandatory tags | Forbidden tags |
|:----------------------|:---------------------------------------------------------------|:---------------|
| ALGO-DEPRECATED-1 | DS01_DS_ALGO_DEPRECATED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-DEPRECATED-3 | DS01_DS_ALGO_DEPRECATED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-NOT-DS-0 | DS01_DS_ALGO_NOT_DS, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-OK-2 | DS01_DS_ALGO_OK | 2) |
| ALGO-OK-4 | DS01_DS_ALGO_OK, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-OK-5 | DS01_DS_ALGO_OK, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-OK-6 | DS01_DS_ALGO_OK, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-PRIVATE-253 | DS01_DS_ALGO_PRIVATE, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-PRIVATE-254 | DS01_DS_ALGO_PRIVATE, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-RESERVED-128 | DS01_DS_ALGO_RESERVED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-RESERVED-188 | DS01_DS_ALGO_RESERVED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-RESERVED-252 | DS01_DS_ALGO_RESERVED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-UNASSIGNED-7 | DS01_DS_ALGO_UNASSIGNED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-UNASSIGNED-67 | DS01_DS_ALGO_UNASSIGNED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-UNASSIGNED-127 | DS01_DS_ALGO_UNASSIGNED, DS01_DS_ALGO_2_MISSING | 2) |
| MIXED-ALGO-1 | DS01_DS_ALGO_DEPRECATED, DS01_DS_ALGO_PRIVATE, DS01_DS_ALGO_OK | 2) |
| SHARED-IP-1 | DS01_DS_ALGO_OK | 2) |
| SHARED-IP-2 | DS01_DS_ALGO_OK | 2) |
| NO-RESPONSE-1 | DS01_NO_RESPONSE | 2) |
| NO-VALID-RESPONSE-1 | DS01_NO_RESPONSE | 2) |
| PARENT-SERVER-NO-DS-1 | DS01_PARENT_SERVER_NO_DS, DS01_DS_ALGO_OK | 2) |
| PARENT-ZONE-NO-DS-1 | DS01_PARENT_ZONE_NO_DS | 2) |
| UNDEL-NO-UNDEL-DS-1 | DS01_UNDEL_N_NO_UNDEL_DS | 2) |
| UNDEL-WITH-UNDEL-DS-1 | DS01_DS_ALGO_OK | 2) |
| ROOT-NO-UNDEL-DS-1 | DS01_ROOT_N_NO_UNDEL_DS | 2) |
| ROOT-WITH-UNDEL-DS-1 | DS01_DS_ALGO_OK | 2) |
* (1) All tags except for those specified as "Forbidden tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
* The child zone is `SCENARIO.dnssec01.xa`.
* It is delegated to two name servers, `ns1.SCENARIO.dnssec01.xa`
and `ns2.SCENARIO.dnssec01.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* The delegation of the child zone is to an OOB NS.
* NS can be resolved through the `dnssec01.xa` zone.
* There is a zone file for the child zone.
* All child zone servers give the same response.
* The only responses that can be assumed are queries for
* NS
* SOA
* The parent zone will respond with one DS record per child zone.
* The parent zone is `dnssec01.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
* The DS digest algorithm is 2 unless specified for the scenario.
* The DS record can be technically invalid. Only the format is valid and
only the digest algorithm value is checked.
* The zone is not signed.
### ALGO-DEPRECATED-1
The DS digest algorithm number is 1
* Zone: algo-deprecated-1.dnssec01.xa.
* The algorithm of the DS digest in the response is 1.
### ALGO-DEPRECATED-3
The DS digest algorithm number is 3
* Zone: algo-deprecated-3.dnssec01.xa.
* The algorithm of the DS digest in the response is 3.
### ALGO-RESERVED-128
The DS digest algorithm number is 128
* Zone: algo-reserved-128.dnssec01.xa.
* The algorithm of the DS digest in the response is 128.
### ALGO-RESERVED-188
The DS digest algorithm number is 188
* Zone: algo-reserved-188.dnssec01.xa.
* The algorithm of the DS digest in the response is 188.
### ALGO-RESERVED-252
The DS digest algorithm number is 252
* Zone: algo-reserved-252.dnssec01.xa.
* The algorithm of the DS digest in the response is 252.
### ALGO-UNASSIGNED-7
The DS digest algorithm number is 7
* Zone: algo-unassigned-7.dnssec01.xa.
* The algorithm of the DS digest in the response is 7.
### ALGO-UNASSIGNED-67
The DS digest algorithm number is 67
* Zone: algo-unassigned-67.dnssec01.xa.
* The algorithm of the DS digest in the response is 67.
### ALGO-UNASSIGNED-127
The DS digest algorithm number is 127
* Zone: algo-unassigned-127.dnssec01.xa.
* The algorithm of the DS digest in the response is 127.
### ALGO-PRIVATE-253
The DS digest algorithm number is 253
* Zone: algo-private-253.dnssec01.xa.
* The algorithm of the DS digest in the response is 253.
### ALGO-PRIVATE-254
The DS digest algorithm number is 254
* Zone: algo-private-254.dnssec01.xa.
* The algorithm of the DS digest in the response is 254.
### ALGO-NOT-DS-0
The DS digest algorithm number is 0
* Zone: algo-not-ds-0.dnssec01.xa.
* The algorithm of the DS digest in the response is 0.
### ALGO-OK-2
The DS digest algorithm number is 2
* Zone: algo-ok-2.dnssec01.xa.
* The algorithm of the DS digest in the response is 2.
### ALGO-OK-4
The DS digest algorithm number is 4
* Zone: algo-ok-4.dnssec01.xa.
* The algorithm of the DS digest in the response is 4.
### ALGO-OK-5
The DS digest algorithm number is 5
* Zone: algo-ok-5.dnssec01.xa.
* The algorithm of the DS digest in the response is 5.
### ALGO-OK-6
The DS digest algorithm number is 6
* Zone: algo-ok-6.dnssec01.xa.
* The algorithm of the DS digest in the response is 6.
### MIXED-ALGO-1
Three DS with different algorithms.
* Zone: mixed-algo-1.dnssec01.xa.
* The response has three DS with different algorithms:
* 1
* 2
* 253
### SHARED-IP-1
Two parent name servers resolv to the same IP address.
* Zone: child.shared-ip-1.dnssec01.xa.
* The parent zone is "shared-ip-1.dnssec01.xa" and the grandparent zone is
"dnssec01.xa".
* The parent is delegated to IB ns1a and ns1b with the same IPv4 and IPv6
addresses.
### SHARED-IP-2
Delegation of parent does not use the same name server name as parent zone.
* Zone: child.shared-ip-2.dnssec01.xa.
* The parent zone is "shared-ip-2.dnssec01.xa" and the grandparent zone is
"dnssec01.xa".
* The parent is delegated to IB ns1 and ns2, but in the parent zone the names
are dns1 and dns2.
* ns1 and dns1 resolve to the same IP addresses.
* ns2 and dns2 resolve to the same IP addresses.
### NO-RESPONSE-1
No response from any of the servers on the DS query.
* Zone: child.no-response-1.dnssec01.xa.
* No response at all from parent ns1 and ns2.
### NO-VALID-RESPONSE-1
No valid response from any of the servers on the DS query.
* Zone: child.no-valid-response-1.dnssec01.xa.
* Response from parent ns1 has RCODE SERVFAIL.
* Response from parent ns2 has RCODE REFUSED.
* Child zone does not exist
### PARENT-SERVER-NO-DS-1
No DS from parent ns1.
* Zone: child.parent-server-no-ds-1.dnssec01.xa.
* Response from parent ns1 is NODATA (no DS).
* Response from parent ns2 is normal.
### PARENT-ZONE-NO-DS-1
No DS from neither parent ns1 nor parent ns2.
* Zone: parent-zone-no-ds-1.dnssec01.xa.
* Responses from parent ns1 and parent ns2 are NODATA (no DS).
### UNDEL-NO-UNDEL-DS-1
Zone is not delegated, but undelegated data is provided. No DS.
* Zone: undel-no-undel-ds-1.dnssec01.xa.
* The zone is not delegated, but there is undelegated data.
* ns1 and ns2 are OOB.
* No undelegated DS is provided.
### UNDEL-WITH-UNDEL-DS-1
Zone is not delegated, but undelegated data is provided with DS.
* Zone: undel-with-undel-ds-1.dnssec01.xa.
* The zone is not delegated, but there is undelegated data.
* ns1 and ns2 are OOB.
* Undelegated DS is provided.
### ROOT-NO-UNDEL-DS-1
Zone is the root zone, and no undelegated DS is provided.
* Zone: "."
* ns1 and ns2 are IB.
* The zone exists.
### ROOT-WITH-UNDEL-DS-1
Zone is the root zone, and undelegated DS is provided.
* Zone: "."
* ns1 and ns2 are IB.
* The zone exists.
[DNSSEC01]: ../../tests/DNSSEC-TP/dnssec01.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
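
Review bot: ROOT-NO-UNDEL-DS-1 and ROOT-WITH-UNDEL-DS-1 have identical bullet lists (Zone: ".", ns1 and ns2 are IB, the zone exists); the one thing that separates them, whether undelegated DS is provided, appears only in the summary line. Add "No undelegated DS is provided." and "Undelegated DS is provided." bullets, as the UNDEL-NO-UNDEL-DS-1 and UNDEL-WITH-UNDEL-DS-1 sections already do. In the tag table the Forbidden tags column reads "2)" while the footnotes are written "(1)" and "(2)"; use one notation. The default configuration names the child's servers `ns1.SCENARIO.dnssec01.xa` and `ns2.SCENARIO.dnssec01.xa` and then says the delegation is to an OOB NS, which needs a clarifying sentence because those names sit under the child zone. "resolv" in SHARED-IP-1 should be "resolve".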

View File

@@ -0,0 +1,197 @@
# Specification of test zones for DNSSEC03
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
* [Terminology](#terminology)
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [DNSSEC03].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC03] is run on a test zone. The
message tags are defined in the test case ([DNSSEC03]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`dnssec03.xa`) and that subdomain having the same name as the
scenario except where the test domain must be the root zone, a TLD or a domain
under `.arpa`. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tags | Forbidden message tags
:----------------------------|:--------------------------------------------------|:-------------------------------------------
NO-DNSSEC-SUPPORT | DS03_NO_DNSSEC_SUPPORT | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
NO-NSEC3 | DS03_NO_NSEC3 | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NO_DNSSEC_SUPPORT, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
GOOD-VALUES | DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
ERR-MULT-NSEC3 | DS03_ERR_MULT_NSEC3, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
BAD-VALUES | DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD | DS03_ERR_MULT_NSEC3, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
INCONSISTENT-VALUES | DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD | DS03_ERR_MULT_NSEC3, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
NSEC3-OPT-OUT-ENABLED-TLD | DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
SERVER-NO-DNSSEC-SUPPORT | DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
SERVER-NO-NSEC3 | DS03_SERVER_NO_NSEC3, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
UNASSIGNED-FLAG-USED | DS03_UNASSIGNED_FLAG_USED, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
ERROR-RESPONSE-NSEC-QUERY | DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED, DS03_ERROR_RESPONSE_NSEC_QUERY | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_NO_RESPONSE_NSEC_QUERY
NO-RESPONSE-NSEC-QUERY | DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NO_RESPONSE_NSEC_QUERY | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY
ERROR-NSEC-QUERY | DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED
## Zone setup for test scenarios
Assumptions for the scenario specifications, unless stated otherwise for the
specific scenario:
1. Each zone is hosted by two NS, ns1 and ns2.
2. Both ns have equal hosting.
3. NS in delegation is equal to NS in zone.
4. All responses are authoritative.
5. RRSIG in responses are disregarded.
6. The actual owner name of the NSEC3 record will not be verified.
7. The record type list of the NSEC3 record will not be verified.
8. The zone is to respond with one SOA record with the zone name as owner name
on SOA query.
9. The zone is to respond with one DNSKEY record with the zone name as owner
name on DNSKEY query.
10. The zone is to respond with one NSEC3 record with a hash owner name in
authority section on NSEC query (note, NSEC not NSEC3). NODATA response.
11. The NSEC3 record is to have the following settings:
* Hash algo = 1
* Flags = 0
* Iteration = 0
* Salt = "-" (no salt)
### NO-DNSSEC-SUPPORT
No DNSSEC support in the zone.
* Zone: "no-dnssec-support.dnssec03.xa."
* No DNSKEY in query for DNSKEY (9).
### NO-NSEC3
No NSEC3 support in the zone.
* Zone: "no-nsec3.dnssec03.xa."
* No NSEC3 in query for NSEC (10).
### GOOD-VALUES
Happy path
* Zone: "good-values.dnssec03.xa."
### ERR-MULT-NSEC3
Strange response with two NSEC3 records.
* Zone: "err-mult-nsec3.dnssec03.xa."
* Two NSEC3 records, with different hash owner name are to be included in the
response. RDATA can be identical. (10)
### BAD-VALUES
The NSEC3 record has values no permitted by RFC 9276, see the specification of
test case [DNSSEC03].
* Zone: "bad-values.dnssec03.xa."
* The following values in NSEC3 (11):
* Hash algo = 2
* Flags = 1
* Iteration = 1
* Salt = "8104"
### INCONSISTENT-VALUES
The NSEC3 records returned from the two NS are not equal.
* Zone: "inconsistent-values.dnssec03.xa."
* Both NS give the same owner name of the NSEC3 record, but
ns1 gives standard values, whereas ns2 responds with an NSEC3 record with
the following values: (2, 11)
* Hash algo = 2
* Flags = 1
* Iteration = 1
* Salt = "8104"
### NSEC3-OPT-OUT-ENABLED-TLD
On a TLD, opt-out just gives an INFO message.
* Zone: "nsec3-opt-out-enabled-tld-dnssec03." (TLD)
* NSEC3 record with the following value: (11)
* Flags = 1
### SERVER-NO-DNSSEC-SUPPORT
One NS of two does not support DNSSEC (no DNSKEY)
* Zone: "server-no-dnssec-support.dnssec03.xa"
* ns2 does not return any DNSKEY record on DNSKEY query (2, 9)
### SERVER-NO-NSEC3
One NS of two does not have NSEC3
* Zone: "server-no-nsec3.dnssec03.xa"
* ns2 does not return any NSEC3 record on NSEC query (2, 10)
### UNASSIGNED-FLAG-USED
Unassigned flag used.
* Zone: "unassigned-flag-used.dnssec03.xa"
* NSEC3 record with the following value: (11)
* Flags = 2
### ERROR-RESPONSE-NSEC-QUERY
Error in response from one NS on NSEC query.
* Zone: "error-response-nsec-query.dnssec03.xa"
* Normal response on DNSKEY query from ns1.
* RCODE name SERVFAIL on NSEC query from ns1.
* Normal responses from ns2.
### NO-RESPONSE-NSEC-QUERY
No response from one NS on NSEC query.
* Zone: "no-response-nsec-query.dnssec03.xa"
* Normal responses from ns1.
* Normal response on DNSKEY query from ns2.
* No response on NSEC query from ns2.
### ERROR-NSEC-QUERY
No response and error in response on NSEC query, respectively, from two NS.
* Zone: "error-nsec-query.dnssec03.xa"
* Normal response on DNSKEY query from ns1 and ns2.
* RCODE name SERVFAIL on NSEC query from ns1.
* No response on NSEC query from ns2.
[DNSSEC03]: ../../tests/DNSSEC-TP/dnssec03.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Well Formed CDS Record]: #terminology
[Well Formed DNSKEY Record]: #terminology
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
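
Review bot: The zone names in the setup sections from SERVER-NO-DNSSEC-SUPPORT through ERROR-NSEC-QUERY are written without the trailing dot (for example "server-no-dnssec-support.dnssec03.xa"), while NO-DNSSEC-SUPPORT through INCONSISTENT-VALUES use the fully qualified form ("no-dnssec-support.dnssec03.xa."). Use one form throughout, preferably with the trailing dot, so the names can be copied into zone configuration unchanged. In BAD-VALUES, "values no permitted by RFC 9276" should read "not permitted". The link definitions [Well Formed CDS Record] and [Well Formed DNSKEY Record] point at #terminology, but nothing in the part of the file shown here references them or defines that section; drop them if they were carried over from another specification.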

View File

@@ -0,0 +1,350 @@
# Specification of Test Scenarios for DNSSEC05
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [DNSSEC05].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC05] is run on a test zone. The
message tags are defined in the test case ([DNSSEC05]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`dnssec05.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [DNSSEC05] for the specification of the tags.
* DS05_ALGO_DEPRECATED
* DS05_ALGO_NOT_RECOMMENDED
* DS05_ALGO_NOT_ZONE_SIGN
* DS05_ALGO_OK
* DS05_ALGO_PRIVATE
* DS05_ALGO_RESERVED
* DS05_ALGO_UNASSIGNED
* DS05_NO_RESPONSE
* DS05_SERVER_NO_DNSSEC
* DS05_ZONE_NO_DNSSEC
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
| Scenario name | Mandatory message tags | Forbidden message tags |
|:------------------------|:--------------------------------------------------------------|:-----------------------|
| ALGO-DEPRECATED-1 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-3 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-5 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-6 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-7 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-12 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-NOT-RECOMMENDED-10 | DS05_ALGO_NOT_RECOMMENDED | 2) |
| ALGO-NOT-ZONE-SIGN-0 | DS05_ALGO_NOT_ZONE_SIGN | 2) |
| ALGO-NOT-ZONE-SIGN-2 | DS05_ALGO_NOT_ZONE_SIGN | 2) |
| ALGO-NOT-ZONE-SIGN-252 | DS05_ALGO_NOT_ZONE_SIGN | 2) |
| ALGO-OK-8 | DS05_ALGO_OK | 2) |
| ALGO-OK-13 | DS05_ALGO_OK | 2) |
| ALGO-OK-14 | DS05_ALGO_OK | 2) |
| ALGO-OK-15 | DS05_ALGO_OK | 2) |
| ALGO-OK-16 | DS05_ALGO_OK | 2) |
| ALGO-OK-17 | DS05_ALGO_OK | 2) |
| ALGO-OK-23 | DS05_ALGO_OK | 2) |
| ALGO-PRIVATE-253 | DS05_ALGO_PRIVATE | 2) |
| ALGO-PRIVATE-254 | DS05_ALGO_PRIVATE | 2) |
| ALGO-RESERVED-4 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-9 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-11 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-123 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-251 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-255 | DS05_ALGO_RESERVED | 2) |
| ALGO-UNASSIGNED-20 | DS05_ALGO_UNASSIGNED | 2) |
| ALGO-UNASSIGNED-122 | DS05_ALGO_UNASSIGNED | 2) |
| MIXED-ALGO-1 | DS05_ALGO_DEPRECATED, DS05_ALGO_NOT_RECOMMENDED, DS05_ALGO_OK | 2) |
| NO-RESPONSE-1 | DS05_NO_RESPONSE | 2) |
| NO-RESPONSE-2 | DS05_NO_RESPONSE | 2) |
| SERVER-NO-DNSSEC-1 | DS05_SERVER_NO_DNSSEC, DS05_ALGO_OK | 2) |
| SHARED-IP-1 | DS05_ALGO_OK | 2) |
| ZONE-NO-DNSSEC-1 | DS05_ZONE_NO_DNSSEC | 2) |
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
* The child zone is `SCENARIO.dnssec05.xa`.
* It is delegated to two name servers, `ns1.SCENARIO.dnssec05.xa`
and `ns2.SCENARIO.dnssec05.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* The delegation of the child zone is to an OOB NS.
* NS can be resolved through the `dnssec05.xa` zone.
* There is a zone file for the child zone.
* All child zone servers give the same response.
* The only responses that can be assumed are queries for
* DNSKEY
* NS
* SOA
* The zone will respond with one DNSKEY record.
* The parent zone is `dnssec05.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
* The DNSKEY algorithm is 13 unless specified for the scenario.
* The DNSKEY record can be technically invalid. Only the format is valid and
only the algorithm value is checked.
* The zone is not signed.
### ALGO-DEPRECATED-1
The DNSKEY algo is 1
* Zone: "algo-deprecated-1.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 1.
### ALGO-DEPRECATED-3
The DNSKEY algo is 3
* Zone: "algo-deprecated-3.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 3.
### ALGO-DEPRECATED-5
The DNSKEY algo is 5
* Zone: "algo-deprecated-5.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 5.
### ALGO-DEPRECATED-6
The DNSKEY algo is 6
* Zone: "algo-deprecated-6.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 6.
### ALGO-DEPRECATED-7
The DNSKEY algo is 7
* Zone: "algo-deprecated-7.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 7.
### ALGO-DEPRECATED-12
The DNSKEY algo is 12
* Zone: "algo-deprecated-12.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 12.
### ALGO-RESERVED-4
The DNSKEY algo is 4
* Zone: "algo-reserved-4.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 4.
### ALGO-RESERVED-9
The DNSKEY algo is 9
* Zone: "algo-reserved-9.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 9.
### ALGO-RESERVED-11
The DNSKEY algo is 11
* Zone: "algo-reserved-11.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 11.
### ALGO-RESERVED-123
The DNSKEY algo is 123
* Zone: "algo-reserved-123.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 123.
### ALGO-RESERVED-251
The DNSKEY algo is 251
* Zone: "algo-reserved-251.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 251.
### ALGO-RESERVED-255
The DNSKEY algo is 255
* Zone: "algo-reserved-255.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 255.
### ALGO-UNASSIGNED-20
The DNSKEY algo is 20
* Zone: "algo-unassigned-17.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 17.
### ALGO-UNASSIGNED-122
The DNSKEY algo is 122
* Zone: "algo-unassigned-122.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 122.
### ALGO-PRIVATE-253
The DNSKEY algo is 253
* Zone: "algo-private-253.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 253.
### ALGO-PRIVATE-254
The DNSKEY algo is 254
* Zone: "algo-private-254.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 254.
### ALGO-NOT-ZONE-SIGN-0
The DNSKEY algo is 0
* Zone: "algo-not-zone-sign-0.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 0.
### ALGO-NOT-ZONE-SIGN-2
The DNSKEY algo is 2
* Zone: "algo-not-zone-sign-2.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 2.
### ALGO-NOT-ZONE-SIGN-252
The DNSKEY algo is 252
* Zone: "algo-not-zone-sign-252.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 252.
### ALGO-NOT-RECOMMENDED-10
The DNSKEY algo is 10
* Zone: "algo-not-recommended-10.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 10.
### ALGO-OK-8
The DNSKEY algo is 8
* Zone: "algo-ok-8.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 8.
### ALGO-OK-13
The DNSKEY algo is 13
* Zone: "algo-ok-13.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 13.
### ALGO-OK-14
The DNSKEY algo is 14
* Zone: "algo-ok-14.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 14.
### ALGO-OK-15
The DNSKEY algo is 15
* Zone: "algo-ok-15.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 15.
### ALGO-OK-16
The DNSKEY algo is 16
* Zone: "algo-ok-16.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 16.
### ALGO-OK-17
The DNSKEY algo is 17
* Zone: "algorithm-ok-17.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 17.
### ALGO-OK-23
The DNSKEY algo is 23
* Zone: "algorithm-ok-23.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 23.
## MIXED-ALGO-1
Three DNSKEY with different algorithms.
* Zone: "mixed-algo-1.dnssec05.xa."
* The response has three DNSKEY with different algorithms:
* 7
* 10
* 13
### NO-RESPONSE-1
No valid response from any of the servers.
* Zone: "no-response-1.dnssec05.xa."
* No response at all from ns1.
* Response from ns2 does not have the AA bit set.
### NO-RESPONSE-2
No valid response from any of the servers.
* Zone: "no-response-2.dnssec05.xa."
* Response from ns1 has RCODE SERVFAIL.
* Response from ns2 has RCODE REFUSED.
### SERVER-NO-DNSSEC-1
No DNSKEY from ns1.
* Zone: "server-no-dnssec-1.dnssec05.xa."
* Response from ns1 is NODATA (no DNSKEY).
* Response from ns2 is normal.
### SHARED-IP-1
Two NS names, but only one IP. IPv4 only.
* Zone: "shared-ip-1.dnssec05.xa."
* ns1a and ns1b are in bailiwick, but use the same IP.
* IPv4 only.
* The message should list both name server names, both with the same IP.
### ZONE-NO-DNSSEC-1
No DNSKEY from neither ns1 nor ns2.
* Zone: "zone-no-dnssec-1.dnssec05.xa."
* Responses from ns1 and ns2 are NODATA (no DNSKEY).
[DNSSEC05]: ../../tests/DNSSEC-TP/dnssec05.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
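
Review bot: The ALGO-UNASSIGNED-20 section contradicts itself: the heading and summary say algorithm 20, but the bullets give the zone as "algo-unassigned-17.dnssec05.xa." and state "The algorithm of the DNSKEY in the response is 17.", and 17 is already covered by ALGO-OK-17. Both bullets should say 20, which also satisfies the rule under "Test zone names" that the subdomain has the same name as the scenario. That rule is broken as well in ALGO-OK-17 and ALGO-OK-23, whose zones are "algorithm-ok-17.dnssec05.xa." and "algorithm-ok-23.dnssec05.xa." instead of algo-ok-17 and algo-ok-23. MIXED-ALGO-1 is a level-2 heading ("## MIXED-ALGO-1") where every other scenario uses "###". The [Zone setup for test scenarios] link definition has no matching heading in this file and can be removed.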

View File

@@ -0,0 +1,204 @@
# Specification of Test Scenarios for DNSSEC07
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [DNSSEC07].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC07] is run on a test zone. The
message tags are defined in the test case ([DNSSEC07]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`dnssec07.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [DNSSEC07] for the specification of the tags.
* DS07_DS_FOR_SIGNED_ZONE
* DS07_DS_ON_PARENT_SERVER
* DS07_INCONSISTENT_DS
* DS07_INCONSISTENT_SIGNED
* DS07_NON_AUTH_RESPONSE_DNSKEY
* DS07_NOT_SIGNED
* DS07_NOT_SIGNED_ON_SERVER
* DS07_NO_DS_ON_PARENT_SERVER
* DS07_NO_DS_FOR_SIGNED_ZONE
* DS07_NO_RESPONSE_DNSKEY
* DS07_SIGNED
* DS07_SIGNED_ON_SERVER
* DS07_UNEXP_RCODE_RESP_DNSKEY
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
| Scenario name | Mandatory tags | Forbidden tags |
|:---------------------------|:---------------------------------------------------------------------------------------------------------------------|:---------------|
| SIGNED-AND-DS-1 | DS07_DS_FOR_SIGNED_ZONE, DS07_DS_ON_PARENT_SERVER, DS07_SIGNED, DS07_SIGNED_ON_SERVER | 2) |
| SIGNED-NO-DS-1 | DS07_NO_DS_ON_PARENT_SERVER, DS07_NO_DS_FOR_SIGNED_ZONE, DS07_SIGNED, DS07_SIGNED_ON_SERVER | 2) |
| INCONSIST-SIGNED-AND-DS-1 | DS07_DS_ON_PARENT_SERVER, DS07_INCONSISTENT_SIGNED, DS07_NOT_SIGNED_ON_SERVER, DS07_SIGNED_ON_SERVER | 2) |
| INCONSIST-SIGNED-NO-DS-1 | DS07_INCONSISTENT_SIGNED, DS07_NOT_SIGNED_ON_SERVER, DS07_NO_DS_ON_PARENT_SERVER, DS07_SIGNED_ON_SERVER | 2) |
| SIGNED-AND-INCONSIST-DS-1 | DS07_DS_ON_PARENT_SERVER, DS07_INCONSISTENT_DS, DS07_NO_DS_ON_PARENT_SERVER, DS07_SIGNED, DS07_SIGNED_ON_SERVER | 2) |
| UNSIGNED-AND-DS-1 | DS07_NOT_SIGNED, DS07_NOT_SIGNED_ON_SERVER | 2) |
| UNSIGNED-NO-DS-1 | DS07_NOT_SIGNED, DS07_NOT_SIGNED_ON_SERVER | 2) |
| NON-AUTH-RESPONSE-DNSKEY-1 | DS07_NON_AUTH_RESPONSE_DNSKEY, DS07_SIGNED, DS07_SIGNED_ON_SERVER, DS07_DS_ON_PARENT_SERVER, DS07_DS_FOR_SIGNED_ZONE | 2) |
| NO-RESPONSE-DNSKEY-1 | DS07_SIGNED, DS07_SIGNED_ON_SERVER, DS07_NO_RESPONSE_DNSKEY, DS07_DS_ON_PARENT_SERVER, DS07_DS_FOR_SIGNED_ZONE | 2) |
| UNEXP-RCODE-RESP-DNSKEY-1 | DS07_SIGNED, DS07_SIGNED_ON_SERVER, DS07_UNEXP_RCODE_RESP_DNSKEY, DS07_DS_ON_PARENT_SERVER, DS07_DS_FOR_SIGNED_ZONE | 2) |
* (1) All tags except for those specified as "Forbidden tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
* The child zone is `SCENARIO.dnssec07.xa`.
* It is delegated to two name servers, `ns1.SCENARIO.dnssec07.xa`
and `ns2.SCENARIO.dnssec07.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* The delegation of the child zone is to an IB NS.
* There is a zone file for the child zone.
* All child zone servers give the same response.
* The only responses, with data queried for, to the child zone that can be assumed are queries for
* NS
* SOA
* DNSKEY
* Response on DNSKEY query will include RRSIG, others will not.
* The parent zone is `dnssec07.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* The parent zone will respond with one DS record per child zone.
* The only responses to the parent zone that can be assumed are queries for
* NS
* SOA
* DNSKEY
* delegation of the child
* DS for child
* Response on DS query will include RRSIG, others will not.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
* The DS digest algorithm is 2.
* The DS will not correctly match DNSKEY.
* The zones are not signed.
### SIGNED-AND-DS-1
All is good with signed zone and DS record in parent.
* Zone: signed-and-ds-1.dnssec07.xa.
* All default settings.
### SIGNED-NO-DS-1
The child zone is signed, but no DS in parent.
* Zone: signed-no-ds-1.dnssec07.xa.
* The child zone has default settings.
* The parent zone has no DS for the child zone.
### INCONSIST-SIGNED-AND-DS-1
The child is signed on ns1 but not on ns2.
* Zone: inconsist-signed-and-ds-1.dnssec07.xa.
* Response from ns1 with DNSKEY.
* Response from ns2 without DNSKEY.
### INCONSIST-SIGNED-NO-DS-1
The child is signed on ns1 but not on ns2.
* Zone: inconsist-signed-no-ds-1.dnssec07.xa.
* Response from ns1 with DNSKEY.
* Response from ns2 without DNSKEY.
* Parent provides no DS.
### SIGNED-AND-INCONSIST-DS-1
Parent provides DS on one server, but not the other.
* Zone: child.signed-and-inconsist-ds-1.dnssec07.xa.
* Grandparent zone is dnssec07.xa.
* Parent zone is signed-and-inconsist-ds-1.dnssec07.xa.
* ns1 provides DS, ns2 does not.
* Child zone is child.signed-and-inconsist-ds-1.dnssec07.xa.
* Child zone is signed.
### UNSIGNED-AND-DS-1
Both NS respond with no DNSKEY. Parent has NS but it is disregarded.
* Zone: unsigned-and-ds-1.dnssec07.xa.
* ns1 and ns2 respond with NO DATA on DNSKEY query.
* Parent provides DS record, but it is not expected to be queried for.
### UNSIGNED-NO-DS-1
Both NS respond with no DNSKEY. Parent has NS but it is disregarded.
* Zone: unsigned-no-ds-1.dnssec07.xa.
* ns1 and ns2 respond with NODATA on DNSKEY query.
* Parent provides no DS record, but it is not expected to be queried for.
### NON-AUTH-RESPONSE-DNSKEY-1
One server responds with non-authoritative DNSKEY response.
* Zone: non-auth-response-dnskey-1.dnssec07.xa.
* ns1 responds with AA bit unset on DNSKEY query.
* Other queries have normal responses.
* Normal responses from ns2.
### NO-RESPONSE-DNSKEY-1
One server does not respond on DNSKEY query.
* Zone: no-response-dnskey-1.dnssec07.xa.
* ns1 does not respond on the DNSKEY query.
* Other queries have normal responses.
* Normal responses from ns2.
### UNEXP-RCODE-RESP-DNSKEY-1
One server give unexpected RCODE in response on DNSKEY query.
* Zone: unexp-rcode-resp-dnskey-1.dnssec07.xa.
* ns1 responds with RCODE REFUSED on the DNSKEY query.
* Other queries have normal responses.
* Normal responses from ns2.
[DNSSEC07]: ../../tests/DNSSEC-TP/dnssec07.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
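
Review bot: The summaries of UNSIGNED-AND-DS-1 and UNSIGNED-NO-DS-1 both read "Parent has NS but it is disregarded.", which looks like a copy-paste slip for DS, and in UNSIGNED-NO-DS-1 it contradicts the bullet "Parent provides no DS record". Suggest "Parent has DS but it is disregarded." for the first and "Parent has no DS." for the second. The default configuration ends with "The zones are not signed." while SIGNED-AND-DS-1 uses "All default settings." and requires DS07_SIGNED; if the intent is that only the DNSKEY and DS responses carry RRSIG and the rest of the zone is unsigned, say so explicitly. Smaller points: UNSIGNED-AND-DS-1 writes "NO DATA" where the next section writes "NODATA", and "One server give unexpected RCODE" should be "gives".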

View File

@@ -0,0 +1,634 @@
# Specification of Test Scenarios for DNSSEC10
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [DNSSEC10].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC10] is run on a test zone.
The message tags are defined in the test case ([DNSSEC10]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`dnssec10.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [DNSSEC10] for the specification of the tags.
* DS10_ALGO_NOT_SUPPORTED_BY_ZM
* DS10_ERR_MULT_NSEC
* DS10_ERR_MULT_NSEC3
* DS10_ERR_MULT_NSEC3PARAM
* DS10_EXPECTED_NSEC_NSEC3_MISSING
* DS10_HAS_NSEC
* DS10_HAS_NSEC3
* DS10_INCONSISTENT_NSEC
* DS10_INCONSISTENT_NSEC3
* DS10_INCONSISTENT_NSEC_NSEC3
* DS10_MIXED_NSEC_NSEC3
* DS10_NSEC3PARAM_GIVES_ERR_ANSWER
* DS10_NSEC3PARAM_MISMATCHES_APEX
* DS10_NSEC3PARAM_QUERY_RESPONSE_ERR
* DS10_NSEC3_ERR_TYPE_LIST
* DS10_NSEC3_MISMATCHES_APEX
* DS10_NSEC3_MISSING_SIGNATURE
* DS10_NSEC3_NODATA_MISSING_SOA
* DS10_NSEC3_NODATA_WRONG_SOA
* DS10_NSEC3_NO_VERIFIED_SIGNATURE
* DS10_NSEC3_RRSIG_EXPIRED
* DS10_NSEC3_RRSIG_NOT_YET_VALID
* DS10_NSEC3_RRSIG_NO_DNSKEY
* DS10_NSEC3_RRSIG_VERIFY_ERROR
* DS10_NSEC_ERR_TYPE_LIST
* DS10_NSEC_GIVES_ERR_ANSWER
* DS10_NSEC_MISMATCHES_APEX
* DS10_NSEC_MISSING_SIGNATURE
* DS10_NSEC_NODATA_MISSING_SOA
* DS10_NSEC_NODATA_WRONG_SOA
* DS10_NSEC_NO_VERIFIED_SIGNATURE
* DS10_NSEC_QUERY_RESPONSE_ERR
* DS10_NSEC_RRSIG_EXPIRED
* DS10_NSEC_RRSIG_NOT_YET_VALID
* DS10_NSEC_RRSIG_NO_DNSKEY
* DS10_NSEC_RRSIG_VERIFY_ERROR
* DS10_SERVER_NO_DNSSEC
* DS10_ZONE_NO_DNSSEC
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:------------------------------|:-----------------------------------------------------------------------------|:--------------------
GOOD-NSEC-1 | DS10_HAS_NSEC | 2)
GOOD-NSEC-2 | DS10_HAS_NSEC | 2)
GOOD-NSEC-3 | DS10_HAS_NSEC | 2)
GOOD-NSEC3-1 | DS10_HAS_NSEC3 | 2)
GOOD-NSEC3-2 | DS10_HAS_NSEC3 | 2)
GOOD-NSEC3-3 | DS10_HAS_NSEC3 | 2)
ALGO-NOT-SUPP-BY-ZM-1 | DS10_ALGO_NOT_SUPPORTED_BY_ZM, DS10_HAS_NSEC | 2)
ALGO-NOT-SUPP-BY-ZM-2 | DS10_ALGO_NOT_SUPPORTED_BY_ZM, DS10_HAS_NSEC3 | 2)
BAD-SERVERS-BUT-GOOD-NSEC-1 | DS10_HAS_NSEC | 2)
ERR-MULT-NSEC-1 | DS10_ERR_MULT_NSEC, DS10_HAS_NSEC | 2)
ERR-MULT-NSEC-2 | DS10_ERR_MULT_NSEC, DS10_HAS_NSEC | 2)
ERR-MULT-NSEC3-1 | DS10_ERR_MULT_NSEC3, DS10_HAS_NSEC3 | 2)
ERR-MULT-NSEC3PARAM-1 | DS10_ERR_MULT_NSEC3PARAM, DS10_HAS_NSEC3 | 2)
EXP-NSEC-NSEC3-MISS-1 | DS10_EXPECTED_NSEC_NSEC3_MISSING | 2)
INCONSISTENT-NSEC-1 | DS10_INCONSISTENT_NSEC, DS10_HAS_NSEC | 2)
INCONSISTENT-NSEC3-1 | DS10_INCONSISTENT_NSEC3, DS10_HAS_NSEC3 | 2)
INCONSIST-NSEC-NSEC3-1 | DS10_INCONSISTENT_NSEC_NSEC3 | 2)
INCONSIST-NSEC-NSEC3-2 | DS10_INCONSISTENT_NSEC_NSEC3, DS10_INCONSISTENT_NSEC, DS10_INCONSISTENT_NSEC3| 2)
MIXED-NSEC-NSEC3-1 | DS10_MIXED_NSEC_NSEC3 | 2)
MIXED-NSEC-NSEC3-2 | DS10_MIXED_NSEC_NSEC3 | 2)
NSEC3PARAM-GIVES-ERR-ANSWER-1 | DS10_NSEC3PARAM_GIVES_ERR_ANSWER, DS10_HAS_NSEC3, DS10_INCONSISTENT_NSEC3 | 2)
NSEC3PARAM-GIVES-ERR-ANSWER-2 | DS10_NSEC3PARAM_GIVES_ERR_ANSWER, DS10_EXPECTED_NSEC_NSEC3_MISSING, DS10_INCONSISTENT_NSEC3, DS10_HAS_NSEC3 | 2)
NSEC3PARAM-MISMATCHES-APEX-1 | DS10_NSEC3PARAM_MISMATCHES_APEX, DS10_HAS_NSEC3 | 2)
NSEC3PARAM-Q-RESPONSE-ERR-1 | DS10_NSEC3PARAM_QUERY_RESPONSE_ERR, DS10_HAS_NSEC3, DS10_INCONSISTENT_NSEC3 | 2)
NSEC3PARAM-Q-RESPONSE-ERR-2 | DS10_NSEC3PARAM_QUERY_RESPONSE_ERR, DS10_HAS_NSEC3, DS10_INCONSISTENT_NSEC3 | 2)
NSEC3PARAM-Q-RESPONSE-ERR-3 | DS10_NSEC3PARAM_QUERY_RESPONSE_ERR, DS10_EXPECTED_NSEC_NSEC3_MISSING, DS10_INCONSISTENT_NSEC3 | 2)
NSEC3-ERR-TYPE-LIST-1 | DS10_NSEC3_ERR_TYPE_LIST, DS10_HAS_NSEC3 | 2)
NSEC3-ERR-TYPE-LIST-2 | DS10_NSEC3_ERR_TYPE_LIST, DS10_HAS_NSEC3 | 2)
NSEC3-MISMATCHES-APEX-1 | DS10_NSEC3_MISMATCHES_APEX, DS10_HAS_NSEC3 | 2)
NSEC3-MISSING-SIGNATURE-1 | DS10_NSEC3_MISSING_SIGNATURE, DS10_HAS_NSEC3 | 2)
NSEC3-NODATA-MISSING-SOA-1 | DS10_NSEC3_NODATA_MISSING_SOA, DS10_HAS_NSEC3 | 2)
NSEC3-NODATA-WRONG-SOA-1 | DS10_NSEC3_NODATA_WRONG_SOA, DS10_HAS_NSEC3 | 2)
NSEC3-NO-VERIFIED-SIGNATURE-1 | DS10_NSEC3_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC3, DS10_NSEC3_RRSIG_NO_DNSKEY | 2)
NSEC3-NO-VERIFIED-SIGNATURE-2 | DS10_NSEC3_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC3, DS10_NSEC3_RRSIG_EXPIRED | 2)
NSEC3-NO-VERIFIED-SIGNATURE-3 | DS10_NSEC3_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC3, DS10_NSEC3_RRSIG_NOT_YET_VALID | 2)
NSEC3-NO-VERIFIED-SIGNATURE-4 | DS10_NSEC3_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC3, DS10_NSEC3_RRSIG_VERIFY_ERROR | 2)
NSEC-ERR-TYPE-LIST-1 | DS10_NSEC_ERR_TYPE_LIST, DS10_HAS_NSEC | 2)
NSEC-ERR-TYPE-LIST-2 | DS10_NSEC_ERR_TYPE_LIST, DS10_HAS_NSEC | 2)
NSEC-GIVES-ERR-ANSWER-1 | DS10_NSEC_GIVES_ERR_ANSWER, DS10_HAS_NSEC, DS10_INCONSISTENT_NSEC | 2)
NSEC-GIVES-ERR-ANSWER-2 | DS10_NSEC_GIVES_ERR_ANSWER, DS10_EXPECTED_NSEC_NSEC3_MISSING, DS10_INCONSISTENT_NSEC, DS10_HAS_NSEC | 2)
NSEC-MISMATCHES-APEX-1 | DS10_NSEC_MISMATCHES_APEX, DS10_HAS_NSEC | 2)
NSEC-MISMATCHES-APEX-2 | DS10_NSEC_MISMATCHES_APEX, DS10_HAS_NSEC | 2)
NSEC-MISSING-SIGNATURE-1 | DS10_NSEC_MISSING_SIGNATURE, DS10_HAS_NSEC | 2)
NSEC-NODATA-MISSING-SOA-1 | DS10_NSEC_NODATA_MISSING_SOA, DS10_HAS_NSEC | 2)
NSEC-NODATA-WRONG-SOA-1 | DS10_NSEC_NODATA_WRONG_SOA, DS10_HAS_NSEC | 2)
NSEC-NO-VERIFIED-SIGNATURE-1 | DS10_NSEC_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC, DS10_NSEC_RRSIG_NO_DNSKEY | 2)
NSEC-NO-VERIFIED-SIGNATURE-2 | DS10_NSEC_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC, DS10_NSEC_RRSIG_EXPIRED | 2)
NSEC-NO-VERIFIED-SIGNATURE-3 | DS10_NSEC_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC, DS10_NSEC_RRSIG_NOT_YET_VALID| 2)
NSEC-NO-VERIFIED-SIGNATURE-4 | DS10_NSEC_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC, DS10_NSEC_RRSIG_VERIFY_ERROR | 2)
NSEC-QUERY-RESPONSE-ERR-1 | DS10_NSEC_QUERY_RESPONSE_ERR, DS10_HAS_NSEC, DS10_INCONSISTENT_NSEC | 2)
NSEC-QUERY-RESPONSE-ERR-2 | DS10_NSEC_QUERY_RESPONSE_ERR, DS10_HAS_NSEC, DS10_INCONSISTENT_NSEC | 2)
NSEC-QUERY-RESPONSE-ERR-3 | DS10_NSEC_QUERY_RESPONSE_ERR, DS10_EXPECTED_NSEC_NSEC3_MISSING, DS10_INCONSISTENT_NSEC | 2)
SERVER-NO-DNSSEC-1 | DS10_SERVER_NO_DNSSEC, DS10_HAS_NSEC | 2)
SERVER-NO-DNSSEC-2 | DS10_SERVER_NO_DNSSEC, DS10_HAS_NSEC3 | 2)
ZONE-NO-DNSSEC-1 | DS10_ZONE_NO_DNSSEC | 2)
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
* The child zone is `SCENARIO.dnssec10.xa`.
* It is delegated to two name servers, `ns1.SCENARIO.dnssec10.xa`
and `ns2.SCENARIO.dnssec10.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* The delegation of the child zone is complete with glue records.
* There is a zone file for the child zone.
* All child zone servers give the same response.
* The responses are either with NSEC record (NSEC zone) or NSEC3 record (NSEC3
zone), not mixed.
* The parent zone is `dnssec10.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* If the child zone is an NSEC zone:
* Responds with an NSEC response on the NSEC3PARAM query.
* Responds with an NSEC record in answer section on the NSEC query.
* If the child zone is an NSEC3 zone:
* Responds with an NSEC3 response on the NSEC query.
* Responds with an NSEC3PARAM record in answer section on the NSEC3PARAM query.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
### GOOD-NSEC-1
An NSEC zone and a "happy path". Everything is fine.
* Zone: good-nsec-1.dnssec10.xa
### GOOD-NSEC-2
An NSEC zone and a "happy path". Everything is fine besides that the zone
is served on NS names with the same IP addresses which is fine for this test
case.
* Zone: good-nsec-2.dnssec10.xa
* The zone is delegated to ns1a, ns1b and ns1c.
* All three share the same IPv4 and IPv6 address, respectively.
### GOOD-NSEC-3
An NSEC zone and a "happy path". Everything is fine besides that the NS names
in delegation and zone are different. Fine for this test case.
* Zone: good-nsec-3.dnssec10.xa
* Zone NS are to dns1 and dns2.
* dns1 has the same IP addresses as ns1
* dns2 has the same IP addresses as ns2
### GOOD-NSEC3-1
An NSEC3 zone and a "happy path". Everything is fine.
* Zone: good-nsec3-1.dnssec10.xa
### GOOD-NSEC3-2
An NSEC3 zone and a "happy path". Everything is fine besides that the zone
is served on NS names with the same IP addresses which is fine for this test
case.
* Zone: good-nsec3-2.dnssec10.xa
* The zone is delegated to ns1a, ns1b and ns1c.
* All three share the same IPv4 and IPv6 address, respectively.
### GOOD-NSEC3-3
An NSEC3 zone and a "happy path". Everything is fine besides that the NS names
in delegation and zone are different. Fine for this test case.
* Zone: good-nsec3-3.dnssec10.xa
* Zone NS are to dns1 and dns2.
* dns1 has the same IP addresses as ns1
* dns2 has the same IP addresses as ns2
### ALGO-NOT-SUPP-BY-ZM-1
An NSEC zone. Unknown algorithm of a DNSKEY.
* Zone: algo-not-supp-by-zm-1.dnssec10.xa
* There is an extra RRSIG for the NSEC record (as the response to the
NSEC3PARAM query).
* That RRSIG has been created by [algorithm 255][IANA registry], which is
an unsupported private algorithm.
* A matching DNSKEY ([algorithm 255][IANA registry]) is available.
* For this test scenario a fake signature and a fake public key are used.
* The extra DNSKEY is in the DNSKEY RRset which is resigned by the valid
KSK.
### ALGO-NOT-SUPP-BY-ZM-2
An NSEC3 zone. Unknown algorithm of a DNSKEY.
* Zone: algo-not-supp-by-zm-2.dnssec10.xa
* There is an extra RRSIG for the NSEC3 record (as the response to the
NSEC query).
* That RRSIG has been created by [algorithm 255][IANA registry], which is
an unsupported private algorithm.
* A matching DNSKEY ([algorithm 255][IANA registry]) is available.
* For this test scenario a fake signature and a fake public key are used.
* The extra DNSKEY is in the DNSKEY RRset which is resigned by the valid
KSK.
### BAD-SERVERS-BUT-GOOD-NSEC-1
An NSEC zone. Everything is fine except some non-responsive servers.
* Zone: bad-servers-but-good-nsec-1.dnssec10.xa
* The child zone is delegated to ns1, ns2, ns3, ns4 and ns5, all
in-bailiwick with correct glue.
* ns1 and ns2 are correct and work as they should.
* ns3 does not respond on DNSKEY query.
* ns4 responds with REFUSED on DNSKEY query.
* ns5 responds with AA unset on DNSKEY query.
### ERR-MULT-NSEC-1
An NSEC zone. An extra NSEC record is returned on the NSEC3PARAM query.
* Zone: err-mult-nsec-1.dnssec10.xa
* An extra NSEC record is returned in the response to the NSEC3PARAM query.
* The extra NSEC record has the same owner name, but different value in
"Next Domain Name" field.
* RRSIG is recalculated.
### ERR-MULT-NSEC-2
An NSEC zone. An extra NSEC record is returned on the NSEC query.
* Zone: err-mult-nsec-2.dnssec10.xa
* An extra NSEC record is returned in the response to the NSEC query.
* The extra NSEC record has the same owner name, but different value in
"Type List" field.
* RRSIG is recalculated.
### ERR-MULT-NSEC3-1
An NSEC3 zone. An extra NSEC3 record is returned.
* Zone: err-mult-nsec3-1.dnssec10.xa
* An extra NSEC3 record is returned in the response to the NSEC query.
* The extra NSEC3 record has the same hash owner name, but different value in
"Next Hashed Owner Name" field.
* The NSEC3 RRset has been signed with a valid RRSIG.
### ERR-MULT-NSEC3PARAM-1
An NSEC3 zone. An extra NSEC3PARAM record is returned.
* Zone: err-mult-nsec3param-1.dnssec10.xa
* An extra NSEC3PARAM record is returned in the response to the NSEC query.
* The extra NSEC3PARAM record has the same owner name, but different number
of iterations.
* The NSEC3PARAM RRset has been signed with a valid RRSIG.
### EXP-NSEC-NSEC3-MISS-1
A zone without NSEC and NSEC3. There is no NSEC or NSEC3 function.
* Zone: exp-nsec-nsec3-miss-1.dnssec10.xa
* The NSEC query gives a NODATA response with no NSEC or NSEC3 record.
* The NSEC3PARAM query gives a NODATA response with no NSEC or NSEC3 record.
### INCONSISTENT-NSEC-1
An NSEC zone. Some errors in NSEC handling.
* Zone: inconsistent-nsec-1.dnssec10.xa
* ns1 includes no NSEC record in the NODATA response on the NSEC3PARAM query.
* ns2 includes no NSEC record in the NODATA response on the NSEC query.
### INCONSISTENT-NSEC3-1
An NSEC3 zone. Some errors in NSEC3 handling.
* Zone: inconsistent-nsec3-1.dnssec10.xa
* ns1 includes no NSEC3 record in the NODATA response on the NSEC query.
* ns2 includes no NSEC3PARAM or NSEC3 record in the NODATA response on the
NSEC3PARAM query.
### INCONSIST-NSEC-NSEC3-1
Mixing beteen NSEC and NSEC3.
* Zone: inconsist-nsec-nsec3-1.dnssec10.xa
* ns1 holds an NSEC version of the zone.
* ns2 holds an NSEC3 version of the zone.
### INCONSIST-NSEC-NSEC3-2
NSEC on one server and NSEC3 on the other plus errors in NSEC and NSEC3 handling.
* Zone: inconsist-nsec-nsec3-2.dnssec10.xa
* ns1 holds an NSEC version of the zone.
* It responds with a NODATA respond without NSEC record on the NSEC3PARAM
query.
* It does respond with an NSEC record to the NSEC query.
* ns2 holds an NSEC3 version of the zone.
* It responds with a NODATA respond without NSEC3 record on the NSEC query.
* It does respond with an NSEC3PARAM record to the NSEC3PARAM query.
### MIXED-NSEC-NSEC3-1
Servers gives both NSEC and NSEC3
* Zone: mixed-nsec-nsec3-1.dnssec10.xa
* The zone gives an NSEC record in response to NSEC query.
* The zone gives an NSEC3PARAM record in response to the NSEC3PARAM query.
### MIXED-NSEC-NSEC3-2
Servers gives both NSEC and NSEC3
* Zone: mixed-nsec-nsec3-2.dnssec10.xa
* The zone gives a NODATA response with NSEC3 record in response to NSEC
query.
* The zone gives a NODATA response with NSEC record in response to the
NSEC3PARAM query.
### NSEC3PARAM-GIVES-ERR-ANSWER-1
An NSEC3 zone. Error in response to NSEC3PARAM query.
* Zone: nsec3param-gives-err-answer-1.dnssec10.xa
* The zone gives a TXT record, but no NSEC3PARAM record, in response to the
NSEC3PARAM query.
### NSEC3PARAM-GIVES-ERR-ANSWER-2
An NSEC3 zone. Error in response to NSEC3PARAM query on ns1. No NSEC or NSEC3 on
ns2.
* Zone: nsec3param-gives-err-answer-1.dnssec10.xa
* On ns1, the zone gives a TXT record, but no NSEC3PARAM record, in response to
the NSEC3PARAM query.
* On ns2, the zone gives NODATA responses without NSEC or NSEC3 record for both
the NSEC3PARAM query and the NSEC query.
### NSEC3PARAM-MISMATCHES-APEX-1
An NSEC3 zone. The owner name of the NSEC3PARAM record is erroneous.
* Zone: nsec3param-mismatches-apex-1.dnssec10.xa
* The owner name of the NSEC3PARAM record in response to the NSEC3PARAM query is
erroneous and does not match apex.
* The owner name is `sub.nsec3param-mismatches-apex-1.dnssec10.xa` instead of
expected `nsec3param-mismatches-apex-1.dnssec10.xa`.
## NSEC3PARAM-Q-RESPONSE-ERR-1
An NSEC3 zone. Error in response to NSEC3PARAM query.
* Zone: nsec3param-q-response-err-1.dnssec10.xa
* No DNS response on the NSEC3PARAM query.
## NSEC3PARAM-Q-RESPONSE-ERR-2
An NSEC3 zone. Error in response to NSEC3PARAM query.
* Zone: nsec3param-q-response-err-2.dnssec10.xa
* The response on the NSEC3PARAM query has the [RCODE Name] "REFUSED".
## NSEC3PARAM-Q-RESPONSE-ERR-3
An NSEC3 zone. Error in response to NSEC3PARAM query on ns1. No NSEC or NSEC3 on
ns2.
* Zone: nsec3param-q-response-err-3.dnssec10.xa
* The response from ns1 on the NSEC3PARAM query has the AA flag unset.
* On ns2, the zone gives NODATA responses without NSEC or NSEC3 record for both
the NSEC3PARAM query and the NSEC query.
### NSEC3-ERR-TYPE-LIST-1
An NSEC3 zone. The type list of the NSEC3 record is erroneous.
* Zone: nsec3-err-type-list-1.dnssec10.xa
* The type list of the NSEC3 record includes NSEC.
### NSEC3-ERR-TYPE-LIST-2
An NSEC3 zone. The type list of the NSEC3 record is erroneous.
* Zone: nsec3-err-type-list-2.dnssec10.xa
* The type list of the NSEC3 record misses RRSIG.
### NSEC3-MISMATCHES-APEX-1
An NSEC3 zone. The hash owner name of the NSEC3 record is erroneous.
* Zone: nsec3-mismatches-apex-1.dnssec10.xa
* The hash owner name of the NSEC3 record in response to the NSEC query is
erroneous and does not match apex.
### NSEC3-MISSING-SIGNATURE-1
An NSEC3 zone. The RRSIG is missing
* Zone: nsec3-missing-signature-1.dnssec10.xa
* There is no RRSIG for the NSEC3 record in the response with NSEC3 record.
### NSEC3-NODATA-MISSING-SOA-1
An NSEC3 zone. The SOA record is missing in the NODATA response.
* Zone: nsec3-nodata-missing-soa-1.dnssec10.xa
* In the NODATA response to the NSEC query the SOA record is missing.
### NSEC3-NODATA-WRONG-SOA-1
An NSEC3 zone. In the NODATA response the SOA record has the wrong owner name.
* Zone: nsec3-nodata-wrong-soa-1.dnssec10.xa
* The owner name of the SOA record in the NODATA response to the NSEC query
is `sub.nsec3-nodata-wrong-soa-1.dnssec10.xa` instead of expected
`nsec3-nodata-wrong-soa-1.dnssec10.xa`.
### NSEC3-NO-VERIFIED-SIGNATURE-1
An NSEC3 zone. The RRSIG for the NSEC3 record cannot be verified.
* Zone: nsec3-no-verified-signature-1.dnssec10.xa
* The RRSIG record for the NSEC3 record in the NODATA response to the NSEC
query cannot be verified.
* There is no matching DNSKEY for the RRSIG for the NSEC3 record.
### NSEC3-NO-VERIFIED-SIGNATURE-2
An NSEC3 zone. The RRSIG for the NSEC3 record cannot be verified.
* Zone: nsec3-no-verified-signature-2.dnssec10.xa
* The RRSIG record for the NSEC3 record in the NODATA response to the NSEC
query cannot be verified.
* The RRSIG has expired, i.e. the current date-time is beyond the last valid
date-time.
### NSEC3-NO-VERIFIED-SIGNATURE-3
An NSEC3 zone. The RRSIG for the NSEC3 record cannot be verified.
* Zone: nsec3-no-verified-signature-3.dnssec10.xa
* The RRSIG record for the NSEC3 record in the NODATA response to the NSEC
query cannot be verified.
* The RRSIG it not yet valid, i.e. the current date-time is before the first
valid date-time.
### NSEC3-NO-VERIFIED-SIGNATURE-4
An NSEC3 zone. The RRSIG for the NSEC3 record cannot be verified.
* Zone: nsec3-no-verified-signature-4.dnssec10.xa
* The RRSIG record for the NSEC3 record in the NODATA response to the NSEC
query cannot be verified.
* The RRSIG signature does not match the NSEC record and appointed DNSKEY.
### NSEC-ERR-TYPE-LIST-1
An NSEC zone. The type list of the NSEC record is erroneous.
* Zone: nsec-err-type-list-1.dnssec10.xa
* The type list of the NSEC record includes NSEC3PARAM.
### NSEC-ERR-TYPE-LIST-2
An NSEC zone. The type list of the NSEC record is erroneous.
* Zone: nsec-err-type-list-2.dnssec10.xa
* The type list of the NSEC record misses RRSIG.
### NSEC-GIVES-ERR-ANSWER-1
An NSEC zone. Error in response to NSEC query.
* Zone: nsec-gives-err-answer-1.dnssec10.xa
* The zone gives a TXT record, but no NSEC record, in response to the NSEC
query.
### NSEC-GIVES-ERR-ANSWER-2
An NSEC zone. Error in response to NSEC query on ns1. No NSEC or NSEC3 on ns2.
* Zone: nsec-gives-err-answer-2.dnssec10.xa
* On ns1, the zone gives a TXT record, but no NSEC record, in response to the
NSEC query.
* On ns2, the zone gives NODATA responses without NSEC or NSEC3 record for both
the NSEC3PARAM query and the NSEC query.
### NSEC-MISMATCHES-APEX-1
An NSEC zone. The owner name of the NSEC record is errouneous.
* Zone: nsec-mismatches-apex-1.dnssec10.xa
* The owner name of the NSEC record in response to the NSEC3PARAM query is
errouneous and does not match apex.
* The owner name is `sub.nsec-mismatches-apex-1.dnssec10.xa` instead of
expected `nsec-mismatches-apex-1.dnssec10.xa`.
### NSEC-MISMATCHES-APEX-2
An NSEC zone. The owner name of the NSEC record is errouneous.
* Zone: nsec-mismatches-apex-2.dnssec10.xa
* The owner name of the NSEC record in response to the NSEC query is
errouneous and does not match apex.
* The owner name is `sub.nsec-mismatches-apex-2.dnssec10.xa` instead of
expected `nsec-mismatches-apex-2.dnssec10.xa`.
### NSEC-MISSING-SIGNATURE-1
An NSEC zone. The RRSIG is missing.
* Zone: nsec-missing-signature-1.dnssec10.xa
* There is no RRSIG for the NSEC record in the response with NSEC record on the
NSEC3PARAM query.
### NSEC-NODATA-MISSING-SOA-1
An NSEC zone. The SOA record is missing in the NODATA response.
* Zone: nsec-nodata-missing-soa-1.dnssec10.xa
* In the NODATA response to the NSEC3PARAM query the SOA record is missing.
### NSEC-NODATA-WRONG-SOA-1
An NSEC zone. In the NODATA response the SOA record has the wrong owner name.
* Zone: nsec-nodata-wrong-soa-1.dnssec10.xa
* The owner name of the SOA record in the NODATA response to the NSEC3PARAM
query is `sub.nsec-nodata-wrong-soa-1.dnssec10.xa` instead of expected
`nsec-nodata-wrong-soa-1.dnssec10.xa`.
### NSEC-NO-VERIFIED-SIGNATURE-1
An NSEC zone. The RRSIG for the NSEC record cannot be verified.
* Zone: nsec-no-verified-signature-1.dnssec10.xa
* The RRSIG record for the NSEC record in the NODATA response to the NSEC3PARAM
query cannot be verified.
* There is no matching DNSKEY for the RRSIG for that NSEC record.
### NSEC-NO-VERIFIED-SIGNATURE-2
An NSEC zone. The RRSIG for the NSEC record cannot be verified.
* Zone: nsec-no-verified-signature-2.dnssec10.xa
* The RRSIG record for the NSEC record in the NODATA response to the NSEC3PARAM
query cannot be verified.
* The RRSIG has expired, i.e. the current date-time is beyond the last valid
date-time.
### NSEC-NO-VERIFIED-SIGNATURE-3
An NSEC zone. The RRSIG for the NSEC record cannot be verified.
* Zone: nsec-no-verified-signature-3.dnssec10.xa
* The RRSIG record for the NSEC record in the NODATA response to the NSEC3PARAM
query cannot be verified.
* The RRSIG it not yet valid, i.e. the current date-time is before the first
valid date-time.
### NSEC-NO-VERIFIED-SIGNATURE-4
An NSEC zone. The RRSIG for the NSEC record cannot be verified.
* Zone: nsec-no-verified-signature-4.dnssec10.xa
* The RRSIG record for the NSEC record in the NODATA response to the NSEC3PARAM
query cannot be verified.
* The RRSIG signature does not match the RRSIG record and appointed DNSKEY.
### NSEC-QUERY-RESPONSE-ERR-1
An NSEC zone. Error in response to NSEC query.
* Zone: nsec-query-response-err-1.dnssec10.xa
* No DNS response on the NSEC query.
### NSEC-QUERY-RESPONSE-ERR-2
An NSEC zone. Error in response to NSEC query.
* Zone: nsec-query-response-err-2.dnssec10.xa
* The response on the NSEC query has the [RCODE Name] "REFUSED".
### NSEC-QUERY-RESPONSE-ERR-3
An NSEC zone. Error in response to NSEC query on ns1. No NSEC or NSEC3 in
responses from ns2.
* Zone: nsec-query-response-err-3.dnssec10.xa
* The response from ns1 on the NSEC query has the AA flag unset.
* On ns2, the zone gives NODATA responses without NSEC or NSEC3 record for both
the NSEC3PARAM query and the NSEC query.
### SERVER-NO-DNSSEC-1
An NSEC zone. No DNSKEY in response from ns1. Normal response from ns2.
* Zone: server-no-dnssec-1.dnssec10.xa
* The answer section in response from ns1 on the DNSKEY query is empty. Unsigned
NODATA response without NSEC or NSEC3.
* The NSEC and NSEC3PARAM queries are irrelevant, but they also give a Unsigned
NODATA response without NSEC or NSEC3 on ns1.
### SERVER-NO-DNSSEC-2
An NSEC3 zone. No DNSKEY in response from ns1. Normal response from ns2.
* Zone: server-no-dnssec-2.dnssec10.xa
* The answer section in response from ns1 on the DNSKEY query is empty. Unsigned
NODATA response without NSEC or NSEC3.
* The NSEC and NSEC3PARAM queries are irrelevant, but they also give a Unsigned
NODATA response without NSEC or NSEC3 on ns1.
### ZONE-NO-DNSSEC-1
No DNSKEY in response.
* Zone: zone-no-dnssec-1.dnssec10.xa
* The answer section in response on the DNSKEY query is empty. Unsigned NODATA
response without NSEC or NSEC3.
* The NSEC and NSEC3PARAM queries are irrelevant, but they also give a Unsigned
NODATA response without NSEC or NSEC3.
[DNSSEC10]: ../../tests/DNSSEC-TP/dnssec10.md
[IANA registry]: https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
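Review bot: The NSEC3PARAM-GIVES-ERR-ANSWER-2 section gives its zone as `nsec3param-gives-err-answer-1.dnssec10.xa`, the same name as scenario 1, which contradicts the default that the child zone is `SCENARIO.dnssec10.xa`; it should read `nsec3param-gives-err-answer-2.dnssec10.xa`. The three NSEC3PARAM-Q-RESPONSE-ERR sections use `##` headings while every other scenario uses `###`, so they fall outside "Test scenarios and setup of test zones" in the outline. Two record names look like copy-paste slips: NSEC3-NO-VERIFIED-SIGNATURE-4 says the signature does not match "the NSEC record" in an NSEC3 zone, and NSEC-NO-VERIFIED-SIGNATURE-4 says it does not match "the RRSIG record" where the NSEC record appears to be meant. ERR-MULT-NSEC3PARAM-1 places the extra NSEC3PARAM record "in the response to the NSEC query", while the default configuration returns NSEC3PARAM in the answer to the NSEC3PARAM query; please confirm which query is intended. Minor spelling to fix while here: "beteen", "errouneous", "NODATA respond", "The RRSIG it not yet valid".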

View File

@@ -0,0 +1,190 @@
# Specification of test zones for DNSSEC16
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
* [Terminology](#terminology)
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [DNSSEC16].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC16] is run on a test zone. The
message tags are defined in the test case ([DNSSEC16]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`dnssec16.xa`) and that subdomain having the same name as the
scenario except where the test domain must be the root zone, a TLD or a domain
under `.arpa`. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tags | Forbidden message tags
:----------------------------|:--------------------------------------------------|:-------------------------------------------
CDS-INVALID-RRSIG | DS16_CDS_INVALID_RRSIG | DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-MATCHES-NO-DNSKEY | DS16_CDS_MATCHES_NO_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-MATCHES-NON-SEP-DNSKEY | DS16_CDS_MATCHES_NON_SEP_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-MATCHES-NON-ZONE-DNSKEY | DS16_CDS_MATCHES_NON_ZONE_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-NOT-SIGNED_BY_CDS | DS16_CDS_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-SIGNED-BY-UNKNOWN-DNSKEY | DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-UNSIGNED | DS16_CDS_UNSIGNED, DS16_CDS_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-WITHOUT-DNSKEY | DS16_CDS_WITHOUT_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
DELETE-CDS | DS16_DELETE_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
DNSKEY-NOT-SIGNED-BY-CDS | DS16_DNSKEY_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_MIXED_DELETE_CDS
MIXED-DELETE-CDS | DS16_MIXED_DELETE_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS
NO-CDS | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
NOT-AA | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
VALID-CDS | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
## Zone setup for test scenarios
Assumptions for the scenario specifications:
* Only CDS or DNSKEY records in apex are considered.
* Unless stated otherwise, all name servers respond authoritatively with
[RCODE Name] "NoError" on all queries.
* Unless stated otherwise, all name servers respond authoritatively with (or
without) CDS records on CDS queries and DNSKEY records on DNSKEY queries,
respectively.
* Unless stated otherwise, all RRSIGs are present where expected and are valid.
* Each zone is served by two nameservers and both respond consistently.
* No DS record is published at parent zone (`dnssec16.xa`).
### CDS-INVALID-RRSIG
* Zone: "cds-invalid-rrsig.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], that matches key 1, but the RRSIG
of the CDS RRset has expired.
### CDS-MATCHES-NO-DNSKEY
* Zone: "cds-matches-no-dnskey.dnssec16.xa."
* The zone has one [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record] that matches key 1.
* The zone has a second [Well Formed CDS Record] that matches no key by key
tag.
### CDS-MATCHES-NON-SEP-DNSKEY
* Zone: "cds-matches-non-sep-dnskey.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record], but flag bit 15 is unset (key
1).
* The zone has one [Well Formed CDS Record] that matches key 1.
### CDS-MATCHES-NON-ZONE-DNSKEY
* Zone: "cds-matches-non-zone-dnskey.dnssec16.xa."
* The zone has one [Well Formed DNSKEY Record] (key 1).
* The zone has a second [Well Formed DNSKEY Record], but flag bit 7 is unset
and the key has not signed the DNSKEY RRset (key 2).
* The zone has one [Well Formed CDS Record] and matches key 1 (CDS 1).
* The zone has a second [Well Formed CDS Record], matching key 2, but the key
has not signed the CDS RRset.
### CDS-NOT-SIGNED-BY-CDS
* Zone: "cds-not-signed-by-cds.dnssec16.xa."
* The zone has two [Well Formed DNSKEY Record] (key 1 and 2).
* The zone has one [Well Formed CDS Record] that matches key 1.
* The zone has a second [Well Formed CDS Record] that matches key 2, but its
DNSKEY has not signed the CDS RRset.
### CDS-SIGNED-BY-UNKNOWN-DNSKEY
* Zone: "cds-signed-by-unknown-dnskey.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1.
* The CDS RRset has an additional RRSIG that matches no DNSKEY by key tag.
### CDS-UNSIGNED
* Zone: "cds-unsigned.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1, but the CDS
RRset is not signed.
### CDS-WITHOUT-DNSKEY
* Zone: "cds-without-dnskey.dnssec16.xa."
* The zone has no DNSKEY.
* The zone has one [Well Formed CDS Record] that matches no DNSKEY.
### DELETE-CDS
* Zone: "delete-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record].
* The zone has one CDS RR that is a Delete CDS.
### DNSKEY-NOT-SIGNED-BY-CDS
* Zone: "dnskey-not-signed-by-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1), but the key has not
signed the DNSKEY RRset.
* The zone has one [Well Formed CDS Record], and it matches key 1.
### MIXED-DELETE-CDS
* Zone: "mixed-delete-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1.
* The zone has a second CDS RR that is a Delete CDS.
### NO-CDS
* Zone: "no-cds.dnssec16.xa."
* The name servers give no CDS RRset on CDS query (NODATA).
### NOT-AA
* Zone: "not-aa.dnssec16.xa."
* The name servers give non-AA response on CDS queries.
### VALID-CDS
* Zone: "valid-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1.
## Terminology
* "Well Formed DNSKEY Record" - The term is used, in this document, for a DNSKEY
record that meets the following requirements:
* It is a DNSKEY record in apex.
* It uses algorithm 10 (RSA/SHA-512) with a 2048-bit key length, see
[DNSSEC05] and [DNSSEC14].
* Flag bit 7 (zone key) and bit 15 (SEP) are set.
* The DNSKEY RRset has been signed by the key and the RRSIG is valid.
* "Well Formed CDS Record" - The term is used, in this document, for a CDS record
that meets the following requirements:
* It is a CDS record in apex.
* It uses hash digest 2 (SHA-256), see [DNSSEC01].
* Its digest is a digest of a [Well Formed DNSKEY Record].
* The CDS RRset has been signed by the its DNSKEY and the RRSIG is valid.
[DNSSEC01]: ../../tests/DNSSEC-TP/dnssec01.md
[DNSSEC05]: ../../tests/DNSSEC-TP/dnssec05.md
[DNSSEC14]: ../../tests/DNSSEC-TP/dnssec14.md
[DNSSEC16]: ../../tests/DNSSEC-TP/dnssec16.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Well Formed CDS Record]: #terminology
[Well Formed DNSKEY Record]: #terminology
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
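Review bot: The scenario table names one row `CDS-NOT-SIGNED_BY_CDS` with underscores, but its section heading is `CDS-NOT-SIGNED-BY-CDS` and its zone is `cds-not-signed-by-cds.dnssec16.xa`; since zone names are derived from scenario names, the table entry should use hyphens throughout. CDS-MATCHES-NON-ZONE-DNSKEY states that key 2 "has not signed the CDS RRset" while the table lists DS16_CDS_NOT_SIGNED_BY_CDS as forbidden for that scenario; a sentence in the setup explaining why that tag is not expected would remove the apparent conflict. In Terminology, "signed by the its DNSKEY" needs one of the two words dropped, and the document title says "test zones" where the sibling specifications say "test scenarios".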

View File

@@ -0,0 +1,8 @@
# Specification of test scenarios for Delegation-TP
Test scenario specifications are available for:
* [Delegation01](delegation01.md)
* [Delegation02](delegation02.md)
* [Delegation03](delegation03.md)

View File

@@ -0,0 +1,245 @@
# Specification of test Scenarios for Delegation01
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test zone setup]
## Background
See the [test scenario README file].
## Test Case
This document specifies test scenarios for test case [Delegation01].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are output when [Delegation01] is run on a test zone.
The message tags are defined in the test case ([Delegation01]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`delegation01.xa`) and that subdomain having the same name as
the scenario. The names of those zones are given in section
[Test zone setup] below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [Delegation01] for the specification of the tags.
* ENOUGH_IPV4_NS_CHILD
* ENOUGH_IPV4_NS_DEL
* ENOUGH_IPV6_NS_CHILD
* ENOUGH_IPV6_NS_DEL
* ENOUGH_NS_CHILD
* ENOUGH_NS_DEL
* NOT_ENOUGH_IPV4_NS_CHILD
* NOT_ENOUGH_IPV4_NS_DEL
* NOT_ENOUGH_IPV6_NS_CHILD
* NOT_ENOUGH_IPV6_NS_DEL
* NOT_ENOUGH_NS_CHILD
* NOT_ENOUGH_NS_DEL
* NO_IPV4_NS_CHILD
* NO_IPV4_NS_DEL
* NO_IPV6_NS_CHILD
* NO_IPV6_NS_DEL
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:-----------------------------|:---------------------------------------------------------|:-------------------------------------------
ENOUGH-1 | ENOUGH_IPV4_NS_CHILD, ENOUGH_IPV4_NS_DEL, ENOUGH_IPV6_NS_CHILD, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL | 2)
ENOUGH-2 | ENOUGH_IPV4_NS_CHILD, ENOUGH_IPV4_NS_DEL, ENOUGH_IPV6_NS_CHILD, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL | 2)
ENOUGH-3 | ENOUGH_IPV4_NS_CHILD, ENOUGH_IPV4_NS_DEL, ENOUGH_IPV6_NS_CHILD, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL | 2)
ENOUGH-DEL-NOT-CHILD | ENOUGH_IPV4_NS_DEL, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_DEL, NOT_ENOUGH_IPV4_NS_CHILD, NOT_ENOUGH_IPV6_NS_CHILD, NOT_ENOUGH_NS_CHILD | 2)
ENOUGH-CHILD-NOT-DEL | ENOUGH_IPV4_NS_CHILD, ENOUGH_IPV6_NS_CHILD, ENOUGH_NS_CHILD, NOT_ENOUGH_IPV4_NS_DEL, NOT_ENOUGH_IPV6_NS_DEL, NOT_ENOUGH_NS_DEL | 2)
IPV6-AND-DEL-OK-NO-IPV4-CHILD | ENOUGH_IPV4_NS_DEL, ENOUGH_IPV6_NS_CHILD, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL, NO_IPV4_NS_CHILD | 2)
IPV4-AND-DEL-OK-NO-IPV6-CHILD | ENOUGH_IPV4_NS_DEL, ENOUGH_IPV4_NS_CHILD, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL, NO_IPV6_NS_CHILD | 2)
NO-IPV4-1 | ENOUGH_IPV6_NS_CHILD, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL, NO_IPV4_NS_CHILD, NO_IPV4_NS_DEL | 2)
NO-IPV4-2 | ENOUGH_IPV6_NS_CHILD, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL, NO_IPV4_NS_CHILD, NO_IPV4_NS_DEL | 2)
NO-IPV4-3 | ENOUGH_IPV6_NS_CHILD, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL, NO_IPV4_NS_CHILD, NO_IPV4_NS_DEL | 2)
NO-IPV6-1 | ENOUGH_IPV4_NS_CHILD, ENOUGH_IPV4_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL, NO_IPV6_NS_CHILD, NO_IPV6_NS_DEL | 2)
NO-IPV6-2 | ENOUGH_IPV4_NS_CHILD, ENOUGH_IPV4_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL, NO_IPV6_NS_CHILD, NO_IPV6_NS_DEL | 2)
NO-IPV6-3 | ENOUGH_IPV4_NS_CHILD, ENOUGH_IPV4_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL, NO_IPV6_NS_CHILD, NO_IPV6_NS_DEL | 2)
MISMATCH-DELEGATION-CHILD-1 | ENOUGH_IPV4_NS_CHILD, NOT_ENOUGH_IPV4_NS_DEL, ENOUGH_IPV6_NS_CHILD, NOT_ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL | 2)
MISMATCH-DELEGATION-CHILD-2 | NOT_ENOUGH_IPV4_NS_CHILD, ENOUGH_IPV4_NS_DEL, NOT_ENOUGH_IPV6_NS_CHILD, ENOUGH_IPV6_NS_DEL, ENOUGH_NS_CHILD, ENOUGH_NS_DEL | 2)
1\) All tags except for those specified as "Forbidden message tags" (no
instances for these test scenarios)
2\) All tags except for those specified as "Mandatory message tags"
## Test zone setup
Assumptions for the scenario specifications unless otherwise specified for the
specific scenario:
* For each scenario zone there are two name servers configured.
* Both name servers (ns1 and ns2) are equal in delegation and in zone.
* Both name servers are in-bailiwick.
* Both name servers have both IPv4 and IPv6 addresses.
* All required glue records are present in the delegation.
* All glue exactly match the authoritative address records in correct zone
(not more and not less records).
* All name server IP addresses respond with identical zone content.
### ENOUGH-1
This is the main happy path.
* Zone: enough-1.delegation01.xa
### ENOUGH-2
This is also a happy path. Out-of-bailiwick.
* Zone: enough-2.delegation01.xa
* Both ns1 and ns2 are out-of-bailiwick.
* ns1 is "ns1.enough-2.delegation01.xb"
* ns2 is "ns2.enough-2.delegation01.xb"
* Delegation is without glue.
* The test zone ("child") has no address records for the name server names.
* The "delegation01.xb" zone has the full set of address records.
### ENOUGH-3
This is also a happy path. Also out-of-bailiwick, but with sibling glue.
* Zone: enough-3.delegation01.xa
* Both ns1 and ns2 are out-of-bailiwick
* ns1 is "ns1.enough-3.sibling.delegation01.xa"
* ns2 is "ns2.enough-3.sibling.delegation01.xa"
* Delegation is with glue.
* The child zone has no address records for the name server names.
* The two name servers are defined directly in the parent zone with full set of
address records.
### ENOUGH-DEL-NOT-CHILD
Only one name server in child zone.
* Zone: enough-del-not-child.delegation01.xa
* The child zone defines only one name server, ns1.
* Delegation is complete.
### ENOUGH-CHILD-NOT-DEL
Only one name server in delegation.
* Zone: enough-child-not-del.delegation01.xa
* The delegation has only one name server, for ns1.
* The child has two name servers with full set of address records.
### IPV6-AND-DEL-OK-NO-IPV4-CHILD
No IPv4 in zone.
* Zone: ipv6-and-del-ok-no-ipv4-child.delegation01.xa
* No A records for ns1 and ns2 in zone.
* Delegation is complete.
### IPV4-AND-DEL-OK-NO-IPV6-CHILD
No IPv6 in zone.
* Zone: ipv4-and-del-ok-no-ipv6-child.delegation01.xa
* No AAAA records for ns1 and ns2 in zone.
* Delegation is complete.
### NO-IPV4-1
No IPv4 in delegation or zone.
* Zone: no-ipv4-1.delegation01.xa
* No A glue for ns1 and ns2.
* No A records in zone for ns1 and ns2.
### NO-IPV4-2
No IPv4 in delegation or zone. Out-of-bailiwick name servers and no glue.
* Zone: no-ipv4-2.delegation01.xa
* Both ns1 and ns2 are out-of-bailiwick under the xb tree.
* ns1 is "ns1.no-ipv4-2.delegation01.xb"
* ns2 is "ns2.no-ipv4-2.delegation01.xb"
* Delegation is without glue.
* The test zone ("child") has no address records for the name server names
* The "delegation01.xb" zone has full set of address records for this.
* AAAA only, not A
### NO-IPV4-3
No IPv4 in delegation or zone. Out-of-bailiwick name servers, but with sibling
glue.
* Zone: no-ipv4-3.delegation01.xa
* Both ns1 and ns2 are out-of-bailiwick
* ns1 is "ns1.no-ipv4-3.sibling.delegation01.xa"
* ns2 is "ns2.no-ipv4-3.sibling.delegation01.xa"
* Delegation is with glue.
* The child zone has no address records for the name server names
* The sibling names have full sets of address records.
* AAAA only, not A.
### NO-IPV6-1
No IPv6 in delegation or zone.
* Zone: no-ipv6-1.delegation01.xa
* No AAAA glue for ns1 and ns2.
* No AAAA records in zone for ns1 and ns2.
### NO-IPV6-2
No IPv6 in delegation or zone. Out-of-bailiwick name servers and no glue.
* Zone: no-ipv6-2.delegation01.xa
* Both ns1 and ns2 are out-of-bailiwick under the xb tree.
* ns1 is "ns1.no-ipv6-2.delegation01.xb"
* ns2 is "ns2.no-ipv6-2.delegation01.xb"
* Delegation is without glue.
* The test zone ("child") has no address records for the name servers names
* The "delegation01.xb" zone has full set of address records for this.
* A only, not AAAA
### NO-IPV6-3
No IPv6 in delegation or zone. Out-of-bailiwick name servers, but with sibling
glue.
* Zone: no-ipv6-3.delegation01.xa
* Both ns1 and ns2 are out-of-bailiwick
* ns1 is "ns1.no-ipv6-3.sibling.delegation01.xa"
* ns2 is "ns2.no-ipv6-3.sibling.delegation01.xa"
* Delegation is with glue.
* The child zone has no address records for the name server names
* The sibling names has full set of address records.
* A only, not AAAA.
### MISMATCH-DELEGATION-CHILD-1
Missing glue, only IPv4 on ns1 and only IPv6 on ns2.
* Zone: mismatch-delegation-child-1.delegation01.xa
* Only IPv4 glue on ns1.
* Only IPv6 glue on ns2.
* Full set in zone.
### MISMATCH-DELEGATION-CHILD-2
The zone has only IPv4 on ns1 and only IPv6 on ns2.
* Zone: mismatch-delegation-child-2.delegation01.xa
* Only IPv4 on ns1 in zone.
* Only IPv6 on ns2 in zone.
* Full set in delegation.
[Delegation01]: ../../tests/Delegation-TP/delegation01.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test zone setup]: #test-zone-setup
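
Review bot: In NO-IPV4-2 and NO-IPV6-2 the line "The "delegation01.xb" zone has full set of address records for this." is immediately narrowed by "AAAA only, not A" or "A only, not AAAA", and NO-IPV4-3 and NO-IPV6-3 do the same for the sibling names. That conflicts with how "full set" is used in ENOUGH-2, where the default assumption is both IPv4 and IPv6. Suggest stating the restriction directly, for example "The "delegation01.xb" zone has only AAAA records for the name server names." Smaller points in the same file: the `[RCODE Name]` link definition is never referenced, footnote 1) is not used by any table row, the column header says "Mandatory message tag" while footnote 2) says "Mandatory message tags", and NO-IPV6-2 and NO-IPV6-3 have "name servers names" and "names has".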

View File

@@ -0,0 +1,214 @@
# Specification of test Scenarios for Delegation02
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test zone setup]
## Background
See the [test scenario README file].
## Test Case
This document specifies test scenarios for test case [Delegation02].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are output when [Delegation02] is run on a test zone.
The message tags are defined in the test case ([Delegation02]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`delegation02.xa`) and that subdomain having the same name as
the scenario. The names of those zones are given in section [Test zone setup]
below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [Delegation02] for the specification of the tags.
* DEL_DISTINCT_NS_IP
* CHILD_DISTINCT_NS_IP
* DEL_NS_SAME_IP
* CHILD_NS_SAME_IP
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:-----------------------------|:-----------------------------------------|:-------------------------------------------
ALL-DISTINCT-1 | DEL_DISTINCT_NS_IP, CHILD_DISTINCT_NS_IP | 2)
ALL-DISTINCT-2 | DEL_DISTINCT_NS_IP, CHILD_DISTINCT_NS_IP | 2)
ALL-DISTINCT-3 | DEL_DISTINCT_NS_IP, CHILD_DISTINCT_NS_IP | 2)
DEL-NON-DISTINCT | DEL_NS_SAME_IP, CHILD_DISTINCT_NS_IP | 2)
DEL-NON-DISTINCT-UND | DEL_NS_SAME_IP, CHILD_DISTINCT_NS_IP | 2)
CHILD-NON-DISTINCT | DEL_DISTINCT_NS_IP, CHILD_NS_SAME_IP | 2)
CHILD-NON-DISTINCT-UND | DEL_DISTINCT_NS_IP, CHILD_NS_SAME_IP | 2)
NON-DISTINCT-1 | DEL_NS_SAME_IP, CHILD_NS_SAME_IP | 2)
NON-DISTINCT-2 | DEL_NS_SAME_IP, CHILD_NS_SAME_IP | 2)
NON-DISTINCT-3 | DEL_NS_SAME_IP, CHILD_NS_SAME_IP | 2)
1\) All tags except for those specified as "Forbidden message tags" (no
instances for these test scenarios)
2\) All tags except for those specified as "Mandatory message tags"
## Test zone setup
Assumptions for the scenario specifications unless otherwise specified for the
specific scenario:
* For each scenario zone there are two name servers configured.
* Both name servers (ns1 and ns2) are equal in delegation and in zone.
* Both name servers are in-bailiwick.
* Both name servers have both IPv4 and IPv6 addresses.
* All addresses are distinct.
* All required glue are present in the delegation.
* All glue exactly matches the authoritative address records in correct zone
(not more and not less records).
* All name server IP addresses respond with identical zone content.
### ALL-DISTINCT-1
This is the happy path.
* Zone: all-distinct-1.delegation02.xa
### ALL-DISTINCT-2
This is also a happy path. Out-of-bailiwick.
* Zone: all-distinct-2.delegation02.xa
* Both ns1 and ns2 are out-of-bailiwick under the xb tree.
* ns1 is "ns1.all-distinct-2.delegation02.xb"
* ns2 is "ns2.all-distinct-2.delegation02.xb"
* Delegation is without glue.
* The test zone has no address records for the name server names.
* The "delegation02.xb" zone has full set of address records for this scenario.
### ALL-DISTINCT-3
This is also a happy path. Also out-of-bailiwick, but with sibling glue.
* Zone: all-distinct-3.delegation02.xa
* Both ns1 and ns2 are out-of-bailiwick
* ns1 is "ns1.all-distinct-3.sibling.delegation02.xa"
* ns2 is "ns2.all-distinct-3.sibling.delegation02.xa"
* Delegation is with glue.
* The test zone ("child") has no address records for the name server names.
* The "delegation02.xa" zone has full set of address records for this scenario.
### DEL-NON-DISTINCT
The glue records use the same IP addresses.
* Zone: del-non-distinct.delegation02.xa
* The name servers are ns1a and ns1b
* ns1a and ns1b in the delegation (glue) have the same IPv4 and IPv6
addresses, respectively.
* ns1a and ns1b have distinct addresses in the zone (IPv4 and IPv6,
respectively).
### DEL-NON-DISTINCT-UND
The glue records use the same IP addresses. The zone is undelegated.
* Zone: del-non-distinct-und.delegation02.xa
* The zone is undelegated.
* name servers are ns1a and ns1b
* ns1a and ns1b in the delegation (glue) have the same IPv4 and IPv6
addresses, respectively.
* ns1a and ns1b have distinct addresses in the zone (IPv4 and IPv6,
respectively).
* Undelegated data:
* ns1a.del-non-distinct-und.delegation02.xa/IPv4
* ns1a.del-non-distinct-und.delegation02.xa/IPv6
* ns1b.del-non-distinct-und.delegation02.xa/IPv4
* ns1b.del-non-distinct-und.delegation02.xa/IPv6
### CHILD-NON-DISTINCT
The address records in the zone use the same IP addresses.
* Zone: child-non-distinct.delegation02.xa
* name servers are ns1a and ns1b
* ns1a and ns1b in the delegation (glue) have distinct addresses (IPv4 and
IPv6, respectively).
* ns1a and ns1b have the same addresses in the zone, IPv4 and IPv6,
respectively.
### CHILD-NON-DISTINCT-UND
The address records in the zone use the same IP addresses.
* Zone: child-non-distinct-und.delegation02.xa
* The zone is undelegated.
* name servers are ns1a and ns1b
* ns1a and ns1b in the delegation (glue) have distinct addresses (IPv4 and
IPv6, respectively).
* ns1a and ns1b have the same addresses in the zone, IPv4 and IPv6,
respectively.
* Undelegated data:
* ns1a.child-non-distinct-und.delegation02.xa/IPv4
* ns1a.child-non-distinct-und.delegation02.xa/IPv6
* ns1b.child-non-distinct-und.delegation02.xa/IPv4
* ns1b.child-non-distinct-und.delegation02.xa/IPv6
### NON-DISTINCT-1
The address records in both delegation and zone use the same IP addresses.
* Zone: non-distinct-1.delegation02.xa
* name servers are ns1a, ns1b and ns2
* ns1a and ns1b in the delegation (glue) have the same IPv4 and IPv6
addresses, respectively.
* ns1a and ns1b have the same addresses in the zone, IPv4 and IPv6,
respectively.
* ns2 has a distinct address both in delegation and in zone.
### NON-DISTINCT-2
The name servers in both delegation and zone refer to the same IP addresses. The
names are out-of-bailiwick.
* Zone: non-distinct-2.delegation02.xa
* name servers are ns1a, ns1b and ns2, and are out-of-bailiwick under the xb
tree.
* ns1a is "ns1a.non-distinct-2.delegation02.xb"
* ns1b is "ns1a.non-distinct-2.delegation02.xb"
* ns2 is "ns2.non-distinct-2.delegation02.xb"
* Delegation is without glue.
* ns1a and ns1b have the same addresses, IPv4 and IPv6, respectively.
* ns2 has distinct addresses (IPv4 and IPv6).
* The test zone has no address records for the name server names.
* The "delegation02.xb" zone has full set of address records for this scenario.
### NON-DISTINCT-3
The name servers in both delegation and zone refer to the same IP addresses. The
names are out-of-bailiwick, but with sibling glue.
* Zone: non-distinct-3.delegation02.xa
* name servers are ns1a, ns1b and ns2, and are out-of-bailiwick.
* ns1a is "ns1a.non-distinct-3.sibling.delegation02.xa"
* ns1b is "ns1a.non-distinct-3.sibling.delegation02.xa"
* ns2 is "ns2.non-distinct-3.sibling.delegation02.xa"
* Delegation has sibling glue.
* ns1a and ns1b have the same addresses, IPv4 and IPv6, respectively.
* ns2 has distinct addresses (IPv4 and IPv6).
* The test zone has no address records for the name server names.
* The "delegation02.xa" zone has full set of address records for this scenario.
[Delegation02]: ../../tests/Delegation-TP/delegation02.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[test scenario README file]: ../README.md
[Test zone setup]: #test-zone-setup
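
Review bot: In NON-DISTINCT-2 and NON-DISTINCT-3 the entry for ns1b repeats the ns1a name: `ns1b is "ns1a.non-distinct-2.delegation02.xb"` and `ns1b is "ns1a.non-distinct-3.sibling.delegation02.xa"`. If the zone is built as written, ns1a and ns1b are the same name server name, so the scenario no longer has two distinct names sharing one address, which is what DEL_NS_SAME_IP and CHILD_NS_SAME_IP are meant to exercise here. These should most likely read "ns1b.non-distinct-2.delegation02.xb" and "ns1b.non-distinct-3.sibling.delegation02.xa". Also, CHILD-NON-DISTINCT-UND has the same one-line description as CHILD-NON-DISTINCT; DEL-NON-DISTINCT-UND adds "The zone is undelegated." to its description and this one should too. The `[RCODE Name]` link definition is unused in this file.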

View File

@@ -0,0 +1,124 @@
# Specification of test Scenarios for Delegation03
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test zone setup]
## Background
See the [test scenario README file].
## Test Case
This document specifies test scenarios for test case [Delegation03].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are output when [Delegation03] is run on a test zone.
The message tags are defined in the test case ([Delegation03]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`delegation03.xa`) and that subdomain having the same name as the
scenario. The names of those zones are given in section
[Test zone setup] below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [Delegation03] for the specification of the tags.
* REFERRAL_SIZE_OK
* REFERRAL_SIZE_TOO_LARGE
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:-----------------------------|:-----------------------------------------|:-------------------------------------------
REFERRAL-SIZE-OK-1 | REFERRAL_SIZE_OK | 2)
REFERRAL-SIZE-OK-2 | REFERRAL_SIZE_OK | 2)
REFERRAL-SIZE-TOO-LARGE-1 | REFERRAL_SIZE_TOO_LARGE | 2)
REFERRAL-SIZE-TOO-LARGE-2 | REFERRAL_SIZE_TOO_LARGE | 2)
1\) All tags except for those specified as "Forbidden message tags" (no
instances for these test scenarios)
2\) All tags except for those specified as "Mandatory message tags"
## Test zone setup
Assumptions for the scenario specifications unless otherwise specified for the
specific scenario:
* For each scenario zone there are two name server configured.
* Both name servers are in-bailiwick.
* Both name servers have both IPv4 and IPv6 addresses.
* All addresses are distinct.
* All required glue are present in the delegation.
* There is no actual zone or zone file, only a delegation.
* For these scenarios only the delegation is needed.
### REFERRAL-SIZE-OK-1
This is the happy path.
* Zone: referral-size-ok-1.delegation03.xa.
### REFERRAL-SIZE-OK-2
Referral is large, but not too large. The name servers are in-bailiwick.
* Zone: referral-size-ok-2.delegation03.xa.
* ns1 is "ns1.ipv4-large-but-not-too-large.referral-size-ok-2.delegation03.xa".
* ns1 is "ns1.ipv6-large-but-not-too-large.referral-size-ok-2.delegation03.xa".
* ns2 is "ns2.ipv4-large-but-not-too-large.referral-size-ok-2.delegation03.xa".
* ns2 is "ns2.ipv6-large-but-not-too-large.referral-size-ok-2.delegation03.xa".
### REFERRAL-SIZE-TOO-LARGE-1
Referral is too large and name servers are in-bailiwick.
* Zone: referral-size-too-large-1.delegation03.xa
* Name server names are relative to the zone name:
* ns1 is "ns1.1abcdefghijklmnopqrstuv.1defghijkl"
* ns2 is "ns2.2abcdefghijklmnopqrstuv.2defghijkl"
* ns3 is "ns3.2abcdefghijklmnopqrstuv.3defghijkl"
* ns4 is "ns4.2abcdefghijklmnopqrstuv.4defghijkl"
* ns5 is "ns5.2abcdefghijklmnopqrstuv.5defghijkl"
### REFERRAL-SIZE-TOO-LARGE-2
Referral is too large and name servers are out-of-bailiwick with no glue.
* Zone: referral-size-too-large-2.delegation03.xa
* The zone is delegated to ns1, ns2, ns3 and ns4.
* ns1 is "ns1.1abcdefghijklmnopqrstuvwxyz.1abcdefghijklmnopqrstuvwxy.1abcdefghijklmnopqrstuvw.referral-size-too-large-2.delegation03.xb"
* ns2 is "ns2.2abcdefghijklmnopqrstuvwxyz.2abcdefghijklmnopqrstuvwxy.2abcdefghijklmnopqrstuvw.referral-size-too-large-2.delegation03.xb"
* ns3 is "ns3.3abcdefghijklmnopqrstuvwxyz.3abcdefghijklmnopqrstuvwxy.3abcdefghijklmnopqrstuvw.referral-size-too-large-2.delegation03.xb"
* ns4 is "ns4.4abcdefghijklmnopqrstuvwxyz.4abcdefghijklmnopqrstuvwxy.4abcdefghijklmnopqrstuvw.referral-size-too-large-2.delegation03.xb"
* Delegation is without glue.
* The test zone has no address records for the name server names.
* The "delegation03.xb" zone has full set of address records (IPv4 and IPv6).
[Delegation03]: ../../tests/Delegation-TP/delegation03.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[test scenario README file]: ../README.md
[Test zone setup]: #test-zone-setup
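
Review bot: REFERRAL-SIZE-OK-2 defines ns1 twice and ns2 twice with different names ("ns1.ipv4-large-but-not-too-large…" and "ns1.ipv6-large-but-not-too-large…", likewise for ns2), so it is unclear whether the delegation has two name servers or four, and the default assumption above says two. Please either give the four names distinct identifiers or state explicitly how the ipv4 and ipv6 names map to the NS set and its glue, since the record count decides the referral size under test. In REFERRAL-SIZE-TOO-LARGE-1, ns3, ns4 and ns5 reuse the label "2abcdefghijklmnopqrstuv" while the following label is numbered 3, 4 and 5; if that is intentional, a short remark would help, otherwise it looks like a copy-paste slip. Minor: "two name server configured" should be "two name servers", the first two Zone lines end with a trailing dot while the other two do not, and `[RCODE Name]` is unused.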

View File

@@ -0,0 +1,18 @@
# Specification of test scenarios for Zonemaster-Engine Perl modules
This document structure contains test scenario specifications for
Zonemaster-Engine Perl Modules, except for test scenarios for [Test Case]
implementations and implementation of [MethodsV2], which are found in sibling
structures.
The test scenarios found here are for various Perl modules. The specifications
are split by Perl module, and sometimes further split by area.
The following specifications are available:
* [Recursor-PM](Recursor-PM/README.md)
[Test Case]: ../../tests/README.md
[MethodsV2]: ../../tests/MethodsV2.md

View File

@@ -0,0 +1,320 @@
# Specification of test zones for the CNAME functions in Recursor.pm
## Table of contents
* [Background](#background)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
## Background
See the [test zone README file] which is for test case base test zones. Since
this specifies test zones for code it is not fully applicable.
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
the code should be tested.
## Test zone name
The test zone for these scenarios is `cname.recursor.engine.xa`. Subdomain and
subzones are created. The names are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios
Scenario name | Expected output
:----------------------------|:---------------------------------------------------------------------------------------------
GOOD-CNAME-1 | True and tags `CNAME_START`, `CNAME_FOLLOWED_IN_ZONE`
GOOD-CNAME-2 | True and tags `CNAME_START`, `CNAME_FOLLOWED_IN_ZONE`
GOOD-CNAME-CHAIN | True and tags `CNAME_START`, `CNAME_FOLLOWED_IN_ZONE`
GOOD-CNAME-OUT-OF-ZONE | True and tags `CNAME_START`, `CNAME_FOLLOWED_OUT_OF_ZONE`
NXDOMAIN-VIA-CNAME | True and tags `CNAME_START`, `CNAME_FOLLOWED_OUT_OF_ZONE`
NODATA-VIA-CNAME | True and tags `CNAME_START`, `CNAME_FOLLOWED_OUT_OF_ZONE`
MULT-CNAME | Undefined and tags `CNAME_START`, `CNAME_MULTIPLE_FOR_NAME`
LOOPED-CNAME-IN-ZONE-1 | Undefined and tags `CNAME_START`, `CNAME_LOOP_INNER`
LOOPED-CNAME-IN-ZONE-2 | Undefined and tags `CNAME_START`, `CNAME_LOOP_INNER`
LOOPED-CNAME-IN-ZONE-3 | Undefined and tags `CNAME_START`, `CNAME_LOOP_INNER`
LOOPED-CNAME-OUT-OF-ZONE | Undefined and tags `CNAME_START`, `CNAME_LOOP_OUTER`
TOO-LONG-CNAME-CHAIN | Undefined and tags `CNAME_START`, `CNAME_RECORDS_TOO_MANY`
TARGET-NO-MATCH-CNAME | Undefined and tags `CNAME_START`, `CNAME_NO_MATCH`
BROKEN-CNAME-CHAIN | Undefined and tags `CNAME_START`, `CNAME_RECORDS_CHAIN_BROKEN`
WRONG-CNAME-OWNER-NAME | False and no tags
EXTRA-CNAME-IN-ANSWER | False and no tags
## Zone setup for test scenarios
Assumptions for the scenario specifications, unless stated otherwise for the
specific scenario:
* The `cname.recursor.engine.xa` zone is used for all scenarios.
* Relative names are under `cname.recursor.engine.xa.`.
* The query name is given by the scenario.
* Query type is assumed to be `A`.
* In the zone, the query name always has a `CNAME` record.
* The zone is set up on one NS, ns1.
* The [RCODE Name] in the response is NoError.
### GOOD-CNAME-1
The query name will resolve to one `A` record via one CNAME.
* Query name: "good-cname-1.cname.recursor.engine.xa"
* To be found in the answer section:
```
good-cname-1 CNAME good-cname-1-target
good-cname-1-target A 127.0.0.1
```
### GOOD-CNAME-2
The query name will resolve to two `A` record via one CNAME.
* Query name: "good-cname-2.cname.recursor.engine.xa"
* To be found in the answer section:
```
good-cname-2 CNAME good-cname-2-target
good-cname-2-target A 127.0.0.1
good-cname-2-target A 127.0.0.2
```
### GOOD-CNAME-CHAIN
The query name will resolve to two `A` record via three CNAME.
* Query name: "good-cname-chain.cname.recursor.engine.xa"
* To be found in the answer section:
```
good-cname-chain CNAME good-cname-chain-two
good-cname-chain-two CNAME good-cname-chain-three
good-cname-chain-three CNAME good-cname-chain-target
good-cname-chain-target A 127.0.0.1
```
### GOOD-CNAME-OUT-OF-ZONE
The query name will resolve to an `A` record via a CNAME in the zone with a
target that points at a subzone, and a delegation to that sub zone.
* For all queries
* The two zones, `cname.recursor.engine.xa` and
`goodsub.cname.recursor.engine.xa`, are hosted on different IP addresses.
* "x", "y" and "z" in the IP addresses in the configuration below are to be
set in the configuration of the test zones.
* Query name: "good-cname-out-of-zone.cname.recursor.engine.xa"
* Servers: NS of `cname.recursor.engine.xa`.
* Answer, authority and additional sections, respectively, to be found in the
response:
```
;; ANSWER SECTION:
good-cname-out-of-zone CNAME target.goodsub
;; AUTHORITY SECTION:
goodsub NS ns1.goodsub
;; ADDITIONAL SECTION:
ns1.goodsub A 127.x.y.z
ns1.goodsub AAAA fda1:b2:c3::127:x:y:z
```
* Query name: "target.goodsub.cname.recursor.engine.xa"
* Servers: NS of `goodsub.cname.recursor.engine.xa`.
* To be found in the answer section:
```
target.goodsub A 127.0.0.1
```
### NXDOMAIN-VIA-CNAME
The query name exists, but as CNAME record. The target name of CNAME does not
exist.
* Query name: "nxdomain-via-cname.cname.recursor.engine.xa"
* The [RCODE Name] in the response is NxDomain.
* The target of the CNAME, `nxdomain-via-cname-target` does not exist in the
zone and is not delegated.
* SOA of "cname.recursor.engine.xa" to be found in authority section.
* To be found in the answer section:
```
nxdomain-via-cname CNAME nxdomain-via-cname-target
```
### NODATA-VIA-CNAME
The query name exists, but as CNAME record. The target name of CNAME exists, but
not with any A record.
* Query name: "nodata-via-cname.cname.recursor.engine.xa"
* The target of the CNAME, `nodata-via-cname-target`, exists in the zone but
has neither `A` or `CNAME` record, and is not delegated.
* SOA of "cname.recursor.engine.xa" to be found in authority section.
* To be found in the answer section:
```
nodata-via-cname CNAME nodata-via-cname-target
```
### MULT-CNAME
The query name exists, but as CNAME, as two CNAME records.
* Query name: "mult-cname.cname.recursor.engine.xa"
* To be found in the answer section:
```
mult-cname CNAME mult-cname-target-1
mult-cname CNAME mult-cname-target-2
mult-cname-target-1 A 127.0.0.1
mult-cname-target-2 A 127.0.0.2
```
## LOOPED-CNAME-IN-ZONE-1
The query name will point at a CNAME record with the same target as owner name.
* Query name: "looped-cname-in-zone-1.cname.recursor.engine.xa"
* To be found in the answer section:
```
looped-cname-in-zone-1 CNAME looped-cname-in-zone-1
```
## LOOPED-CNAME-IN-ZONE-2
The query name will point at a CNAME, which points at a second CNAME,
which points to a third CNAME whose target name is the same as the
owner name of the second CNAME.
* Query name: "looped-cname-in-zone-2.cname.recursor.engine.xa"
* To be found in the answer section:
```
looped-cname-in-zone-2 CNAME looped-cname-in-zone-2-a
looped-cname-in-zone-2-a CNAME looped-cname-in-zone-2-b
looped-cname-in-zone-2-b CNAME looped-cname-in-zone-2-a
```
## LOOPED-CNAME-IN-ZONE-3
The query name will point at a CNAME, which points at a second CNAME whose target
name is the same as the owner name of the first CNAME.
* Query name: "looped-cname-in-zone-3.cname.recursor.engine.xa"
* To be found in the answer section:
```
looped-cname-in-zone-3 CNAME looped-cname-in-zone-3-next
looped-cname-in-zone-3-next CNAME looped-cname-in-zone-3
```
## LOOPED-CNAME-OUT-OF-ZONE
The query name will point at a CNAME record, but in a sub zone, and the target
name of the CNAME record will point at another CNAME record in another sub zone,
and the target name of the second CNAME record will point at the first.
* For all four queries
* The three zones `cname.recursor.engine.xa`, `sub2.cname.recursor.engine.xa`
and `sub3.cname.recursor.engine.xa` are hosted on different IP addresses.
* "x", "y" and "z" in the IP addresses in the configuration below are to be
set in the configuration of the test zones.
* Query name: "looped-cname-out-of-zone.sub2.cname.recursor.engine.xa"
* Servers: NS of `cname.recursor.engine.xa`.
* Authority and additional sections, respectively, to be found in the
response:
```
;; AUTHORITY SECTION:
sub2 NS ns1.sub2
;; ADDITIONAL SECTION:
ns1.sub2 A 127.x.y.z
ns1.sub2 AAAA fda1:b2:c3::127:x:y:z
```
* Query name: "looped-cname-out-of-zone.sub2.cname.recursor.engine.xa"
* Servers: NS of `sub2.cname.recursor.engine.xa`.
* To be found in the answer section:
```
looped-cname-out-of-zone.sub2 CNAME looped-cname-out-of-zone.sub3
```
* Query name: "looped-cname-out-of-zone.sub3.cname.recursor.engine.xa"
* Servers: NS of `cname.recursor.engine.xa`.
* Relative names are under `cname.recursor.engine.xa.`.
* Authority and additional sections, respectively, to be found in the
response:
```
;; AUTHORITY SECTION:
sub3 NS ns1.sub3
;; ADDITIONAL SECTION:
ns1.sub3 A 127.x.y.z
ns1.sub3 AAAA fda1:b2:c3::127:x:y:z
```
* Query name: "looped-cname-out-of-zone.sub3.cname.recursor.engine.xa"
* Servers: NS of `sub3.cname.recursor.engine.xa`.
* To be found in the answer section:
```
looped-cname-out-of-zone.sub3 CNAME looped-cname-out-of-zone.sub2
```
### TOO-LONG-CNAME-CHAIN
The query name will resolve to one `A` record via ten CNAME records which is
above the limit.
* Query name: "too-long-cname-chain.cname.recursor.engine.xa"
* To be found in the answer section:
```
too-long-cname-chain CNAME too-long-cname-chain-two
too-long-cname-chain-two CNAME too-long-cname-chain-three
too-long-cname-chain-three CNAME too-long-cname-chain-four
too-long-cname-chain-four CNAME too-long-cname-chain-five
too-long-cname-chain-five CNAME too-long-cname-chain-six
too-long-cname-chain-six CNAME too-long-cname-chain-seven
too-long-cname-chain-seven CNAME too-long-cname-chain-eight
too-long-cname-chain-eight CNAME too-long-cname-chain-nine
too-long-cname-chain-nine CNAME too-long-cname-chain-ten
too-long-cname-chain-ten CNAME too-long-cname-chain-target
too-long-cname-chain-target A 127.0.0.1
```
### TARGET-NO-MATCH-CNAME
The CNAME target name does not match the owner name of the `A` record.
* Query name: "target-no-match-cname.cname.recursor.engine.xa"
* To be found in the answer section:
```
target-no-match-cname CNAME target-no-match-cname-two
target-no-match-cname-target A 127.0.0.1
```
### BROKEN-CNAME-CHAIN
The CNAME chain is broken between first and second CNAME records.
* Query name: "broken-cname-chain.cname.recursor.engine.xa"
* To be found in the answer section:
```
broken-cname-chain CNAME broken-cname-chain-two
broken-cname-chain-three CNAME broken-cname-chain-target
broken-cname-chain-target A 127.0.0.1
```
### WRONG-CNAME-OWNER-NAME
The owner name of the CNAME in the response does not match query name.
* Query name: "wrong-cname-owner-name.cname.recursor.engine.xa"
* To be found in the answer section:
```
wrong-cname-owner-name-1 CNAME wrong-cname-owner-name-target
wrong-cname-owner-name-target A 127.0.0.1
```
### EXTRA-CNAME-IN-ANSWER
There is an extra CNAME record with an owner name not matching the query name
besides the `A` record matching query name.
* Query name: "extra-cname-in-answer.cname.recursor.engine.xa"
* To be found in the answer section:
```
extra-cname-in-answer A 127.0.0.1
extra-cname-in-answer-1 CNAME extra-cname-in-answer-2
```
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../../README.md
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
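Review bot: TOO-LONG-CNAME-CHAIN says the ten-CNAME chain "is above the limit" but never states what the limit is or where it is defined, so a reader cannot tell whether ten is the first failing length or well past it. Suggest naming the limit value, or linking to where the recursor defines it. This bound is what stops the recursor from following alias chains indefinitely, so the spec should also make clear whether a chain of exactly the permitted length is expected to resolve.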

View File

@@ -0,0 +1,6 @@
# Specification of test scenarios for Recursor.pm Perl module
The following specifications are available:
* [CNAME](CNAME.md)

View File

@@ -0,0 +1,29 @@
# Specification of test scenarios for MethodsV2
This document structure contains test scenario specifications for [MethodsV2],
which is not a Test Case module. Instead it is a collection of Method
specifications referred to by the Test Case specifications and implemented by
Perl methods used in the implementations of the Test Cases.
The purpose of the test scenarios for [MethodsV2] is to verify that the
implementation of the methods matches the specifications.
Test scenarios specification for the following methods are available:
* [Get parent NS IP addresses]
* [Get delegation NS names and IP addresses]
* [Get zone NS names and IP addresses]
Test scenarios specification:
* [Specification of test scenarios for MethodsV2](methodsv2.md)
Test scenarios for [Test Case] implementations and test scenarios for Perl
modules in Zonemaster-Engine are not in this structure. Instead they can
be found in sibling structures.
[Get delegation NS names and IP addresses]: ../../tests/MethodsV2.md#method-get-delegation-ns-names-and-ip-addresses
[Get parent NS IP addresses]: ../../tests/MethodsV2.md#method-get-parent-ns-ip-addresses
[Get zone NS names and IP addresses]: ../../tests/MethodsV2.md#method-get-zone-ns-names-and-ip-addresses
[MethodsV2]: ../../tests/MethodsV2.md
[Test Case]: ../../tests/README.md
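Review bot: the list under "Test scenarios specification for the following methods are available" links each method to `../../tests/MethodsV2.md`, which this same file describes as the collection of Method specifications, not to a scenario specification; the only scenario document linked is `methodsv2.md` in the list that follows. The first entry is also "Get parent NS IP addresses", while methodsv2.md in this commit defines expected data for "Get parent NS names and IP addresses". Suggest rewording the first list as the methods covered and aligning the method name with methodsv2.md.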

View File

@@ -0,0 +1,695 @@
# Specification of test scenarios for MethodsV2
## Table of contents
* [Background](#background)
* [Test scenarios](#test-scenarios)
* [Public methods](#public-methods)
* [Test zone names](#test-zone-names)
* [Test scenarios and setup of test zones]
## Background
See the [test zone README file] which is for test case base test zones. Since
this document specifies test zones for a [MethodsV2] Method, it is not fully
applicable.
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts for the
Methods. See [the implementation of the scenarios] for the latest version of the
implementation of the MethodsV2 scenarios.
## Public methods
[MethodsV2] provides the following public methods:
* For parent zone:
* Get parent NS names and IP addresses
* Get parent NS IP addresses
* For delegation:
* Get delegation NS names and IP addresses
* Get delegation NS IP addresses
* Get delegation NS names
* For zone information:
* Get zone NS names and IP addresses
* Get zone NS names
* Get zone NS IP addresses
### Data type
All methods can return one of the following data types:
* Empty set
* Non-empty set
* Undefined set
The non-empty set from the following methods consists of unique IP addresses,
IPv4, IPv6 or both (e.g "127.40.4.21" and "fda1:b2:c3::21" are valid):
* Get parent NS IP addresses
* Get delegation NS IP addresses
* Get zone NS IP addresses
The non-empty set from the following methods consists of unique name server
names (e.g. "ns1.example.xa" and "ns2.example.xb" are valid):
* Get delegation NS names
* Get zone NS names
The non-empty set from the following methods consists of unique pairs of name
server name and its IP address (IPv4 or IPv6). The IP address cannot be blank
(e.g. "ns1.example.xa/127.40.4.21" and "ns1.example.xa/fda1:b2:c3::21" are
valid but "ns1.example.xa" is not):
* Get parent NS names and IP addresses
The non-empty set from the following methods consists of unique pairs of name
server name and its IP address (IPv4 or IPv6). The IP address can be left blank
(e.g. "ns1.example.xa/127.40.4.21", "ns1.example.xa/fda1:b2:c3::21" and
"ns1.example.xa" are valid):
* Get delegation NS names and IP addresses
* Get zone NS names and IP addresses
### Data defined for the scenarios
Both *Get delegation NS IP addresses* and *Get delegation NS names* can be
derived from *Get delegation NS names and IP addresses*.
Both *Get zone NS IP addresses* and *Get zone NS names* can be derived from
*Get zone NS names and IP addresses*.
*Get parent NS IP addresses* can be derived from *Get parent NS names and IP
addresses*.
Consequently, for the scenarios defined in this document the expected data is only
defined for the following three methods:
* Get parent NS names and IP addresses
* Get delegation NS names and IP addresses
* Get zone NS names and IP addresses
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`methodsv2.xa`) and that subdomain having the same name as
the specific scenario. The names of those zones are given in section
"[Test scenarios and setup of test zones]" below.
## Test scenarios and setup of test zones
### Default zone configuration
Assumptions for the scenario specifications unless otherwise specified for
the specific scenario:
* The child zone is `child.parent.SCENARIO.methodsv2.xa`.
* It is served by two IB (in-bailiwick) NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* The delegation from the parent has the same NS with complete glue.
* The parent zone is `parent.SCENARIO.methodsv2.xa`.
* It is served by two IB NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* The delegation from the grandparent has the same NS with complete glue.
* The grandparent zone is `SCENARIO.methodsv2.xa`.
* It is served by two IB NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* The delegation from the SCENARIO zoen has the same NS with complete glue.
* Responds with a A record for the zone on query for A.
* Responds with a AAAA record for the zone on query for AAAA.
* All responses are authoritative with [RCODE Name] "NoError".
* EDNS, version 0, is included in all responses on queries with EDNS.
* EDNS is not included in responses on queries without EDNS.
* Standard root is used.
* In all cases, delegation and zone are consistent.
* Same NS
* Any required glue matches address records in zone. No extra address
records.
### GOOD-1
A "happy path". Everything is fine.
* Zone: child.parent.good-1.methodsv2.xa
* Just defaults
### GOOD-2
A "happy path". Everything is fine. Child has out-of-bailiwick name servers
only.
* Zone: child.parent.good-2.methodsv2.xa
* Child NS are out-of-bailiwick but not shared with grandparent zone.
* ns5.good-2.methodsv2.xa
* ns6.good-2.methodsv2.xa
* No glue
### GOOD-3
A "happy path". Everything is fine. Child has both in-bailiwick and
out-of-bailiwick name servers.
* Zone: child.parent.good-3.methodsv2.xa
* Child NS:
* ns1.child.parent.good-3.methodsv2.xa
* ns3.parent.good-3.methodsv2.xa
* ns5.good-3.methodsv2.xa (not shared with grandparent zone).
* Glue:
* Address records (A and AAAA) for
* ns1.child.parent.good-3.methodsv2.xa
* ns3.parent.good-3.methodsv2.xa (optional)
### GOOD-4
A "happy path". Everything is fine. Parent zone is also hosted on grandparent
server.
* Zone: child.parent.good-4.methodsv2.xa
* Parent NS:
* ns1.parent.good-4.methodsv2.xa
* ns2.parent.good-4.methodsv2.xa
* ns1.good-4.methodsv2.xa (shared with grandparent zone).
* Glue for parent:
* Address records (A and AAAA) for
* ns1.parent.good-4.methodsv2.xa
* ns2.parent.good-4.methodsv2.xa
* ns1.good-4.methodsv2.xa (optional)
### GOOD-5
A "happy path". Everything is fine. Child zone is hosted also on grandparent
server and parent server.
* Zone: child.parent.good-5.methodsv2.xa
* Child NS:
* ns1.child.parent.good-5.methodsv2.xa
* ns2.child.parent.good-5.methodsv2.xa
* ns1.good-5.methodsv2.xa (shared with grandparent zone).
* ns1.parent.good-5.methodsv2.xa (shared with parent zone).
* Glue:
* Address records (A and AAAA) for
* ns1.child.parent.good-5.methodsv2.xa
* ns2.child.parent.good-5.methodsv2.xa
* ns1.parent.good-5.methodsv2.xa (optional)
### GOOD-6
A "happy path". Everything is fine. Child zone is only hosted on grandparent
servers.
* Zone: child.parent.good-6.methodsv2.xa
* Child NS (both shared with grandparent zone):
* ns1.good-6.methodsv2.xa
* ns2.good-6.methodsv2.xa
* No glue.
### GOOD-7
A "happy path". Everything is fine. Child zone is only hosted on parent
servers.
* Zone: child.parent.good-7.methodsv2.xa
* Child NS (both shared with parent zone):
* ns1.parent.good-7.methodsv2.xa
* ns2.parent.good-7.methodsv2.xa
* Glue:
* Address records (A and AAAA) for
* ns1.parent.good-7.methodsv2.xa (optional)
* ns2.parent.good-7.methodsv2.xa (optional)
### GOOD-UNDEL-1
A "happy path". Everything is fine. Child has both in-bailiwick and
out-of-bailiwick name servers. Child is delegated but is tested
undelegated.
* Zone: child.parent.good-undel-1.methodsv2.xa
* Delegation:
* Child NS:
* ns1-2.child.parent.good-undel-1.methodsv2.xa
* ns3.parent.good-undel-1.methodsv2.xa (not shared with parent zone)
* ns5.good-undel-1.methodsv2.xa (not shared with grandparent zone)
* Glue:
* Adress records (A and AAAA) for
* ns1-2.child.parent.good-undel-1.methodsv2.xa
* ns3.parent.good-undel-1.methodsv2.xa (optional)
* There is an undelegated version of the zone matching undelegated data.
* `ns1-2` have different IP addresses for delegation and delegated zone, on one
hand, and undelegated data and undelegated version of the zone, on the other.
* `ns3.parent.good-undel-1.methodsv2.xa` is shared between delegated zone and
undelegated version of zone, but holding the data of the undelegated version.
* Undelegated data:
* ns1-2.child.parent.good-undel-1.methodsv2.xa/IPv4
* ns1-2.child.parent.good-undel-1.methodsv2.xa/IPv6
* ns3.parent.good-undel-1.methodsv2.xa/IPv4
* ns3.parent.good-undel-1.methodsv2.xa/IPv6
* ns6.good-undel-1.methodsv2.xa
### GOOD-UNDEL-2
A "happy path". Everything is fine. Child has both in-bailiwick and
out-of-bailiwick name servers. Child is not delegated but is tested
undelegated.
* Zone: child.parent.good-undel-2.methodsv2.xa
* No delegation from parent.
* To be tested with undelegated data:
* There is an undelegated version of the zone matching undelegated data.
* Undelegated data:
* ns1.child.parent.good-undel-2.methodsv2.xa/IPv4
* ns1.child.parent.good-undel-2.methodsv2.xa/IPv6
* ns3.parent.good-undel-2.methodsv2.xa/IPv4
* ns3.parent.good-undel-2.methodsv2.xa/IPv6
* ns6.good-undel-2.methodsv2.xa
### DIFF-NS-1
No match in name server names between delegation and zone. Same name server IP.
* Zone: child.parent.diff-ns-1.methodsv2.xa
* Delegation to ns1 and ns2.
* NS in zone ns1-2 and ns2-2.
* ns1-2 and ns2-2 in zone, ns1 and ns2 not in zone.
### DIFF-NS-2
No match in name server names between delegation and zone. Same name server IP on
one server. Different on the other. No zone on servers from delegation except
ns1.
* Zone: child.parent.diff-ns-2.methodsv2.xa
* Delegation to ns1 and ns2.
* NS in zone ns1-2, ns3.
* ns1-2 and ns3 in zone, ns1 and ns2 not in zone.
* No zone on ns2.
* ns1 and ns1-2 have the same IP.
### IB-NOT-IN-ZONE-1
Delegation has in-bailiwick NS, but the names are not defined in the zone.
* Zone: child.parent.ib-not-in-zone-1.methodsv2.xa
* ns1 and ns2 not defined in zone.
### CHILD-NO-ZONE-1
* Zone: child.parent.child-no-zone-1.methodsv2.xa
* No child zone on ns1 and ns2.
* Response SERVFAIL.
### CHILD-NO-ZONE-2
* Zone: child.parent.child-no-zone-2.methodsv2.xa
* No response from ns1 and ns2 of the child.
### GOOD-MIXED-UNDEL-1
The child zone is delegated, but there is also an undelegated version which is
the one tested. One grandparent server, in the delegated tree, also serves
parent zone.
* Zone: child.parent.good-mixed-undel-1.methodsv2.xa
* Grandparent zone `good-mixed-undel-1.methodsv2.xa` is served on `ns1` and
`ns4`.
* Parent zone `parent.good-mixed-undel-1.methodsv2.xa` is served by `ns1`,
`ns2` and `ns4.good-mixed-undel-1.methodsv2.xa`.
* Child zone is delegated, but there is also an undelegated version where
the zone has the same data as the delegation.
* Undelegated data:
* ns3.child.parent.good-mixed-undel-1.methodsv2.xa/IPv4
* ns3.child.parent.good-mixed-undel-1.methodsv2.xa/IPv6
* ns4.child.parent.good-mixed-undel-1.methodsv2.xa/IPv4
* ns4.child.parent.good-mixed-undel-1.methodsv2.xa/IPv6
### GOOD-MIXED-UNDEL-2
The child zone is delegated, but there is also an undelegated version. One parent
server also serves the delegated child zone.
* Zone: child.parent.good-mixed-undel-2.methodsv2.xa
* Parent zone `parent.good-mixed-undel-2.methodsv2.xa` is served by `ns1` and
`ns2`.
* Child zone is served by `ns1`, `ns2` and
`ns2.parent.good-mixed-undel-2.methodsv2.xa`.
* Child zone is delegated, but there is also an undelegated version where the
zone has the same data as the delegation.
* Undelegated data:
* ns3.child.parent.good-mixed-undel-2.methodsv2.xa/IPv4
* ns3.child.parent.good-mixed-undel-2.methodsv2.xa/IPv6
* ns4.child.parent.good-mixed-undel-2.methodsv2.xa/IPv4
* ns4.child.parent.good-mixed-undel-2.methodsv2.xa/IPv6
### NO-DEL-MIXED-UNDEL-1
The child zone is not delegated, but there is an undelegated version that is
tested. One grandparent server also serves the parent zone.
* Zone: child.parent.no-del-mixed-undel-1.methodsv2.xa
* Parent zone `parent.no-del-mixed-undel-1.methodsv2.xa` is served by `ns1`,
`ns2` and on `ns2.no-del-mixed-undel-1.methodsv2.xa`.
* Child zone is not delegated, but there is an undelegated version.
* Undelegated data:
* ns1.child.parent.no-del-mixed-undel-1.methodsv2.xa/IPv4
* ns1.child.parent.no-del-mixed-undel-1.methodsv2.xa/IPv6
* ns2.child.parent.no-del-mixed-undel-1.methodsv2.xa/IPv4
* ns2.child.parent.no-del-mixed-undel-1.methodsv2.xa/IPv6
### NO-CHILD-1
The child zone is not delegated. Parent zone returns NXDOMAIN.
* Zone: child.parent.no-child-1.methodsv2.xa
* Child zone does not exist and is not served by any NS.
### NO-CHILD-2
The child zone is not delegated. Parent zone returns NODATA.
* Zone: child.parent.no-child-2.methodsv2.xa
* Child zone does not exist is not served by any NS.
* The name child.parent.no-child-2.methodsv2.xa exists as a TXT record.
### NO-CHLD-PAR-UNDETER-1
The child zone is not delegated. One grandparent NS lacks delegation of parent
and return NXDOMAIN of child. The parent zone lacks delegation of child.
* Zone: child.parent.no-chld-par-undeter-1.methodsv2.xa
* Child zone does not exist is not served by any NS.
* Grandparent `ns1` lacks delegation of parent.
* Grandparent `ns2` has delegation of parent (to both parent NS).
* Parent zone lacks delegation of child.
### CHLD-FOUND-PAR-UNDET-1
The child zone is delegated from one grandparent NS and from the parent zone.
* Zone: child.parent.chld-found-par-undet-1.methodsv2.xa
* Grandparent `ns1` has delegation of child but lacks delegation of parent.
* Grandparent `ns2` has delegation of parent (to both parent NS).
* Parent zone has delegation of child.
### CHLD-FOUND-INCONSIST-1
The child is delegated from one parent NS. On the other there is an NXDOMAIN
response.
* Zone: child.parent.chld-found-inconsist-1.methodsv2.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child (NXDOMAIN).
### CHLD-FOUND-INCONSIST-2
The child is delegated from one parent NS. On the other there is an CNAME
response.
* Zone: child.parent.chld-found-inconsist-2.methodsv2.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, and has a CNAME on that name,
pointing at `no-child.parent.chld-found-inconsist-2.methodsv2.xa`, which has
two address records (A and AAAA) with the IP addresses of child `ns2`.
### CHLD-FOUND-INCONSIST-3
The child is delegated from one parent NS. On the other there is a CNAME
to another name, and that other name is delegated.
* Zone: child.parent.chld-found-inconsist-3.methodsv2.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, and has a CNAME on the name,
pointing at `sister.parent.chld-found-inconsist-3.methodsv2.xa`, which is
delegated to `ns6-delegated-child.methodsv2.xa` and
`ns7-delegated-child.methodsv2.xa`.
* Zone `sister` does not exist.
### CHLD-FOUND-INCONSIST-4
The child is delegated from one parent NS. On the other there is a DNAME to
another name.
* Zone: child.parent.chld-found-inconsist-4.methodsv2.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` has a DNAME on `child` pointing at
`sister.parent.chld-found-inconsist-4.methodsv2.xa` which is delegated to
`ns6-delegated-child.methodsv2.xa` and `ns7-delegated-child.methodsv2.xa`.
* Zone `sister` does not exist.
### CHLD-FOUND-INCONSIST-5
The child is delegated from one parent NS. On the other there is a NODATA
response.
* Zone: child.parent.chld-found-inconsist-5.methodsv2.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, instead `child` has two address
records (A and AAAA) with the IP addresses of child `ns2`.
### CHLD-FOUND-INCONSIST-6
The child is delegated from one parent NS, which is also NS for the child.
On the other there is an NXDOMAIN response.
* Zone: child.parent.chld-found-inconsist-6.methodsv2.xa
* Parent `ns1` has normal delegation of child to the two child NS.
* Parent `ns2` lacks delegation of child (NXDOMAIN).
* Child shares `ns1.parent.chld-found-inconsist-6.methodsv2.xa` with parent.
* Child also uses child `ns1` and `ns2`.
* Child exists with a zone.
### CHLD-FOUND-INCONSIST-7
The child is delegated from one parent NS, which is also NS for the child. On the
other there is an CNAME response.
* Zone: child.parent.chld-found-inconsist-7.methodsv2.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, and has a CNAME on that name,
pointing at `no-child.parent.chld-found-inconsist-7.methodsv2.xa`, which has
two address records (A and AAAA) with the IP addresses of child `ns2`.
* Child shares `ns1.parent.chld-found-inconsist-7.methodsv2.xa` with parent.
* Child also uses `ns2`.
* Child exists with a zone.
### CHLD-FOUND-INCONSIST-8
The child is delegated from one parent NS, which is also NS for the child. On
the other there is a CNAME to another name, and that other name is delegated.
* Zone: child.parent.chld-found-inconsist-8.methodsv2.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, and has a CNAME on the name,
pointing at `sister.parent.chld-found-inconsist-8.methodsv2.xa`, which is
`ns6-delegated-child.methodsv2.xa` and `ns7-delegated-child.methodsv2.xa`.
* Zone `sister` does not exist.
* Child shares `ns1.parent.chld-found-inconsist-8.methodsv2.xa` with parent.
* Child also uses `ns2`.
* Child exists with a zone.
### CHLD-FOUND-INCONSIST-9
The child is delegated from one parent NS, which is also NS for the child. On
the other there is a DNAME to another name.
* Zone: child.parent.chld-found-inconsist-9.methodsv2.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` has a DNAME on `child` pointing at
`sister.parent.chld-found-inconsist-9.methodsv2.xa` which is delegated to
`ns6-delegated-child.methodsv2.xa` and `ns7-delegated-child.methodsv2.xa`.
* Zone `sister` does not exist.
* Child shares `ns1.parent.chld-found-inconsist-9.methodsv2.xa` with parent.
* Child also uses `ns2`.
* Child exists with a zone.
### CHLD-FOUND-INCONSIST-10
The child is delegated from one parent NS, which is also NS for the child. On the
other there is a NODATA response.
* Zone: child.parent.chld-found-inconsist-10.methodsv2.xa
* Parent `ns1` has normal delegation of child to two child NS, `ns1` and `ns2`.
* Parent `ns2` lacks delegation of child, instead `child` has two address
records (A and AAAA) with the IP addresses of child `ns2`.
* Child shares `ns1.parent.chld-found-inconsist-10.methodsv2.xa` with parent.
* Child also uses `ns2`.
* Child exists with a zone.
### NO-DEL-UNDEL-NO-PAR-1
The child is not delegated, but there is undelegated data to test. Both
grandparent NS return SERVFAIL.
* Zone: child.parent.no-del-undel-no-par-1.methodsv2.xa
* Grandparent `ns1` and `ns2` both return SERVFAIL.
* No need of parent zone.
* Child zone is not delegated, but there is an undelegated version.
* Undelegated data:
* ns1.child.parent.no-del-undel-no-par-1.methodsv2.xa/IPv4
* ns1.child.parent.no-del-undel-no-par-1.methodsv2.xa/IPv6
* ns2.child.parent.no-del-undel-no-par-1.methodsv2.xa/IPv4
* ns2.child.parent.no-del-undel-no-par-1.methodsv2.xa/IPv6
### NO-DEL-UNDEL-PAR-UND-1
The child is not delegated, but there is an undelegated data to test. One
grandparent NS lacks delegation of parent and return NXDOMAIN of child. The
parent zone lacks delegation of child.
* Zone: child.parent.no-del-undel-par-und-1.methodsv2.xa
* Child zone does not exist is not served by any NS.
* Grandparent `ns1` has delegation of parent (to both parent NS).
* Grandparent `ns2` lacks delegation of parent.
* Parent zone lacks delegation of child.
* Child zone is not delegated, but there is an undelegated version.
* Undelegated data:
* ns1.child.no-del-undel-par-und-1.methodsv2.xa/IPv4
* ns1.child.no-del-undel-par-und-1.methodsv2.xa/IPv6
* ns2.child.no-del-undel-par-und-1.methodsv2.xa/IPv4
* ns2.child.no-del-undel-par-und-1.methodsv2.xa/IPv6
### NO-CHLD-NO-PAR-1
The child is not delegated. Both grandparent NS return SERVFAIL.
* Zone: child.parent.no-chld-no-par-1.methodsv2.xa
* Grandparent `ns1` and `ns2` both return SERVFAIL.
* No need of parent zone.
* Child zone is not delegated, and there is no undelegated data.
* No need of child zone.
### CHILD-ALIAS-1
The child zone does not exist, instead there is a DNAME in the parent zone.
* Zone: child.parent.child-alias-1.methodsv2.xa
* Parent has a DNAME on `child` pointing at
`sister.parent.child-alias-1.methodsv2.xa` which is delegated to
`ns6-delegated-child.methodsv2.xa` and `ns7-delegated-child.methodsv2.xa`.
* Zone `sister` does not exist.
### ZONE-ERR-GRANDPARENT-1
Grandparent `ns2` responds with AA bit unset on queries for grandparent zone.
* Zone: child.parent.zone-err-grandparent-1.methodsv2.xa
* Normal response on grandparent `ns1`.
* Grandparent `ns2` responds with AA bit unset on queries for the
grandparent zone.
### ZONE-ERR-GRANDPARENT-2
Grandparent `ns2` responds with NODATA on NS query for grandparent zone.
* Zone: child.parent.zone-err-grandparent-2.methodsv2.xa
* Normal response on grandparent `ns1`.
* Grandparent `ns2` responds with NODATA on NS query for the
grandparent zone.
### ZONE-ERR-GRANDPARENT-3
Grandparent `ns2` responds with wrong owner name on NS
on query for grandparent zone NS.
* Zone: child.parent.zone-err-grandparent-3.methodsv2.xa
* Normal response on grandparent `ns1`.
* Grandparent `ns2` responds with other owner name on NS query for
`zone-err-grandparent-3.methodsv2.xa`:
* Owner name `oncle.zone-err-grandparent-3.methodsv2.xa` instead.
### DELEG-OOB-W-ERROR-1
Zone is delegated to two OOB NS, of which one has no IP (NODATA).
* Zone: child.parent.deleg-oob-w-error-1.methodsv2.xa
* Zone is delegated to `ns3.deleg-oob-w-error-1.methodsv2.xa` and
`ns4-nodata.deleg-oob-w-error-1.methodsv2.xa`.
* `ns3` is fully functional with the zone which matches the
delegation.
* `ns4-nodata` cannot be resolved (NODATA).
### DELEG-OOB-W-ERROR-2
Zone is delegated to two OOB NS, of which one has no IP (NXDOMAIN).
* Zone: child.parent.deleg-oob-w-error-2.methodsv2.xa
* Zone is delegated to `ns3.deleg-oob-w-error-2.methodsv2.xa` and
`ns4-nxdomain.deleg-oob-w-error-2.methodsv2.xa`.
* `ns3` is fully functional with the zone which matches the
delegation.
* `ns4-nxdomain` cannot be resolved (NXDOMAIN).
### DELEG-OOB-W-ERROR-3
Zone is delegated to two OOB NS, where both have no IP (NODATA).
* Zone: child.parent.deleg-oob-w-error-3.methodsv2.xa
* Zone is delegated to `ns3-nodata.deleg-oob-w-error-3.methodsv2.xa` and
`ns4-nodata.deleg-oob-w-error-3.methodsv2.xa`.
* `ns3-nodata` and `ns4-nodata` cannot be resolved (NODATA).
* There is no child zone.
### DELEG-OOB-W-ERROR-4
Zone is delegated to two OOB NS, where both have no IP (NXDOMAIN).
* Zone: child.parent.deleg-oob-w-error-4.methodsv2.xa
* Zone is delegated to `ns3-nxdomain.deleg-oob-w-error-4.methodsv2.xa` and
`ns4-nxdomain.deleg-oob-w-error-4.methodsv2.xa`.
* `ns3-nxdomain` and `ns4-nxdomain` cannot be resolved (NXDOMAIN).
* There is no child zone.
### CHILD-NS-CNAME-1
Zone is delegated to two IB NS, where both NS names are aliases (CNAME)
to other names in zone.
* Zone: child.parent.child-ns-cname-1.methodsv2.xa
* Zone is delegated to `ns1-cname` and `ns2-cname` and both are aliases to
`ns1` and `ns2`, respectively.
* Both names can be resolved to A and AAAA via CNAME and give correct IP.
### CHILD-NS-CNAME-2
Zone is delegated to two IB NS, where both NS names are aliases (CNAME)
to other names out of zone.
* Zone: child.parent.child-ns-cname-2.methodsv2.xa
* Zone is delegated to `ns1-cname` and `ns2-cname` and both are aliases to
`child-ns1.child-ns-cname-2.methodsv2.xa` and
`child-ns2.child-ns-cname-2.methodsv2.xa`
* Both names can be resolved to A and AAAA via CNAME and give correct IP.
### CHILD-NS-CNAME-3
Zone is delegated to two OOB NS, where both NS names are aliases (CNAME)
to other names out of zone.
* Zone: child.parent.child-ns-cname-3.methodsv2.xa
* Zone is delegated to `ns3-cname.child-ns-cname-3.methodsv2.xa` and
`ns4-cname.child-ns-cname-3.methodsv2.xa` and both are aliases to `ns3`
and `ns4`, respectively.
* Both names can be resolved to A and AAAA via CNAME and give correct IP.
### CHILD-NS-CNAME-4
Zone is delegated to two IB NS, where both NS names are aliases (CNAME)
to other names in zone.
* Zone: child.parent.child-ns-cname-4.methodsv2.xa
* Zone is delegated to `ns1-cname` and `ns2-cname` and both are aliases to
`ns1` and `ns2`, respectively.
* Both names can be resolved to A via CNAME and give correct IP.
* Neither name can be resolved to AAAA via CNAME.
* The parent zone has glue records for `ns1-cname`, but not for `ns2-cname`.
### PARENT-NS-CNAME-1
Parent is delegated to two IB NS, where both NS names are aliases (CNAME)
to other names in parent zone.
* Zone: child.parent.parent-ns-cname-1.methodsv2.xa
* Parent is delegated to `ns1-cname` and `ns2-cname` and both are aliases to
`ns1` and `ns2`, respectively.
* Both names can be resolved to A and AAAA via CNAME and give correct IP.
### PARENT-NS-CNAME-2
Parent is delegated to two IB NS, where both NS names are aliases (CNAME)
to other names out of zone.
* Zone: child.parent.parent-ns-cname-2.methodsv2.xa
* Parent is delegated to `ns1-cname` and `ns2-cname` and both are aliases to
`parent-ns1.parent-ns-cname-2.methodsv2.xa` and
`parent-ns2.parent-ns-cname-2.methodsv2.xa`
* Both names can be resolved to A and AAAA via CNAME and give correct IP.
### PARENT-NS-SAME-IP-1
Parent is delegated to three IB NS. The delegation lists two name server names
resolving to the same IP.
* Zone: child.parent.parent-ns-same-ip-1.methodsv2.xa
* Parent zone (parent.parent-ns-name-ip-1.methodsv2.xa) is delegated to
`ns1a`, `ns1b` and `ns2`.
* Both `ns1a` and `ns1b` have A and AAAA records pointing to the same IPv4
and IPv6 address respectively.
### PARENT-NS-SAME-IP-2
Parent is delegated to two IB NS. Two of the in-zone NS records resolve to the
same IP. The grandparent zones delegation lists name server names that are
different from the in-zone NS records, but the sets of IP addresses are equal.
* Zone: child.parent.parent-ns-same-ip-2.methodsv2.xa
* Grandparent zone (parent-ns-name-ip-2.methodsv2.xa) delegates the parent
zone (parent.parent-ns-name-ip-2.methodsv2.xa) to `ns1` and `ns2`.
* Parent zones NS records list `ns1a`, `ns1b` and `ns2` instead of `ns1` and
`ns2`.
* Both `ns1a` and `ns1b` have A and AAAA records pointing to the same IPv4
and IPv6 address respectively.
<!-- Links to documents in this repository but outside the public tree must be
absolute -->
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
[MethodsV2]: ../../tests/MethodsV2.md
[Get parent NS IP addresses]: ../../tests/MethodsV2.md#method-get-parent-ns-ip-addresses
[the implementation of the scenarios]: https://github.com/zonemaster/zonemaster/blob/master/test-zone-data/MethodsV2/README.md
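Review bot: in PARENT-NS-SAME-IP-1 and PARENT-NS-SAME-IP-2 the "Zone:" lines use `parent-ns-same-ip-N`, but the bullets name the zones `parent.parent-ns-name-ip-1.methodsv2.xa`, `parent-ns-name-ip-2.methodsv2.xa` and `parent.parent-ns-name-ip-2.methodsv2.xa` ("name-ip" instead of "same-ip"), so anyone building zone data from the spec gets names that do not sit under the scenario zone. A similar mismatch is in NO-DEL-UNDEL-PAR-UND-1, where the undelegated data is `ns1.child.no-del-undel-par-und-1.methodsv2.xa` without the `parent` label although the zone is `child.parent.no-del-undel-par-und-1.methodsv2.xa`; please confirm whether that is intended. In CHLD-FOUND-INCONSIST-8 the `sister` bullet reads "which is `ns6-delegated-child.methodsv2.xa` and ..." and has lost "delegated to" (compare CHLD-FOUND-INCONSIST-3). Smaller items: "zoen" in the default grandparent bullets, "Adress" in GOOD-UNDEL-1, "does not exist is not served" in NO-CHILD-2, NO-CHLD-PAR-UNDETER-1 and NO-DEL-UNDEL-PAR-UND-1, CHILD-NO-ZONE-1 and CHILD-NO-ZONE-2 have no description sentence, and the `[Get parent NS IP addresses]` link definition at the end does not appear to be referenced in this file.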

View File

@@ -0,0 +1,7 @@
# Specification of test zones for Nameserver-TP
Test zone specifications are available for:
* [NAMESERVER11](nameserver11.md)
* [NAMESERVER15](nameserver15.md)

View File

@@ -0,0 +1,118 @@
# Specification of test zones for NAMESERVER11
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [NAMESERVER11].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [NAMESERVER11] is run on a test zone.
The message tags are defined in the test case ([NAMESERVER11]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`nameserver11.xa`) and that subdomain having the same name as the
scenario. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:-------------------------|:---------------------------------|:-------------------------------------------
NO-EDNS-ON-UNKNOWN-OC | N11_NO_EDNS | N11_NO_RESPONSE, N11_RETURNS_UNKNOWN_OPTION_CODE, N11_UNEXPECTED_ANSWER_SECTION, N11_UNEXPECTED_RCODE, N11_UNSET_AA
NO-ERROR | (none) | N11_NO_EDNS, N11_NO_RESPONSE, N11_RETURNS_UNKNOWN_OPTION_CODE, N11_UNEXPECTED_ANSWER_SECTION, N11_UNEXPECTED_RCODE, N11_UNSET_AA
NO-RESPONSE-ON-EDNS | (none) | N11_NO_EDNS, N11_NO_RESPONSE, N11_RETURNS_UNKNOWN_OPTION_CODE, N11_UNEXPECTED_ANSWER_SECTION, N11_UNEXPECTED_RCODE, N11_UNSET_AA
NO-RESPONSE-ON-UNKNOWN-OC | N11_NO_RESPONSE | N11_NO_EDNS, N11_RETURNS_UNKNOWN_OPTION_CODE, N11_UNEXPECTED_ANSWER_SECTION, N11_UNEXPECTED_RCODE, N11_UNSET_AA
RETURNS-UNKNOWN-OC | N11_RETURNS_UNKNOWN_OPTION_CODE | N11_NO_EDNS, N11_NO_RESPONSE, N11_UNEXPECTED_ANSWER_SECTION, N11_UNEXPECTED_RCODE, N11_UNSET_AA
UNEXPECTED-ANSWER-SECTION | N11_UNEXPECTED_ANSWER_SECTION | N11_NO_EDNS, N11_NO_RESPONSE, N11_RETURNS_UNKNOWN_OPTION_CODE, N11_UNEXPECTED_RCODE, N11_UNSET_AA
UNEXPECTED-RCODE-FORMERR | N11_UNEXPECTED_RCODE | N11_NO_EDNS, N11_NO_RESPONSE, N11_RETURNS_UNKNOWN_OPTION_CODE, N11_UNEXPECTED_ANSWER_SECTION, N11_UNSET_AA
UNEXPECTED-RCODE-REFUSED | N11_UNEXPECTED_RCODE | N11_NO_EDNS, N11_NO_RESPONSE, N11_RETURNS_UNKNOWN_OPTION_CODE, N11_UNEXPECTED_ANSWER_SECTION, N11_UNSET_AA
UNSET-AA | N11_UNSET_AA | N11_NO_EDNS, N11_NO_RESPONSE, N11_RETURNS_UNKNOWN_OPTION_CODE, N11_UNEXPECTED_ANSWER_SECTION, N11_UNEXPECTED_RCODE
## Zone setup for test scenarios
Assumptions for the scenario specifications:
* For each scenario zone there is one name server configured.
* Unless stated otherwise, all name servers respond as follows:
* Responds with a SOA record for the zone on query for SOA.
* All responses are authoritative with [RCODE Name] "NoError".
* EDNS, version 0, is included in all responses on queries with EDNS.
* EDNS is not included in responses on queries without EDNS.
* Unknown EDNS option codes are not included in responses.
### NO-EDNS-ON-UNKNOWN-OC
* Zone: "no-edns-on-unknown-oc.nameserver11.xa."
* The name server will respond without EDNS if the query includes an unknown
EDNS OPTION CODE.
### NO-ERROR
* Zone: "no-error.nameserver11.xa."
* The name server will respond as default (no error).
### NO-RESPONSE-ON-EDNS
* Zone: "no-response-on-edns.nameserver11.xa."
* The name server will not respond to any query with EDNS.
### NO-RESPONSE-ON-UNKNOWN-OC
* Zone: "no-response-on-unknown-oc.nameserver11.xa."
* The name server will not respond if the query includes an unknown EDNS OPTION
CODE.
### RETURNS-UNKNOWN-OC
* Zone: "returns-unknown-oc.nameserver11.xa."
* The name server will respond with an unknown EDNS OPTION CODE if the query
includes an unknown EDNS OPTION CODE.
### UNEXPECTED-ANSWER-SECTION
* Zone: "unexpected-answer-section.nameserver11.xa."
* The name server will respond without the SOA record if the query includes an
unknown EDNS OPTION CODE.
### UNEXPECTED-RCODE-FORMERR
* Zone: "unexpected-rcode-formerr.nameserver11.xa."
* The name server will respond with [RCODE Name] "FormErr" if the query includes an
unknown EDNS OPTION CODE.
### UNEXPECTED-RCODE-REFUSED
* Zone: "unexpected-rcode-refused.nameserver11.xa."
* The name server will respond with [RCODE Name] "Refused" if the query includes an
unknown EDNS OPTION CODE.
### UNSET-AA
* Zone: "unset-aa.nameserver11.xa."
* The name server will respond with AA unset if the query includes an unknown
EDNS OPTION CODE.
[NAMESERVER11]: ../../tests/Nameserver-TP/nameserver11.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
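
Review bot: In the scenario table, the NO-RESPONSE-ON-EDNS row has no mandatory tag and lists N11_NO_RESPONSE as forbidden, although its zone setup says "The name server will not respond to any query with EDNS." Nothing in the spec explains why a silent server must not produce N11_NO_RESPONSE here, so a reader cannot tell an intended early exit from an omission in the table. Add one sentence to the NO-RESPONSE-ON-EDNS section saying why no tag is expected. Separately, UNEXPECTED-RCODE-FORMERR and UNEXPECTED-RCODE-REFUSED have identical mandatory and forbidden tags, so the table alone cannot show that the two RCODEs are handled separately. If the tag carries the RCODE as an argument, say so. Minor: the column header reads "Mandatory message tag" here and "Mandatory message tags" in the ZONE09 table; pick one.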

View File

@@ -0,0 +1,178 @@
# Specification of test zones for NAMESERVER15
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [NAMESERVER15].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [NAMESERVER15] is run on a test zone.
The message tags are defined in the test case ([NAMESERVER15]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`nameserver15.xa`) and that subdomain having the same name as the
scenario. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:-------------------------|:--------------------------------------|:-------------------------------------------
NO-VERSION-REVEALED-1 | N15_NO_VERSION_REVEALED | N15_ERROR_ON_VERSION_QUERY, N15_SOFTWARE_VERSION, N15_WRONG_CLASS
NO-VERSION-REVEALED-2 | N15_NO_VERSION_REVEALED | N15_ERROR_ON_VERSION_QUERY, N15_SOFTWARE_VERSION, N15_WRONG_CLASS
NO-VERSION-REVEALED-3 | N15_NO_VERSION_REVEALED | N15_ERROR_ON_VERSION_QUERY, N15_SOFTWARE_VERSION, N15_WRONG_CLASS
NO-VERSION-REVEALED-4 | N15_NO_VERSION_REVEALED | N15_ERROR_ON_VERSION_QUERY, N15_SOFTWARE_VERSION, N15_WRONG_CLASS
NO-VERSION-REVEALED-5 | N15_NO_VERSION_REVEALED | N15_ERROR_ON_VERSION_QUERY, N15_SOFTWARE_VERSION, N15_WRONG_CLASS
NO-VERSION-REVEALED-6 | N15_NO_VERSION_REVEALED | N15_ERROR_ON_VERSION_QUERY, N15_SOFTWARE_VERSION, N15_WRONG_CLASS
ERROR-ON-VERSION-QUERY-1 | N15_ERROR_ON_VERSION_QUERY, N15_NO_VERSION_REVEALED | N15_SOFTWARE_VERSION, N15_WRONG_CLASS
ERROR-ON-VERSION-QUERY-2 | N15_ERROR_ON_VERSION_QUERY, N15_NO_VERSION_REVEALED | N15_SOFTWARE_VERSION, N15_WRONG_CLASS
SOFTWARE-VERSION-1 | N15_SOFTWARE_VERSION | N15_ERROR_ON_VERSION_QUERY, N15_NO_VERSION_REVEALED, N15_WRONG_CLASS
SOFTWARE-VERSION-2 | N15_SOFTWARE_VERSION | N15_ERROR_ON_VERSION_QUERY, N15_NO_VERSION_REVEALED, N15_WRONG_CLASS
WRONG-CLASS-1 | N15_SOFTWARE_VERSION, N15_WRONG_CLASS | N15_ERROR_ON_VERSION_QUERY, N15_NO_VERSION_REVEALED
WRONG-CLASS-2 | N15_SOFTWARE_VERSION, N15_WRONG_CLASS | N15_ERROR_ON_VERSION_QUERY, N15_NO_VERSION_REVEALED
## Zone setup for test scenarios
Assumptions for the scenario specifications:
* For each scenario zone there is one name server configured.
* Unless stated otherwise, all name servers respond as follows:
* Responds with a SOA record for the zone on query for SOA.
* Responds with CH class on queries on CH class.
* Software version query names are "version.bind" and "version.server".
* All responses are [RCODE Name] "NoError".
* EDNS, version 0, is included in all responses on queries with EDNS.
* EDNS is not included in responses on queries without EDNS.
### NO-VERSION-REVEALED-1
This is a happy path
* Zone: "no-version-revealed-1.nameserver15.xa."
* The name server responds with empty answer section on both software version
query names.
### NO-VERSION-REVEALED-2
This is a happy path
* Zone: "no-version-revealed-2.nameserver15.xa."
* The name server responds with empty answer section on both software version
query names.
* The name server responds with [RCODE Name] "NxDomain" on both software
version query names.
### NO-VERSION-REVEALED-3
This is a happy path
* Zone: "no-version-revealed-3.nameserver15.xa."
* The name server responds with empty answer section on both software version
query names.
* The name server responds with [RCODE Name] "Refused" on both software
version query names.
### NO-VERSION-REVEALED-4
This is a happy path
* Zone: "no-version-revealed-4.nameserver15.xa."
* The name server responds with a single CNAME record and no other record in
answer section on both software version query names.
* "version.bind. CNAME version.server." when query name is version.bind.
* "version.server. CNAME version.bind." when query name is version.server.
### NO-VERSION-REVEALED-5
This is a happy path
* Zone: "no-version-revealed-5.nameserver15.xa."
* RDATA of the TXT records for both software version query names is the empty
string.
### NO-VERSION-REVEALED-6
This is a happy path
* Zone: "no-version-revealed-6.nameserver15.xa."
* RDATA of the TXT records for both software version query names only consists
of space characters.
### ERROR-ON-VERSION-QUERY-1
Unexpected response from server
* Zone: "error-on-version-query-1.nameserver15.xa."
* The name server responds with empty answer section on both software version
query names.
* The name server responds with [RCODE Name] "ServFail" on both software
version query names.
### ERROR-ON-VERSION-QUERY-2
Unexpected response from server
* Zone: "error-on-version-query-2.nameserver15.xa."
* The name server does not respond at all to the queries with the software
version query names.
### SOFTWARE-VERSION-1
Normal version string
* Zone: "software-version-1.nameserver15.xa."
* Empty response on software query name "version.bind".
* TXT record with RDATA "v0" in response on software query name
"version.server" in answer section.
### SOFTWARE-VERSION-2
Normal version string
* Zone: "software-version-2.nameserver15.xa."
* Empty response on software query name "version.server".
* TXT record with RDATA "v0" in response on software query name
"version.bind" in answer section.
### WRONG-CLASS-1
Version string returned in wrong class
* Zone: "wrong-class-1.nameserver15.xa."
* Empty response on software query name "version.bind".
* TXT record with RDATA "v0" in response on software query name
"version.server" in answer section.
* TXT record is in IN class, not CH class.
### WRONG-CLASS-2
Version string returned in wrong class
* Zone: "wrong-class-2.nameserver15.xa."
* Empty response on software query name "version.server".
* TXT record with RDATA "v0" in response on software query name
"version.bind" in answer section.
* TXT record is in IN class, not CH class.
[NAMESERVER15]: ../../tests/Nameserver-TP/nameserver15.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
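
Review bot: The SOFTWARE-VERSION-1/2 and WRONG-CLASS-1/2 sections say "Empty response on software query name ...", while the NO-VERSION-REVEALED and ERROR-ON-VERSION-QUERY sections use "responds with empty answer section". "Empty response" can be read as no response at all, which is the ERROR-ON-VERSION-QUERY-2 behaviour and would contradict the forbidden N15_ERROR_ON_VERSION_QUERY tag for these scenarios. Reword to "responds with empty answer section on ..." in all four. The default assumptions state the RCODE but not whether responses are authoritative, unlike the NAMESERVER11 spec ("All responses are authoritative with [RCODE Name] "NoError""); state the AA expectation explicitly. The WRONG-CLASS bullets say "TXT record is in IN class, not CH class" without saying whether the query was sent in CH class; spell that out so the scenario is reproducible. Minor: the title and the Test Case section say "test zones" where the rest of the file says "test scenarios".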

View File

@@ -0,0 +1,180 @@
# Test scenarios for verification of test case implementation
## Table of contents
* [Objective](#objective)
* [Test scenarios](#test-scenarios)
* [Test environment](#test-environment)
* [Naming conventions](#naming-conventions)
* [Test zone names](#test-zone-names)
* [Data outside the test zones](#data-outside-the-test-zones)
* [Undelegated data](#undelegated-data)
* [Terminology](#terminology)
## Objective
The purpose of the structure found here is to define test zones to be able to
test the correctness of the implementation of the Zonemaster [test cases]. The
main use case is to be the basis for the [unit tests] in the Zonemaster
implementation. The second use case is to verify work in progress, e.g.
implementation of new or updated test cases or updated test case
implementation where the test case has not changed.
There can be other use cases, but only these two use cases are covered here
and in the test zone specifications.
## Test scenarios
The goal of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when a test case is run on test zones. The
message tags are defined in the test case specifications found via "[test cases]"
and the scenarios are defined in the test case specific specifications for test
data found via the [test-zones] directory.
In the test zone specifications the scenarios are defined in two parts:
* What messages from test case that are expected to be outputted and what
messages are expected not to be outputted when a test zone setup according to
the scenario is tested by the test case.
* Specification of the zone setup for the scenario.
One special aspect is the test scenario name. Since the name is to be part
of the test zone name there are some requirements on it:
* Under a specific test case there must not be two scenarios with the same name.
Two closely related scenarios can, in their names, be separated with a
relevant suffix.
* The length of the scenario name must not exceed 32 characters to give room for
additional parts and still make sure it can fit into a DNS label.
* The character set of the name is limited to those of a host name, i.e.
`A-Z0-9-` where `A-Z` will be downcased to `a-z` in the domain name.
* The scenario name must not start or end with `-`.
## Test environment
The tests against the test zones are assumed to be run in a closed environment
with a private DNS tree to achieve full access to any zone. Configuration data
and instructions to set this up are available in the [test-zone-data] directory
in this repository.
## Naming conventions
In this document, domain names are given without trailing dot, except for the root
zone (or node) given as a dot `.`.
The non-existing `.xa` TLD and its tree is used to host the target test
zones, i.e. the zone name that will be given as *Child Zone* to the test case.
All test zones are to be created under `.xa` except for a few cases elaborated
below.
Unless specified in the test zone specification, DNS records that can be stored
within the zone should also be stored there:
* MX records should point at the relative name `mail` and that name should be
added to the zone.
* Name server names (NS record RDATA) should be [in-bailiwick]. "Prefixes" to be
used are `ns1`, `ns2`, `ns3` etc.
### Test zone names
The normal test zone name is built from the following parts:
* `.xa`, the non-existing TLD used here.
* The test case identifier in lower case, e.g. `zone09`.
* The test scenario name in lower case, e.g. `no-response-mx-query`.
In the normal case, the test zone name is `<scenario name>.<test case name>.xa`,
e.g. `no-response-mx-query.zone09.xa`. The normal case should be used as long as
it is possible.
There are some exceptions to the name of the test zone that are identified here:
1. If the test zone is the root, then the name is `.`.
2. If the test zone is a TLD zone, then the name is
`<scenario name>-<test case name>`. Note that hyphen "-" is used between the
parts to create one label. E.g. `no-mx-tld-zone09`. In practice such a TLD
can never be in conflict with real TLDs in the public DNS tree, especially
since TLD names are not permitted to contain neither dash "-" nor digits.
3. If the test zone must be in the ARPA tree, then the name is
`<scenario name>.<test case name>.arpa`, e.g. `no-mx-arpa.zone09.arpa`. In
practice such a name will never be in conflict with names in the public DNS
tree since there no such names under public `.arpa`.
4. If a scenario requires that the parent zone has different settings compared to
other scenarios for the same test case, then the test zone name is
`child.<scenario name>.<test case name>.xa`, e.g.
`child.no-response-mx-query.zone09.xa`, where
`no-response-mx-query.zone09.xa`, instead of `zone09.xa`, is the parent zone
of the test zone.
5. If a scenario requires that the grandparent zone has different settings
compared to other scenarios for the same test case, then the test zone name is
`child.parent.<scenario name>.<test case name>.xa`, e.g.
`child.parent.no-response-mx-query.zone09.xa`, where
`no-response-mx-query.zone09.xa`, instead of `zone09.xa`, is the grandparent
zone of the test zone.
### Data outside the test zones
If a scenario requires that a certain name is outside its own zone, it should be
stored within the `.xb` TLD (also a non-existing TLD) using the same name
structure as under `.xa`, i.e. names for a scenario should be stored under
`<scenario name>.<test case name>.xb`, e.g. `no-mx-arpa.zone09.xb`. If required
test zones can be created in the same way under `.xc` and `.xd`.
What was stated above on data outside its own zone does not apply to reverse data
since that must be stored in the `in-addr.arpa` or `ip6.arpa` tree, and the
owner names of such data must follow the reverse data standards. There is no
requirements for creating separate zones for `in-addr.arpa` or `ip6.arpa` or
below.
### Undelegated data
Some test scenarios require that an [undelegated test] be carried out on it.
In that case, the scenario specification will contain a small
"undelegated data" structure with one line per name server. The format is one of
the following
* NAME-SERVER-NAME
* NAME-SERVER-NAME/IPv4
* NAME-SERVER-NAME/IPv6
where "NAME-SERVER-NAME" is the actual name of the name server, e.g.
`ns1a.del-non-distinct-und.delegation02.xa`, and "IPv4" and "IPv6",
respectively, are literal strings indicating that in the test zone configuration
an IP address of that type should be used. If there is no "/IPv4" or "/IPv6"
then the name server is given without IP address.
In the undelegated structure for a specific scenario the name server name can be
repeated multiple times with different IP addresses. If it appears without
IP address specification it should only appear once.
Here is an example of an undelegated data section from a scenario specification:
```
* Undelegated data:
* ns1a.del-non-distinct-und.delegation02.xa/IPv4
* ns1a.del-non-distinct-und.delegation02.xa/IPv6
* ns1b.del-non-distinct-und.delegation02.xa/IPv4
* ns1b.del-non-distinct-und.delegation02.xa/IPv6
```
## Terminology
* "Glue Record" - The term is used as defined in [RFC 8499], section 7, pages
24-25.
* "In-Bailiwick" - The term is used as defined in [RFC 8499], section 7,
pages 24-25. In this document it is limited to the meaning "in domain" in the
RFC.
* "Out-Of-Bailiwick" - The terms means, in this document, what is not
"In-Bailiwick, in domain". [RFC 8499], section 7, pages 24-25.
[Glue Records]: #terminology
[In-Bailiwick]: #terminology
[Out-Of-Bailiwick]: #terminology
[RFC 8499]: https://datatracker.ietf.org/doc/html/rfc8499#section-7
[Test cases]: ../tests/README.md
[Test-zones]: .
[undelegated test]: ../test-types/undelegated-test.md
[Unit tests]: https://github.com/zonemaster/zonemaster-engine/tree/master/t
[Test-zone-data]: https://github.com/zonemaster/zonemaster/tree/master/test-zone-data
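
Review bot: In exception 2 under "Test zone names", "TLD names are not permitted to contain neither dash "-" nor digits" is a double negative that inverts the intended meaning; write "are not permitted to contain either dash "-" or digits". In exception 3, "since there no such names under public `.arpa`" is missing "are". Both sentences carry the argument that test names cannot collide with the public DNS tree, so they should read unambiguously. In "Undelegated data", "The format is one of the following" needs a closing colon, and the fenced example would be easier to copy if it showed the nesting of the name server lines under "Undelegated data:". The link definitions `[Glue Records]` and `[Out-Of-Bailiwick]` at the bottom are not referenced anywhere in this file; drop them or use them where the terms appear.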

View File

@@ -0,0 +1,7 @@
# Specification of test zones for Zone-TP
Test zone specifications are available for:
* [Zone09](zone09.md)
* [Zone11](zone11.md)
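
Review bot: The title and intro line say "test zones", but the linked zone11.md is titled "Specification of test scenarios for Zone11" while zone09.md is titled "Specification of test zones for ZONE09". Settle on one term across the index and both linked files so that searches and cross-references match.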

View File

@@ -0,0 +1,158 @@
# Specification of test zones for ZONE09
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [Zone09].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [Zone09] is run on a test zone. The
message tags are defined in the test case ([Zone09]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`zone09.xa`) and that subdomain having the same name as the
scenario except where the test domain must be the root zone, a TLD or a domain
under `.arpa`. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tags | Forbidden message tags
:---------------------|:--------------------------------------------------|:-------------------------------------------
NO-RESPONSE-MX-QUERY | Z09_NO_RESPONSE_MX_QUERY | (none)
UNEXPECTED-RCODE-MX | Z09_UNEXPECTED_RCODE_MX | (none)
NON-AUTH-MX-RESPONSE | Z09_NON_AUTH_MX_RESPONSE | (none)
INCONSISTENT-MX | Z09_INCONSISTENT_MX, Z09_MX_FOUND Z09, NO_MX_FOUND, Z09_MX_DATA | Z09_MISSING_MAIL_TARGET
INCONSISTENT-MX-DATA | Z09_INCONSISTENT_MX_DATA, Z09_MX_DATA | Z09_MISSING_MAIL_TARGET, Z09_NULL_MX_NON_ZERO_PREF, Z09_NULL_MX_WITH_OTHER_MX, Z09_ROOT_EMAIL_DOMAIN, Z09_TLD_EMAIL_DOMAIN
NULL-MX-WITH-OTHER-MX | Z09_NULL_MX_WITH_OTHER_MX | Z09_INCONSISTENT_MX_DATA, Z09_MX_DATA, Z09_MISSING_MAIL_TARGET, Z09_ROOT_EMAIL_DOMAIN, Z09_TLD_EMAIL_DOMAIN
NULL-MX-NON-ZERO-PREF | Z09_NULL_MX_NON_ZERO_PREF | Z09_INCONSISTENT_MX_DATA, Z09_MX_DATA, Z09_MISSING_MAIL_TARGET, Z09_ROOT_EMAIL_DOMAIN, Z09_TLD_EMAIL_DOMAIN
TLD-EMAIL-DOMAIN | Z09_TLD_EMAIL_DOMAIN | Z09_INCONSISTENT_MX_DATA, Z09_MX_DATA, Z09_MISSING_MAIL_TARGET, Z09_ROOT_EMAIL_DOMAIN, Z09_NULL_MX_WITH_OTHER_MX, Z09_NULL_MX_NON_ZERO_PREF
ROOT-EMAIL-DOMAIN | Z09_ROOT_EMAIL_DOMAIN | Z09_INCONSISTENT_MX_DATA, Z09_MX_DATA, Z09_MISSING_MAIL_TARGET, Z09_TLD_EMAIL_DOMAIN, Z09_NULL_MX_WITH_OTHER_MX, Z09_NULL_MX_NON_ZERO_PREF
MX-DATA | Z09_MX_DATA | Z09_INCONSISTENT_MX_DATA, Z09_MISSING_MAIL_TARGET, Z09_TLD_EMAIL_DOMAIN, Z09_ROOT_EMAIL_DOMAIN, Z09_NULL_MX_WITH_OTHER_MX, Z09_NULL_MX_NON_ZERO_PREF
NULL-MX | (none) | Z09_INCONSISTENT_MX_DATA, Z09_MX_DATA, Z09_MISSING_MAIL_TARGET, Z09_TLD_EMAIL_DOMAIN, Z09_ROOT_EMAIL_DOMAIN, Z09_NULL_MX_WITH_OTHER_MX, Z09_NULL_MX_NON_ZERO_PREF
NO-MX-SLD | Z09_MISSING_MAIL_TARGET | Z09_INCONSISTENT_MX_DATA, Z09_MX_DATA, Z09_TLD_EMAIL_DOMAIN, Z09_ROOT_EMAIL_DOMAIN, Z09_NULL_MX_WITH_OTHER_MX, Z09_NULL_MX_NON_ZERO_PREF
NO-MX-TLD | (none) | Z09_INCONSISTENT_MX_DATA, Z09_MX_DATA, Z09_MISSING_MAIL_TARGET, Z09_TLD_EMAIL_DOMAIN, Z09_ROOT_EMAIL_DOMAIN, Z09_NULL_MX_WITH_OTHER_MX, Z09_NULL_MX_NON_ZERO_PREF
NO-MX-ARPA | (none) | Z09_INCONSISTENT_MX_DATA, Z09_MX_DATA, Z09_MISSING_MAIL_TARGET, Z09_TLD_EMAIL_DOMAIN, Z09_ROOT_EMAIL_DOMAIN, Z09_NULL_MX_WITH_OTHER_MX, Z09_NULL_MX_NON_ZERO_PREF
## Zone setup for test scenarios
Assumptions for the zone setup for the test scenarios:
* Only MX records in apex are considered.
* Unless otherwise stated, all name servers respond authoritatively with the
SOA record on SOA queries.
* Unless otherwise stated, all name servers respond authoritatively with (or
without) MX records on MX queries.
* Unless otherwise stated, all responses are authoritative and with [RCODE Name]
"NoError".
### NO-RESPONSE-MX-QUERY
* Zone: "no-response-mx-query.zone09.xa."
* The zone has two name servers.
* Both name servers return an authoritative answer on SOA query.
* One name server does not respond on MX query.
### UNEXPECTED-RCODE-MX
* Zone: "unexpected-rcode-mx.zone09.xa."
* The zone has two name servers.
* Both name servers return an authoritative answer on SOA query.
* One name server returns with any [RCODE Name] except "NoError".
### NON-AUTH-MX-RESPONSE
* Zone: "non-auth-mx-response.zone09.xa."
* The zone has two name servers.
* Both name server return an authoritative answer on SOA query.
* One name server returns with [RCODE Name] "NoError" and non-AA on MX query.
### INCONSISTENT-MX
* Zone: "inconsistent-mx.zone09.xa."
* The zone has two name servers.
* One name server respond with a non-Null MX RRset.
* The other responds without MX RRset (NODATA).
### INCONSISTENT-MX-DATA
* Zone: "inconsistent-mx-data.zone09.xa."
* The zone has two name servers.
* Both name servers respond with an MX RRset.
* The two MX RRsets are not equal.
### NULL-MX-WITH-OTHER-MX
* Zone: "null-mx-with-other-mx.zone09.xa."
* All name servers respond with the same MX RRset.
* The MX RRset is a mix of Null MX and non-Null MX.
### NULL-MX-NON-ZERO-PREF
* Zone: "null-mx-non-zero-pref.zone09.xa."
* All name servers respond with the same MX RRset.
* The MX RRset is a single MX record.
* The MX record is a Null MX with a non-zero preference.
### TLD-EMAIL-DOMAIN
* Zone: "tld-email-domain-zone09." (TLD, dash "-", not dot ".")
* The test zone is a TLD zone.
* All name servers respond with the same MX RRset.
* All MX records are non-Null MX.
### ROOT-EMAIL-DOMAIN
* Zone: "." (root zone)
* The test zone is the root zone.
* All name servers respond with the same MX RRset.
* All MX records are non-Null MX.
### MX-DATA
* Zone: "mx-data.zone09.xa."
* All name servers respond with the same MX RRset.
* All MX records are non-Null MX.
### NULL-MX
* Zone: "null-mx.zone09.xa."
* All name servers respond with the same MX RRset.
* The MX RRset has a single, valid NULL MX.
### NO-MX-SLD
* Zone: "no-mx-sld.zone09.xa."
* The test zone is neither root, TLD or under .ARPA.
* All name servers respond with no MX RRset (NODATA).
### NO-MX-TLD
* Zone: "no-mx-tld-zone09." (TLD, dash "-", not dot ".")
* The test zone is a TLD.
* All name servers respond with no MX RRset (NODATA).
### NO-MX-ARPA
* Zone: "no-mx-arpa.zone09.arpa."
* The test zone is under .ARPA.
* All name servers respond with no MX RRset (NODATA).
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
[Zone09]: ../../tests/Zone-TP/zone09.md
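
Review bot: The INCONSISTENT-MX row of the scenario table has a misplaced comma in the mandatory tags: "Z09_MX_FOUND Z09, NO_MX_FOUND" should read "Z09_MX_FOUND, Z09_NO_MX_FOUND". As written, a unit test generated from this table would look for tags named "Z09_MX_FOUND Z09" and "NO_MX_FOUND", neither of which follows the Z09_ naming used by every other tag in the file. In the zone setup, UNEXPECTED-RCODE-MX says "One name server returns with any [RCODE Name] except "NoError"" without "on MX query", unlike the neighbouring NO-RESPONSE-MX-QUERY and NON-AUTH-MX-RESPONSE sections; add it so the SOA behaviour is not in doubt. Several scenarios (NULL-MX-WITH-OTHER-MX onward) do not state the number of name servers; either add a default to the assumptions list or state it per scenario. Grammar: "Both name server return" and "One name server respond" need agreement fixes, and "neither root, TLD or under .ARPA" should use "nor".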

View File

@@ -0,0 +1,340 @@
# Specification of test scenarios for Zone11
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [Zone11].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [Zone11] is run on a test zone.
The message tags are defined in the test case ([Zone11]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
Unless specified otherwise, the test zone for each test scenario in this
document is a subdomain delegated from the base name (`zone11.xa`) and that
subdomain having the same name as the scenario. The names of those zones are
given in section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [Zone11] for the specification of the tags.
* Z11_DIFFERENT_SPF_POLICIES_FOUND
* Z11_INCONSISTENT_SPF_POLICIES
* Z11_NO_SPF_FOUND
* Z11_NO_SPF_NON_MAIL_DOMAIN
* Z11_NON_NULL_SPF_NON_MAIL_DOMAIN
* Z11_NULL_SPF_NON_MAIL_DOMAIN
* Z11_SPF_MULTIPLE_RECORDS
* Z11_SPF_SYNTAX_ERROR
* Z11_SPF_SYNTAX_OK
* Z11_UNABLE_TO_CHECK_FOR_SPF
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
| Scenario name | Mandatory message tags | Forbidden message tags |
|:-----------------------|:----------------------------------------------------------------|:-----------------------|
| GOOD-SPF-1 | Z11_SPF_SYNTAX_OK | 2) |
| GOOD-SPF-2 | Z11_SPF_SYNTAX_OK | 2) |
| SAME-SPF-DIFFERENT-TXT | Z11_SPF_SYNTAX_OK | 2) |
| NO-TXT | Z11_NO_SPF_FOUND | 2) |
| NO-SPF-TXT | Z11_NO_SPF_FOUND | 2) |
| NO-SPF-ROOT-ZONE | Z11_NO_SPF_NON_MAIL_DOMAIN | 2) |
| NO-SPF-TLD-ZONE | Z11_NO_SPF_NON_MAIL_DOMAIN | 2) |
| NO-SPF-ARPA-ZONE | Z11_NO_SPF_NON_MAIL_DOMAIN | 2) |
| NULL-SPF-ROOT-ZONE | Z11_NULL_SPF_NON_MAIL_DOMAIN | 2) |
| NULL-SPF-TLD-ZONE | Z11_NULL_SPF_NON_MAIL_DOMAIN | 2) |
| NULL-SPF-ARPA-ZONE | Z11_NULL_SPF_NON_MAIL_DOMAIN | 2) |
| NON-NULL-SPF-ROOT-ZONE | Z11_NON_NULL_SPF_NON_MAIL_DOMAIN | 2) |
| NON-NULL-SPF-TLD-ZONE | Z11_NON_NULL_SPF_NON_MAIL_DOMAIN | 2) |
| NON-NULL-SPF-ARPA-ZONE | Z11_NON_NULL_SPF_NON_MAIL_DOMAIN | 2) |
| INVALID-SYNTAX-1 | Z11_SPF_SYNTAX_ERROR | 2) |
| INVALID-SYNTAX-2 | Z11_SPF_SYNTAX_ERROR | 2) |
| INVALID-SYNTAX-3 | Z11_SPF_SYNTAX_ERROR | 2) |
| NON-AUTH-TXT | Z11_UNABLE_TO_CHECK_FOR_SPF | 2) |
| SERVFAIL | Z11_UNABLE_TO_CHECK_FOR_SPF | 2) |
| INCONSISTENT-SPF | Z11_INCONSISTENT_SPF_POLICIES, Z11_DIFFERENT_SPF_POLICIES_FOUND | 2) |
| SPF-MISSING-ON-ONE | Z11_INCONSISTENT_SPF_POLICIES, Z11_DIFFERENT_SPF_POLICIES_FOUND | 2) |
| ALL-DIFFERENT-SPF | Z11_INCONSISTENT_SPF_POLICIES, Z11_DIFFERENT_SPF_POLICIES_FOUND | 2) |
| MULTIPLE-SPF-RECORDS | Z11_SPF_MULTIPLE_RECORDS | 2) |
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
for the scenario will follow the default setup as stated below. The `child zone`
is the zone to be tested for the scenario.
* The child zone is `SCENARIO.zone11.xa`.
* There is a zone file for the child zone.
* It is served by two name servers named ns1 and ns2.child.zone11.xa.
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 address records.
* The parent zone is `zone11.xa`.
* It is served by two in-bailiwick name servers named ns1 and ns2.zone11.xa.
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
### GOOD-SPF-1
A zone whose SPF record is the shortest legal SPF record possible, namely the
string `v=spf1`. It is valid syntax, albeit not very useful.
* Zone: good-spf-1.zone11.xa
* The TXT RRset at the apex contains one TXT record with the text `v=spf1`.
### GOOD-SPF-2
A zone whose SPF record is well-formed and contains at least one term.
* Zone: good-spf-2.zone11.xa
* The TXT RRset at the apex contains one TXT record starting with the text
`v=spf1`, followed by a space, followed by one or more legal SPF terms.
### SAME-SPF-DIFFERENT-TXT
A zone whose SPF record is identical despite inconsistent TXT RRset records at
the apex.
* Zone: same-spf-different-txt.zone11.xa
* ns1 serves a TXT RRset containing one SPF record and one non-SPF record.
* ns2 serves a different TXT RRset containing one SPF record and one non-SPF
record. The SPF record served by ns2 is identical to the one served
by ns1. The non-SPF record served by ns2 is different from the one served
by ns1.
### NO-TXT
A zone containing no TXT record at the apex.
* Zone: no-txt.zone11.xa
* The TXT RRset at the apex is empty.
### NO-SPF-TXT
A zone containing at least one TXT record, but none of the TXT after
concatenating all strings, gives a string starting with `v=spf1`.
* Zone: no-spf-txt.zone11.xa
* The TXT RRset at the apex is non-empty, but none of the TXT records are
recognized as SPF records.
### NO-SPF-ROOT-ZONE
A root zone without SPF records.
* Zone: "." (root zone)
* It is served by ns1 and ns2.no-spf.root-servers.zone11.xa.
* The TXT RRset at the apex of the root zone is empty.
### NO-SPF-TLD-ZONE
A TLD zone without SPF records.
* Zone: no-spf-zone11
* It is served by ns1 and ns2.zone11.xa.
* The TXT RRset at the apex of the TLD zone is empty.
### NO-SPF-ARPA-ZONE
A zone in .arpa without SPF records.
* Zone: no-spf-arpa-zone.zone11.arpa
* It is served by ns1 and ns2.child.zone11.xa.
* The TXT RRset at the apex of the zone is empty.
### NULL-SPF-ROOT-ZONE
A root zone with a null SPF record.
* Zone: "." (root zone)
* It is served by ns1 and ns2.null-spf.root-servers.zone11.xa.
* The TXT RRset at the apex of the root zone contains one TXT record with the
string `v=spf1 -all`.
### NULL-SPF-TLD-ZONE
A TLD zone with null SPF records.
* Zone: null-spf-zone11
* It is served by ns1 and ns2.zone11.xa.
* The TXT RRset at the apex of the TLD zone contains one TXT record with the
string `v=spf1 -all`.
### NULL-SPF-ARPA-ZONE
A zone in .arpa with a null SPF record.
* Zone: null-spf-arpa-zone.zone11.arpa
* It is served by ns1 and ns2.child.zone11.xa.
* The TXT RRset at the apex of the zone contains one TXT record with the
string `v=spf1 -all`.
### NON-NULL-SPF-ROOT-ZONE
A root zone with a non-null SPF record.
* Zone: "." (root zone)
* It is served by ns1 and ns2.non-null-spf.root-servers.zone11.xa.
* The TXT RRset at the apex of the root zone contains one TXT record with an
SPF record that isnt null (i.e. permits at least one IP address).
### NON-NULL-SPF-TLD-ZONE
A TLD zone with a non-null SPF record.
* Zone: non-null-spf-zone11
* It is served by ns1 and ns2.zone11.xa.
* The TXT RRset at the apex of the TLD zone contains one TXT record with an
SPF record that isnt null (i.e. permits at least one IP address).
### NON-NULL-SPF-ARPA-ZONE
A zone in .arpa with a non-null SPF record.
* Zone: non-null-spf-arpa-zone.zone11.arpa
* It is served by ns1 and ns2.child.zone11.xa.
* The TXT RRset at the apex of the zone contains one TXT record with an SPF
record that isnt null (i.e. permits at least one IP address).
### INVALID-SYNTAX-1
A zone whose SPF record is syntactically invalid.
* Zone: invalid-syntax-1.zone11.xa
* The TXT RRset at the apex contains one SPF record with invalid syntax,
i.e. beginning with `v=spf1` followed by whitespace but not compliant with
the ABNF grammar described in [RFC 7208, Section 4.5][RFC 7208#4.5] and
following sections.
### INVALID-SYNTAX-2
Like INVALID-SYNTAX-1, but two of the name server names in the delegation and in
the zone point to the same IP address. This scenario is there to ensure that
all name servers that serve an ill-formed SPF policy are reported, even if two
of them have the same IP address.
* Zone: invalid-syntax-2.zone11.xa
* It is served by ns1a, ns1b, and ns2.invalid-syntax.zone11.xa.
* ns1a and ns1b resolve to the same IPv4 and IPv6 address as
ns1.child.zone11.xa.
* ns2 resolves to the same IPv4 and IPv6 address as ns2.child.zone11.xa.
* The TXT RRset at the apex contains one SPF record with invalid syntax,
i.e. beginning with `v=spf1` followed by whitespace but not compliant with
the ABNF grammar described in [RFC 7208, Section 4.5][RFC 7208#4.5] and
following sections.
### INVALID-SYNTAX-3
A zone whose SPF record contains a few random bytes, with a few non-ASCII
bytes among those.
* Zone: invalid-syntax-3.zone11.xa
* The TXT RRset at the apex contains one SPF record beginning with `v=spf1`,
followed by some whitespace and containing some random bytes outside the
printable ASCII range, which is not compliant with the ABNF grammar
described in [RFC 7208, Section 4.5][RFC 7208#4.5] and following sections.
### NON-AUTH-TXT
A zone containing one SPF record in its TXT RRset, but served from name
servers that fail to set the AA bit in their responses.
* Zone: non-auth-txt.zone11.xa
* The TXT RRset at the apex contains one SPF record.
* Both name servers serve the aforementioned TXT RRset with the AA bit unset
in the response header.
### SERVFAIL
A zone where responses to queries for the TXT RRset have an RCODE different
from NoError.
* Zone: servfail.zone11.xa
* Responses to queries for the TXT RRset at the zones apex have the
[RCODE Name] "ServFail".
### INCONSISTENT-SPF
A zone that serves different SPF records depending on the name server being
queried.
* Zone: inconsistent-spf.zone11.xa
* ns1 serves a TXT RRset at the apex containing one SPF record.
* ns2 serves a different TXT RRset at the apex containing one SPF record
that is also different from the SPF record served by ns1.
### SPF-MISSING-ON-ONE
A zone that serves identical SPF records, except on one of the name servers.
* Zone: spf-missing-on-one.zone11.xa
* The zone is delegated to three name servers named ns1, ns2 and
ns3.child.zone11.xa.
* ns2 and ns3 serve an identical TXT RRset at the apex containing one SPF
record.
* ns1 serves a different TXT RRset at the apex without an SPF record.
### ALL-DIFFERENT-SPF
A zone that serves different SPF records on all of its name servers.
* Zone: all-different-spf.zone11.xa
* The zone is delegated to three name servers named ns1, ns2 and
ns3.child.zone11.xa.
* ns1 serves a TXT RRset at the apex containing one SPF record
* ns2 serves a different TXT RRset at the apex containing one SPF record
that is also different.
* ns3 serves another different TXT RRset at the apex containing one SPF
record that is different from the two previous records.
### MULTIPLE-SPF-RECORDS
A zone whose TXT RRset at the apex contains more than one SPF record.
* Zone: multiple-spf-records.zone11.xa
* The TXT RRset at the apex contains more than one SPF record.
[Zone11]: ../../tests/Zone-TP/zone11.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[RFC 7208]: https://www.rfc-editor.org/rfc/rfc7208
[RFC 7208#4.5]: https://www.rfc-editor.org/rfc/rfc7208#section-4.5
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
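Review bot: In ALL-DIFFERENT-SPF the ns2 bullet ends with "that is also different." and never says what the record differs from, so the setup is ambiguous as written. Suggest "that is also different from the SPF record served by ns1", matching the wording used for ns2 in INCONSISTENT-SPF, and add the missing full stop to the ns1 bullet just above it. Two smaller documentation points in the same hunk: NULL-SPF-TLD-ZONE is introduced as having "null SPF records" (plural) while its setup and the sibling ROOT and ARPA scenarios specify exactly one TXT record with `v=spf1 -all`; and INVALID-SYNTAX-3 only says the record contains "some random bytes outside the printable ASCII range", which leaves the zone data unspecified. Stating the exact byte sequence (for example in escaped form) would make that scenario reproducible and let a reader confirm which part of the RFC 7208 grammar it violates. INVALID-SYNTAX-1 and INVALID-SYNTAX-2 would benefit from the same treatment, since "invalid syntax" alone does not tell an implementer what record to publish.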