feat: add full Zonemaster stack with Docker and Spanish UI

- Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI)
- Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend
- Dockerfile.gui: Astro static build served via nginx
- docker-compose.yml: backend (internal) + frontend (port 5353)
- nginx.conf: root redirects to /es/, /api/ proxied to backend
- zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 08:19:24 +02:00
commit 8d4eaa1489
1567 changed files with 204155 additions and 0 deletions


@@ -0,0 +1,11 @@
# Specification of test scenarios for DNSSEC-TP
Test scenario specifications are available for:
* [DNSSEC01](dnssec01.md)
* [DNSSEC03](dnssec03.md)
* [DNSSEC05](dnssec05.md)
* [DNSSEC07](dnssec07.md)
* [DNSSEC10](dnssec10.md)
* [DNSSEC16](dnssec16.md)


@@ -0,0 +1,311 @@
# Specification of Test Scenarios for DNSSEC01
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [DNSSEC01].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC01] is run on a test zone. The
message tags are defined in the test case ([DNSSEC01]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`dnssec01.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [DNSSEC01] for the specification of the tags.
* DS01_DS_ALGO_2_MISSING
* DS01_DS_ALGO_DEPRECATED
* DS01_DS_ALGO_NOT_DS
* DS01_DS_ALGO_OK
* DS01_DS_ALGO_PRIVATE
* DS01_DS_ALGO_RESERVED
* DS01_DS_ALGO_UNASSIGNED
* DS01_NO_RESPONSE
* DS01_PARENT_SERVER_NO_DS
* DS01_PARENT_ZONE_NO_DS
* DS01_ROOT_N_NO_UNDEL_DS
* DS01_UNDEL_N_NO_UNDEL_DS
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
| Scenario name | Mandatory tags | Forbidden tags |
|:----------------------|:---------------------------------------------------------------|:---------------|
| ALGO-DEPRECATED-1 | DS01_DS_ALGO_DEPRECATED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-DEPRECATED-3 | DS01_DS_ALGO_DEPRECATED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-NOT-DS-0 | DS01_DS_ALGO_NOT_DS, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-OK-2 | DS01_DS_ALGO_OK | 2) |
| ALGO-OK-4 | DS01_DS_ALGO_OK, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-OK-5 | DS01_DS_ALGO_OK, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-OK-6 | DS01_DS_ALGO_OK, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-PRIVATE-253 | DS01_DS_ALGO_PRIVATE, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-PRIVATE-254 | DS01_DS_ALGO_PRIVATE, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-RESERVED-128 | DS01_DS_ALGO_RESERVED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-RESERVED-188 | DS01_DS_ALGO_RESERVED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-RESERVED-252 | DS01_DS_ALGO_RESERVED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-UNASSIGNED-7 | DS01_DS_ALGO_UNASSIGNED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-UNASSIGNED-67 | DS01_DS_ALGO_UNASSIGNED, DS01_DS_ALGO_2_MISSING | 2) |
| ALGO-UNASSIGNED-127 | DS01_DS_ALGO_UNASSIGNED, DS01_DS_ALGO_2_MISSING | 2) |
| MIXED-ALGO-1 | DS01_DS_ALGO_DEPRECATED, DS01_DS_ALGO_PRIVATE, DS01_DS_ALGO_OK | 2) |
| SHARED-IP-1 | DS01_DS_ALGO_OK | 2) |
| SHARED-IP-2 | DS01_DS_ALGO_OK | 2) |
| NO-RESPONSE-1 | DS01_NO_RESPONSE | 2) |
| NO-VALID-RESPONSE-1 | DS01_NO_RESPONSE | 2) |
| PARENT-SERVER-NO-DS-1 | DS01_PARENT_SERVER_NO_DS, DS01_DS_ALGO_OK | 2) |
| PARENT-ZONE-NO-DS-1 | DS01_PARENT_ZONE_NO_DS | 2) |
| UNDEL-NO-UNDEL-DS-1 | DS01_UNDEL_N_NO_UNDEL_DS | 2) |
| UNDEL-WITH-UNDEL-DS-1 | DS01_DS_ALGO_OK | 2) |
| ROOT-NO-UNDEL-DS-1 | DS01_ROOT_N_NO_UNDEL_DS | 2) |
| ROOT-WITH-UNDEL-DS-1 | DS01_DS_ALGO_OK | 2) |
* (1) All tags except for those specified as "Forbidden tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
* The child zone is `SCENARIO.dnssec01.xa`.
* It is delegated to two name servers, `ns1.SCENARIO.dnssec01.xa`
and `ns2.SCENARIO.dnssec01.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* The delegation of the child zone is to an OOB NS.
* NS can be resolved through the `dnssec01.xa` zone.
* There is a zone file for the child zone.
* All child zone servers give the same response.
* The only responses that can be assumed are queries for
* NS
* SOA
* The parent zone will respond with one DS record per child zone.
* The parent zone is `dnssec01.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
* The DS digest algorithm is 2 unless specified for the scenario.
* The DS record can be technically invalid. Only the format is valid and
only the digest algorithm value is checked.
* The zone is not signed.
### ALGO-DEPRECATED-1
The DS digest algorithm number is 1
* Zone: algo-deprecated-1.dnssec01.xa.
* The algorithm of the DS digest in the response is 1.
### ALGO-DEPRECATED-3
The DS digest algorithm number is 3
* Zone: algo-deprecated-3.dnssec01.xa.
* The algorithm of the DS digest in the response is 3.
### ALGO-RESERVED-128
The DS digest algorithm number is 128
* Zone: algo-reserved-128.dnssec01.xa.
* The algorithm of the DS digest in the response is 128.
### ALGO-RESERVED-188
The DS digest algorithm number is 188
* Zone: algo-reserved-188.dnssec01.xa.
* The algorithm of the DS digest in the response is 188.
### ALGO-RESERVED-252
The DS digest algorithm number is 252
* Zone: algo-reserved-252.dnssec01.xa.
* The algorithm of the DS digest in the response is 252.
### ALGO-UNASSIGNED-7
The DS digest algorithm number is 7
* Zone: algo-unassigned-7.dnssec01.xa.
* The algorithm of the DS digest in the response is 7.
### ALGO-UNASSIGNED-67
The DS digest algorithm number is 67
* Zone: algo-unassigned-67.dnssec01.xa.
* The algorithm of the DS digest in the response is 67.
### ALGO-UNASSIGNED-127
The DS digest algorithm number is 127
* Zone: algo-unassigned-127.dnssec01.xa.
* The algorithm of the DS digest in the response is 127.
### ALGO-PRIVATE-253
The DS digest algorithm number is 253
* Zone: algo-private-253.dnssec01.xa.
* The algorithm of the DS digest in the response is 253.
### ALGO-PRIVATE-254
The DS digest algorithm number is 254
* Zone: algo-private-254.dnssec01.xa.
* The algorithm of the DS digest in the response is 254.
### ALGO-NOT-DS-0
The DS digest algorithm number is 0
* Zone: algo-not-ds-0.dnssec01.xa.
* The algorithm of the DS digest in the response is 0.
### ALGO-OK-2
The DS digest algorithm number is 2
* Zone: algo-ok-2.dnssec01.xa.
* The algorithm of the DS digest in the response is 2.
### ALGO-OK-4
The DS digest algorithm number is 4
* Zone: algo-ok-4.dnssec01.xa.
* The algorithm of the DS digest in the response is 4.
### ALGO-OK-5
The DS digest algorithm number is 5
* Zone: algo-ok-5.dnssec01.xa.
* The algorithm of the DS digest in the response is 5.
### ALGO-OK-6
The DS digest algorithm number is 6
* Zone: algo-ok-6.dnssec01.xa.
* The algorithm of the DS digest in the response is 6.
### MIXED-ALGO-1
Three DS with different algorithms.
* Zone: mixed-algo-1.dnssec01.xa.
* The response has three DS with different algorithms:
* 1
* 2
* 253
### SHARED-IP-1
Two parent name servers resolv to the same IP address.
* Zone: child.shared-ip-1.dnssec01.xa.
* The parent zone is "shared-ip-1.dnssec01.xa" and the grandparent zone is
"dnssec01.xa".
* The parent is delegated to IB ns1a and ns1b with the same IPv4 and IPv6
addresses.
### SHARED-IP-2
Delegation of parent does not use the same name server name as parent zone.
* Zone: child.shared-ip-2.dnssec01.xa.
* The parent zone is "shared-ip-2.dnssec01.xa" and the grandparent zone is
"dnssec01.xa".
* The parent is delegated to IB ns1 and ns2, but in the parent zone the names
are dns1 and dns2.
* ns1 and dns1 resolve to the same IP addresses.
* ns2 and dns2 resolve to the same IP addresses.
### NO-RESPONSE-1
No response from any of the servers on the DS query.
* Zone: child.no-response-1.dnssec01.xa.
* No response at all from parent ns1 and ns2.
### NO-VALID-RESPONSE-1
No valid response from any of the servers on the DS query.
* Zone: child.no-valid-response-1.dnssec01.xa.
* Response from parent ns1 has RCODE SERVFAIL.
* Response from parent ns2 has RCODE REFUSED.
* Child zone does not exist
### PARENT-SERVER-NO-DS-1
No DS from parent ns1.
* Zone: child.parent-server-no-ds-1.dnssec01.xa.
* Response from parent ns1 is NODATA (no DS).
* Response from parent ns2 is normal.
### PARENT-ZONE-NO-DS-1
No DS from neither parent ns1 nor parent ns2.
* Zone: parent-zone-no-ds-1.dnssec01.xa.
* Responses from parent ns1 and parent ns2 are NODATA (no DS).
### UNDEL-NO-UNDEL-DS-1
Zone is not delegated, but undelegated data is provided. No DS.
* Zone: undel-no-undel-ds-1.dnssec01.xa.
* The zone is not delegated, but there is undelegated data.
* ns1 and ns2 are OOB.
* No undelegated DS is provided.
### UNDEL-WITH-UNDEL-DS-1
Zone is not delegated, but undelegated data is provided with DS.
* Zone: undel-with-undel-ds-1.dnssec01.xa.
* The zone is not delegated, but there is undelegated data.
* ns1 and ns2 are OOB.
* Undelegated DS is provided.
### ROOT-NO-UNDEL-DS-1
Zone is the root zone, and no undelegated DS is provided.
* Zone: "."
* ns1 and ns2 are IB.
* The zone exists.
### ROOT-WITH-UNDEL-DS-1
Zone is the root zone, and undelegated DS is provided.
* Zone: "."
* ns1 and ns2 are IB.
* The zone exists.
[DNSSEC01]: ../../tests/DNSSEC-TP/dnssec01.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
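
Review bot: In the ROOT-WITH-UNDEL-DS-1 section the bullet list is identical to the one under ROOT-NO-UNDEL-DS-1 (`Zone: "."`, `ns1 and ns2 are IB.`, `The zone exists.`), so the only thing distinguishing the two setups is the one-line summary. The UNDEL-* pair states the difference explicitly with `No undelegated DS is provided.` and `Undelegated DS is provided.`; add the matching bullet to each ROOT-* section. Smaller points in the same file: "resolv" under SHARED-IP-1 should be "resolve", "No DS from neither" under PARENT-ZONE-NO-DS-1 is a double negative, and the Forbidden tags column uses `2)` while the footnotes are written `(1)` and `(2)`, with footnote (1) not referenced by any row.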


@@ -0,0 +1,197 @@
# Specification of test zones for DNSSEC03
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
* [Terminology](#terminology)
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [DNSSEC03].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC03] is run on a test zone. The
message tags are defined in the test case ([DNSSEC03]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`dnssec03.xa`) and that subdomain having the same name as the
scenario except where the test domain must be the root zone, a TLD or a domain
under `.arpa`. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tags | Forbidden message tags
:----------------------------|:--------------------------------------------------|:-------------------------------------------
NO-DNSSEC-SUPPORT | DS03_NO_DNSSEC_SUPPORT | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
NO-NSEC3 | DS03_NO_NSEC3 | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NO_DNSSEC_SUPPORT, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
GOOD-VALUES | DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
ERR-MULT-NSEC3 | DS03_ERR_MULT_NSEC3, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
BAD-VALUES | DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD | DS03_ERR_MULT_NSEC3, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
INCONSISTENT-VALUES | DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD | DS03_ERR_MULT_NSEC3, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
NSEC3-OPT-OUT-ENABLED-TLD | DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
SERVER-NO-DNSSEC-SUPPORT | DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
SERVER-NO-NSEC3 | DS03_SERVER_NO_NSEC3, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
UNASSIGNED-FLAG-USED | DS03_UNASSIGNED_FLAG_USED, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY
ERROR-RESPONSE-NSEC-QUERY | DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED, DS03_ERROR_RESPONSE_NSEC_QUERY | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_NO_RESPONSE_NSEC_QUERY
NO-RESPONSE-NSEC-QUERY | DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NO_RESPONSE_NSEC_QUERY | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED, DS03_ERROR_RESPONSE_NSEC_QUERY
ERROR-NSEC-QUERY | DS03_ERROR_RESPONSE_NSEC_QUERY, DS03_NO_RESPONSE_NSEC_QUERY | DS03_ERR_MULT_NSEC3, DS03_ILLEGAL_HASH_ALGO, DS03_ILLEGAL_ITERATION_VALUE, DS03_ILLEGAL_SALT_LENGTH, DS03_INCONSISTENT_HASH_ALGO, DS03_INCONSISTENT_ITERATION, DS03_INCONSISTENT_NSEC3_FLAGS, DS03_INCONSISTENT_SALT_LENGTH, DS03_LEGAL_EMPTY_SALT, DS03_LEGAL_HASH_ALGO, DS03_LEGAL_ITERATION_VALUE, DS03_NO_DNSSEC_SUPPORT, DS03_NO_NSEC3, DS03_NSEC3_OPT_OUT_DISABLED, DS03_NSEC3_OPT_OUT_ENABLED_NON_TLD, DS03_NSEC3_OPT_OUT_ENABLED_TLD, DS03_SERVER_NO_DNSSEC_SUPPORT, DS03_SERVER_NO_NSEC3, DS03_UNASSIGNED_FLAG_USED
## Zone setup for test scenarios
Assumptions for the scenario specifications, unless stated otherwise for the
specific scenario:
1. Each zone is hosted by two NS, ns1 and ns2.
2. Both ns have equal hosting.
3. NS in delegation is equal to NS in zone.
4. All responses are authoritative.
5. RRSIG in responses are disregarded.
6. The actual owner name of the NSEC3 record will not be verified.
7. The record type list of the NSEC3 record will not be verified.
8. The zone is to respond with one SOA record with the zone name as owner name
on SOA query.
9. The zone is to respond with one DNSKEY record with the zone name as owner
name on DNSKEY query.
10. The zone is to respond with one NSEC3 record with a hash owner name in
authority section on NSEC query (note, NSEC not NSEC3). NODATA response.
11. The NSEC3 record is to have the following settings:
* Hash algo = 1
* Flags = 0
* Iteration = 0
* Salt = "-" (no salt)
### NO-DNSSEC-SUPPORT
No DNSSEC support in the zone.
* Zone: "no-dnssec-support.dnssec03.xa."
* No DNSKEY in query for DNSKEY (9).
### NO-NSEC3
No NSEC3 support in the zone.
* Zone: "no-nsec3.dnssec03.xa."
* No NSEC3 in query for NSEC (10).
### GOOD-VALUES
Happy path
* Zone: "good-values.dnssec03.xa."
### ERR-MULT-NSEC3
Strange response with two NSEC3 records.
* Zone: "err-mult-nsec3.dnssec03.xa."
* Two NSEC3 records, with different hash owner name are to be included in the
response. RDATA can be identical. (10)
### BAD-VALUES
The NSEC3 record has values no permitted by RFC 9276, see the specification of
test case [DNSSEC03].
* Zone: "bad-values.dnssec03.xa."
* The following values in NSEC3 (11):
* Hash algo = 2
* Flags = 1
* Iteration = 1
* Salt = "8104"
### INCONSISTENT-VALUES
The NSEC3 records returned from the two NS are not equal.
* Zone: "inconsistent-values.dnssec03.xa."
* Both NS give the same owner name of the NSEC3 record, but
ns1 gives standard values, whereas ns2 responds with an NSEC3 record with
the following values: (2, 11)
* Hash algo = 2
* Flags = 1
* Iteration = 1
* Salt = "8104"
### NSEC3-OPT-OUT-ENABLED-TLD
On a TLD, opt-out just gives an INFO message.
* Zone: "nsec3-opt-out-enabled-tld-dnssec03." (TLD)
* NSEC3 record with the following value: (11)
* Flags = 1
### SERVER-NO-DNSSEC-SUPPORT
One NS of two does not support DNSSEC (no DNSKEY)
* Zone: "server-no-dnssec-support.dnssec03.xa"
* ns2 does not return any DNSKEY record on DNSKEY query (2, 9)
### SERVER-NO-NSEC3
One NS of two does not have NSEC3
* Zone: "server-no-nsec3.dnssec03.xa"
* ns2 does not return any NSEC3 record on NSEC query (2, 10)
### UNASSIGNED-FLAG-USED
Unassigned flag used.
* Zone: "unassigned-flag-used.dnssec03.xa"
* NSEC3 record with the following value: (11)
* Flags = 2
### ERROR-RESPONSE-NSEC-QUERY
Error in response from one NS on NSEC query.
* Zone: "error-response-nsec-query.dnssec03.xa"
* Normal response on DNSKEY query from ns1.
* RCODE name SERVFAIL on NSEC query from ns1.
* Normal responses from ns2.
### NO-RESPONSE-NSEC-QUERY
No response from one NS on NSEC query.
* Zone: "no-response-nsec-query.dnssec03.xa"
* Normal responses from ns1.
* Normal response on DNSKEY query from ns2.
* No response on NSEC query from ns2.
### ERROR-NSEC-QUERY
No response and error in response on NSEC query, respectively, from two NS.
* Zone: "error-nsec-query.dnssec03.xa"
* Normal response on DNSKEY query from ns1 and ns2.
* RCODE name SERVFAIL on NSEC query from ns1.
* No response on NSEC query from ns2.
[DNSSEC03]: ../../tests/DNSSEC-TP/dnssec03.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Well Formed CDS Record]: #terminology
[Well Formed DNSKEY Record]: #terminology
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
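
Review bot: The table of contents ends with `[Terminology](#terminology)`, but this file has no Terminology section, and the link definitions `[Well Formed CDS Record]` and `[Well Formed DNSKEY Record]` at the bottom point at the same missing anchor and are not referenced anywhere in the text. Either add the section or drop the TOC entry and both definitions. `[RCODE Name]` is also defined but never used as a link (the scenarios write plain "RCODE name SERVFAIL"). Also, the zone names from SERVER-NO-DNSSEC-SUPPORT onward lack the trailing dot that the earlier scenarios have, and "values no permitted by RFC 9276" under BAD-VALUES should read "not permitted".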


@@ -0,0 +1,350 @@
# Specification of Test Scenarios for DNSSEC05
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [DNSSEC05].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC05] is run on a test zone. The
message tags are defined in the test case ([DNSSEC05]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`dnssec05.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [DNSSEC05] for the specification of the tags.
* DS05_ALGO_DEPRECATED
* DS05_ALGO_NOT_RECOMMENDED
* DS05_ALGO_NOT_ZONE_SIGN
* DS05_ALGO_OK
* DS05_ALGO_PRIVATE
* DS05_ALGO_RESERVED
* DS05_ALGO_UNASSIGNED
* DS05_NO_RESPONSE
* DS05_SERVER_NO_DNSSEC
* DS05_ZONE_NO_DNSSEC
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
| Scenario name | Mandatory message tags | Forbidden message tags |
|:------------------------|:--------------------------------------------------------------|:-----------------------|
| ALGO-DEPRECATED-1 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-3 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-5 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-6 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-7 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-DEPRECATED-12 | DS05_ALGO_DEPRECATED | 2) |
| ALGO-NOT-RECOMMENDED-10 | DS05_ALGO_NOT_RECOMMENDED | 2) |
| ALGO-NOT-ZONE-SIGN-0 | DS05_ALGO_NOT_ZONE_SIGN | 2) |
| ALGO-NOT-ZONE-SIGN-2 | DS05_ALGO_NOT_ZONE_SIGN | 2) |
| ALGO-NOT-ZONE-SIGN-252 | DS05_ALGO_NOT_ZONE_SIGN | 2) |
| ALGO-OK-8 | DS05_ALGO_OK | 2) |
| ALGO-OK-13 | DS05_ALGO_OK | 2) |
| ALGO-OK-14 | DS05_ALGO_OK | 2) |
| ALGO-OK-15 | DS05_ALGO_OK | 2) |
| ALGO-OK-16 | DS05_ALGO_OK | 2) |
| ALGO-OK-17 | DS05_ALGO_OK | 2) |
| ALGO-OK-23 | DS05_ALGO_OK | 2) |
| ALGO-PRIVATE-253 | DS05_ALGO_PRIVATE | 2) |
| ALGO-PRIVATE-254 | DS05_ALGO_PRIVATE | 2) |
| ALGO-RESERVED-4 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-9 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-11 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-123 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-251 | DS05_ALGO_RESERVED | 2) |
| ALGO-RESERVED-255 | DS05_ALGO_RESERVED | 2) |
| ALGO-UNASSIGNED-20 | DS05_ALGO_UNASSIGNED | 2) |
| ALGO-UNASSIGNED-122 | DS05_ALGO_UNASSIGNED | 2) |
| MIXED-ALGO-1 | DS05_ALGO_DEPRECATED, DS05_ALGO_NOT_RECOMMENDED, DS05_ALGO_OK | 2) |
| NO-RESPONSE-1 | DS05_NO_RESPONSE | 2) |
| NO-RESPONSE-2 | DS05_NO_RESPONSE | 2) |
| SERVER-NO-DNSSEC-1 | DS05_SERVER_NO_DNSSEC, DS05_ALGO_OK | 2) |
| SHARED-IP-1 | DS05_ALGO_OK | 2) |
| ZONE-NO-DNSSEC-1 | DS05_ZONE_NO_DNSSEC | 2) |
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
* The child zone is `SCENARIO.dnssec05.xa`.
* It is delegated to two name servers, `ns1.SCENARIO.dnssec05.xa`
and `ns2.SCENARIO.dnssec05.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* The delegation of the child zone is to an OOB NS.
* NS can be resolved through the `dnssec05.xa` zone.
* There is a zone file for the child zone.
* All child zone servers give the same response.
* The only responses that can be assumed are queries for
* DNSKEY
* NS
* SOA
* The zone will respond with one DNSKEY record.
* The parent zone is `dnssec05.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
* The DNSKEY algorithm is 13 unless specified for the scenario.
* The DNSKEY record can be technically invalid. Only the format is valid and
only the algorithm value is checked.
* The zone is not signed.
### ALGO-DEPRECATED-1
The DNSKEY algo is 1
* Zone: "algo-deprecated-1.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 1.
### ALGO-DEPRECATED-3
The DNSKEY algo is 3
* Zone: "algo-deprecated-3.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 3.
### ALGO-DEPRECATED-5
The DNSKEY algo is 5
* Zone: "algo-deprecated-5.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 5.
### ALGO-DEPRECATED-6
The DNSKEY algo is 6
* Zone: "algo-deprecated-6.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 6.
### ALGO-DEPRECATED-7
The DNSKEY algo is 7
* Zone: "algo-deprecated-7.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 7.
### ALGO-DEPRECATED-12
The DNSKEY algo is 12
* Zone: "algo-deprecated-12.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 12.
### ALGO-RESERVED-4
The DNSKEY algo is 4
* Zone: "algo-reserved-4.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 4.
### ALGO-RESERVED-9
The DNSKEY algo is 9
* Zone: "algo-reserved-9.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 9.
### ALGO-RESERVED-11
The DNSKEY algo is 11
* Zone: "algo-reserved-11.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 11.
### ALGO-RESERVED-123
The DNSKEY algo is 123
* Zone: "algo-reserved-123.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 123.
### ALGO-RESERVED-251
The DNSKEY algo is 251
* Zone: "algo-reserved-251.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 251.
### ALGO-RESERVED-255
The DNSKEY algo is 255
* Zone: "algo-reserved-255.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 255.
### ALGO-UNASSIGNED-20
The DNSKEY algo is 20
* Zone: "algo-unassigned-17.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 17.
### ALGO-UNASSIGNED-122
The DNSKEY algo is 122
* Zone: "algo-unassigned-122.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 122.
### ALGO-PRIVATE-253
The DNSKEY algo is 253
* Zone: "algo-private-253.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 253.
### ALGO-PRIVATE-254
The DNSKEY algo is 254
* Zone: "algo-private-254.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 254.
### ALGO-NOT-ZONE-SIGN-0
The DNSKEY algo is 0
* Zone: "algo-not-zone-sign-0.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 0.
### ALGO-NOT-ZONE-SIGN-2
The DNSKEY algo is 2
* Zone: "algo-not-zone-sign-2.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 2.
### ALGO-NOT-ZONE-SIGN-252
The DNSKEY algo is 252
* Zone: "algo-not-zone-sign-252.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 252.
### ALGO-NOT-RECOMMENDED-10
The DNSKEY algo is 10
* Zone: "algo-not-recommended-10.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 10.
### ALGO-OK-8
The DNSKEY algo is 8
* Zone: "algo-ok-8.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 8.
### ALGO-OK-13
The DNSKEY algo is 13
* Zone: "algo-ok-13.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 13.
### ALGO-OK-14
The DNSKEY algo is 14
* Zone: "algo-ok-14.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 14.
### ALGO-OK-15
The DNSKEY algo is 15
* Zone: "algo-ok-15.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 15.
### ALGO-OK-16
The DNSKEY algo is 16
* Zone: "algo-ok-16.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 16.
### ALGO-OK-17
The DNSKEY algo is 17
* Zone: "algorithm-ok-17.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 17.
### ALGO-OK-23
The DNSKEY algo is 23
* Zone: "algorithm-ok-23.dnssec05.xa."
* The algorithm of the DNSKEY in the response is 23.
## MIXED-ALGO-1
Three DNSKEY with different algorithms.
* Zone: "mixed-algo-1.dnssec05.xa."
* The response has three DNSKEY with different algorithms:
* 7
* 10
* 13
### NO-RESPONSE-1
No valid response from any of the servers.
* Zone: "no-response-1.dnssec05.xa."
* No response at all from ns1.
* Response from ns2 does not have the AA bit set.
### NO-RESPONSE-2
No valid response from any of the servers.
* Zone: "no-response-2.dnssec05.xa."
* Response from ns1 has RCODE SERVFAIL.
* Response from ns2 has RCODE REFUSED.
### SERVER-NO-DNSSEC-1
No DNSKEY from ns1.
* Zone: "server-no-dnssec-1.dnssec05.xa."
* Response from ns1 is NODATA (no DNSKEY).
* Response from ns2 is normal.
### SHARED-IP-1
Two NS names, but only one IP. IPv4 only.
* Zone: "shared-ip-1.dnssec05.xa."
* ns1a and ns1b are in bailiwick, but use the same IP.
* IPv4 only.
* The message should list both name server names, both with the same IP.
### ZONE-NO-DNSSEC-1
No DNSKEY from neither ns1 nor ns2.
* Zone: "zone-no-dnssec-1.dnssec05.xa."
* Responses from ns1 and ns2 are NODATA (no DNSKEY).
[DNSSEC05]: ../../tests/DNSSEC-TP/dnssec05.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
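
Review bot: The ALGO-UNASSIGNED-20 scenario contradicts itself: the heading and summary say algorithm 20, but the zone is "algo-unassigned-17.dnssec05.xa." and the DNSKEY algorithm is given as 17, which is also the algorithm the ALGO-OK-17 scenario below uses. Either change the zone to `algo-unassigned-20.dnssec05.xa.` and the algorithm to 20, or rename the scenario, so that a test built from this spec exercises the algorithm class it claims to. Two smaller points in the same hunk: ALGO-OK-17 and ALGO-OK-23 use the zone labels `algorithm-ok-17` and `algorithm-ok-23`, while every other scenario here uses the scenario name as the label (for example `algo-ok-16`), and `## MIXED-ALGO-1` is a level-2 heading among level-3 scenario headings, which puts it at the wrong depth in the rendered outline.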

View File

@@ -0,0 +1,204 @@
# Specification of Test Scenarios for DNSSEC07
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [DNSSEC07].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC07] is run on a test zone. The
message tags are defined in the test case ([DNSSEC07]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`dnssec07.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [DNSSEC07] for the specification of the tags.
* DS07_DS_FOR_SIGNED_ZONE
* DS07_DS_ON_PARENT_SERVER
* DS07_INCONSISTENT_DS
* DS07_INCONSISTENT_SIGNED
* DS07_NON_AUTH_RESPONSE_DNSKEY
* DS07_NOT_SIGNED
* DS07_NOT_SIGNED_ON_SERVER
* DS07_NO_DS_ON_PARENT_SERVER
* DS07_NO_DS_FOR_SIGNED_ZONE
* DS07_NO_RESPONSE_DNSKEY
* DS07_SIGNED
* DS07_SIGNED_ON_SERVER
* DS07_UNEXP_RCODE_RESP_DNSKEY
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
| Scenario name | Mandatory tags | Forbidden tags |
|:---------------------------|:---------------------------------------------------------------------------------------------------------------------|:---------------|
| SIGNED-AND-DS-1 | DS07_DS_FOR_SIGNED_ZONE, DS07_DS_ON_PARENT_SERVER, DS07_SIGNED, DS07_SIGNED_ON_SERVER | 2) |
| SIGNED-NO-DS-1 | DS07_NO_DS_ON_PARENT_SERVER, DS07_NO_DS_FOR_SIGNED_ZONE, DS07_SIGNED, DS07_SIGNED_ON_SERVER | 2) |
| INCONSIST-SIGNED-AND-DS-1 | DS07_DS_ON_PARENT_SERVER, DS07_INCONSISTENT_SIGNED, DS07_NOT_SIGNED_ON_SERVER, DS07_SIGNED_ON_SERVER | 2) |
| INCONSIST-SIGNED-NO-DS-1 | DS07_INCONSISTENT_SIGNED, DS07_NOT_SIGNED_ON_SERVER, DS07_NO_DS_ON_PARENT_SERVER, DS07_SIGNED_ON_SERVER | 2) |
| SIGNED-AND-INCONSIST-DS-1 | DS07_DS_ON_PARENT_SERVER, DS07_INCONSISTENT_DS, DS07_NO_DS_ON_PARENT_SERVER, DS07_SIGNED, DS07_SIGNED_ON_SERVER | 2) |
| UNSIGNED-AND-DS-1 | DS07_NOT_SIGNED, DS07_NOT_SIGNED_ON_SERVER | 2) |
| UNSIGNED-NO-DS-1 | DS07_NOT_SIGNED, DS07_NOT_SIGNED_ON_SERVER | 2) |
| NON-AUTH-RESPONSE-DNSKEY-1 | DS07_NON_AUTH_RESPONSE_DNSKEY, DS07_SIGNED, DS07_SIGNED_ON_SERVER, DS07_DS_ON_PARENT_SERVER, DS07_DS_FOR_SIGNED_ZONE | 2) |
| NO-RESPONSE-DNSKEY-1 | DS07_SIGNED, DS07_SIGNED_ON_SERVER, DS07_NO_RESPONSE_DNSKEY, DS07_DS_ON_PARENT_SERVER, DS07_DS_FOR_SIGNED_ZONE | 2) |
| UNEXP-RCODE-RESP-DNSKEY-1 | DS07_SIGNED, DS07_SIGNED_ON_SERVER, DS07_UNEXP_RCODE_RESP_DNSKEY, DS07_DS_ON_PARENT_SERVER, DS07_DS_FOR_SIGNED_ZONE | 2) |
* (1) All tags except for those specified as "Forbidden tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
* The child zone is `SCENARIO.dnssec07.xa`.
* It is delegated to two name servers, `ns1.SCENARIO.dnssec07.xa`
and `ns2.SCENARIO.dnssec07.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* The delegation of the child zone is to an IB NS.
* There is a zone file for the child zone.
* All child zone servers give the same response.
* The only responses, with data queried for, to the child zone that can be assumed are queries for
* NS
* SOA
* DNSKEY
* Response on DNSKEY query will include RRSIG, others will not.
* The parent zone is `dnssec07.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* The parent zone will respond with one DS record per child zone.
* The only responses to the parent zone that can be assumed are queries for
* NS
* SOA
* DNSKEY
* delegation of the child
* DS for child
* Response on DS query will include RRSIG, others will not.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
* The DS digest algorithm is 2.
* The DS will not correctly match DNSKEY.
* The zones are not signed.
### SIGNED-AND-DS-1
All is good with signed zone and DS record in parent.
* Zone: signed-and-ds-1.dnssec07.xa.
* All default settings.
### SIGNED-NO-DS-1
The child zone is signed, but no DS in parent.
* Zone: signed-no-ds-1.dnssec07.xa.
* The child zone has default settings.
* The parent zone has no DS for the child zone.
### INCONSIST-SIGNED-AND-DS-1
The child is signed on ns1 but not on ns2.
* Zone: inconsist-signed-and-ds-1.dnssec07.xa.
* Response from ns1 with DNSKEY.
* Response from ns2 without DNSKEY.
### INCONSIST-SIGNED-NO-DS-1
The child is signed on ns1 but not on ns2.
* Zone: inconsist-signed-no-ds-1.dnssec07.xa.
* Response from ns1 with DNSKEY.
* Response from ns2 without DNSKEY.
* Parent provides no DS.
### SIGNED-AND-INCONSIST-DS-1
Parent provides DS on one server, but not the other.
* Zone: child.signed-and-inconsist-ds-1.dnssec07.xa.
* Grandparent zone is dnssec07.xa.
* Parent zone is signed-and-inconsist-ds-1.dnssec07.xa.
* ns1 provides DS, ns2 does not.
* Child zone is child.signed-and-inconsist-ds-1.dnssec07.xa.
* Child zone is signed.
### UNSIGNED-AND-DS-1
Both NS respond with no DNSKEY. Parent has NS but it is disregarded.
* Zone: unsigned-and-ds-1.dnssec07.xa.
* ns1 and ns2 respond with NO DATA on DNSKEY query.
* Parent provides DS record, but it is not expected to be queried for.
### UNSIGNED-NO-DS-1
Both NS respond with no DNSKEY. Parent has NS but it is disregarded.
* Zone: unsigned-no-ds-1.dnssec07.xa.
* ns1 and ns2 respond with NODATA on DNSKEY query.
* Parent provides no DS record, but it is not expected to be queried for.
### NON-AUTH-RESPONSE-DNSKEY-1
One server responds with non-authoritative DNSKEY response.
* Zone: non-auth-response-dnskey-1.dnssec07.xa.
* ns1 responds with AA bit unset on DNSKEY query.
* Other queries have normal responses.
* Normal responses from ns2.
### NO-RESPONSE-DNSKEY-1
One server does not respond on DNSKEY query.
* Zone: no-response-dnskey-1.dnssec07.xa.
* ns1 does not respond on the DNSKEY query.
* Other queries have normal responses.
* Normal responses from ns2.
### UNEXP-RCODE-RESP-DNSKEY-1
One server give unexpected RCODE in response on DNSKEY query.
* Zone: unexp-rcode-resp-dnskey-1.dnssec07.xa.
* ns1 responds with RCODE REFUSED on the DNSKEY query.
* Other queries have normal responses.
* Normal responses from ns2.
[DNSSEC07]: ../../tests/DNSSEC-TP/dnssec07.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
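
Review bot: The summaries of UNSIGNED-AND-DS-1 and UNSIGNED-NO-DS-1 both read "Parent has NS but it is disregarded", while their bullets are about the DS record, and in UNSIGNED-NO-DS-1 the parent provides no DS at all. Suggest "Parent has DS but it is disregarded" and "Parent has no DS" respectively, and spelling NODATA the same way in both (the first has "NO DATA"). The default zone configuration also needs a clarification: it ends with "The zones are not signed" yet states that the DNSKEY response includes RRSIG, and SIGNED-AND-DS-1 uses "All default settings" while requiring DS07_SIGNED. State explicitly whether the default child serves DNSKEY and RRSIG without being validly signed, which the line "The DS will not correctly match DNSKEY" suggests is the intent. "IB NS" in the child defaults should be written out as in-bailiwick NS, as it is for the parent zone.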

View File

@@ -0,0 +1,634 @@
# Specification of Test Scenarios for DNSSEC10
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [All message tags](#all-message-tags)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Test scenarios and setup of test zones]
## Background
See the [test scenario README file].
## Test Case
This document specifies defined test scenarios for test case [DNSSEC10].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC10] is run on a test zone.
The message tags are defined in the test case ([DNSSEC10]) and the scenarios
are defined below.
The test scenarios are structured as stated in the [test scenario README file].
## Test zone names
The test zone or zones for each test scenario in this document is a subdomain
(or lower zone) delegated from the base name (`dnssec10.xa`) and that subdomain
having the same name as the scenario. The names of those zones are given in
section "[Test scenarios and setup of test zones]" below.
## All message tags
The test case can output any of these message tags, but not necessarily in any
combination. See [DNSSEC10] for the specification of the tags.
* DS10_ALGO_NOT_SUPPORTED_BY_ZM
* DS10_ERR_MULT_NSEC
* DS10_ERR_MULT_NSEC3
* DS10_ERR_MULT_NSEC3PARAM
* DS10_EXPECTED_NSEC_NSEC3_MISSING
* DS10_HAS_NSEC
* DS10_HAS_NSEC3
* DS10_INCONSISTENT_NSEC
* DS10_INCONSISTENT_NSEC3
* DS10_INCONSISTENT_NSEC_NSEC3
* DS10_MIXED_NSEC_NSEC3
* DS10_NSEC3PARAM_GIVES_ERR_ANSWER
* DS10_NSEC3PARAM_MISMATCHES_APEX
* DS10_NSEC3PARAM_QUERY_RESPONSE_ERR
* DS10_NSEC3_ERR_TYPE_LIST
* DS10_NSEC3_MISMATCHES_APEX
* DS10_NSEC3_MISSING_SIGNATURE
* DS10_NSEC3_NODATA_MISSING_SOA
* DS10_NSEC3_NODATA_WRONG_SOA
* DS10_NSEC3_NO_VERIFIED_SIGNATURE
* DS10_NSEC3_RRSIG_EXPIRED
* DS10_NSEC3_RRSIG_NOT_YET_VALID
* DS10_NSEC3_RRSIG_NO_DNSKEY
* DS10_NSEC3_RRSIG_VERIFY_ERROR
* DS10_NSEC_ERR_TYPE_LIST
* DS10_NSEC_GIVES_ERR_ANSWER
* DS10_NSEC_MISMATCHES_APEX
* DS10_NSEC_MISSING_SIGNATURE
* DS10_NSEC_NODATA_MISSING_SOA
* DS10_NSEC_NODATA_WRONG_SOA
* DS10_NSEC_NO_VERIFIED_SIGNATURE
* DS10_NSEC_QUERY_RESPONSE_ERR
* DS10_NSEC_RRSIG_EXPIRED
* DS10_NSEC_RRSIG_NOT_YET_VALID
* DS10_NSEC_RRSIG_NO_DNSKEY
* DS10_NSEC_RRSIG_VERIFY_ERROR
* DS10_SERVER_NO_DNSSEC
* DS10_ZONE_NO_DNSSEC
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tag | Forbidden message tags
:------------------------------|:-----------------------------------------------------------------------------|:--------------------
GOOD-NSEC-1 | DS10_HAS_NSEC | 2)
GOOD-NSEC-2 | DS10_HAS_NSEC | 2)
GOOD-NSEC-3 | DS10_HAS_NSEC | 2)
GOOD-NSEC3-1 | DS10_HAS_NSEC3 | 2)
GOOD-NSEC3-2 | DS10_HAS_NSEC3 | 2)
GOOD-NSEC3-3 | DS10_HAS_NSEC3 | 2)
ALGO-NOT-SUPP-BY-ZM-1 | DS10_ALGO_NOT_SUPPORTED_BY_ZM, DS10_HAS_NSEC | 2)
ALGO-NOT-SUPP-BY-ZM-2 | DS10_ALGO_NOT_SUPPORTED_BY_ZM, DS10_HAS_NSEC3 | 2)
BAD-SERVERS-BUT-GOOD-NSEC-1 | DS10_HAS_NSEC | 2)
ERR-MULT-NSEC-1 | DS10_ERR_MULT_NSEC, DS10_HAS_NSEC | 2)
ERR-MULT-NSEC-2 | DS10_ERR_MULT_NSEC, DS10_HAS_NSEC | 2)
ERR-MULT-NSEC3-1 | DS10_ERR_MULT_NSEC3, DS10_HAS_NSEC3 | 2)
ERR-MULT-NSEC3PARAM-1 | DS10_ERR_MULT_NSEC3PARAM, DS10_HAS_NSEC3 | 2)
EXP-NSEC-NSEC3-MISS-1 | DS10_EXPECTED_NSEC_NSEC3_MISSING | 2)
INCONSISTENT-NSEC-1 | DS10_INCONSISTENT_NSEC, DS10_HAS_NSEC | 2)
INCONSISTENT-NSEC3-1 | DS10_INCONSISTENT_NSEC3, DS10_HAS_NSEC3 | 2)
INCONSIST-NSEC-NSEC3-1 | DS10_INCONSISTENT_NSEC_NSEC3 | 2)
INCONSIST-NSEC-NSEC3-2 | DS10_INCONSISTENT_NSEC_NSEC3, DS10_INCONSISTENT_NSEC, DS10_INCONSISTENT_NSEC3| 2)
MIXED-NSEC-NSEC3-1 | DS10_MIXED_NSEC_NSEC3 | 2)
MIXED-NSEC-NSEC3-2 | DS10_MIXED_NSEC_NSEC3 | 2)
NSEC3PARAM-GIVES-ERR-ANSWER-1 | DS10_NSEC3PARAM_GIVES_ERR_ANSWER, DS10_HAS_NSEC3, DS10_INCONSISTENT_NSEC3 | 2)
NSEC3PARAM-GIVES-ERR-ANSWER-2 | DS10_NSEC3PARAM_GIVES_ERR_ANSWER, DS10_EXPECTED_NSEC_NSEC3_MISSING, DS10_INCONSISTENT_NSEC3, DS10_HAS_NSEC3 | 2)
NSEC3PARAM-MISMATCHES-APEX-1 | DS10_NSEC3PARAM_MISMATCHES_APEX, DS10_HAS_NSEC3 | 2)
NSEC3PARAM-Q-RESPONSE-ERR-1 | DS10_NSEC3PARAM_QUERY_RESPONSE_ERR, DS10_HAS_NSEC3, DS10_INCONSISTENT_NSEC3 | 2)
NSEC3PARAM-Q-RESPONSE-ERR-2 | DS10_NSEC3PARAM_QUERY_RESPONSE_ERR, DS10_HAS_NSEC3, DS10_INCONSISTENT_NSEC3 | 2)
NSEC3PARAM-Q-RESPONSE-ERR-3 | DS10_NSEC3PARAM_QUERY_RESPONSE_ERR, DS10_EXPECTED_NSEC_NSEC3_MISSING, DS10_INCONSISTENT_NSEC3 | 2)
NSEC3-ERR-TYPE-LIST-1 | DS10_NSEC3_ERR_TYPE_LIST, DS10_HAS_NSEC3 | 2)
NSEC3-ERR-TYPE-LIST-2 | DS10_NSEC3_ERR_TYPE_LIST, DS10_HAS_NSEC3 | 2)
NSEC3-MISMATCHES-APEX-1 | DS10_NSEC3_MISMATCHES_APEX, DS10_HAS_NSEC3 | 2)
NSEC3-MISSING-SIGNATURE-1 | DS10_NSEC3_MISSING_SIGNATURE, DS10_HAS_NSEC3 | 2)
NSEC3-NODATA-MISSING-SOA-1 | DS10_NSEC3_NODATA_MISSING_SOA, DS10_HAS_NSEC3 | 2)
NSEC3-NODATA-WRONG-SOA-1 | DS10_NSEC3_NODATA_WRONG_SOA, DS10_HAS_NSEC3 | 2)
NSEC3-NO-VERIFIED-SIGNATURE-1 | DS10_NSEC3_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC3, DS10_NSEC3_RRSIG_NO_DNSKEY | 2)
NSEC3-NO-VERIFIED-SIGNATURE-2 | DS10_NSEC3_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC3, DS10_NSEC3_RRSIG_EXPIRED | 2)
NSEC3-NO-VERIFIED-SIGNATURE-3 | DS10_NSEC3_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC3, DS10_NSEC3_RRSIG_NOT_YET_VALID | 2)
NSEC3-NO-VERIFIED-SIGNATURE-4 | DS10_NSEC3_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC3, DS10_NSEC3_RRSIG_VERIFY_ERROR | 2)
NSEC-ERR-TYPE-LIST-1 | DS10_NSEC_ERR_TYPE_LIST, DS10_HAS_NSEC | 2)
NSEC-ERR-TYPE-LIST-2 | DS10_NSEC_ERR_TYPE_LIST, DS10_HAS_NSEC | 2)
NSEC-GIVES-ERR-ANSWER-1 | DS10_NSEC_GIVES_ERR_ANSWER, DS10_HAS_NSEC, DS10_INCONSISTENT_NSEC | 2)
NSEC-GIVES-ERR-ANSWER-2 | DS10_NSEC_GIVES_ERR_ANSWER, DS10_EXPECTED_NSEC_NSEC3_MISSING, DS10_INCONSISTENT_NSEC, DS10_HAS_NSEC | 2)
NSEC-MISMATCHES-APEX-1 | DS10_NSEC_MISMATCHES_APEX, DS10_HAS_NSEC | 2)
NSEC-MISMATCHES-APEX-2 | DS10_NSEC_MISMATCHES_APEX, DS10_HAS_NSEC | 2)
NSEC-MISSING-SIGNATURE-1 | DS10_NSEC_MISSING_SIGNATURE, DS10_HAS_NSEC | 2)
NSEC-NODATA-MISSING-SOA-1 | DS10_NSEC_NODATA_MISSING_SOA, DS10_HAS_NSEC | 2)
NSEC-NODATA-WRONG-SOA-1 | DS10_NSEC_NODATA_WRONG_SOA, DS10_HAS_NSEC | 2)
NSEC-NO-VERIFIED-SIGNATURE-1 | DS10_NSEC_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC, DS10_NSEC_RRSIG_NO_DNSKEY | 2)
NSEC-NO-VERIFIED-SIGNATURE-2 | DS10_NSEC_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC, DS10_NSEC_RRSIG_EXPIRED | 2)
NSEC-NO-VERIFIED-SIGNATURE-3 | DS10_NSEC_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC, DS10_NSEC_RRSIG_NOT_YET_VALID| 2)
NSEC-NO-VERIFIED-SIGNATURE-4 | DS10_NSEC_NO_VERIFIED_SIGNATURE, DS10_HAS_NSEC, DS10_NSEC_RRSIG_VERIFY_ERROR | 2)
NSEC-QUERY-RESPONSE-ERR-1 | DS10_NSEC_QUERY_RESPONSE_ERR, DS10_HAS_NSEC, DS10_INCONSISTENT_NSEC | 2)
NSEC-QUERY-RESPONSE-ERR-2 | DS10_NSEC_QUERY_RESPONSE_ERR, DS10_HAS_NSEC, DS10_INCONSISTENT_NSEC | 2)
NSEC-QUERY-RESPONSE-ERR-3 | DS10_NSEC_QUERY_RESPONSE_ERR, DS10_EXPECTED_NSEC_NSEC3_MISSING, DS10_INCONSISTENT_NSEC | 2)
SERVER-NO-DNSSEC-1 | DS10_SERVER_NO_DNSSEC, DS10_HAS_NSEC | 2)
SERVER-NO-DNSSEC-2 | DS10_SERVER_NO_DNSSEC, DS10_HAS_NSEC3 | 2)
ZONE-NO-DNSSEC-1 | DS10_ZONE_NO_DNSSEC | 2)
* (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
* (2) All tags except for those specified as "Mandatory message tags"
## Test scenarios and setup of test zones
### Default zone configuration
Unless otherwise specified in the specific scenario specification, the test zone
or zones for the scenario will follow the default setup as stated below. The
`child zone` is the zone to be tested for the scenario.
* The child zone is `SCENARIO.dnssec10.xa`.
* It is delegated to two name servers, `ns1.SCENARIO.dnssec10.xa`
and `ns2.SCENARIO.dnssec10.xa`.
* The name server names have A and AAAA records to avoid non-relevant error
messages.
* The delegation of the child zone is complete with glue records.
* There is a zone file for the child zone.
* All child zone servers give the same response.
* The responses are either with NSEC record (NSEC zone) or NSEC3 record (NSEC3
zone), not mixed.
* The parent zone is `dnssec10.xa`.
* It is served by two in-bailiwick NS (ns1 and ns2).
* ns1 and ns2 have the same zone content.
* ns1 and ns2 have both IPv4 and IPv6 glue.
* The records matching glue in the zone are complete.
* If the child zone is an NSEC zone:
* Responds with an NSEC response on the NSEC3PARAM query.
* Responds with an NSEC record in answer section on the NSEC query.
* If the child zone is an NSEC3 zone:
* Responds with an NSEC3 response on the NSEC query.
* Responds with an NSEC3PARAM record in answer section on the NSEC3PARAM query.
* All responses will have the AA bit set.
* All responses will have the [RCODE Name] "NoError".
### GOOD-NSEC-1
An NSEC zone and a "happy path". Everything is fine.
* Zone: good-nsec-1.dnssec10.xa
### GOOD-NSEC-2
An NSEC zone and a "happy path". Everything is fine besides that the zone
is served on NS names with the same IP addresses which is fine for this test
case.
* Zone: good-nsec-2.dnssec10.xa
* The zone is delegated to ns1a, ns1b and ns1c.
* All three share the same IPv4 and IPv6 address, respectively.
### GOOD-NSEC-3
An NSEC zone and a "happy path". Everything is fine besides that the NS names
in delegation and zone are different. Fine for this test case.
* Zone: good-nsec-3.dnssec10.xa
* Zone NS are to dns1 and dns2.
* dns1 has the same IP addresses as ns1
* dns2 has the same IP addresses as ns2
### GOOD-NSEC3-1
An NSEC3 zone and a "happy path". Everything is fine.
* Zone: good-nsec3-1.dnssec10.xa
### GOOD-NSEC3-2
An NSEC3 zone and a "happy path". Everything is fine besides that the zone
is served on NS names with the same IP addresses which is fine for this test
case.
* Zone: good-nsec3-2.dnssec10.xa
* The zone is delegated to ns1a, ns1b and ns1c.
* All three share the same IPv4 and IPv6 address, respectively.
### GOOD-NSEC3-3
An NSEC3 zone and a "happy path". Everything is fine besides that the NS names
in delegation and zone are different. Fine for this test case.
* Zone: good-nsec3-3.dnssec10.xa
* Zone NS are to dns1 and dns2.
* dns1 has the same IP addresses as ns1
* dns2 has the same IP addresses as ns2
### ALGO-NOT-SUPP-BY-ZM-1
An NSEC zone. Unknown algorithm of a DNSKEY.
* Zone: algo-not-supp-by-zm-1.dnssec10.xa
* There is an extra RRSIG for the NSEC record (as the response to the
NSEC3PARAM query).
* That RRSIG has been created by [algorithm 255][IANA registry], which is
an unsupported private algorithm.
* A matching DNSKEY ([algorithm 255][IANA registry]) is available.
* For this test scenario a fake signature and a fake public key are used.
* The extra DNSKEY is in the DNSKEY RRset which is resigned by the valid
KSK.
### ALGO-NOT-SUPP-BY-ZM-2
An NSEC3 zone. Unknown algorithm of a DNSKEY.
* Zone: algo-not-supp-by-zm-2.dnssec10.xa
* There is an extra RRSIG for the NSEC3 record (as the response to the
NSEC query).
* That RRSIG has been created by [algorithm 255][IANA registry], which is
an unsupported private algorithm.
* A matching DNSKEY ([algorithm 255][IANA registry]) is available.
* For this test scenario a fake signature and a fake public key are used.
* The extra DNSKEY is in the DNSKEY RRset which is resigned by the valid
KSK.
### BAD-SERVERS-BUT-GOOD-NSEC-1
An NSEC zone. Everything is fine except some non-responsive servers.
* Zone: bad-servers-but-good-nsec-1.dnssec10.xa
* The child zone is delegated to ns1, ns2, ns3, ns4 and ns5, all
in-bailiwick with correct glue.
* ns1 and ns2 are correct and work as they should.
* ns3 does not respond on DNSKEY query.
* ns4 responds with REFUSED on DNSKEY query.
* ns5 responds with AA unset on DNSKEY query.
### ERR-MULT-NSEC-1
An NSEC zone. An extra NSEC record is returned on the NSEC3PARAM query.
* Zone: err-mult-nsec-1.dnssec10.xa
* An extra NSEC record is returned in the response to the NSEC3PARAM query.
* The extra NSEC record has the same owner name, but different value in
"Next Domain Name" field.
* RRSIG is recalculated.
### ERR-MULT-NSEC-2
An NSEC zone. An extra NSEC record is returned on the NSEC query.
* Zone: err-mult-nsec-2.dnssec10.xa
* An extra NSEC record is returned in the response to the NSEC query.
* The extra NSEC record has the same owner name, but different value in
"Type List" field.
* RRSIG is recalculated.
### ERR-MULT-NSEC3-1
An NSEC3 zone. An extra NSEC3 record is returned.
* Zone: err-mult-nsec3-1.dnssec10.xa
* An extra NSEC3 record is returned in the response to the NSEC query.
* The extra NSEC3 record has the same hash owner name, but different value in
"Next Hashed Owner Name" field.
* The NSEC3 RRset has been signed with a valid RRSIG.
### ERR-MULT-NSEC3PARAM-1
An NSEC3 zone. An extra NSEC3PARAM record is returned.
* Zone: err-mult-nsec3param-1.dnssec10.xa
* An extra NSEC3PARAM record is returned in the response to the NSEC query.
* The extra NSEC3PARAM record has the same owner name, but different number
of iterations.
* The NSEC3PARAM RRset has been signed with a valid RRSIG.
### EXP-NSEC-NSEC3-MISS-1
A zone without NSEC and NSEC3. There is no NSEC or NSEC3 function.
* Zone: exp-nsec-nsec3-miss-1.dnssec10.xa
* The NSEC query gives a NODATA response with no NSEC or NSEC3 record.
* The NSEC3PARAM query gives a NODATA response with no NSEC or NSEC3 record.
### INCONSISTENT-NSEC-1
An NSEC zone. Some errors in NSEC handling.
* Zone: inconsistent-nsec-1.dnssec10.xa
* ns1 includes no NSEC record in the NODATA response on the NSEC3PARAM query.
* ns2 includes no NSEC record in the NODATA response on the NSEC query.
### INCONSISTENT-NSEC3-1
An NSEC3 zone. Some errors in NSEC3 handling.
* Zone: inconsistent-nsec3-1.dnssec10.xa
* ns1 includes no NSEC3 record in the NODATA response on the NSEC query.
* ns2 includes no NSEC3PARAM or NSEC3 record in the NODATA response on the
NSEC3PARAM query.
### INCONSIST-NSEC-NSEC3-1
Mixing beteen NSEC and NSEC3.
* Zone: inconsist-nsec-nsec3-1.dnssec10.xa
* ns1 holds an NSEC version of the zone.
* ns2 holds an NSEC3 version of the zone.
### INCONSIST-NSEC-NSEC3-2
NSEC on one server and NSEC3 on the other plus errors in NSEC and NSEC3 handling.
* Zone: inconsist-nsec-nsec3-2.dnssec10.xa
* ns1 holds an NSEC version of the zone.
* It responds with a NODATA respond without NSEC record on the NSEC3PARAM
query.
* It does respond with an NSEC record to the NSEC query.
* ns2 holds an NSEC3 version of the zone.
* It responds with a NODATA respond without NSEC3 record on the NSEC query.
* It does respond with an NSEC3PARAM record to the NSEC3PARAM query.
### MIXED-NSEC-NSEC3-1
Servers gives both NSEC and NSEC3
* Zone: mixed-nsec-nsec3-1.dnssec10.xa
* The zone gives an NSEC record in response to NSEC query.
* The zone gives an NSEC3PARAM record in response to the NSEC3PARAM query.
### MIXED-NSEC-NSEC3-2
Servers gives both NSEC and NSEC3
* Zone: mixed-nsec-nsec3-2.dnssec10.xa
* The zone gives a NODATA response with NSEC3 record in response to NSEC
query.
* The zone gives a NODATA response with NSEC record in response to the
NSEC3PARAM query.
### NSEC3PARAM-GIVES-ERR-ANSWER-1
An NSEC3 zone. Error in response to NSEC3PARAM query.
* Zone: nsec3param-gives-err-answer-1.dnssec10.xa
* The zone gives a TXT record, but no NSEC3PARAM record, in response to the
NSEC3PARAM query.
### NSEC3PARAM-GIVES-ERR-ANSWER-2
An NSEC3 zone. Error in response to NSEC3PARAM query on ns1. No NSEC or NSEC3 on
ns2.
* Zone: nsec3param-gives-err-answer-1.dnssec10.xa
* On ns1, the zone gives a TXT record, but no NSEC3PARAM record, in response to
the NSEC3PARAM query.
* On ns2, the zone gives NODATA responses without NSEC or NSEC3 record for both
the NSEC3PARAM query and the NSEC query.
### NSEC3PARAM-MISMATCHES-APEX-1
An NSEC3 zone. The owner name of the NSEC3PARAM record is erroneous.
* Zone: nsec3param-mismatches-apex-1.dnssec10.xa
* The owner name of the NSEC3PARAM record in response to the NSEC3PARAM query is
erroneous and does not match apex.
* The owner name is `sub.nsec3param-mismatches-apex-1.dnssec10.xa` instead of
expected `nsec3param-mismatches-apex-1.dnssec10.xa`.
## NSEC3PARAM-Q-RESPONSE-ERR-1
An NSEC3 zone. Error in response to NSEC3PARAM query.
* Zone: nsec3param-q-response-err-1.dnssec10.xa
* No DNS response on the NSEC3PARAM query.
## NSEC3PARAM-Q-RESPONSE-ERR-2
An NSEC3 zone. Error in response to NSEC3PARAM query.
* Zone: nsec3param-q-response-err-2.dnssec10.xa
* The response on the NSEC3PARAM query has the [RCODE Name] "REFUSED".
## NSEC3PARAM-Q-RESPONSE-ERR-3
An NSEC3 zone. Error in response to NSEC3PARAM query on ns1. No NSEC or NSEC3 on
ns2.
* Zone: nsec3param-q-response-err-3.dnssec10.xa
* The response from ns1 on the NSEC3PARAM query has the AA flag unset.
* On ns2, the zone gives NODATA responses without NSEC or NSEC3 record for both
the NSEC3PARAM query and the NSEC query.
### NSEC3-ERR-TYPE-LIST-1
An NSEC3 zone. The type list of the NSEC3 record is erroneous.
* Zone: nsec3-err-type-list-1.dnssec10.xa
* The type list of the NSEC3 record includes NSEC.
### NSEC3-ERR-TYPE-LIST-2
An NSEC3 zone. The type list of the NSEC3 record is erroneous.
* Zone: nsec3-err-type-list-2.dnssec10.xa
* The type list of the NSEC3 record misses RRSIG.
### NSEC3-MISMATCHES-APEX-1
An NSEC3 zone. The hash owner name of the NSEC3 record is erroneous.
* Zone: nsec3-mismatches-apex-1.dnssec10.xa
* The hash owner name of the NSEC3 record in response to the NSEC query is
erroneous and does not match apex.
### NSEC3-MISSING-SIGNATURE-1
An NSEC3 zone. The RRSIG is missing
* Zone: nsec3-missing-signature-1.dnssec10.xa
* There is no RRSIG for the NSEC3 record in the response with NSEC3 record.
### NSEC3-NODATA-MISSING-SOA-1
An NSEC3 zone. The SOA record is missing in the NODATA response.
* Zone: nsec3-nodata-missing-soa-1.dnssec10.xa
* In the NODATA response to the NSEC query the SOA record is missing.
### NSEC3-NODATA-WRONG-SOA-1
An NSEC3 zone. In the NODATA response the SOA record has the wrong owner name.
* Zone: nsec3-nodata-wrong-soa-1.dnssec10.xa
* The owner name of the SOA record in the NODATA response to the NSEC query
is `sub.nsec3-nodata-wrong-soa-1.dnssec10.xa` instead of expected
`nsec3-nodata-wrong-soa-1.dnssec10.xa`.
### NSEC3-NO-VERIFIED-SIGNATURE-1
An NSEC3 zone. The RRSIG for the NSEC3 record cannot be verified.
* Zone: nsec3-no-verified-signature-1.dnssec10.xa
* The RRSIG record for the NSEC3 record in the NODATA response to the NSEC
query cannot be verified.
* There is no matching DNSKEY for the RRSIG for the NSEC3 record.
### NSEC3-NO-VERIFIED-SIGNATURE-2
An NSEC3 zone. The RRSIG for the NSEC3 record cannot be verified.
* Zone: nsec3-no-verified-signature-2.dnssec10.xa
* The RRSIG record for the NSEC3 record in the NODATA response to the NSEC
query cannot be verified.
* The RRSIG has expired, i.e. the current date-time is beyond the last valid
date-time.
### NSEC3-NO-VERIFIED-SIGNATURE-3
An NSEC3 zone. The RRSIG for the NSEC3 record cannot be verified.
* Zone: nsec3-no-verified-signature-3.dnssec10.xa
* The RRSIG record for the NSEC3 record in the NODATA response to the NSEC
query cannot be verified.
* The RRSIG it not yet valid, i.e. the current date-time is before the first
valid date-time.
### NSEC3-NO-VERIFIED-SIGNATURE-4
An NSEC3 zone. The RRSIG for the NSEC3 record cannot be verified.
* Zone: nsec3-no-verified-signature-4.dnssec10.xa
* The RRSIG record for the NSEC3 record in the NODATA response to the NSEC
query cannot be verified.
* The RRSIG signature does not match the NSEC record and appointed DNSKEY.
### NSEC-ERR-TYPE-LIST-1
An NSEC zone. The type list of the NSEC record is erroneous.
* Zone: nsec-err-type-list-1.dnssec10.xa
* The type list of the NSEC record includes NSEC3PARAM.
### NSEC-ERR-TYPE-LIST-2
An NSEC zone. The type list of the NSEC record is erroneous.
* Zone: nsec-err-type-list-2.dnssec10.xa
* The type list of the NSEC record misses RRSIG.
### NSEC-GIVES-ERR-ANSWER-1
An NSEC zone. Error in response to NSEC query.
* Zone: nsec-gives-err-answer-1.dnssec10.xa
* The zone gives a TXT record, but no NSEC record, in response to the NSEC
query.
### NSEC-GIVES-ERR-ANSWER-2
An NSEC zone. Error in response to NSEC query on ns1. No NSEC or NSEC3 on ns2.
* Zone: nsec-gives-err-answer-2.dnssec10.xa
* On ns1, the zone gives a TXT record, but no NSEC record, in response to the
NSEC query.
* On ns2, the zone gives NODATA responses without NSEC or NSEC3 record for both
the NSEC3PARAM query and the NSEC query.
### NSEC-MISMATCHES-APEX-1
An NSEC zone. The owner name of the NSEC record is errouneous.
* Zone: nsec-mismatches-apex-1.dnssec10.xa
* The owner name of the NSEC record in response to the NSEC3PARAM query is
errouneous and does not match apex.
* The owner name is `sub.nsec-mismatches-apex-1.dnssec10.xa` instead of
expected `nsec-mismatches-apex-1.dnssec10.xa`.
### NSEC-MISMATCHES-APEX-2
An NSEC zone. The owner name of the NSEC record is errouneous.
* Zone: nsec-mismatches-apex-2.dnssec10.xa
* The owner name of the NSEC record in response to the NSEC query is
errouneous and does not match apex.
* The owner name is `sub.nsec-mismatches-apex-2.dnssec10.xa` instead of
expected `nsec-mismatches-apex-2.dnssec10.xa`.
### NSEC-MISSING-SIGNATURE-1
An NSEC zone. The RRSIG is missing.
* Zone: nsec-missing-signature-1.dnssec10.xa
* There is no RRSIG for the NSEC record in the response with NSEC record on the
NSEC3PARAM query.
### NSEC-NODATA-MISSING-SOA-1
An NSEC zone. The SOA record is missing in the NODATA response.
* Zone: nsec-nodata-missing-soa-1.dnssec10.xa
* In the NODATA response to the NSEC3PARAM query the SOA record is missing.
### NSEC-NODATA-WRONG-SOA-1
An NSEC zone. In the NODATA response the SOA record has the wrong owner name.
* Zone: nsec-nodata-wrong-soa-1.dnssec10.xa
* The owner name of the SOA record in the NODATA response to the NSEC3PARAM
query is `sub.nsec-nodata-wrong-soa-1.dnssec10.xa` instead of expected
`nsec-nodata-wrong-soa-1.dnssec10.xa`.
### NSEC-NO-VERIFIED-SIGNATURE-1
An NSEC zone. The RRSIG for the NSEC record cannot be verified.
* Zone: nsec-no-verified-signature-1.dnssec10.xa
* The RRSIG record for the NSEC record in the NODATA response to the NSEC3PARAM
query cannot be verified.
* There is no matching DNSKEY for the RRSIG for that NSEC record.
### NSEC-NO-VERIFIED-SIGNATURE-2
An NSEC zone. The RRSIG for the NSEC record cannot be verified.
* Zone: nsec-no-verified-signature-2.dnssec10.xa
* The RRSIG record for the NSEC record in the NODATA response to the NSEC3PARAM
query cannot be verified.
* The RRSIG has expired, i.e. the current date-time is beyond the last valid
date-time.
### NSEC-NO-VERIFIED-SIGNATURE-3
An NSEC zone. The RRSIG for the NSEC record cannot be verified.
* Zone: nsec-no-verified-signature-3.dnssec10.xa
* The RRSIG record for the NSEC record in the NODATA response to the NSEC3PARAM
query cannot be verified.
* The RRSIG it not yet valid, i.e. the current date-time is before the first
valid date-time.
### NSEC-NO-VERIFIED-SIGNATURE-4
An NSEC zone. The RRSIG for the NSEC record cannot be verified.
* Zone: nsec-no-verified-signature-4.dnssec10.xa
* The RRSIG record for the NSEC record in the NODATA response to the NSEC3PARAM
query cannot be verified.
* The RRSIG signature does not match the RRSIG record and appointed DNSKEY.
### NSEC-QUERY-RESPONSE-ERR-1
An NSEC zone. Error in response to NSEC query.
* Zone: nsec-query-response-err-1.dnssec10.xa
* No DNS response on the NSEC query.
### NSEC-QUERY-RESPONSE-ERR-2
An NSEC zone. Error in response to NSEC query.
* Zone: nsec-query-response-err-2.dnssec10.xa
* The response on the NSEC query has the [RCODE Name] "REFUSED".
### NSEC-QUERY-RESPONSE-ERR-3
An NSEC zone. Error in response to NSEC query on ns1. No NSEC or NSEC3 in
responses from ns2.
* Zone: nsec-query-response-err-3.dnssec10.xa
* The response from ns1 on the NSEC query has the AA flag unset.
* On ns2, the zone gives NODATA responses without NSEC or NSEC3 record for both
the NSEC3PARAM query and the NSEC query.
### SERVER-NO-DNSSEC-1
An NSEC zone. No DNSKEY in response from ns1. Normal response from ns2.
* Zone: server-no-dnssec-1.dnssec10.xa
* The answer section in response from ns1 on the DNSKEY query is empty. Unsigned
NODATA response without NSEC or NSEC3.
* The NSEC and NSEC3PARAM queries are irrelevant, but they also give a Unsigned
NODATA response without NSEC or NSEC3 on ns1.
### SERVER-NO-DNSSEC-2
An NSEC3 zone. No DNSKEY in response from ns1. Normal response from ns2.
* Zone: server-no-dnssec-2.dnssec10.xa
* The answer section in response from ns1 on the DNSKEY query is empty. Unsigned
NODATA response without NSEC or NSEC3.
* The NSEC and NSEC3PARAM queries are irrelevant, but they also give a Unsigned
NODATA response without NSEC or NSEC3 on ns1.
### ZONE-NO-DNSSEC-1
No DNSKEY in response.
* Zone: zone-no-dnssec-1.dnssec10.xa
* The answer section in response on the DNSKEY query is empty. Unsigned NODATA
response without NSEC or NSEC3.
* The NSEC and NSEC3PARAM queries are irrelevant, but they also give a Unsigned
NODATA response without NSEC or NSEC3.
[DNSSEC10]: ../../tests/DNSSEC-TP/dnssec10.md
[IANA registry]: https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test scenario README file]: ../README.md
[Test scenarios and setup of test zones]: #test-scenarios-and-setup-of-test-zones
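Review bot: NSEC-MISMATCHES-APEX-1 and NSEC-MISMATCHES-APEX-2 carry the same one-line summary ("An NSEC zone. The owner name of the NSEC record is errouneous."), so the only thing that separates them, the NSEC3PARAM query in the first and the NSEC query in the second, is left to the bullets; put the query type into each summary. The four NSEC-NO-VERIFIED-SIGNATURE scenarios have the same problem: their summaries are identical, and the failure cause (no matching DNSKEY, expired, not yet valid, signature mismatch) should be stated there. Spelling to fix in the same pass: "errouneous" (four occurrences), "The RRSIG it not yet valid" in NSEC-NO-VERIFIED-SIGNATURE-3, and "a Unsigned NODATA" in SERVER-NO-DNSSEC-1, SERVER-NO-DNSSEC-2 and ZONE-NO-DNSSEC-1.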

View File

@@ -0,0 +1,190 @@
# Specification of test zones for DNSSEC16
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
* [Terminology](#terminology)
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [DNSSEC16].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts where
different message tags are outputted when [DNSSEC16] is run on a test zone. The
message tags are defined in the test case ([DNSSEC16]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`dnssec16.xa`) and that subdomain having the same name as the
scenario except where the test domain must be the root zone, a TLD or a domain
under `.arpa`. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tags | Forbidden message tags
:----------------------------|:--------------------------------------------------|:-------------------------------------------
CDS-INVALID-RRSIG | DS16_CDS_INVALID_RRSIG | DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-MATCHES-NO-DNSKEY | DS16_CDS_MATCHES_NO_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-MATCHES-NON-SEP-DNSKEY | DS16_CDS_MATCHES_NON_SEP_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-MATCHES-NON-ZONE-DNSKEY | DS16_CDS_MATCHES_NON_ZONE_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-NOT-SIGNED_BY_CDS | DS16_CDS_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-SIGNED-BY-UNKNOWN-DNSKEY | DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-UNSIGNED | DS16_CDS_UNSIGNED, DS16_CDS_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-WITHOUT-DNSKEY | DS16_CDS_WITHOUT_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
DELETE-CDS | DS16_DELETE_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
DNSKEY-NOT-SIGNED-BY-CDS | DS16_DNSKEY_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_MIXED_DELETE_CDS
MIXED-DELETE-CDS | DS16_MIXED_DELETE_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS
NO-CDS | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
NOT-AA | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
VALID-CDS | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
## Zone setup for test scenarios
Assumptions for the scenario specifications:
* Only CDS or DNSKEY records in apex are considered.
* Unless stated otherwise, all name servers respond authoritatively with
[RCODE Name] "NoError" on all queries.
* Unless stated otherwise, all name servers respond authoritatively with (or
without) CDS records on CDS queries and DNSKEY records on DNSKEY queries,
respectively.
* Unless stated otherwise, all RRSIGs are present where expected and are valid.
* Each zone is served by two nameservers and both respond consistently.
* No DS record is published at parent zone (`dnssec16.xa`).
### CDS-INVALID-RRSIG
* Zone: "cds-invalid-rrsig.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], that matches key 1, but the RRSIG
of the CDS RRset has expired.
### CDS-MATCHES-NO-DNSKEY
* Zone: "cds-matches-no-dnskey.dnssec16.xa."
* The zone has one [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record] that matches key 1.
* The zone has a second [Well Formed CDS Record] that matches no key by key
tag.
### CDS-MATCHES-NON-SEP-DNSKEY
* Zone: "cds-matches-non-sep-dnskey.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record], but flag bit 15 is unset (key
1).
* The zone has one [Well Formed CDS Record] that matches key 1.
### CDS-MATCHES-NON-ZONE-DNSKEY
* Zone: "cds-matches-non-zone-dnskey.dnssec16.xa."
* The zone has one [Well Formed DNSKEY Record] (key 1).
* The zone has a second [Well Formed DNSKEY Record], but flag bit 7 is unset
and the key has not signed the DNSKEY RRset (key 2).
* The zone has one [Well Formed CDS Record] and matches key 1 (CDS 1).
* The zone has a second [Well Formed CDS Record], matching key 2, but the key
has not signed the CDS RRset.
### CDS-NOT-SIGNED-BY-CDS
* Zone: "cds-not-signed-by-cds.dnssec16.xa."
* The zone has two [Well Formed DNSKEY Record] (key 1 and 2).
* The zone has one [Well Formed CDS Record] that matches key 1.
* The zone has a second [Well Formed CDS Record] that matches key 2, but its
DNSKEY has not signed the CDS RRset.
### CDS-SIGNED-BY-UNKNOWN-DNSKEY
* Zone: "cds-signed-by-unknown-dnskey.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1.
* The CDS RRset has an additional RRSIG that matches no DNSKEY by key tag.
### CDS-UNSIGNED
* Zone: "cds-unsigned.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1, but the CDS
RRset is not signed.
### CDS-WITHOUT-DNSKEY
* Zone: "cds-without-dnskey.dnssec16.xa."
* The zone has no DNSKEY.
* The zone has one [Well Formed CDS Record] that matches no DNSKEY.
### DELETE-CDS
* Zone: "delete-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record].
* The zone has one CDS RR that is a Delete CDS.
### DNSKEY-NOT-SIGNED-BY-CDS
* Zone: "dnskey-not-signed-by-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1), but the key has not
signed the DNSKEY RRset.
* The zone has one [Well Formed CDS Record], and it matches key 1.
### MIXED-DELETE-CDS
* Zone: "mixed-delete-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1.
* The zone has a second CDS RR that is a Delete CDS.
### NO-CDS
* Zone: "no-cds.dnssec16.xa."
* The name servers give no CDS RRset on CDS query (NODATA).
### NOT-AA
* Zone: "not-aa.dnssec16.xa."
* The name servers give non-AA response on CDS queries.
### VALID-CDS
* Zone: "valid-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1.
## Terminology
* "Well Formed DNSKEY Record" - The term is used, in this document, for a DNSKEY
record that meets the following requirements:
* It is a DNSKEY record in apex.
* It uses algorithm 10 (RSA/SHA-512) with a 2048-bit key length, see
[DNSSEC05] and [DNSSEC14].
* Flag bit 7 (zone key) and bit 15 (SEP) are set.
* The DNSKEY RRset has been signed by the key and the RRSIG is valid.
* "Well Formed CDS Record" - The term is used, in this document, for a CDS record
that meets the following requirements:
* It is a CDS record in apex.
* It uses hash digest 2 (SHA-256), see [DNSSEC01].
* Its digest is a digest of a [Well Formed DNSKEY Record].
* The CDS RRset has been signed by the its DNSKEY and the RRSIG is valid.
[DNSSEC01]: ../../tests/DNSSEC-TP/dnssec01.md
[DNSSEC05]: ../../tests/DNSSEC-TP/dnssec05.md
[DNSSEC14]: ../../tests/DNSSEC-TP/dnssec14.md
[DNSSEC16]: ../../tests/DNSSEC-TP/dnssec16.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Well Formed CDS Record]: #terminology
[Well Formed DNSKEY Record]: #terminology
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios
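Review bot: The scenario name in the message-tag table is spelled "CDS-NOT-SIGNED_BY_CDS" (with underscores), while its section heading is "CDS-NOT-SIGNED-BY-CDS" and its zone is "cds-not-signed-by-cds.dnssec16.xa."; since "Test zone names" says the subdomain has the same name as the scenario, the table row should use hyphens. Two setups also conflict with the Terminology section as written: CDS-MATCHES-NO-DNSKEY and CDS-WITHOUT-DNSKEY describe a CDS that matches no key as a [Well Formed CDS Record], yet that term requires the digest to be of a Well Formed DNSKEY Record and the CDS RRset to be signed by its DNSKEY. Either relax the definition or spell out the exception the way CDS-UNSIGNED does with "but the CDS RRset is not signed". Please also confirm the CDS-MATCHES-NON-ZONE-DNSKEY row against the test case: the setup says key 2 "has not signed the CDS RRset", the same condition CDS-NOT-SIGNED-BY-CDS uses, but DS16_CDS_NOT_SIGNED_BY_CDS is listed as forbidden for it. Minor: "signed by the its DNSKEY" in the last Terminology bullet and "two [Well Formed DNSKEY Record]" in CDS-NOT-SIGNED-BY-CDS.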