CloudHost/zonemaster.es
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add full Zonemaster stack with Docker and Spanish UI

Browse Source 
- Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI)
- Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend
- Dockerfile.gui: Astro static build served via nginx
- docker-compose.yml: backend (internal) + frontend (port 5353)
- nginx.conf: root redirects to /es/, /api/ proxied to backend
- zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Malin
2026-04-21 08:19:24 +02:00
commit 8d4eaa1489
1567 changed files with 204155 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
zonemaster/docs/public/specifications/tests/Nameserver-TP/README.md Normal file
View File

@@ -0,0 +1,30 @@
# Name Server Test Plan
These are tests of the properties of a name server.
This document uses the terminology defined in the [Master Test Plan].
[Master Test Plan]: ../MasterTestPlan.md
[Test Case README]: ../README.md
<!-- Content until EOF generated by script updateTestPlanReadme.pl from Zonemaster/Zonemaster utils directory -->
## Test cases list
|Test Case |Test Case Description|
|:---------|:--------------------|
|[NAMESERVER01](nameserver01.md)|A name server should not be a recursor|
|[NAMESERVER02](nameserver02.md)|Test of EDNS0 support|
|[NAMESERVER03](nameserver03.md)|Test availability of zone transfer (AXFR)|
|[NAMESERVER04](nameserver04.md)|Same source address|
|[NAMESERVER05](nameserver05.md)|Behaviour against AAAA query|
|[NAMESERVER06](nameserver06.md)|NS can be resolved|
|[NAMESERVER07](nameserver07.md)|To check whether authoritative name servers return an upward referral|
|[NAMESERVER08](nameserver08.md)|Testing QNAME case insensitivity |
|[NAMESERVER09](nameserver09.md)|Testing QNAME case sensitivity|
|[NAMESERVER10](nameserver10.md)|Test for undefined EDNS version|
|[NAMESERVER11](nameserver11.md)|Test for unknown EDNS OPTION-CODE|
|[NAMESERVER12](nameserver12.md)|Test for unknown EDNS flags|
|[NAMESERVER13](nameserver13.md)|Test for truncated response on EDNS query|
|[NAMESERVER15](nameserver15.md)|Checking for revealed software version|

99
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver01.md Normal file
View File

@@ -0,0 +1,99 @@
# NAMESERVER01: A name server should not be a recursor
## Test case identifier
**NAMESERVER01**
## Objective
To ensure consistency in DNS, an authoritative name server should not be
configured to do recursive lookups. Also, open recursive resolvers are
considered bad internet practice due to their capability of assisting in
large scale DDoS attacks. The introduction to [RFC 5358] elaborates on
mixing recursor and authoritative functionality, and the issue is further
elaborated by [D.J. Bernstein].
Section 2.5 of [RFC 2870] have very specific requirement on disabling
recursion functionality on root name servers.
## Scope
It is assumed that *Child Zone* is also tested by [Connectivity01]. This test
case will set DEBUG level on messages for non-responsive name servers.
## Inputs
* The domain name to be tested ("Child Zone").
## Ordered description of steps to be taken to execute the test case
1. Create A queries for the following domain names:
1. xn--nameservertest.iis.se
2. xn--nameservertest.icann.org
3. xn--nameservertest.ripe.net
2. Retrieve all name server IPs for the *Child Zone* using
[Method4] and [Method5].
3. Repeat the following steps for each name server IP.
1. Send the three A queries over UDP.
2. For each query do the following steps:
1. If the name server does not respond with a DNS
response, then emit *[NO_RESPONSE]*.
2. If the DNS response comes with the RA flag set, then
emit *[IS_A_RECURSOR]*.
3. If the RCODE is NXDOMAIN in the responses for all three
queries then emit *[IS_A_RECURSOR]*.
4. If neither *[NO_RESPONSE]* nor *[IS_A_RECURSOR]* has been emitted
for that server, then emit *[NO_RECURSOR]*.
## Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message
with the severity level *ERROR* or *CRITICAL*.
The outcome of this Test Case is "warning" if there is at least one message
with the severity level *WARNING*, but no message with severity level
*ERROR* or *CRITICAL*.
In other cases the outcome of this Test Case is "pass".
Message | Default severity level (if message is emitted)
:-----------------------------|:-----------------------------------
NO_RESPONSE | DEBUG
IS_A_RECURSOR | ERROR
NO_RECURSOR | INFO
## Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the
result of any test using this transport protocol. Log a message reporting
on the ignored result.
The domain names used in the queries are selected to be almost certainly
nonexistent name since the names are chosen to violate the
[IDNA 2008 specification] under SLDs (second-level domains) expected to
respect that specification. The SLDs are selected so that the chance that
they are all hosted on the same servers is low.
## Intercase dependencies
None.
## Terminology
Valid domain names according to the "IDNA 2008 specification" is found in
[RFC 5890], section 2.3.1, page 7.
[Connectivity01]: ../Connectivity-TP/connectivity01.md
[D.J. Bernstein]: https://cr.yp.to/djbdns/separation.html
[IDNA 2008 specification]: #terminology
[IS_A_RECURSOR]: #outcomes
[Method4]: ../Methods.md#method-4-obtain-glue-address-records-from-parent
[Method5]: ../Methods.md#method-5-obtain-the-name-server-address-records-from-child
[NO_RECURSOR]: #outcomes
[NO_RESPONSE]: #outcomes
[RFC 2870]: https://datatracker.ietf.org/doc/html/rfc2870
[RFC 5358]: https://datatracker.ietf.org/doc/html/rfc5358
[RFC 5890]: https://datatracker.ietf.org/doc/html/rfc5890

128
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver02.md Normal file
View File

@@ -0,0 +1,128 @@
# NAMESERVER02: Test of EDNS0 support
## Test case identifier
**NAMESERVER02**
## Objective
EDNS(0) is a mechanism to announce capabilities of a DNS implementation,
and is now basically required by any new functionality in DNS such as
DNSSEC. EDNS(0) is standardized in [RFC 6891].
This test case checks that all name servers has the capability to do
EDNS(0) or if not, correctly replies to queries containing EDNS
(OPT record).
Servers not supporting EDNS(0) must return FORMERR
([RFC 6891, section 7]):
> Responders that choose not to implement the protocol extensions
> defined in this document MUST respond with a return code (RCODE) of
> FORMERR to messages containing an OPT record in the additional
> section and MUST NOT include an OPT record in the response.
Servers supporting EDNS(0) must reply with EDNS(0)
([RFC 6891, section 6.1.1]):
> If an OPT record is present in a received request, compliant
> responders MUST include an OPT record in their respective responses.
To eliminating the risk of falsely classifying the server as not supporting
EDNS due e.g. firewall issues, the UDP buffer size is set to 512 bytes
(octets).
## Scope
It is assumed that *Child Zone* is also tested by [Connectivity01]. This test
case will set DEBUG level on messages for non-responsive name servers.
## Inputs
* "Child Zone" - The domain name to be tested.
## Ordered description of steps to be taken to execute the test case
1. Created an SOA query for the *Child Zone* with an OPT record with
EDNS version set to "0" and with EDNS(0) option of payload size ("bufsize")
set to 512 and "DO" bit unset.
2. Create a second SOA query for the *Child Zone* without any OPT record.
3. Obtain the set of name server IP addresses using [Method4] and [Method5]
("Name Server IP").
4. For each name server in *Name Server IP* do:
1. Send the SOA query **with** OPT record to the name server and collect
the response.
2. If there is no DNS response, then:
1. Send the SOA query **without** OPT record to the name server and
collect the response.
2. If there is no DNS response, then output *[NO_RESPONSE]* and
go to next server.
3. Else (there is a DNS response), then output
*[BREAKS_ON_EDNS]* and go to next server.
3. Else, if the DNS response meet the following two criteria,
then output *[NO_EDNS_SUPPORT]*:
1. It has the RCODE "FORMERR"
2. It has no OPT record.
4. Else, if the DNS response meet the following criteria (compliant
server), then go to the next name server:
1. It has the RCODE "NOERROR".
2. The answer section contains the SOA record for *Child Zone*.
3. It has OPT record with EDNS version 0.
5. Else, if the DNS response meet the following criteria,
then output *[EDNS_RESPONSE_WITHOUT_EDNS]* and go to next server.
1. It has the RCODE "NOERROR".
2. It has no OPT record.
6. Else, if the DNS response meet the following criteria,
then output *[EDNS_VERSION_ERROR]* and go to next server.
1. It has the RCODE "NOERROR".
2. It has OPT record with EDNS version other than 0.
7. Else output *[NS_ERROR]* (i.e. other erroneous or unexpected
response).
## Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message
with the severity level *ERROR* or *CRITICAL*.
The outcome of this Test Case is "warning" if there is at least one message
with the severity level *WARNING*, but no message with severity level
*ERROR* or *CRITICAL*.
The outcome of this Test case is "pass" in all other cases.
Message | Default severity level (when message is outputted)
:---------------------------------|:-----------------------------------
NO_RESPONSE | DEBUG
NO_EDNS_SUPPORT | WARNING
BREAKS_ON_EDNS | ERROR
EDNS_RESPONSE_WITHOUT_EDNS | ERROR
EDNS_VERSION_ERROR | ERROR
NS_ERROR | WARNING
## Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the
result of any test using this transport protocol and log a message reporting
the ignored result.
## Intercase dependencies
None
[Connectivity01]: ../Connectivity-TP/connectivity01.md
[BREAKS_ON_EDNS]: #outcomes
[EDNS_RESPONSE_WITHOUT_EDNS]: #outcomes
[EDNS_VERSION_ERROR]: #outcomes
[Method4]: ../Methods.md#method-4-obtain-glue-address-records-from-parent
[Method5]: ../Methods.md#method-5-obtain-the-name-server-address-records-from-child
[NO_EDNS_SUPPORT]: #outcomes
[NO_RESPONSE]: #outcomes
[NS_ERROR]: #outcomes
[RFC 6891, section 6.1.1]: https://datatracker.ietf.org/doc/html/rfc6891#section-6.1.1
[RFC 6891, section 7]: https://datatracker.ietf.org/doc/html/rfc6891#section-7
[RFC 6891]: https://datatracker.ietf.org/doc/html/rfc6891

39
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver03.md Normal file
View File

@@ -0,0 +1,39 @@
## NAMESERVER03: Test availability of zone transfer (AXFR)
### Test case identifier
**NAMESERVER03** Test availability of zone transfer (AXFR)
### Objective
AXFR is a mechanism to transfer the whole content of a zone from a name
server. Some people prefer to not disclose the whole content of a zone
for various reasons, and thus wants the public name server infrastructure
not do disclose the whole zone content to the public. This test case
checks the availability of the AXFR mechanism.
AXFR is defined in its latest revision in
[RFC 5936](https://datatracker.ietf.org/doc/html/rfc5936).
### Inputs
The domain name to be tested.
### Ordered description of steps to be taken to execute the test case
1. Retrieve all address records for all the name servers using [Method
4](../Methods.md) and [Method 5](../Methods.md).
2. Send an AXFR query to each name server IP address found in step 1.
3. If any answer to the AXFR query is starting with the SOA record
for the domain, this test case fails.
### Outcome(s)
If any name server for the domain allows a zone transfer using AXFR,
this test case fails.
### Special procedural requirements
None.
### Intercase dependencies
None.

38
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver04.md Normal file
View File

@@ -0,0 +1,38 @@
## NAMESERVER04: Same source address
### Test case identifier
**NAMESERVER04** Same source address
### Objective
Responses from the authoritative name servers must contain same source IP
address as the destination IP address of the initial query. This has been
clarified in section 4 of
[RFC 2181](https://datatracker.ietf.org/doc/html/rfc2181#section-4).
### Inputs
The domain name to be tested.
### Ordered description of steps to be taken to execute the test case
1. Retrieve all address records for all the name servers using [Method
4](../Methods.md) and [Method 5](../Methods.md).
2. A SOA query for the domain name sent to the each name server IP address
found in step 1.
3. Any answer received from the SOA query must come from the same source IP address
as the query was sent to. If there is a mismatch, this test case fails.
### Outcome(s)
If any response comes from another IP address than the query was sent to,
this test case fails.
### Special procedural requirements
If there are many authoritative DNS nodes behind the IP address the query
is sent to, there could be multiple answers with possibly different source
addresses for the query. This special case is currently ignored.
### Intercase dependencies
None.

103
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver05.md Normal file
View File

@@ -0,0 +1,103 @@
# NAMESERVER05: Behaviour against AAAA query
## Test case identifier
**NAMESERVER05**
## Objective
Older implementations of authoritative name servers have shown different
misbehaviours trying to answer queries for AAAA records, as described in
[RFC 4074]. This test case is intended to find out if the name server
authoritative for the domain shows any of these behaviours.
## Scope
It is assumed that *Child Zone* is also tested by [Connectivity01]. This test
case will set DEBUG level on messages for non-responsive name servers.
## Inputs
* "Child Zone" - The domain name to be tested.
## Ordered description of steps to be taken to execute the test case
1. Create an A query for the apex of the *Child Zone*.
2. Create a AAAA query for the apex of the *Child Zone*.
3. Create an empty set "AAAA OK".
4. Retrieve all name server IP addresses for the
*Child Zone* using [Method4] and [Method5] ("NS IP").
5. For each name server IP address in *NS IP* do:
1. Send the A query over UDP to the name server IP.
2. If no DNS response is returned, then output *[NO_RESPONSE]*.
3. Else, if DNS response does not have RCODE NOERROR, then output
*[A_UNEXPECTED_RCODE]*.
4. Else, do:
1. Send the AAAA query over UDP to the name server IP.
2. If no DNS response is returned, then output *[AAAA_QUERY_DROPPED]*.
3. Else, if the RCODE of the response is not NOERROR, then output
*[AAAA_UNEXPECTED_RCODE]*.
4. Else, if the answer section contains an AAAA record with incorrect
RDATA length (e.g. 4 instead of 16 octets), then output
*[AAAA_BAD_RDATA]*.
5. Else, add the name server IP to *AAAA OK*.
6. If *AAAA OK* is non-empty and no messages *[AAAA_QUERY_DROPPED]*,
*[AAAA_UNEXPECTED_RCODE]* or *[AAAA_BAD_RDATA]* have been outputted for any
name server IP, then output *[AAAA_WELL_PROCESSED]*.
## Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message
with the severity level *ERROR* or *CRITICAL*.
The outcome of this Test Case is "warning" if there is at least one message
with the severity level *WARNING*, but no message with severity level
*ERROR* or *CRITICAL*.
In other cases the outcome of this Test Case is "pass".
Message | Default severity level
:-----------------------------|:-----------------------------------
AAAA_BAD_RDATA | ERROR
AAAA_QUERY_DROPPED | ERROR
AAAA_UNEXPECTED_RCODE | ERROR
AAAA_WELL_PROCESSED | INFO
A_UNEXPECTED_RCODE | WARNING
NO_RESPONSE | DEBUG
## Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the
result of any test using this transport protocol. Log a message reporting
on the ignored result.
## Intercase dependencies
None.
[AAAA_BAD_RDATA]: #outcomes
[AAAA_QUERY_DROPPED]: #outcomes
[AAAA_UNEXPECTED_RCODE]: #outcomes
[AAAA_WELL_PROCESSED]: #outcomes
[A_UNEXPECTED_RCODE]: #outcomes
[Connectivity01]: ../Connectivity-TP/connectivity01.md
[Method4]: ../Methods.md#method-4-obtain-glue-address-records-from-parent
[Method5]: ../Methods.md#method-5-obtain-the-name-server-address-records-from-child
[NO_RESPONSE]: #outcomes
[RFC 4074]: https://datatracker.ietf.org/doc/html/rfc4074

47
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver06.md Normal file
View File

@@ -0,0 +1,47 @@
## NAMESERVER06: NS can be resolved
### Test case identifier
**NAMESERVER06** NS can be resolved
### Objective
All name servers names listed for a delegation must be resolvable in DNS.
If they are not resolvable using DNS this is a sign of misconfiguration,
and raises the risk of unreachability for the domain. It could also lower
the performance for any resolver trying to resolve the name.
The objective of this test is to resolve the domain using all the listed
name servers used in the delegation. More information about resolver
behavior is in section 7 of [RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035).
### Inputs
The domain name to be tested.
### Ordered description of steps to be taken to execute the test case
1. Obtain the list of name servers for the domain using [Method 2](
../Methods.md#method-2-obtain-glue-name-records-from-parent) and [Method 3](
../Methods.md#method-3-obtain-name-servers-from-child).
2. Use [Method 4](
../Methods.md#method-4-obtain-glue-address-records-from-parent) and
[Method 5](
../Methods.md#method-5-obtain-the-name-server-address-records-from-child)
to resolve all the name server names obtained in step 1.
3. If any name does not resolve to either an A RR or AAAA RR, this test
case fails.
### Outcome(s)
If any of the name server names fails to resolve to an IP address, this
test case fails.
### Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of
the result of any test using this transport protocol. Log a message
reporting on the ignored result.
### Intercase dependencies
None.

34
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver07.md Normal file
View File

@@ -0,0 +1,34 @@
## NAMESERVER07: To check whether authoritative name servers return an upward referral
### Test case identifier
NAMESERVER07 To check whether authoritative name servers return an upward
referral
### Objective
The configuration and/or implementation of some authoritative name servers
causes them to return an upward referral to the root zone. There are proofs that
such a [behaviour could be used for DDoS attacks](
https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful)
### Inputs
The domain name to be tested.
### Ordered description of steps to be taken to execute the test case
1. If the input domain to be tested is the root, exit from the test.
2. Retrieve all address records for all the name servers using [Method
4](../Methods.md) and [Method 5](../Methods.md).
3. An NS query is sent to each name server IP address found in step 2,
with the root “.” as the destination
4. If any of the query returns with one or more responses in the
authority section, then this test case fails.
### Outcome(s)
The test case is Ok only if there are no responses in the authority section
### Special procedural requirements
None.
### Intercase dependencies
None.

44
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver08.md Normal file
View File

@@ -0,0 +1,44 @@
## NAMESERVER08: Testing QNAME case insensitivity
### Test case identifier
NAMESERVER08 Verify whether the authoritative nameserver response match the
case of every letter in the query name
### Objective
The DNS standards require that nameservers treat names with case insensitivity.
That is, the names example.com and EXAMPLE.COM should resolve to the same IP
address. However, in the response, most nameservers echo back the name as it
appeared in the request, preserving the original case.
Therefore, another way to add entropy to requests is to randomly vary the case
of letters in domain names queried. This technique, also known as "0x20" because
bit 0x20 is used to set the case of of US-ASCII letters, was first proposed in
the [IETF internet draft](https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00) Use of Bit 0x20 in DNS Labels to Improve Transaction
Identity. With this technique, the nameserver response must match not only the
query name, but the case of every letter in the name string; for example,
wWw.eXaMpLe.CoM or WwW.ExamPLe.COm. This may add little or no entropy to queries
for the top-level and root domains, but it's effective for most hostnames.
### Inputs
The domain name to be tested.
### Ordered description of steps to be taken to execute the test case
1. Retrieve all address records for all the name servers using [Method
4](../Methods.md) and [Method 5](../Methods.md).
2. A random query with mixed case (e.G Www.iETf.Org) is sent to each unique name
server IP address found in step 1.
3. Remember the case of the QNAME in the query sent.
4. Compare the QNAME in the question section of the response with the string in step3.
5. If the string in step3 and step4 are not equal with respect to case in
sensitivity, the test fails.
### Outcome(s)
The test case is Ok only if there are no responses in the authority section
### Special procedural requirements
None.
### Intercase dependencies
None.

39
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver09.md Normal file
View File

@@ -0,0 +1,39 @@
## NAMESERVER09: Testing QNAME case sensitivity
### Test case identifier
NAMESERVER09 Verify whether the authoritative nameserver returns same results
for equivalent names with different cases in the request.
### Objective
There has been cases where the nameservers respond with complete
case-sensitivity (in violation of the DNS standards): that is, they match the
exact case of the name in the response; but return different results for
equivalent names with different cases in the request (typically NXDOMAIN).
### Inputs
The domain name to be tested.
### Ordered description of steps to be taken to execute the test case
1. Retrieve all address records for all the name servers using [Method
4](../Methods.md) and [Method 5](../Methods.md).
2. Send a query with the input string in a mixed case (e.g. wWW.iETF.oRG) to
each of the name server IP address found in step 1.
3. If the "answer" flag is greater than 0, remember the "answer" section, else
remember the status flag.
4. Send another query with an alternative mixed case (e.g. Www.Ietf.Org) to each
of the name server found in step 1.
5. If the "answer" flag is greater than 0, remember the "answer" section, else
remember the status flag.
6. Compare the results remembered in step3 and step5.
7. If the results in step 6 are not equal, the test case fails.
### Outcome(s)
The test case passes only if the results of all queries are exactly the same.
### Special procedural requirements
None.
### Intercase dependencies
None.

164
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver10.md Normal file
View File

@@ -0,0 +1,164 @@
# NAMESERVER10: Test for undefined EDNS version
## Test case identifier
**NAMESERVER10**
## Table of contents
* [Objective](#objective)
* [Scope](#scope)
* [Inputs](#inputs)
* [Summary](#summary)
* [Test procedure](#test-procedure)
* [Outcome(s)](#outcomes)
* [Special procedural requirements](#special-procedural-requirements)
* [Intercase dependencies](#intercase-dependencies)
* [Terminology](#terminology)
## Objective
EDNS ([RFC 6891]) is a mechanism to announce capabilities of a DNS
implementation, and is required by new functionality in DNS such as DNSSEC
([RFC 4033][RFC 4033#section-3], section 3).
[RFC 6891][RFC 6891#section-6.1.3], section 6.1.3, states that if a nameserver
has implemented EDNS but has not implemented the version level of the request,
then it MUST respond with RCODE "BADVERS". Only version "0" has been defined for
EDNS.
Note that RCODE "BADVERS" is an extended RCODE which is calculated from the
combination of the normal RCODE field in the DNS package header
([RFC 1035][RFC 1035#section-4.1.1], section 4.1.1) and the OPT record
EXTENDED-RCODE field ([RFC 6891][RFC 6891#section-6.1.3], section 6.1.3). Also
see [IANA RCODE Registry].
## Scope
Issues covered by [Connectivity01] (basic name server issues) or [Nameserver02] (basic
EDNS issues) will not result in messages from this test case.
## Inputs
* "Child Zone" - The domain name to be tested.
## Summary
* Only relevant for a zone whose name servers correctly support EDNS, version 0.
Message Tag outputted | Level | Arguments | Description of when message tag is outputted
:-----------------------------|:--------|:------------------|:--------------------------------------------
N10_NO_RESPONSE_EDNS1_QUERY | WARNING | ns_ip_list | Response when EDNS ver=0, but not when 1.
N10_UNEXPECTED_RCODE | WARNING | ns_ip_list, rcode | Unexpected RCODE value when EDNS ver=1.
N10_EDNS_RESPONSE_ERROR | WARNING | ns_ip_list | Expected RCODE value when EDNS ver=1, but error in response.
The value in the Level column is the default severity level of the message. The
severity level can be changed in the [Zonemaster-Engine profile]. Also see the
[Severity Level Definitions] document.
The argument names in the Arguments column lists the arguments used in the
message. The argument names are defined in the [argument list].
## Test procedure
1. Create the following empty sets:
1. Name server IP ("No Response EDNS1 Query").
2. Name server IP and associated RCODE ("Unexpected RCODE").
3. Name server IP ("EDNS Response Error").
2. Create an SOA query for the *Child Zone* with an OPT record with EDNS version
set to "0" and with EDNS option of payload size ("bufsize") set to 512 and
other EDNS options and flags unset ("Query One").
3. Create an SOA query for the *Child Zone* with an OPT record with EDNS version
set to "1" and with EDNS option of payload size ("bufsize") set to 512 and
other EDNS options and flags unset ("Query Two").
4. Obtain the set of name server IP addresses using [Method4] and [Method5]
("Name Server IP").
5. For each name server in *Name Server IP* do:
1. Send *Query One* over UDP to the name server, collect the response and do:
1. If there is no DNS response then go to next name server.
2. Else, if the RCODE value is not "NOERROR" then go to next name server.
2. Send *Query Two* over UDP to the name server, collect the response and do:
1. If there is no DNS response, then add the name server IP to the
*No Response EDNS1 Query* set.
2. Else, if the DNS response does not have RCODE with value "BADVERS", then
add the name server IP and RCODE value to the *Unexpected RCODE* set.
3. Else, if the DNS response meet all the following three criteria, then
just go to the next name server (correct response):
1. It has the RCODE "BADVERS".
2. It has EDNS version 0.
3. The answer section is empty.
4. Else add the name server IP to the *EDNS Response Error* set.
6. If the *No Response EDNS1 Query* set is non-empty, then output
*[N10_NO_RESPONSE_EDNS1_QUERY]* with the name server IP addresses from the
set.
7. If the *Unexpected RCODE* set is non-empty, then for each RCODE value in the
set do:
* Output *[N10_UNEXPECTED_RCODE]* with the RCODE value and the name server
IP addresses for that RCODE value.
8. If the *EDNS Response Error* set is non-empty, then output
*[N10_EDNS_RESPONSE_ERROR]* with the name server IP addresses from the set.
## Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message
with the severity level *[ERROR]* or *[CRITICAL]*.
The outcome of this Test Case is "warning" if there is at least one message
with the severity level *[WARNING]*, but no message with severity level
*ERROR* or *CRITICAL*.
In other cases, no message or only messages with severity level
*[INFO]* or *[NOTICE]*, the outcome of this Test Case is "pass".
## Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the
result of any test using this transport protocol and log a message reporting
the ignored result.
## Intercase dependencies
None
## Terminology
No special terminology for this test case.
[Argument list]: ../ArgumentsForTestCaseMessages.md
[Connectivity01]: ../Connectivity-TP/connectivity01.md
[CRITICAL]: ../SeverityLevelDefinitions.md#critical
[ERROR]: ../SeverityLevelDefinitions.md#error
[IANA RCODE Registry]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[INFO]: ../SeverityLevelDefinitions.md#info
[Method4]: ../Methods.md#method-4-obtain-glue-address-records-from-parent
[Method5]: ../Methods.md#method-5-obtain-the-name-server-address-records-from-child
[N10_EDNS_RESPONSE_ERROR]: #summary
[N10_NO_RESPONSE_EDNS1_QUERY]: #summary
[N10_UNEXPECTED_RCODE]: #summary
[NOTICE]: ../SeverityLevelDefinitions.md#notice
[Nameserver02]: ../Nameserver-TP/nameserver02.md
[RFC 1035#section-4.1.1]: https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.1
[RFC 4033#section-3]: https://datatracker.ietf.org/doc/html/rfc4033#section-3
[RFC 6891#section-6.1.3]: https://datatracker.ietf.org/doc/html/rfc6891#section-6.1.3
[RFC 6891]: https://datatracker.ietf.org/doc/html/rfc6891
[Severity Level Definitions]: ../SeverityLevelDefinitions.md
[WARNING]: ../SeverityLevelDefinitions.md#warning
[Zonemaster-Engine profile]: ../../../configuration/profiles.md

195
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver11.md Normal file
View File

@@ -0,0 +1,195 @@
# NAMESERVER11: Test for unknown EDNS OPTION-CODE
## Test case identifier
**NAMESERVER11**
## Table of contents
* [Objective](#objective)
* [Scope](#scope)
* [Inputs](#inputs)
* [Summary](#summary)
* [Test procedure](#test-procedure)
* [Outcome(s)](#outcomes)
* [Special procedural requirements](#special-procedural-requirements)
* [Intercase dependencies](#intercase-dependencies)
* [Terminology](#terminology)
## Objective
EDNS is a mechanism to announce capabilities of a DNS implementation,
and is now basically required by any new functionality in DNS such as
DNSSEC ([RFC 6891]).
[RFC 6891][RFC 6891, section 6.1.2], section 6.1.2, states that any OPTION-CODE values
not understood by a responder or requestor MUST be ignored. Unknown OPTION-CODE values
must be processed as though the OPTION-CODE was not even there.
In this test case, we will query with an unknown EDNS OPTION-CODE and expect
that the OPTION-CODE is not present in the response for the query.
## Scope
It is assumed that *Child Zone* is also tested and reported by [Connectivity01]. This
test case will just ignore non-responsive name servers or name servers not
giving a correct DNS response for an authoritative name server.
It is assumed that *Child Zone* has been tested and reported by [Nameserver02].
Running this test case without running [Nameserver02] can give an incomplete
report status of *Child Zone*.
## Inputs
"Child Zone" - The domain name to be tested.
## Summary
Message Tag | Level | Arguments | Message ID for message tag
:---------------------------------|:--------|-------------------|---------------------------------------------
N11_NO_EDNS | WARNING | ns_ip_list | The DNS response, on query with unknown EDNS option-code, does not contain any EDNS from name servers "{ns_ip_list}".
N11_NO_RESPONSE | WARNING | ns_ip_list | There is no response on query with unknown EDNS option-code from name servers "{ns_ip_list}".
N11_RETURNS_UNKNOWN_OPTION_CODE | WARNING | ns_ip_list | The DNS response, on query with unknown EDNS option-code, contains an unknown EDNS option-code from name servers "{ns_ip_list}".
N11_UNEXPECTED_ANSWER_SECTION | WARNING | ns_ip_list | The DNS response, on query with unknown EDNS option-code, does not contain the expected SOA record in the answer section from name servers "{ns_ip_list}".
N11_UNEXPECTED_RCODE | WARNING | ns_ip_list, rcode | The DNS response, on query with unknown EDNS option-code, has unexpected RCODE name "{rcode}" from name servers "{ns_ip_list}".
N11_UNSET_AA | WARNING | ns_ip_list | The DNS response, on query with unknown EDNS option-code, is unexpectedly not authoritative from name servers "{ns_ip_list}".
The value in the Level column is the default severity level of the message. The
severity level can be changed in the [Zonemaster-Engine profile]. Also see the
[Severity Level Definitions] document.
The argument names in the Arguments column lists the arguments used in the
message. The argument names are defined in the [argument list].
## Test procedure
In this section and unless otherwise specified below, the term "[EDNS Query]"
follows the specification for DNS queries as specified in [DNS Query and Response Defaults].
The handling of the DNS responses on the DNS queries follow, unless otherwise specified below,
what is specified for [EDNS Response] in the same specification.
1. Create the following empty sets:
1. Name server IP address ("No Response on Unknown Option Code")
2. Name server IP address and [RCODE Name] ("Unexpected RCODE on Unknown Option Code")
3. Name server IP address ("No EDNS on Unknown Option Code")
4. Name server IP address ("Unexpected Answer Section on Unknown Option Code")
5. Name server IP address ("Unset AA on Unknown Option Code")
6. Name server IP address ("Returns Unknown Option Code")
2. Create a [EDNS Query] with query type SOA, *Child Zone* as query name and with
no EDNS options or flags ("SOA Query").
3. Create a [EDNS Query] with query type SOA, *Child Zone* as query name and with
EDNS OPTION-CODE set to anything other than what is already assigned in
the [IANA-DNSSYSTEM-PARAMETERS] and no other EDNS options or flags
("SOA Query with EDNS Option").
4. Obtain the set of name server IP addresses using [Method4] and [Method5]
("Name Server IP").
5. For each name server in *Name Server IP* do:
1. Send *SOA Query* to the name server and collect the response.
2. Go to next name server if at least one of the following criteria is met:
1. There is no DNS response from the server.
2. EDNS is unset in the response.
3. The [RCODE Name] in the response is not "NoError".
4. The AA flag is unset in the response.
5. The answer section has no SOA record with *Child Zone* as owner name.
3. Send *SOA Query with EDNS Option* to the name server and collect the
response.
1. If there is no DNS response from the server then add the name server to
the *No Response on Unknown Option Code* set.
2. Else, if the [RCODE Name] in the response is not "NoError" then add the
name server and [RCODE Name] to the
*Unexpected RCODE on Unknown Option Code* set.
server.
3. Else, if EDNS is unset in the response then add the name server to
the *No EDNS on Unknown Option Code* set.
4. Else, if the answer section has no SOA record with *Child Zone* as owner
name then add the name server to the
*Unexpected Answer Section on Unknown Option Code* set.
5. Else, if the AA flag is unset in the response then add the name server
to the *Unset AA on Unknown Option Code* set.
6. Else, if the "OPTION-CODE" from the query is present in the response,
then add name server to the *Returns Unknown Option Code* set.
7. Else, no issues were found.
5. If the *No Response on Unknown Option Code* set is non-empty, then output
*[N11_NO_RESPONSE]* with the name servers IP addresses from the set.
6. If the *Unexpected RCODE on Unknown Option Code* set is non-empty, then for
each [RCODE NAME] in the set output *[N11_UNEXPECTED_RCODE]* with the
[RCODE Name] and the name servers IP addresses for that [RCODE NAME] in the
set.
7. If the *No EDNS on Unknown Option Code* set is non-empty, then output
*[N11_NO_EDNS]* with the name servers IP addresses from the set.
8. If the *Unexpected Answer Section on Unknown Option Code* set is non-empty,
then output *[N11_UNEXPECTED_ANSWER_SECTION]* with the name servers IP
addresses from the set.
9. If the *Unset AA on Unknown Option Code* set is non-empty, then output
*[N11_UNSET_AA]* with the name servers IP addresses from the set.
11. If the *Returns Unknown Option Code* set is non-empty, then output
*[N11_RETURNS_UNKNOWN_OPTION_CODE]* with the name servers IP addresses from
the set.
## Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message
with the severity level *[ERROR]* or *[CRITICAL]*.
The outcome of this Test Case is "warning" if there is at least one message
with the severity level *[WARNING]*, but no message with severity level
*ERROR* or *CRITICAL*.
In other cases, no message or only messages with severity level
*[INFO]* or *[NOTICE]*, the outcome of this Test Case is "pass".
## Special procedural requirements
If either IPv4 or IPv6 transport is disabled, skip sending queries over that
transport protocol. A message will be outputted reporting that the transport
protocol has been skipped.
## Intercase dependencies
None.
## Terminology
No special terminology for this test case.
[Argument list]: ../ArgumentsForTestCaseMessages.md
[Connectivity01]: ../Connectivity-TP/connectivity01.md
[CRITICAL]: ../SeverityLevelDefinitions.md#critical
[DNS Query and Response Defaults]: ../DNSQueryAndResponseDefaults.md
[EDNS Query]: ../DNSQueryAndResponseDefaults.md#default-setting-in-edns-query
[EDNS Response]: ../DNSQueryAndResponseDefaults.md#default-handling-of-an-edns-response
[ERROR]: ../SeverityLevelDefinitions.md#error
[IANA-DNSSYSTEM-PARAMETERS]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11
[INFO]: ../SeverityLevelDefinitions.md#info
[Message Tag Specification]: MessageTagSpecification.md
[Method4]: ../Methods.md#method-4-obtain-glue-address-records-from-parent
[Method5]: ../Methods.md#method-5-obtain-the-name-server-address-records-from-child
[Methods]: ../Methods.md
[N11_NO_EDNS]: #summary
[N11_NO_RESPONSE]: #summary
[N11_RETURNS_UNKNOWN_OPTION_CODE]: #summary
[N11_UNEXPECTED_ANSWER_SECTION]: #summary
[N11_UNEXPECTED_RCODE]: #summary
[N11_UNSET_AA]: #summary
[NOTICE]: ../SeverityLevelDefinitions.md#notice
[Nameserver02]: ../Nameserver-TP/nameserver02.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[RFC 6891, section 6.1.2]: https://datatracker.ietf.org/doc/html/rfc6891#section-6.1.2
[RFC 6891]: https://datatracker.ietf.org/doc/html/rfc6891
[Severity Level Definitions]: ../SeverityLevelDefinitions.md
[Test Case Identifier Specification]: TestCaseIdentifierSpecification.md
[WARNING]: ../SeverityLevelDefinitions.md#warning
[Zonemaster-Engine profile]: ../../../configuration/profiles.md

95
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver12.md Normal file
View File

@@ -0,0 +1,95 @@
# NAMESERVER12: Test for unknown EDNS flags
## Test case identifier
**NAMESERVER12**
## Objective
EDNS is a mechanism to announce capabilities of a dns implementation,
and is now basically required by any new functionality in dns such as
DNSSEC ([RFC 6891]).
[RFC 6891][RCF 6891#section-6.1.4], section 6.1.4, states that "Z"
flag bits must be set to zero by senders and ignored by receiver.
[IANA] lists the flags in the [EDNS Header Flags] assignment list.
In this test case, the query will have an unknown EDNS flag set, i.e.
one of the Z flag bits set to "1", and it is expected that all "Z"
bits to be clear in the response (set to "0").
## Scope
It is assumed that *Child Zone* is also tested by [Connectivity01]. This test
case will set DEBUG level on messages for non-responsive name servers.
## Inputs
"Child Zone" - The domain name to be tested.
## Ordered description of steps to be taken to execute the test case
1. Create a SOA query for the *Child Zone* with an OPT record with
one of the EDNS flag "Z" bits set to "1" and no other EDNS options or
flags set.
2. Obtain the set of name server IP addresses using [Method4] and [Method5]
("Name Server IP").
3. For each name server in *Name Server IP* do:
1. Send the SOA query to the name server and collect the response.
2. If there is no DNS response, output *[NO_RESPONSE]* and go to
next server.
3. Else, if the DNS response has the RCODE "FORMERR" then output
*[NO_EDNS_SUPPORT]*.
4. Else, if the pseudo-section has an OPT record with one or more Z
flag bits being set to "1", then output [Z_FLAGS_NOTCLEAR].
5. Else, if the DNS response meet the following four criteria,
then just go to the next name server (no error):
1. The SOA is obtained as response in the ANSWER section.
2. If the DNS response has the RCODE "NOERROR".
3. The pseudo-section response has an OPT record with version set to 0.
4. The "Z" bits are clear in the response
6. Else output *[NS_ERROR]*.
## Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message
with the severity level *ERROR* or *CRITICAL*.
The outcome of this Test Case is "warning" if there is at least one message
with the severity level *WARNING*, but no message with severity level
*ERROR* or *CRITICAL*.
The outcome of this Test case is "pass" in all other cases.
Message | Default severity level
:---------------------------------|:----------------------------
NO_RESPONSE | DEBUG
NO_EDNS_SUPPORT | WARNING
NS_ERROR | WARNING
Z_FLAGS_NOTCLEAR | WARNING
## Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the
result of any test using this transport protocol and log a message reporting
the ignored result.
## Intercase dependencies
None.
[Connectivity01]: ../Connectivity-TP/connectivity01.md
[EDNS Header Flags]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-13
[IANA]: https://www.iana.org/
[Method4]: ../Methods.md#method-4-obtain-glue-address-records-from-parent
[Method5]: ../Methods.md#method-5-obtain-the-name-server-address-records-from-child
[NO_EDNS_SUPPORT]: #outcomes
[NO_RESPONSE]: #outcomes
[NS_ERROR]: #outcomes
[RCF 6891#section-6.1.4]: https://datatracker.ietf.org/doc/html/rfc6891#section-6.1.4
[RFC 6891]: https://datatracker.ietf.org/doc/html/rfc6891
[Z_FLAGS_NOTCLEAR]: #outcomes

95
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver13.md Normal file
View File

@@ -0,0 +1,95 @@
# NAMESERVER13: Test for truncated response on EDNS query
## Test case identifier
**NAMESERVER13**
## Objective
EDNS is a mechanism to announce capabilities of a DNS implementation,
and is now basically required by any new functionality in DNS such as
DNSSEC ([RFC 6891]).
[RFC 6891, section 7] states that an OPT record must be included
in a truncated response, if the query includes an OPT pseudo record.
This Test Case will try to verify that if the response to a query with an OPT
record is truncated, then the response will contain an OPT record.
To trigger a truncated response, the OPT pseudo record 'DO' bit is set and the
buffer size is limited to 512 bytes. If the zone is not signed with DNSSEC, the
response will probably not be truncated anyway.
## Scope
It is assumed that *Child Zone* is also tested by [Connectivity01]. This test
case will set DEBUG level on messages for non-responsive name servers.
## Inputs
"Child Zone" - The domain name to be tested.
## Ordered description of steps to be taken to execute the test case
1. Create a DNSKEY query for the *Child Zone* that is signed with 'DO' bit
set to '1' and setting the buffer size to 512 bytes
2. Obtain the set of name server IP addresses using [Method4] and [Method5]
("Name Server IP").
3. For each name server in *Name Server IP* do:
1. Send the query to the name server and collect the response.
2. If there is no DNS response, output *[NO_RESPONSE]* and go to
next server.
3. Else, if the DNS response has the RCODE "FORMERR" then output
*[NO_EDNS_SUPPORT]* and go to the next server.
4. Else, if the DNS response meet the following criteria output
*[MISSING_OPT_IN_TRUNCATED]*:
1. The DNS response is truncated (the "TC" flag is set).
2. The DNS response has no OPT record.
5. Else, if the DNS response meet the following criteria,
then just go to the next name server (no error):
1. The DNS response has the RCODE "NOERROR".
2. The pseudo-section response has an OPT record with version set to 0.
6. Else output *[NS_ERROR]*.
## Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message
with the severity level *ERROR* or *CRITICAL*.
The outcome of this Test Case is "warning" if there is at least one message
with the severity level *WARNING*, but no message with severity level
*ERROR* or *CRITICAL*.
The outcome of this Test case is "pass" in all other cases.
Message | Default severity level (when message is outputted)
:---------------------------------|:--------------------------------------------------
NO_RESPONSE | DEBUG
NO_EDNS_SUPPORT | WARNING
NS_ERROR | WARNING
MISSING_OPT_IN_TRUNCATED | WARNING
## Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the
result of any test using this transport protocol and log a message reporting
the ignored result.
## Intercase dependencies
None.
[Connectivity01]: ../Connectivity-TP/connectivity01.md
[MISSING_OPT_IN_TRUNCATED]: #outcomes
[Method4]: ../Methods.md#method-4-obtain-glue-address-records-from-parent
[Method5]: ../Methods.md#method-5-obtain-the-name-server-address-records-from-child
[NO_EDNS_SUPPORT]: #outcomes
[NO_RESPONSE]: #outcomes
[NS_ERROR]: #outcomes
[RFC 6891, section 7]: https://datatracker.ietf.org/doc/html/rfc6891#section-7
[RFC 6891]: https://datatracker.ietf.org/doc/html/rfc6891

189
zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver15.md Normal file
View File

@@ -0,0 +1,189 @@
# NAMESERVER15: Checking for revealed software version
## Test case identifier
**NAMESERVER15**
## Table of contents
* [Objective](#objective)
* [Scope](#scope)
* [Inputs](#inputs)
* [Summary](#summary)
* [Test procedure](#test-procedure)
* [Outcome(s)](#outcomes)
* [Special procedural requirements](#special-procedural-requirements)
* [Intercase dependencies](#intercase-dependencies)
* [Terminology](#terminology)
## Objective
This Test Case verifies if a name server responds to TXT queries in the CHAOS
[DNS Class], specifically about its software version as it may sometimes be
desirable not to reveal that information. The CHAOS class identifier is usually
abbreviated as "CH".
A list of DNS classes and references for those are found in the
[IANA DNS Class database][DNS Class].
## Scope
It is assumed that *Child Zone* is also tested and reported by [Connectivity01].
This Test Case will just ignore non-responsive name servers or name servers not
giving a correct DNS response for an authoritative name server.
## Inputs
* "Child Zone" - The domain name to be tested.
## Summary
Message Tag | Level | Arguments | Message ID for message tag
:--------------------------|:--------|:----------------------------|:----------------------------------------------------------------------------------------------------------------------------
N15_ERROR_ON_VERSION_QUERY | NOTICE | ns_list, query_name | The following name server(s) do not respond or respond with SERVFAIL to software version query "{query_name}". Returned from name servers: "{ns_list}"
N15_NO_VERSION_REVEALED | INFO | ns_list | The following name server(s) do not reveal the software version. Returned from name servers: "{ns_list}"
N15_SOFTWARE_VERSION | NOTICE | ns_list, query_name, string | The following name server(s) respond to software version query "{query_name}" with string "{string}". Returned from name servers: "{ns_list}"
N15_WRONG_CLASS | WARNING | ns_list | The following name server(s) do not return CH class record(s) on CH class query. Returned from name servers: "{ns_list}"
The value in the Level column is the default severity level of the message. The
severity level can be changed in the [Zonemaster-Engine Profile]. Also see the
[Severity Level Definitions] document.
The argument names in the Arguments column lists the arguments used in the
message. The argument names are defined in the [Argument List].
The name server names are assumed to be available at the time when the msgid
is created, if the argument name is "ns" or "ns_list" even when in the
"[Test procedure]" below it is only referred to the IP address of the name
servers.
## Test procedure
1. Create the following empty sets:
1. Name server IP, query name and string ("TXT Data")
2. Name server IP and query name ("Error On Version Query")
3. Name server IP ("Sending Version Query")
4. Name server IP ("Wrong Record Class")
2. Create a [DNS Query] with query type SOA and query name *Child Zone*
("SOA Query").
3. Create a [DNS Query] with query type TXT and [query class][DNS Class] CH
("TXT Query").
4. Create the set of query names with values "version.bind"
and "version.server" ("Query Names").
5. Obtain the set of name server IP addresses using [Method4] and
[Method5] ("Name Server IP").
6. For each name server in *Name Server IP* do:
1. Send *SOA Query* to the name server IP.
2. If there is no DNS response, then go to next name server IP.
3. Add the name server IP to the *Sending Version Query* set.
4. For each query name in *Query Names* do:
1. [Send] *TXT Query* with query name to the name server and collect the
response.
2. If there is no DNS response or the response has the [RCODE Name]
ServFail, add name server and query name to the
*Error On Version Query* set and go to next query name.
3. If the [DNS Response] does not have any TXT record in the answer
section with query name as owner name, go to next query name.
4. For each TXT record in the answer section of the [DNS Response] do:
1. If [DNS Class] of the TXT record is not CH, then add name server
to the *Wrong Record Class* set.
2. Extract and [concatenate] the string(s) from the RDATA of the
record.
3. Remove any leading or trailing [SPACE] (U+0020) or
[CHARACTER TABULATION] (horizontal tab, U+0009) characters from the
concatenated string.
4. If the extracted string is non-empty, add name server, query name
and the string to the *TXT Data* set.
7. If the *TXT Data* set is non-empty, then, for each unique string and query
name pair in the set, output *[N15_SOFTWARE_VERSION]* with name server IP
list, query name and string.
8. If the *Error On Version Query* set is non-empty, then for each query name
in the set output *[N15_ERROR_ON_VERSION_QUERY]* with the query name
and the list of name server IP addresses.
9. For each name server IP in the *Sending Version Query* set, remove that name
server IP from the set if the name server IP is also a member of the
*TXT Data* set.
10. If the *Sending Version Query* set is non-empty then output
*[N15_NO_VERSION_REVEALED]* with the list of the name servers in the
*Sending Version Query* set.
11. If the *Wrong Record Class* set is non-empty then output
*[N15_WRONG_CLASS]* with the list of the name servers in the
*Wrong Record Class* set.
## Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message
with the severity level *[ERROR]* or *[CRITICAL]*.
The outcome of this Test Case is "warning" if there is at least one message
with the severity level *[WARNING]*, but no message with severity level
*[ERROR]* or *[CRITICAL]*.
In other cases, no message or only messages with severity level
*[INFO]* or *[NOTICE]*, the outcome of this Test Case is "pass".
## Special procedural requirements
The *Child Zone* must be a valid name meeting
"[Requirements and normalization of domain names in input]".
## Intercase dependencies
None
## Terminology
* "Concatenate" - The term is used to refer to the conversion of a TXT
resource records data to a single contiguous string, as specified in [RFC
7208, section 3.3][RFC7208#3.3].
* "Send" - The term is used when a DNS query is sent to
a specific name server (name server IP address).
[Argument List]: ../ArgumentsForTestCaseMessages.md
[CRITICAL]: ../SeverityLevelDefinitions.md#critical
[CHARACTER TABULATION]: https://codepoints.net/U+0009
[Concatenate]: #terminology
[Connectivity01]: ../Connectivity-TP/connectivity01.md
[DEBUG]: ../SeverityLevelDefinitions.md#notice
[DNS Class]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-2
[DNS Query and Response Defaults]: ../DNSQueryAndResponseDefaults.md
[DNS Query]: ../DNSQueryAndResponseDefaults.md#default-setting-in-dns-query
[DNS Response]: ../DNSQueryAndResponseDefaults.md#default-handling-of-a-dns-response
[ERROR]: ../SeverityLevelDefinitions.md#error
[INFO]: ../SeverityLevelDefinitions.md#info
[Message Tag Specification]: ../../../../internal/templates/specifications/tests/MessageTagSpecification.md
[Method4]: ../Methods.md#method-4-obtain-glue-address-records-from-parent
[Method5]: ../Methods.md#method-5-obtain-the-name-server-address-records-from-child
[Methods]: ../Methods.md
[N15_ERROR_ON_VERSION_QUERY]: #summary
[N15_NO_VERSION_REVEALED]: #summary
[N15_SOFTWARE_VERSION]: #summary
[N15_WRONG_CLASS]: #summary
[NOTICE]: ../SeverityLevelDefinitions.md#notice
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[RFC2929]: https://datatracker.ietf.org/doc/html/rfc2929#section-3.2
[RFC7208#3.3]: https://datatracker.ietf.org/doc/html/rfc7208#section-3.3
[Requirements and normalization of domain names in input]: ../RequirementsAndNormalizationOfDomainNames.md
[SPACE]: https://codepoints.net/U+0020
[Send]: #terminology
[Severity Level Definitions]: ../SeverityLevelDefinitions.md
[Test Case Identifier Specification]: ../../../../internal/templates/specifications/tests/TestCaseIdentifierSpecification.md
[Test procedure]: #test-procedure
[WARNING]: ../SeverityLevelDefinitions.md#warning
[Zonemaster-Engine Profile]: ../../../configuration/profiles.md