- Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI)
- Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend
- Dockerfile.gui: Astro static build served via nginx
- docker-compose.yml: backend (internal) + frontend (port 5353)
- nginx.conf: root redirects to /es/, /api/ proxied to backend
- zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# Test requirements

## Overview
Zonemaster is implemented as a number of test cases. Behind the test cases are requirements on a DNS zone and its name servers. The requirements are derived from the DNS protocol specifications and best practices. Each test case is meant to verify one or a few of the requirements.
## Requirements

The table below lists all requirements behind the Zonemaster test cases. For each requirement there is a link to a reference and a link to the specification of the Zonemaster test case that verifies that requirement. More details are found in the defined specifications.
Note that there is one defined specification that is generic enough not to be considered a test case: Normalization.
This is not a static document. As DNS evolves and new issues are identified, requirements will be added, removed or modified, as will the test cases.
| Req ID | Requirement specification | Reference | Defined specification |
|---|---|---|---|
| R00100 | A name server IP address should be globally routable on Internet. | | ADDRESS01 |
| R00200 | A name server IP address should be registered in the DNS reverse lookup tree. | | ADDRESS02 |
| R00300 | A name server IP address reverse lookup entry should be valid. | RFC1912 | ADDRESS03 |
| R00400 | The zone name should consist of valid IDN or non-IDN ASCII labels (names). | | Normalization |
| R00500 | IDN labels (names) should be valid. | RFC5890 | Normalization |
| R00600 | Non-IDN ASCII labels (names) should be valid. | RFC1123 RFC2782 | Normalization |
| R00700 | A DNS zone should have a parent zone from which it is delegated. | | Normalization |
| R00800 | A DNS zone should have at least one accessible name server that hosts it. | | Normalization |
| R00900 | A name server for a zone should respond to a query. | | CONNECTIVITY01 CONNECTIVITY02 |
| R01000 | A name server for a zone should respond with SOA record on SOA query. | RFC2181 | CONNECTIVITY01 CONNECTIVITY02 DELEGATION06 |
| R01100 | A name server for a zone should respond with RCODE NoError on SOA query. | | CONNECTIVITY01 CONNECTIVITY02 |
| R01200 | A name server for a zone should respond with AA flag set on SOA query. | RFC2181 | CONNECTIVITY01 CONNECTIVITY02 |
| R01300 | A name server for a zone should respond with NS RRset on NS query. | RFC2181 | CONNECTIVITY01 CONNECTIVITY02 |
| R01400 | A name server for a zone should respond with RCODE NoError on NS query. | | CONNECTIVITY01 CONNECTIVITY02 |
| R01500 | A name server for a zone should respond with AA flag set on NS query. | RFC2181 | CONNECTIVITY01 CONNECTIVITY02 |
| R01600 | A name server should respond on port 53 over UDP. | RFC1035 | CONNECTIVITY01 |
| R01700 | A name server should respond on port 53 over TCP. | RFC7766 | CONNECTIVITY02 |
| R01800 | The name server IP addresses should be announced from different ASNs. | RFC2182 | CONNECTIVITY03 |
| R01900 | The name server IP addresses should not be on the same subnet. | | CONNECTIVITY04 |
| R02000 | All name servers for a zone should respond with the same SOA serial number. | RFC1034 | CONSISTENCY01 |
| R02100 | All name servers for a zone should respond with the same SOA RNAME value. | RFC1034 | CONSISTENCY02 |
| R02200 | All name servers for a zone should respond with the same SOA REFRESH value. | RFC1034 | CONSISTENCY03 |
| R02300 | All name servers for a zone should respond with the same SOA RETRY value. | RFC1034 | CONSISTENCY03 |
| R02400 | All name servers for a zone should respond with the same SOA EXPIRE value. | RFC1034 | CONSISTENCY03 |
| R02500 | All name servers for a zone should respond with the same SOA MINIMUM value. | RFC1034 | CONSISTENCY03 |
| R02600 | All name servers for a zone should respond with the same NS RRset. | RFC1034 | CONSISTENCY04 |
| R02700 | The NS RRset in the delegation should be identical to the NS RRset in the zone. | RFC1034 IANA | CONSISTENCY05 DELEGATION07 |
| R02800 | All name servers for a zone should respond with the same SOA MNAME value. | RFC1034 | CONSISTENCY06 |
| R02900 | The SOA MNAME value should point at the primary master server of the zone. | RFC1035 | CONSISTENCY06 |
| R03000 | A zone should be hosted by at least two name servers (on IPv4). | RFC1034 | DELEGATION01 |
| R03100 | A zone should be hosted by at least two name servers (on IPv6). | | DELEGATION01 |
| R03200 | A zone should be hosted on IPv4. | RFC3901 RFC4472 | DELEGATION01 |
| R03300 | Name servers for a zone should have distinct IP addresses. | | DELEGATION02 |
| R03400 | Referral from parent name servers should fit into 512 octets. | IANA | DELEGATION03 |
| R03500 | The name server for the zone should respond authoritatively for the zone. | RFC2181 | DELEGATION04 |
| R03600 | The name server name should not point at a CNAME. | RFC2181 | DELEGATION05 |
| R03700 | Signed zone must have DNSKEY. | | |
| R03800 | Only valid DS hash algorithm should be used. | RFC8624 | DNSSEC01 |
| R03900 | If child zone is signed then parent zone should have DS record(s). | RFC4035 | DNSSEC07 |
| R04000 | DS at parent must match a DNSKEY at child. | RFC4035 RFC6840 | DNSSEC02 |
| R04100 | Parent name server should respond with NoError on DS query. | | DNSSEC02 |
| R04200 | Parent name server should respond with AA on DS query. | | DNSSEC02 |
| R04300 | DNSKEY RRset should be signed by DNSKEY from RRset. | | DNSSEC02 |
| R04400 | DNSKEY(DS) should have SEP flag set. | | DNSSEC02 |
| R04500 | RRSIG(DNSKEY RRset) should match appointed DNSKEY from DNSKEY RRset. | | DNSSEC02 DNSSEC08 |
| R04600 | The number of NSEC3 iterations should be limited. | RFC5155 | DNSSEC03 |
| R04700 | RRSIG lifetime should not be too short. | RFC6781 | DNSSEC04 |
| R04800 | RRSIG lifetime should not be too long. | RFC6781 | DNSSEC04 |
| R04900 | Only valid DNSKEY algorithms should be used. | RFC8624 | DNSSEC05 |
| R05000 | Query with DO set should include RRSIG in response for signed zone. | RFC4035 | DNSSEC06 |
| R05100 | If the zone is signed, then there should be a DS record in the delegation. | RFC4035 | DNSSEC07 |
| R05200 | Name servers should respond with NoError on DNSKEY query. | | DNSSEC08 |
| R05300 | Name servers should respond with AA on DNSKEY query. | | DNSSEC08 |
| R05400 | Name servers should respond with one DNSKEY RRset. | | DNSSEC08 |
| R05500 | RRSIG(SOA) should match appointed DNSKEY from DNSKEY RRset. | RFC4035 | DNSSEC09 |
| R05600 | NXDOMAIN response should include NSEC/NSEC3 for signed zone. | RFC4035 RFC5155 | DNSSEC10 |
| R05700 | NSEC and NSEC3 should not be mixed in responses. | | DNSSEC10 |
| R05800 | NSEC/NSEC3 record should be signed by RRSIG. | | DNSSEC10 |
| R05900 | If parent zone has DS record(s) then child zone must be signed. | | DNSSEC11 |
| R06000 | It should be possible to verify SOA using DS from parent as trust anchor. | | DNSSEC12 |
| R06100 | It should be possible to verify NS using DS from parent as trust anchor. | | DNSSEC12 |
| R06200 | It should be possible to verify DNSKEY using DS as trust anchor. | | DNSSEC12 |
| R06300 | Every algorithm represented in DNSKEY RRset must be used to sign the entire zone. | RFC6840 | - |
| R06400 | Every algorithm represented in DNSKEY RRset must be used to sign the SOA RRset. | RFC6840 | DNSSEC13 |
| R06500 | Every algorithm represented in DNSKEY RRset must be used to sign the NS RRset. | RFC6840 | DNSSEC13 |
| R06600 | Every algorithm represented in DNSKEY RRset must be used to sign the DNSKEY RRset. | RFC6840 | DNSSEC13 |
| R06700 | DNSKEY of type RSASHA1 (5) should have a key size of 512 to 4096 bits. | RFC3110 | DNSSEC14 |
| R06800 | DNSKEY of type RSASHA1-NSEC3-SHA1 (7) should have a key size of 512 to 4096 bits. | RFC5155 | DNSSEC14 |
| R06900 | DNSKEY of type RSASHA256 (8) should have a key size of 512 to 4096 bits. | RFC5702 | DNSSEC14 |
| R07000 | DNSKEY of type RSASHA512 (10) should have a key size of 1024 to 4096 bits. | RFC5702 | DNSSEC14 |
| R07100 | A name server hosting a zone should not also be a recursive name server. | RFC5358 RFC2870 | NAMESERVER01 |
| R07200 | A name server should support EDNS. | | NAMESERVER02 |
| R07300 | A name server not supporting EDNS should respond with FORMERR. | RFC6891 | NAMESERVER02 |
| R07400 | A name server should not support open zone transfer for its zone or zones. | | NAMESERVER03 |
| R07500 | A name server should respond with the same source IP as the query was sent to. | RFC2181 | NAMESERVER04 |
| R07600 | A name server should handle queries for AAAA correctly. | RFC4074 | NAMESERVER05 |
| R07700 | The name of the name server, as given in the NS record, must be resolvable in DNS. | RFC1035 | NAMESERVER06 |
| R07800 | A name server should not return a referral to root on queries for zones not hosted. | | NAMESERVER07 |
| R07900 | A name server should preserve case of query name when creating response. | Ref? | NAMESERVER08 |
| R08000 | A name server should treat query name without considering character case. | Ref? | NAMESERVER09 |
| R08100 | A name server should respond with BADVERS on unsupported EDNS version. | RFC6891 | NAMESERVER10 |
| R08200 | A name server should completely ignore unsupported EDNS OPTION-CODE. | RFC6891 | NAMESERVER11 |
| R08300 | A name server should completely ignore unsupported EDNS flag bit (Z flag bits). | RFC6891 | NAMESERVER12 |
| R08400 | A name server with EDNS support should include OPT record in truncated response. | RFC6891 | NAMESERVER13 |
| R08600 | The zone (domain) name should only contain legal characters. | RFC1035 RFC1123 RFC2182 RFC3696 | SYNTAX01 |
| R08700 | No label of the zone name should start or end with hyphen ("-"). | RFC1035 RFC1123 RFC2182 RFC3696 | SYNTAX02 |
| R08800 | No label of the zone name should have "--" in positions 3 and 4 unless it starts with "xn--". | RFC3696 | SYNTAX03 |
| R08900 | If the zone name has a label that starts with "xn--" it should be a valid A-label. | | |
| R09000 | If the zone name has an IDN label, its U-label should be valid. | | |
| R09100 | If the zone name has an IDN label, its U-label should not start or end with hyphen ("-"). | | |
| R09200 | If the zone name has an IDN label, its U-label should not have "--" in positions 3 and 4. | | |
| R09300 | If the zone name has an IDN label, its U-label should not have UNASSIGNED or DISALLOWED characters. | | |
| R09400 | If the zone name has an IDN label, any CONTEXTO or CONTEXTJ character in its U-label must follow the rules. | | |
| R09500 | The names of the name servers of the zone must be valid hostnames. | RFC0952 RFC1123 RFC2182 RFC3696 | SYNTAX04 |
| R09600 | In the SOA RNAME field there should be no "@" character. | RFC1035 | SYNTAX05 |
| R09700 | The SOA RNAME field should, after conversion, be a valid email address. | RFC1035 RFC1912 RIPE-203 | SYNTAX06 |
| R09800 | The SOA MNAME should be a valid hostname. | RFC0952 RFC1123 RFC2182 RFC3696 | SYNTAX07 |
| R09900 | The MX record or records of apex, if any, should have valid domain names for the mail target. | RFC0952 RFC1123 RFC2182 RFC3696 | SYNTAX08 |
| R10000 | The SOA MNAME field should be a fully qualified master name server of the zone. | RFC1035 RIPE-203 | ZONE01 |
| R11000 | The SOA REFRESH value should be at least 4 hours. | RFC1912 RIPE-203 | ZONE02 |
| R12000 | The SOA RETRY value should be lower than the REFRESH value. | RFC1912 RIPE-203 | ZONE03 |
| R13000 | The SOA RETRY value should be at least 1 hour. | RFC1912 RIPE-203 | ZONE04 |
| R14000 | The SOA EXPIRE value should be at least 2 weeks (1,209,600 sec). | RFC1912 RIPE-203 | ZONE05 |
| R15000 | The SOA MINIMUM value should be at least 300 sec and not more than 86400 sec. | RFC1912 RIPE-203 | ZONE06 |
| R16000 | The SOA MNAME field should not point at a CNAME. | | ZONE07 |
| R17000 | The mail exchange field in MX records should not point at a CNAME. | RFC2181 RFC5321 | ZONE08 |
| R18000 | Apex of every zone should be a valid mail domain. | RFC2142 | ZONE09 |
| R19000 | There should be exactly one SOA record in every zone. | RFC1035 | ZONE10 |
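To show how requirements of this kind turn into concrete checks, the following added example implements a small offline checker for several groups in the table: the zone-name syntax rules (R08600 to R08800, SYNTAX01 to SYNTAX03), the SOA RNAME rules (R09600 and R09700, SYNTAX05 and SYNTAX06), the SOA timer limits (R11000 to R15000, ZONE02 to ZONE06) and the SOA consistency requirements across name servers (R02000 to R02800, CONSISTENCY01 to CONSISTENCY06). It is not Zonemaster's own code (Zonemaster is written in Perl) and it does not query DNS; the SOA answers it evaluates are constructed sample data, the `SOA` class and all function names are this example's own, and the set of legal characters used for SYNTAX01 (ASCII letters, digits and hyphen, 1 to 63 octets per label) is an assumption rather than something the table spells out.

```python
"""Offline checks for a subset of the requirements table above (added example,
not Zonemaster's own code, which is written in Perl). It evaluates constructed
SOA data rather than live DNS answers; thresholds are those of R11000-R15000."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
Finding = Tuple[str, str]  # (Zonemaster test case id, explanation)
MIN_REFRESH, MIN_RETRY, MIN_EXPIRE = 4 * 3600, 3600, 1_209_600  # ZONE02, ZONE04, ZONE05
MIN_MINIMUM, MAX_MINIMUM = 300, 86400                           # ZONE06
# SYNTAX01: legal label characters assumed to be ASCII letters, digits and hyphen, 1-63 octets.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")

@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def check_zone_name(name: str) -> List[Finding]:
    """R08600-R08800: legal characters, hyphen placement and the '--' rule, per label."""
    findings = []
    for label in name.rstrip(".").split("."):
        if not LABEL_RE.match(label):
            findings.append(("SYNTAX01", f"illegal characters or length in label {label!r}"))
        if label.startswith("-") or label.endswith("-"):
            findings.append(("SYNTAX02", f"label {label!r} starts or ends with a hyphen"))
        if label[2:4] == "--" and not label.lower().startswith("xn--"):
            findings.append(("SYNTAX03", f"label {label!r} has '--' in positions 3 and 4"))
    return findings

def rname_to_email(rname: str) -> Optional[str]:
    """R09700: SOA RNAME to mailbox. The first unescaped '.' separates local part and
    domain; a backslash-escaped '.' in the local part is a literal dot (RFC 1035 sec. 8)."""
    local: List[str] = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):  # escaped character: take it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                          # first unescaped dot: the rest is the domain
            domain = rname[i + 1:].rstrip(".")
            return f"{''.join(local)}@{domain}" if local and domain else None
        local.append(ch)
        i += 1
    return None                                # no dot at all: no domain part

def check_soa(soa: SOA) -> List[Finding]:
    """R09600/R09700 (RNAME) and R11000-R15000 (timer values) for one SOA record."""
    findings = []
    if "@" in soa.rname:
        findings.append(("SYNTAX05", "RNAME contains '@'"))
    elif rname_to_email(soa.rname) is None:
        findings.append(("SYNTAX06", f"RNAME {soa.rname!r} does not convert to an email address"))
    rules = [  # (test case, violated?, explanation)
        ("ZONE02", soa.refresh < MIN_REFRESH, f"REFRESH {soa.refresh} < {MIN_REFRESH}"),
        ("ZONE03", soa.retry >= soa.refresh, f"RETRY {soa.retry} not lower than REFRESH {soa.refresh}"),
        ("ZONE04", soa.retry < MIN_RETRY, f"RETRY {soa.retry} < {MIN_RETRY}"),
        ("ZONE05", soa.expire < MIN_EXPIRE, f"EXPIRE {soa.expire} < {MIN_EXPIRE}"),
        ("ZONE06", not MIN_MINIMUM <= soa.minimum <= MAX_MINIMUM,
         f"MINIMUM {soa.minimum} outside {MIN_MINIMUM}..{MAX_MINIMUM}"),
    ]
    return findings + [(test, why) for test, violated, why in rules if violated]

# SOA field -> test case, following R02000-R02800 in the table.
CONSISTENCY_TESTS = {"serial": "CONSISTENCY01", "rname": "CONSISTENCY02",
                     "refresh": "CONSISTENCY03", "retry": "CONSISTENCY03",
                     "expire": "CONSISTENCY03", "minimum": "CONSISTENCY03",
                     "mname": "CONSISTENCY06"}

def check_consistency(answers: Dict[str, SOA]) -> List[Finding]:
    """R02000-R02800: every name server should answer with the same SOA field values."""
    findings = []
    for field, test in CONSISTENCY_TESTS.items():
        servers_by_value: Dict[object, List[str]] = {}
        for server, soa in answers.items():
            servers_by_value.setdefault(getattr(soa, field), []).append(server)
        if len(servers_by_value) > 1:
            findings.append((test, f"{field.upper()} differs between servers: {servers_by_value}"))
    return findings

# Constructed sample: two servers for one zone, ns2 one serial behind and with a short REFRESH.
SAMPLE_ZONE = "example.test"
SAMPLE_ANSWERS = {
    "ns1.example.test": SOA("ns1.example.test.", "hostmaster.example.test.", 2024010102, 14400, 3600, 1209600, 3600),
    "ns2.example.test": SOA("ns1.example.test.", "hostmaster.example.test.", 2024010101, 3600, 3600, 1209600, 3600),
}

def run_sample() -> List[Finding]:
    findings = check_zone_name(SAMPLE_ZONE)
    for soa in SAMPLE_ANSWERS.values():
        findings += check_soa(soa)
    return findings + check_consistency(SAMPLE_ANSWERS)
```

On the constructed sample, `run_sample()` reports ZONE02 and ZONE03 for ns2 (its REFRESH is below four hours and its RETRY is not lower than its REFRESH) and CONSISTENCY01 and CONSISTENCY03 for the zone as a whole (serial and REFRESH differ between the two servers). The `rname_to_email` conversion is the part that most often trips up hand-written checks: `john\.doe.example.com.` must become `john.doe@example.com`, so the first dot cannot simply be replaced with `@`.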