Malin 8d4eaa1489 feat: add full Zonemaster stack with Docker and Spanish UI
- Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI)
- Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend
- Dockerfile.gui: Astro static build served via nginx
- docker-compose.yml: backend (internal) + frontend (port 5353)
- nginx.conf: root redirects to /es/, /api/ proxied to backend
- zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 08:19:24 +02:00


# Specification of test zones for DNSSEC16
## Table of contents
* [Background](#background)
* [Test Case](#test-case)
* [Test scenarios](#test-scenarios)
* [Test zone names](#test-zone-names)
* [Test scenarios and message tags](#test-scenarios-and-message-tags)
* [Zone setup for test scenarios]
* [Terminology](#terminology)
## Background
See the [test zone README file].
## Test Case
This document specifies defined test zones for test case [DNSSEC16].
## Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts in which
[DNSSEC16] outputs different message tags when run on a test zone. The
message tags are defined in the test case ([DNSSEC16]) and the scenarios are
defined below.
The test scenarios are structured as stated in the [test zone README file].
## Test zone names
The test zone for each test scenario in this document is a subdomain delegated
from the base name (`dnssec16.xa`). The subdomain has the same name as the
scenario, except where the test domain must be the root zone, a TLD or a domain
under `.arpa`. The names of those zones are given in section
"[Zone setup for test scenarios]" below.
## Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or absence is
irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tags | Forbidden message tags
:----------------------------|:--------------------------------------------------|:-------------------------------------------
CDS-INVALID-RRSIG | DS16_CDS_INVALID_RRSIG | DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-MATCHES-NO-DNSKEY | DS16_CDS_MATCHES_NO_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-MATCHES-NON-SEP-DNSKEY | DS16_CDS_MATCHES_NON_SEP_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-MATCHES-NON-ZONE-DNSKEY | DS16_CDS_MATCHES_NON_ZONE_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-NOT-SIGNED-BY-CDS | DS16_CDS_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-SIGNED-BY-UNKNOWN-DNSKEY | DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-UNSIGNED | DS16_CDS_UNSIGNED, DS16_CDS_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
CDS-WITHOUT-DNSKEY | DS16_CDS_WITHOUT_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
DELETE-CDS | DS16_DELETE_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
DNSKEY-NOT-SIGNED-BY-CDS | DS16_DNSKEY_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_MIXED_DELETE_CDS
MIXED-DELETE-CDS | DS16_MIXED_DELETE_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS
NO-CDS | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
NOT-AA | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
VALID-CDS | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS
## Zone setup for test scenarios
Assumptions for the scenario specifications:
* Only CDS or DNSKEY records in apex are considered.
* Unless stated otherwise, all name servers respond authoritatively with
[RCODE Name] "NoError" on all queries.
* Unless stated otherwise, all name servers respond authoritatively with (or
without) CDS records on CDS queries and DNSKEY records on DNSKEY queries,
respectively.
* Unless stated otherwise, all RRSIGs are present where expected and are valid.
* Each zone is served by two nameservers and both respond consistently.
* No DS record is published at parent zone (`dnssec16.xa`).
### CDS-INVALID-RRSIG
* Zone: "cds-invalid-rrsig.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record] that matches key 1, but the RRSIG
of the CDS RRset has expired.
### CDS-MATCHES-NO-DNSKEY
* Zone: "cds-matches-no-dnskey.dnssec16.xa."
* The zone has one [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record] that matches key 1.
* The zone has a second [Well Formed CDS Record] that matches no key by key
tag.
### CDS-MATCHES-NON-SEP-DNSKEY
* Zone: "cds-matches-non-sep-dnskey.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record], but flag bit 15 is unset (key
1).
* The zone has one [Well Formed CDS Record] that matches key 1.
### CDS-MATCHES-NON-ZONE-DNSKEY
* Zone: "cds-matches-non-zone-dnskey.dnssec16.xa."
* The zone has one [Well Formed DNSKEY Record] (key 1).
* The zone has a second [Well Formed DNSKEY Record], but flag bit 7 is unset
and the key has not signed the DNSKEY RRset (key 2).
* The zone has one [Well Formed CDS Record] that matches key 1 (CDS 1).
* The zone has a second [Well Formed CDS Record], matching key 2, but the key
has not signed the CDS RRset.
### CDS-NOT-SIGNED-BY-CDS
* Zone: "cds-not-signed-by-cds.dnssec16.xa."
* The zone has two [Well Formed DNSKEY Record]s (key 1 and key 2).
* The zone has one [Well Formed CDS Record] that matches key 1.
* The zone has a second [Well Formed CDS Record] that matches key 2, but its
DNSKEY has not signed the CDS RRset.
### CDS-SIGNED-BY-UNKNOWN-DNSKEY
* Zone: "cds-signed-by-unknown-dnskey.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1.
* The CDS RRset has an additional RRSIG that matches no DNSKEY by key tag.
### CDS-UNSIGNED
* Zone: "cds-unsigned.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1, but the CDS
RRset is not signed.
### CDS-WITHOUT-DNSKEY
* Zone: "cds-without-dnskey.dnssec16.xa."
* The zone has no DNSKEY.
* The zone has one [Well Formed CDS Record] that matches no DNSKEY.
### DELETE-CDS
* Zone: "delete-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record].
* The zone has one CDS RR that is a Delete CDS.
### DNSKEY-NOT-SIGNED-BY-CDS
* Zone: "dnskey-not-signed-by-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1), but the key has not
signed the DNSKEY RRset.
* The zone has one [Well Formed CDS Record], and it matches key 1.
### MIXED-DELETE-CDS
* Zone: "mixed-delete-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1.
* The zone has a second CDS RR that is a Delete CDS.
### NO-CDS
* Zone: "no-cds.dnssec16.xa."
* The name servers give no CDS RRset on CDS query (NODATA).
### NOT-AA
* Zone: "not-aa.dnssec16.xa."
* The name servers give a non-AA response on CDS queries.
### VALID-CDS
* Zone: "valid-cds.dnssec16.xa."
* The zone has a [Well Formed DNSKEY Record] (key 1).
* The zone has one [Well Formed CDS Record], and it matches key 1.
## Terminology
* "Well Formed DNSKEY Record" - The term is used, in this document, for a DNSKEY
  record that meets the following requirements:
  * It is a DNSKEY record in apex.
  * It uses algorithm 10 (RSA/SHA-512) with a 2048-bit key length, see
    [DNSSEC05] and [DNSSEC14].
  * Flag bit 7 (zone key) and bit 15 (SEP) are set.
  * The DNSKEY RRset has been signed by the key and the RRSIG is valid.
* "Well Formed CDS Record" - The term is used, in this document, for a CDS record
  that meets the following requirements:
  * It is a CDS record in apex.
  * It uses hash digest 2 (SHA-256), see [DNSSEC01].
  * Its digest is a digest of a [Well Formed DNSKEY Record].
  * The CDS RRset has been signed by its DNSKEY and the RRSIG is valid.
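
The matching and flag rules from the zone setups and the terminology above, as an added Python example (not part of the Zonemaster documentation or code). It covers only the tags that depend on key tag matching, DNSKEY flags and delete CDS records; the RRSIG-related tags need signature validation and are left out. The function names, the tuple layout for CDS records and the placeholder key bytes are assumptions made for this example.

```python
import hashlib
import struct

ZONE_KEY, SEP = 0x0100, 0x0001   # DNSKEY flag bits 7 and 15 (bit 0 is the MSB)
DELETE_CDS = (0, 0, 0, b"\x00")  # RFC 8078 delete sentinel, "0 0 0 00"

def dnskey_rdata(flags, pubkey, algorithm=10):
    """DNSKEY RDATA: 16-bit flags, protocol 3, algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def cds_for(zone, rdata):
    """CDS tuple with digest type 2: SHA-256(owner name wire form + RDATA)."""
    labels = [l for l in zone.lower().split(".") if l]
    owner = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return (key_tag(rdata), rdata[3], 2, hashlib.sha256(owner + rdata).digest())

def classify(cds_rrset, dnskeys):
    """Return the DS16 tags that follow from CDS/DNSKEY matching and flags."""
    tags = set()
    normal = [c for c in cds_rrset if c != DELETE_CDS]
    if len(normal) < len(cds_rrset):   # at least one delete CDS present
        tags.add("DS16_MIXED_DELETE_CDS" if normal else "DS16_DELETE_CDS")
    if normal and not dnskeys:
        return tags | {"DS16_CDS_WITHOUT_DNSKEY"}
    by_tag = {key_tag(k): k for k in dnskeys}
    for tag, _alg, _digest_type, _digest in normal:
        key = by_tag.get(tag)          # the page matches CDS to DNSKEY by key tag
        if key is None:
            tags.add("DS16_CDS_MATCHES_NO_DNSKEY")
            continue
        (flags,) = struct.unpack("!H", key[:2])
        if not flags & ZONE_KEY:
            tags.add("DS16_CDS_MATCHES_NON_ZONE_DNSKEY")
        if not flags & SEP:
            tags.add("DS16_CDS_MATCHES_NON_SEP_DNSKEY")
    return tags

if __name__ == "__main__":
    # Constructed sample: placeholder key bytes, not a real RSA key.
    zsk_like = dnskey_rdata(ZONE_KEY, bytes(range(32)))   # SEP bit unset
    zone = "cds-matches-non-sep-dnskey.dnssec16.xa."
    print(sorted(classify([cds_for(zone, zsk_like)], [zsk_like])))
```
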
[DNSSEC01]: ../../tests/DNSSEC-TP/dnssec01.md
[DNSSEC05]: ../../tests/DNSSEC-TP/dnssec05.md
[DNSSEC14]: ../../tests/DNSSEC-TP/dnssec14.md
[DNSSEC16]: ../../tests/DNSSEC-TP/dnssec16.md
[RCODE Name]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[Test zone README file]: ../README.md
[Well Formed CDS Record]: #terminology
[Well Formed DNSKEY Record]: #terminology
[Zone setup for test scenarios]: #zone-setup-for-test-scenarios