zonemaster.es/zonemaster/docs/public/specifications/tests/DNSSEC-TP/dnssec05.md
Malin 8d4eaa1489 feat: add full Zonemaster stack with Docker and Spanish UI
- Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI)
- Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend
- Dockerfile.gui: Astro static build served via nginx
- docker-compose.yml: backend (internal) + frontend (port 5353)
- nginx.conf: root redirects to /es/, /api/ proxied to backend
- zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 08:19:24 +02:00


DNSSEC05: Check for invalid DNSKEY algorithms

Test case identifier

DNSSEC05


Objective

A domain name (zone) should only use DNSKEY algorithms that are specified by RFC 8624, section 3.1 (including the update in RFC 9157) and the IANA registry of DNSSEC Algorithm Numbers to be used for DNSSEC signing. A public domain name (zone) should not use private algorithms.

Scope

It is assumed that Child Zone is also tested by Connectivity01. This test case ignores non-responsive name servers and name servers that do not give a correct DNS response for an authoritative name server, unless all name servers fail in that way, in which case a message is output.

The RDATA of a DNSKEY record consists of four fields. The third field specifies the algorithm number of the public key carried in the fourth field. This test case only checks which algorithm is used, by reading the third field. It does not verify that the key material in the fourth field matches that algorithm.

Classification of algorithms

In the table below, the first three columns are copied from the IANA registry. The fourth column holds the Zonemaster classification, i.e. the relevant message tag listed in the "Summary" section below. Where the IANA table defines no mnemonic, the mnemonic in the table below is defined by Zonemaster; the IANA table is available at the IANA registry.

The "Zonemaster classification" is based on the "Use for DNSSEC signing" in the IANA registry of DNSSEC Algorithm Numbers.

| Algorithm no | Algorithm (or description) | Mnemonic | Zonemaster classification | Note |
|---|---|---|---|---|
| 0 | Delete DS | DELETE | DS05_ALGO_NOT_ZONE_SIGN | |
| 1 | RSA/MD5 | RSAMD5 | DS05_ALGO_DEPRECATED | |
| 2 | Diffie-Hellman | DH | DS05_ALGO_NOT_ZONE_SIGN | |
| 3 | DSA/SHA1 | DSA | DS05_ALGO_DEPRECATED | |
| 4 | Reserved | RESERVED | DS05_ALGO_RESERVED | (1) |
| 5 | RSA/SHA-1 | RSASHA1 | DS05_ALGO_DEPRECATED | |
| 6 | DSA-NSEC3-SHA1 | DSA-NSEC3-SHA1 | DS05_ALGO_DEPRECATED | |
| 7 | RSASHA1-NSEC3-SHA1 | RSASHA1-NSEC3-SHA1 | DS05_ALGO_DEPRECATED | |
| 8 | RSA/SHA-256 | RSASHA256 | DS05_ALGO_OK | |
| 9 | Reserved | RESERVED | DS05_ALGO_RESERVED | (1) |
| 10 | RSA/SHA-512 | RSASHA512 | DS05_ALGO_NOT_RECOMMENDED | |
| 11 | Reserved | RESERVED | DS05_ALGO_RESERVED | (1) |
| 12 | GOST R 34.10-2001 | ECC-GOST | DS05_ALGO_DEPRECATED | |
| 13 | ECDSA Curve P-256 with SHA-256 | ECDSAP256SHA256 | DS05_ALGO_OK | |
| 14 | ECDSA Curve P-384 with SHA-384 | ECDSAP384SHA384 | DS05_ALGO_OK | |
| 15 | Ed25519 | ED25519 | DS05_ALGO_OK | |
| 16 | Ed448 | ED448 | DS05_ALGO_OK | |
| 17 | SM2 signing algo w SM3 hash algo | SM2SM3 | DS05_ALGO_OK | |
| 18-22 | Unassigned | UNASSIGNED | DS05_ALGO_UNASSIGNED | (1) |
| 23 | GOST R 34.10-2012 | ECC-GOST12 | DS05_ALGO_OK | |
| 24-122 | Unassigned | UNASSIGNED | DS05_ALGO_UNASSIGNED | (1) |
| 123-251 | Reserved | RESERVED | DS05_ALGO_RESERVED | (1) |
| 252 | Reserved for Indirect Keys | INDIRECT | DS05_ALGO_NOT_ZONE_SIGN | |
| 253 | private algorithm | PRIVATEDNS | DS05_ALGO_PRIVATE | |
| 254 | private algorithm OID | PRIVATEOID | DS05_ALGO_PRIVATE | |
| 255 | Reserved | RESERVED | DS05_ALGO_RESERVED | (1) |

(1) Mnemonic defined for Zonemaster usage when undefined in the IANA table.

Inputs

Summary

| Message Tag | Level | Arguments | Message ID for message tag |
|---|---|---|---|
| DS05_ALGO_DEPRECATED | ERROR | ns_list, keytag, algo_num, algo_descr, algo_mnemo | The DNSKEY with tag {keytag} uses deprecated algorithm number {algo_num} ("{algo_descr}", {algo_mnemo}). Fetched from name servers "{ns_list}". |
| DS05_ALGO_NOT_RECOMMENDED | WARNING | ns_list, keytag, algo_num, algo_descr, algo_mnemo | The DNSKEY with tag {keytag} uses unrecommended algorithm number {algo_num} ("{algo_descr}", {algo_mnemo}). Fetched from name servers "{ns_list}". |
| DS05_ALGO_NOT_ZONE_SIGN | ERROR | ns_list, keytag, algo_num, algo_descr, algo_mnemo | The DNSKEY with tag {keytag} uses algorithm number {algo_num} ("{algo_descr}", {algo_mnemo}) which is not meant for zone signing. Fetched from name servers "{ns_list}". |
| DS05_ALGO_OK | INFO | ns_list, keytag, algo_num, algo_descr, algo_mnemo | The DNSKEY with tag {keytag} uses algorithm number {algo_num} ("{algo_descr}", {algo_mnemo}). Fetched from name servers "{ns_list}". |
| DS05_ALGO_PRIVATE | ERROR | ns_list, keytag, algo_num | The DNSKEY with tag {keytag} uses algorithm number {algo_num} which is reserved for private use. Fetched from name servers "{ns_list}". |
| DS05_ALGO_RESERVED | ERROR | ns_list, keytag, algo_num | The DNSKEY with tag {keytag} uses reserved algorithm number {algo_num}. Fetched from name servers "{ns_list}". |
| DS05_ALGO_UNASSIGNED | ERROR | ns_list, keytag, algo_num | The DNSKEY with tag {keytag} uses unassigned algorithm number {algo_num}. Fetched from name servers "{ns_list}". |
| DS05_NO_RESPONSE | WARNING | ns_list | No response or error in response from all name servers on the DNSKEY query. Failing name servers: "{ns_list}". |
| DS05_SERVER_NO_DNSSEC | ERROR | ns_list | Some name servers do not support DNSSEC or have not been properly configured. DNSKEY cannot be tested on those servers. Fetched from name servers "{ns_list}". |
| DS05_ZONE_NO_DNSSEC | NOTICE | ns_list | The zone is not DNSSEC signed or not properly DNSSEC signed. DNSKEY cannot be tested. Fetched from name servers "{ns_list}". |

The value in the Level column is the default severity level of the message. The severity level can be changed in the Zonemaster-Engine profile. Also see the Severity Level Definitions document.

The argument names in the Arguments column list the arguments used in the message. The argument names are defined in the argument list.

If the argument name is "ns" or "ns_list", the name server names are assumed to be available at the time the msgid is created, even though the "Test procedure" below refers only to the IP addresses of the name servers.

Test procedure

In this section, and unless otherwise specified below, the term "DNSSEC Query" follows the specification for DNS queries given in DNS Query and Response Defaults. The handling of the DNS responses to those queries follows, unless otherwise specified below, what is specified for DNSSEC Response in the same specification.

A complete list of all DNS Resource Record types can be found in the IANA RR Type List.

  1. Create a DNSSEC Query with query type DNSKEY and query name Child Zone ("DNSKEY Query").

  2. Retrieve all name server names and IP addresses for Child Zone using methods Get-Del-NS-Names-and-IPs and Get-Zone-NS-Names-and-IPs ("NS Name and IP").

  3. The name server names are assumed to be available at the time a msgid listed above in Summary is created. If the argument name is "ns" or "ns_list", the name server name is extracted from NS Name and IP even though the steps below refer only to the IP address of the name servers. Furthermore, if there is more than one name server name for the same IP address, one entry is created for each name.

  4. Create the following empty sets:

    1. Name server IP address ("Ignored NS IP")
    2. Name server IP address ("Responds without valid DNSKEY")
    3. Name server IP address ("Responds with DNSKEY")
    4. Name server IP address, key tag and DNSKEY algorithm code ("DS05_ALGO_DEPRECATED")
    5. Name server IP address, key tag and DNSKEY algorithm code ("DS05_ALGO_RESERVED")
    6. Name server IP address, key tag and DNSKEY algorithm code ("DS05_ALGO_UNASSIGNED")
    7. Name server IP address, key tag and DNSKEY algorithm code ("DS05_ALGO_NOT_RECOMMENDED")
    8. Name server IP address, key tag and DNSKEY algorithm code ("DS05_ALGO_PRIVATE")
    9. Name server IP address, key tag and DNSKEY algorithm code ("DS05_ALGO_NOT_ZONE_SIGN")
    10. Name server IP address, key tag and DNSKEY algorithm code ("DS05_ALGO_OK")
  5. For each unique name server IP address in NS Name and IP do:

    1. Send DNSKEY Query to the name server IP.
    2. Add the name server IP to the Ignored NS IP set and go to next name server IP if at least one of the following criteria is met:
      1. There is no DNS response.
      2. The RCODE Name in the response is not "NoError".
      3. The AA flag is not set in the response.
    3. If the response does not contain any valid DNSKEY record with owner name matching Child Zone in the answer section, add name server IP to the Responds without valid DNSKEY set and go to next server.
    4. Else, add name server IP to the Responds with DNSKEY set and retrieve valid DNSKEY records from the answer section.
    5. For each DNSKEY record retrieved do:
      1. Extract algorithm number from the third field of RDATA of the DNSKEY record.
      2. Calculate the key tag for the DNSKEY record.
      3. From section "Classification of algorithms" retrieve the table and extract the row matching the algorithm number.
      4. From the row extract the message tag from column "Zonemaster classification".
      5. Add name server IP, key tag and the algorithm code to the set with the same name as the extracted message tag.
  6. For each of the sets named after a message tag (created in step 4), if the set is non-empty, do the following:

  7. If the Responds without valid DNSKEY and Responds with DNSKEY sets are empty then output DS05_NO_RESPONSE with the list of name server IP addresses from the Ignored NS IP set.

  8. If the Responds without valid DNSKEY set is non-empty then do:

    1. If the Responds with DNSKEY set is empty then output DS05_ZONE_NO_DNSSEC with the name server IPs from the Responds without valid DNSKEY set.
    2. Else, output DS05_SERVER_NO_DNSSEC with the name server IPs from the Responds without valid DNSKEY set.
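The following Python is an added worked example, not Zonemaster-Engine code (the engine itself is written in Perl). It ties together the DNSKEY RDATA layout described under "Scope", the "Classification of algorithms" table, the key tag computation of step 5.5.2 (RFC 4034 Appendix B, including the RSA/MD5 special case of Appendix B.1), and steps 4 to 8 of the test procedure. Queries are not sent; the example assumes the responses have already been collected into a dictionary keyed by name server IP (`None` for no response, otherwise `rcode`, `aa` and the answer section as `(owner, flags, protocol, algorithm, public key bytes)` tuples). It also assumes one message per (key tag, algorithm) pair listing every server that served that key; the sample servers and key bytes are constructed, not real.

```python
import struct

# Classification table copied from "Classification of algorithms": (first, last, description, mnemonic, tag).
ALGO_TABLE = [
    (0, 0, "Delete DS", "DELETE", "DS05_ALGO_NOT_ZONE_SIGN"),
    (1, 1, "RSA/MD5", "RSAMD5", "DS05_ALGO_DEPRECATED"),
    (2, 2, "Diffie-Hellman", "DH", "DS05_ALGO_NOT_ZONE_SIGN"),
    (3, 3, "DSA/SHA1", "DSA", "DS05_ALGO_DEPRECATED"),
    (4, 4, "Reserved", "RESERVED", "DS05_ALGO_RESERVED"),
    (5, 5, "RSA/SHA-1", "RSASHA1", "DS05_ALGO_DEPRECATED"),
    (6, 6, "DSA-NSEC3-SHA1", "DSA-NSEC3-SHA1", "DS05_ALGO_DEPRECATED"),
    (7, 7, "RSASHA1-NSEC3-SHA1", "RSASHA1-NSEC3-SHA1", "DS05_ALGO_DEPRECATED"),
    (8, 8, "RSA/SHA-256", "RSASHA256", "DS05_ALGO_OK"),
    (9, 9, "Reserved", "RESERVED", "DS05_ALGO_RESERVED"),
    (10, 10, "RSA/SHA-512", "RSASHA512", "DS05_ALGO_NOT_RECOMMENDED"),
    (11, 11, "Reserved", "RESERVED", "DS05_ALGO_RESERVED"),
    (12, 12, "GOST R 34.10-2001", "ECC-GOST", "DS05_ALGO_DEPRECATED"),
    (13, 13, "ECDSA Curve P-256 with SHA-256", "ECDSAP256SHA256", "DS05_ALGO_OK"),
    (14, 14, "ECDSA Curve P-384 with SHA-384", "ECDSAP384SHA384", "DS05_ALGO_OK"),
    (15, 15, "Ed25519", "ED25519", "DS05_ALGO_OK"),
    (16, 16, "Ed448", "ED448", "DS05_ALGO_OK"),
    (17, 17, "SM2 signing algo w SM3 hash algo", "SM2SM3", "DS05_ALGO_OK"),
    (18, 22, "Unassigned", "UNASSIGNED", "DS05_ALGO_UNASSIGNED"),
    (23, 23, "GOST R 34.10-2012", "ECC-GOST12", "DS05_ALGO_OK"),
    (24, 122, "Unassigned", "UNASSIGNED", "DS05_ALGO_UNASSIGNED"),
    (123, 251, "Reserved", "RESERVED", "DS05_ALGO_RESERVED"),
    (252, 252, "Reserved for Indirect Keys", "INDIRECT", "DS05_ALGO_NOT_ZONE_SIGN"),
    (253, 253, "private algorithm", "PRIVATEDNS", "DS05_ALGO_PRIVATE"),
    (254, 254, "private algorithm OID", "PRIVATEOID", "DS05_ALGO_PRIVATE"),
    (255, 255, "Reserved", "RESERVED", "DS05_ALGO_RESERVED"),
]

def classify_algorithm(algo_num):
    """Steps 5.5.3-5.5.4: return (message tag, description, mnemonic) for an algorithm number."""
    for first, last, descr, mnemo, tag in ALGO_TABLE:
        if first <= algo_num <= last:
            return tag, descr, mnemo
    raise ValueError("the DNSKEY algorithm field is a single octet (0-255)")

def key_tag(flags, protocol, algorithm, pubkey):
    """Step 5.5.2: key tag per RFC 4034 Appendix B (Appendix B.1 for RSA/MD5)."""
    if algorithm == 1:
        # RSA/MD5: the 16 bits just before the last octet of the public key modulus.
        return int.from_bytes(pubkey[-3:-1], "big")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet  # even offsets are high octets
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def run_dnssec05(zone, responses):
    """Steps 4-8 over already-fetched DNSKEY responses (assumed input shape, see lead-in).
    responses: ns_ip -> None | {"rcode", "aa", "answer": [(owner, flags, proto, algo, pubkey)]}
    Returns the emitted (message tag, arguments) pairs."""
    ignored, no_dnskey, with_dnskey = set(), set(), set()
    findings = {}  # message tag -> {(ns_ip, keytag, algo_num)}, one set per tag as in step 4
    for ns_ip, resp in sorted(responses.items()):
        if resp is None or resp["rcode"] != "NoError" or not resp["aa"]:
            ignored.add(ns_ip)  # step 5.2
            continue
        keys = [r for r in resp["answer"] if r[0].lower() == zone.lower()]
        if not keys:
            no_dnskey.add(ns_ip)  # step 5.3
            continue
        with_dnskey.add(ns_ip)  # step 5.4
        for _owner, flags, proto, algo, pubkey in keys:
            tag = classify_algorithm(algo)[0]
            findings.setdefault(tag, set()).add((ns_ip, key_tag(flags, proto, algo, pubkey), algo))
    messages = []
    for tag in sorted(findings):  # step 6
        # Assumption: one message per (key tag, algorithm), listing all servers that served the key.
        by_key = {}
        for ns_ip, ktag, algo in findings[tag]:
            by_key.setdefault((ktag, algo), set()).add(ns_ip)
        for (ktag, algo), ns_ips in sorted(by_key.items()):
            _, descr, mnemo = classify_algorithm(algo)
            args = {"ns_list": sorted(ns_ips), "keytag": ktag, "algo_num": algo}
            if tag not in ("DS05_ALGO_PRIVATE", "DS05_ALGO_RESERVED", "DS05_ALGO_UNASSIGNED"):
                args.update(algo_descr=descr, algo_mnemo=mnemo)  # per the Summary table
            messages.append((tag, args))
    if not no_dnskey and not with_dnskey:  # step 7
        messages.append(("DS05_NO_RESPONSE", {"ns_list": sorted(ignored)}))
    if no_dnskey:  # step 8
        tag = "DS05_ZONE_NO_DNSSEC" if not with_dnskey else "DS05_SERVER_NO_DNSSEC"
        messages.append((tag, {"ns_list": sorted(no_dnskey)}))
    return messages

# Constructed sample (not real keys or servers): two authoritative answers, one silent server,
# one server answering NoError/AA but without any DNSKEY for the zone.
ZONE = "example.test."
K13 = (ZONE, 257, 3, 13, b"\x01\x02\x03\x04")
K5 = (ZONE, 256, 3, 5, b"\x01\x02\x03\x04")
SAMPLE = {
    "192.0.2.1": {"rcode": "NoError", "aa": True, "answer": [K13, K5]},
    "192.0.2.2": {"rcode": "NoError", "aa": True, "answer": [K13]},
    "192.0.2.3": None,
    "192.0.2.4": {"rcode": "NoError", "aa": True, "answer": []},
}
```

Running `run_dnssec05(ZONE, SAMPLE)` yields a DS05_ALGO_DEPRECATED message for the RSA/SHA-1 key served by 192.0.2.1, a DS05_ALGO_OK message for the ECDSAP256SHA256 key served by 192.0.2.1 and 192.0.2.2, and DS05_SERVER_NO_DNSSEC for 192.0.2.4; the silent 192.0.2.3 is ignored because other servers did answer. With only silent or non-authoritative servers the same function returns DS05_NO_RESPONSE, and with only servers that answer without a DNSKEY it returns DS05_ZONE_NO_DNSSEC.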

Outcome(s)

The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.

The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.

In other cases, no message or only messages with severity level INFO or NOTICE, the outcome of this Test Case is "pass".

Special procedural requirements

If either IPv4 or IPv6 transport is disabled, skip sending queries over that transport protocol. A message is output reporting that the transport protocol has been skipped.

See the DNSSEC README document about DNSSEC algorithms.

Intercase dependencies

None.

Terminology

No special terminology for this Test Case.