Specification of Test Scenarios for DNSSEC01

Table of contents

• Background
• Test Case
• Test scenarios
• Test zone names
• All message tags
• Test scenarios and message tags
• Test scenarios and setup of test zones

Background

See the test scenario README file.

Test Case

This document specifies defined test scenarios for test case DNSSEC01.

Test scenarios

The purpose of the test scenarios is to cover all reasonable contexts where different message tags are outputted when DNSSEC01 is run on a test zone. The message tags are defined in the test case (DNSSEC01) and the scenarios are defined below.

The test scenarios are structured as stated in the test scenario README file.

Test zone names

The test zone or zones for each test scenario in this document is a subdomain (or lower zone) delegated from the base name (dnssec01.xa) and that subdomain having the same name as the scenario. The names of those zones are given in section "Test scenarios and setup of test zones" below.

All message tags

The test case can output any of these message tags, but not necessarily in any combination. See DNSSEC01 for the specification of the tags.

• DS01_DS_ALGO_2_MISSING
• DS01_DS_ALGO_DEPRECATED
• DS01_DS_ALGO_NOT_DS
• DS01_DS_ALGO_OK
• DS01_DS_ALGO_PRIVATE
• DS01_DS_ALGO_RESERVED
• DS01_DS_ALGO_UNASSIGNED
• DS01_NO_RESPONSE
• DS01_PARENT_SERVER_NO_DS
• DS01_PARENT_ZONE_NO_DS
• DS01_ROOT_N_NO_UNDEL_DS
• DS01_UNDEL_N_NO_UNDEL_DS

Test scenarios and message tags

If a message tag is not listed for the scenario, its presence or non-presence is irrelevant to the test scenario and must be ignored.

• (1) All tags except for those specified as "Forbidden tags" (no instances for these test scenarios)
• (2) All tags except for those specified as "Mandatory tags"

Test scenarios and setup of test zones

Default zone configuration

Unless otherwise specified in the specific scenario specification, the test zone or zones for the scenario will follow the default setup as stated below. The child zone is the zone to be tested for the scenario.

• The child zone is SCENARIO.dnssec01.xa.
  • It is delegated to two name servers, ns1.SCENARIO.dnssec01.xa and ns2.SCENARIO.dnssec01.xa.
    • The name server names have A and AAAA records to avoid non-relevant error messages.
    • The delegation of the child zone is to an OOB NS.
      • NS can be resolved through the dnssec01.xa zone.
  • There is a zone file for the child zone.
  • All child zone servers give the same response.
  • The only responses that can be assumed are queries for
    • NS
    • SOA
  • The parent zone will respond with one DS record per child zone.
• The parent zone is dnssec01.xa.
  • It is served by two in-bailiwick NS (ns1 and ns2).
  • ns1 and ns2 have the same zone content.
  • ns1 and ns2 have both IPv4 and IPv6 glue.
  • The records matching glue in the zone are complete.
• All responses will have the AA bit set.
• All responses will have the RCODE Name "NoError".
• The DS digest algorithm is 2 unless specified for the scenario.
  • The DS record can be technically invalid. Only the format is valid and only the digest algorithm value is checked.
• The zone is not signed.

ALGO-DEPRECATED-1

The DS digest algorithm number is 1

• Zone: algo-deprecated-1.dnssec01.xa.
  • The algorithm of the DS digest in the response is 1.

ALGO-DEPRECATED-3

The DS digest algorithm number is 3

• Zone: algo-deprecated-3.dnssec01.xa.
  • The algorithm of the DS digest in the response is 3.

ALGO-RESERVED-128

The DS digest algorithm number is 128

• Zone: algo-reserved-128.dnssec01.xa.
  • The algorithm of the DS digest in the response is 128.

ALGO-RESERVED-188

The DS digest algorithm number is 188

• Zone: algo-reserved-188.dnssec01.xa.
  • The algorithm of the DS digest in the response is 188.

ALGO-RESERVED-252

The DS digest algorithm number is 252

• Zone: algo-reserved-252.dnssec01.xa.
  • The algorithm of the DS digest in the response is 252.

ALGO-UNASSIGNED-7

The DS digest algorithm number is 7

• Zone: algo-unassigned-7.dnssec01.xa.
  • The algorithm of the DS digest in the response is 7.

ALGO-UNASSIGNED-67

The DS digest algorithm number is 67

• Zone: algo-unassigned-67.dnssec01.xa.
  • The algorithm of the DS digest in the response is 67.

ALGO-UNASSIGNED-127

The DS digest algorithm number is 127

• Zone: algo-unassigned-127.dnssec01.xa.
  • The algorithm of the DS digest in the response is 127.

ALGO-PRIVATE-253

The DS digest algorithm number is 253

• Zone: algo-private-253.dnssec01.xa.
  • The algorithm of the DS digest in the response is 253.

ALGO-PRIVATE-254

The DS digest algorithm number is 254

• Zone: algo-private-254.dnssec01.xa.
  • The algorithm of the DS digest in the response is 254.

ALGO-NOT-DS-0

The DS digest algorithm number is 0

• Zone: algo-not-ds-0.dnssec01.xa.
  • The algorithm of the DS digest in the response is 0.

ALGO-OK-2

The DS digest algorithm number is 2

• Zone: algo-ok-2.dnssec01.xa.
  • The algorithm of the DS digest in the response is 2.

ALGO-OK-4

The DS digest algorithm number is 4

• Zone: algo-ok-4.dnssec01.xa.
  • The algorithm of the DS digest in the response is 4.

ALGO-OK-5

The DS digest algorithm number is 5

• Zone: algo-ok-5.dnssec01.xa.
  • The algorithm of the DS digest in the response is 5.

ALGO-OK-6

The DS digest algorithm number is 6

• Zone: algo-ok-6.dnssec01.xa.
  • The algorithm of the DS digest in the response is 6.

MIXED-ALGO-1

Three DS with different algorithms.

• Zone: mixed-algo-1.dnssec01.xa.
  • The response has three DS with different algorithms:
    • 1
    • 2
    • 253

SHARED-IP-1

Two parent name servers resolv to the same IP address.

• Zone: child.shared-ip-1.dnssec01.xa.
  • The parent zone is "shared-ip-1.dnssec01.xa" and the grandparent zone is "dnssec01.xa".
  • The parent is delegated to IB ns1a and ns1b with the same IPv4 and IPv6 addresses.

SHARED-IP-2

Delegation of parent does not use the same name server name as parent zone.

• Zone: child.shared-ip-2.dnssec01.xa.
  • The parent zone is "shared-ip-2.dnssec01.xa" and the grandparent zone is "dnssec01.xa".
  • The parent is delegated to IB ns1 and ns2, but in the parent zone the names are dns1 and dns2.
    • ns1 and dns1 resolve to the same IP addresses.
    • ns2 and dns2 resolve to the same IP addresses.

NO-RESPONSE-1

No response from any of the servers on the DS query.

• Zone: child.no-response-1.dnssec01.xa.
  • No response at all from parent ns1 and ns2.

NO-VALID-RESPONSE-1

No valid response from any of the servers on the DS query.

• Zone: child.no-valid-response-1.dnssec01.xa.
  • Response from parent ns1 has RCODE SERVFAIL.
  • Response from parent ns2 has RCODE REFUSED.
  • Child zone does not exist

PARENT-SERVER-NO-DS-1

No DS from parent ns1.

• Zone: child.parent-server-no-ds-1.dnssec01.xa.
  • Response from parent ns1 is NODATA (no DS).
  • Response from parent ns2 is normal.

PARENT-ZONE-NO-DS-1

No DS from neither parent ns1 nor parent ns2.

• Zone: parent-zone-no-ds-1.dnssec01.xa.
  • Responses from parent ns1 and parent ns2 are NODATA (no DS).

UNDEL-NO-UNDEL-DS-1

Zone is not delegated, but undelegated data is provided. No DS.

• Zone: undel-no-undel-ds-1.dnssec01.xa.
  • The zone is not delegated, but there is undelegated data.
  • ns1 and ns2 are OOB.
  • No undelegated DS is provided.

UNDEL-WITH-UNDEL-DS-1

Zone is not delegated, but undelegated data is provided with DS.

• Zone: undel-with-undel-ds-1.dnssec01.xa.
  • The zone is not delegated, but there is undelegated data.
  • ns1 and ns2 are OOB.
  • Undelegated DS is provided.

ROOT-NO-UNDEL-DS-1

Zone is the root zone, and no undelegated DS is provided.

• Zone: "."
  • ns1 and ns2 are IB.
  • The zone exists.

ROOT-WITH-UNDEL-DS-1

Zone is the root zone, and undelegated DS is provided.

• Zone: "."
  • ns1 and ns2 are IB.
  • The zone exists.