Specification of Test Scenarios for DNSSEC05

Table of contents

• Background
• Test Case
• Test scenarios
• Test zone names
• All message tags
• Test scenarios and message tags
• Test scenarios and setup of test zones

Background

See the test scenario README file.

Test Case

This document specifies defined test scenarios for test case DNSSEC05.

Test scenarios

The purpose of the test scenarios is to cover all reasonable contexts where different message tags are outputted when DNSSEC05 is run on a test zone. The message tags are defined in the test case (DNSSEC05) and the scenarios are defined below.

The test scenarios are structured as stated in the test scenario README file.

Test zone names

The test zone or zones for each test scenario in this document is a subdomain (or lower zone) delegated from the base name (dnssec05.xa) and that subdomain having the same name as the scenario. The names of those zones are given in section "Test scenarios and setup of test zones" below.

All message tags

The test case can output any of these message tags, but not necessarily in any combination. See DNSSEC05 for the specification of the tags.

• DS05_ALGO_DEPRECATED
• DS05_ALGO_NOT_RECOMMENDED
• DS05_ALGO_NOT_ZONE_SIGN
• DS05_ALGO_OK
• DS05_ALGO_PRIVATE
• DS05_ALGO_RESERVED
• DS05_ALGO_UNASSIGNED
• DS05_NO_RESPONSE
• DS05_SERVER_NO_DNSSEC
• DS05_ZONE_NO_DNSSEC

Test scenarios and message tags

If a message tag is not listed for the scenario, its presence or non-presence is irrelevant to the test scenario and must be ignored.

• (1) All tags except for those specified as "Forbidden message tags" (no instances for these test scenarios)
• (2) All tags except for those specified as "Mandatory message tags"

Test scenarios and setup of test zones

Default zone configuration

Unless otherwise specified in the specific scenario specification, the test zone or zones for the scenario will follow the default setup as stated below. The child zone is the zone to be tested for the scenario.

• The child zone is SCENARIO.dnssec05.xa.
  • It is delegated to two name servers, ns1.SCENARIO.dnssec05.xa and ns2.SCENARIO.dnssec05.xa.
    • The name server names have A and AAAA records to avoid non-relevant error messages.
    • The delegation of the child zone is to an OOB NS.
      • NS can be resolved through the dnssec05.xa zone.
  • There is a zone file for the child zone.
  • All child zone servers give the same response.
  • The only responses that can be assumed are queries for
    • DNSKEY
    • NS
    • SOA
  • The zone will respond with one DNSKEY record.
• The parent zone is dnssec05.xa.
  • It is served by two in-bailiwick NS (ns1 and ns2).
  • ns1 and ns2 have the same zone content.
  • ns1 and ns2 have both IPv4 and IPv6 glue.
  • The records matching glue in the zone are complete.
• All responses will have the AA bit set.
• All responses will have the RCODE Name "NoError".
• The DNSKEY algorithm is 13 unless specified for the scenario.
  • The DNSKEY record can be technically invalid. Only the format is valid and only the algorithm value is checked.
• The zone is not signed.

ALGO-DEPRECATED-1

The DNSKEY algo is 1

• Zone: "algo-deprecated-1.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 1.

ALGO-DEPRECATED-3

The DNSKEY algo is 3

• Zone: "algo-deprecated-3.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 3.

ALGO-DEPRECATED-5

The DNSKEY algo is 5

• Zone: "algo-deprecated-5.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 5.

ALGO-DEPRECATED-6

The DNSKEY algo is 6

• Zone: "algo-deprecated-6.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 6.

ALGO-DEPRECATED-7

The DNSKEY algo is 7

• Zone: "algo-deprecated-7.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 7.

ALGO-DEPRECATED-12

The DNSKEY algo is 12

• Zone: "algo-deprecated-12.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 12.

ALGO-RESERVED-4

The DNSKEY algo is 4

• Zone: "algo-reserved-4.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 4.

ALGO-RESERVED-9

The DNSKEY algo is 9

• Zone: "algo-reserved-9.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 9.

ALGO-RESERVED-11

The DNSKEY algo is 11

• Zone: "algo-reserved-11.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 11.

ALGO-RESERVED-123

The DNSKEY algo is 123

• Zone: "algo-reserved-123.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 123.

ALGO-RESERVED-251

The DNSKEY algo is 251

• Zone: "algo-reserved-251.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 251.

ALGO-RESERVED-255

The DNSKEY algo is 255

• Zone: "algo-reserved-255.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 255.

ALGO-UNASSIGNED-20

The DNSKEY algo is 20

• Zone: "algo-unassigned-17.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 17.

ALGO-UNASSIGNED-122

The DNSKEY algo is 122

• Zone: "algo-unassigned-122.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 122.

ALGO-PRIVATE-253

The DNSKEY algo is 253

• Zone: "algo-private-253.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 253.

ALGO-PRIVATE-254

The DNSKEY algo is 254

• Zone: "algo-private-254.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 254.

ALGO-NOT-ZONE-SIGN-0

The DNSKEY algo is 0

• Zone: "algo-not-zone-sign-0.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 0.

ALGO-NOT-ZONE-SIGN-2

The DNSKEY algo is 2

• Zone: "algo-not-zone-sign-2.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 2.

ALGO-NOT-ZONE-SIGN-252

The DNSKEY algo is 252

• Zone: "algo-not-zone-sign-252.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 252.

ALGO-NOT-RECOMMENDED-10

The DNSKEY algo is 10

• Zone: "algo-not-recommended-10.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 10.

ALGO-OK-8

The DNSKEY algo is 8

• Zone: "algo-ok-8.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 8.

ALGO-OK-13

The DNSKEY algo is 13

• Zone: "algo-ok-13.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 13.

ALGO-OK-14

The DNSKEY algo is 14

• Zone: "algo-ok-14.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 14.

ALGO-OK-15

The DNSKEY algo is 15

• Zone: "algo-ok-15.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 15.

ALGO-OK-16

The DNSKEY algo is 16

• Zone: "algo-ok-16.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 16.

ALGO-OK-17

The DNSKEY algo is 17

• Zone: "algorithm-ok-17.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 17.

ALGO-OK-23

The DNSKEY algo is 23

• Zone: "algorithm-ok-23.dnssec05.xa."
  • The algorithm of the DNSKEY in the response is 23.

MIXED-ALGO-1

Three DNSKEY with different algorithms.

• Zone: "mixed-algo-1.dnssec05.xa."
  • The response has three DNSKEY with different algorithms:
    • 7
    • 10
    • 13

NO-RESPONSE-1

No valid response from any of the servers.

• Zone: "no-response-1.dnssec05.xa."
  • No response at all from ns1.
  • Response from ns2 does not have the AA bit set.

NO-RESPONSE-2

No valid response from any of the servers.

• Zone: "no-response-2.dnssec05.xa."
  • Response from ns1 has RCODE SERVFAIL.
  • Response from ns2 has RCODE REFUSED.

SERVER-NO-DNSSEC-1

No DNSKEY from ns1.

• Zone: "server-no-dnssec-1.dnssec05.xa."
  • Response from ns1 is NODATA (no DNSKEY).
  • Response from ns2 is normal.

SHARED-IP-1

Two NS names, but only one IP. IPv4 only.

• Zone: "shared-ip-1.dnssec05.xa."
  • ns1a and ns1b are in bailiwick, but use the same IP.
    • IPv4 only.
  • The message should list both name server names, both with the same IP.

ZONE-NO-DNSSEC-1

No DNSKEY from neither ns1 nor ns2.

• Zone: "zone-no-dnssec-1.dnssec05.xa."
  • Responses from ns1 and ns2 are NODATA (no DNSKEY).