Specification of test zones for DNSSEC16
Table of contents
- Background
- Test Case
- Test scenarios
- Test zone names
- Test scenarios and message tags
- Zone setup for test scenarios
- Terminology
Background
See the test zone README file.
Test Case
This document specifies defined test zones for test case DNSSEC16.
Test scenarios
The purpose of the test scenarios is to cover all reasonable contexts in which the different message tags are output when DNSSEC16 is run on a test zone. The message tags are defined in the test case (DNSSEC16) and the scenarios are defined below.
The test scenarios are structured as stated in the test zone README file.
Test zone names
The test zone for each test scenario in this document is a subdomain delegated from the base name (dnssec16.xa), and that subdomain has the same name as the scenario, except where the test domain must be the root zone, a TLD or a domain under .arpa. The names of those zones are given in section "Zone setup for test scenarios" below.
Test scenarios and message tags
If a message tag is not listed for the scenario, its presence or non-presence is irrelevant to the test scenario and must be ignored.
Scenario name | Mandatory message tags | Forbidden message tags |
---|---|---|
CDS-INVALID-RRSIG | DS16_CDS_INVALID_RRSIG | DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
CDS-MATCHES-NO-DNSKEY | DS16_CDS_MATCHES_NO_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
CDS-MATCHES-NON-SEP-DNSKEY | DS16_CDS_MATCHES_NON_SEP_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
CDS-MATCHES-NON-ZONE-DNSKEY | DS16_CDS_MATCHES_NON_ZONE_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
CDS-NOT-SIGNED-BY-CDS | DS16_CDS_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
CDS-SIGNED-BY-UNKNOWN-DNSKEY | DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
CDS-UNSIGNED | DS16_CDS_UNSIGNED, DS16_CDS_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
CDS-WITHOUT-DNSKEY | DS16_CDS_WITHOUT_DNSKEY | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
DELETE-CDS | DS16_DELETE_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
DNSKEY-NOT-SIGNED-BY-CDS | DS16_DNSKEY_NOT_SIGNED_BY_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_MIXED_DELETE_CDS |
MIXED-DELETE-CDS | DS16_MIXED_DELETE_CDS | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS |
NO-CDS | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
NOT-AA | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
VALID-CDS | (none) | DS16_CDS_INVALID_RRSIG, DS16_CDS_MATCHES_NON_SEP_DNSKEY, DS16_CDS_MATCHES_NON_ZONE_DNSKEY, DS16_CDS_MATCHES_NO_DNSKEY, DS16_CDS_NOT_SIGNED_BY_CDS, DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY, DS16_CDS_UNSIGNED, DS16_CDS_WITHOUT_DNSKEY, DS16_DELETE_CDS, DS16_DNSKEY_NOT_SIGNED_BY_CDS, DS16_MIXED_DELETE_CDS |
Zone setup for test scenarios
Assumptions for the scenario specifications:
- Only CDS or DNSKEY records in apex are considered.
- Unless stated otherwise, all name servers respond authoritatively with RCODE "NoError" on all queries.
- Unless stated otherwise, all name servers respond authoritatively with (or without) CDS records on CDS queries and DNSKEY records on DNSKEY queries, respectively.
- Unless stated otherwise, all RRSIGs are present where expected and are valid.
- Each zone is served by two nameservers and both respond consistently.
- No DS record is published at the parent zone (dnssec16.xa).
CDS-INVALID-RRSIG
- Zone: "cds-invalid-rrsig.dnssec16.xa."
- The zone has a Well Formed DNSKEY Record (key 1).
- The zone has one Well Formed CDS Record that matches key 1, but the RRSIG of the CDS RRset has expired.
CDS-MATCHES-NO-DNSKEY
- Zone: "cds-matches-no-dnskey.dnssec16.xa."
- The zone has one Well Formed DNSKEY Record (key 1).
- The zone has one Well Formed CDS Record that matches key 1.
- The zone has a second Well Formed CDS Record that matches no key by key tag.
CDS-MATCHES-NON-SEP-DNSKEY
- Zone: "cds-matches-non-sep-dnskey.dnssec16.xa."
- The zone has a Well Formed DNSKEY Record, but flag bit 15 is unset (key 1).
- The zone has one Well Formed CDS Record that matches key 1.
CDS-MATCHES-NON-ZONE-DNSKEY
- Zone: "cds-matches-non-zone-dnskey.dnssec16.xa."
- The zone has one Well Formed DNSKEY Record (key 1).
- The zone has a second Well Formed DNSKEY Record, but flag bit 7 is unset and the key has not signed the DNSKEY RRset (key 2).
- The zone has one Well Formed CDS Record that matches key 1 (CDS 1).
- The zone has a second Well Formed CDS Record, matching key 2, but the key has not signed the CDS RRset.
CDS-NOT-SIGNED-BY-CDS
- Zone: "cds-not-signed-by-cds.dnssec16.xa."
- The zone has two Well Formed DNSKEY Records (keys 1 and 2).
- The zone has one Well Formed CDS Record that matches key 1.
- The zone has a second Well Formed CDS Record that matches key 2, but its DNSKEY has not signed the CDS RRset.
CDS-SIGNED-BY-UNKNOWN-DNSKEY
- Zone: "cds-signed-by-unknown-dnskey.dnssec16.xa."
- The zone has a Well Formed DNSKEY Record (key 1).
- The zone has one Well Formed CDS Record, and it matches key 1.
- The CDS RRset has an additional RRSIG that matches no DNSKEY by key tag.
CDS-UNSIGNED
- Zone: "cds-unsigned.dnssec16.xa."
- The zone has a Well Formed DNSKEY Record (key 1).
- The zone has one Well Formed CDS Record, and it matches key 1, but the CDS RRset is not signed.
CDS-WITHOUT-DNSKEY
- Zone: "cds-without-dnskey.dnssec16.xa."
- The zone has no DNSKEY.
- The zone has one Well Formed CDS Record that matches no DNSKEY.
DELETE-CDS
- Zone: "delete-cds.dnssec16.xa."
- The zone has a Well Formed DNSKEY Record.
- The zone has one CDS RR that is a Delete CDS.
DNSKEY-NOT-SIGNED-BY-CDS
- Zone: "dnskey-not-signed-by-cds.dnssec16.xa."
- The zone has a Well Formed DNSKEY Record (key 1), but the key has not signed the DNSKEY RRset.
- The zone has one Well Formed CDS Record, and it matches key 1.
MIXED-DELETE-CDS
- Zone: "mixed-delete-cds.dnssec16.xa."
- The zone has a Well Formed DNSKEY Record (key 1).
- The zone has one Well Formed CDS Record, and it matches key 1.
- The zone has a second CDS RR that is a Delete CDS.
NO-CDS
- Zone: "no-cds.dnssec16.xa."
- The name servers give no CDS RRset on CDS query (NODATA).
NOT-AA
- Zone: "not-aa.dnssec16.xa."
- The name servers give a non-AA response on CDS queries.
VALID-CDS
- Zone: "valid-cds.dnssec16.xa."
- The zone has a Well Formed DNSKEY Record (key 1).
- The zone has one Well Formed CDS Record, and it matches key 1.
Terminology
- "Well Formed DNSKEY Record" - The term is used, in this document, for a DNSKEY record that meets the following requirements:
- "Well Formed CDS Record" - The term is used, in this document, for a CDS record that meets the following requirements:
- It is a CDS record in apex.
- It uses hash digest 2 (SHA-256), see DNSSEC01.
- Its digest is a digest of a Well Formed DNSKEY Record.
- The CDS RRset has been signed by its DNSKEY and the RRSIG is valid.
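As an added example (not Zonemaster's code and not part of this specification), the following Python models the checks that separate the scenarios above and that underlie the "Well Formed CDS Record" definition: the key tag and the digest type 2 (SHA-256) digest of a DNSKEY, the Delete CDS form from RFC 8078, the Zone Key (bit 7) and SEP (bit 15) flags, and which key tags signed the CDS RRset. The DS16_* tag rules are an assumption derived for illustration from the scenario descriptions; RRSIG validity itself (DS16_CDS_INVALID_RRSIG, DS16_DNSKEY_NOT_SIGNED_BY_CDS) is not modeled, and the signer key tags are taken as given.

```python
# Added example, not Zonemaster's code; tag rules are an assumption for illustration.
import base64, hashlib, struct

def wire_name(name):  # canonical lowercase wire-format owner name (RFC 4034 s6.2)
    labels = [l for l in name.lower().strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def dnskey_rdata(flags, alg, pubkey_b64):  # flags, protocol 3, algorithm, key
    return struct.pack("!HBB", flags, 3, alg) + base64.b64decode(pubkey_b64)
def key_tag(rdata):  # RFC 4034 Appendix B
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF
def cds_digest(owner, rdata):  # digest type 2 (SHA-256) over owner name + RDATA
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

DELETE_CDS = (0, 0, 0, "00")  # "CDS 0 0 0 00", RFC 8078 section 4

def ds16_tags(owner, dnskeys, cds_set, cds_signers):
    """dnskeys: [(flags, alg, pubkey_b64)]; cds_set: [(keytag, alg, dtype, digest)];
    cds_signers: key tags named in the RRSIGs over the CDS RRset. Returns DS16_* tags."""
    tags = set()
    deletes = [c for c in cds_set if c == DELETE_CDS]
    if deletes and len(deletes) == len(cds_set):
        return {"DS16_DELETE_CDS"}
    if deletes:
        tags.add("DS16_MIXED_DELETE_CDS")
    if not dnskeys:
        return tags | {"DS16_CDS_WITHOUT_DNSKEY"}
    keys = {}  # key tag -> (flags, alg, expected SHA-256 digest)
    for flags, alg, pk in dnskeys:
        rd = dnskey_rdata(flags, alg, pk)
        keys[key_tag(rd)] = (flags, alg, cds_digest(owner, rd))
    if not cds_signers:
        tags.add("DS16_CDS_UNSIGNED")
    if any(t not in keys for t in cds_signers):
        tags.add("DS16_CDS_SIGNED_BY_UNKNOWN_DNSKEY")
    for cds in cds_set:
        if cds == DELETE_CDS:
            continue
        tag, alg, dtype, digest = cds
        k = keys.get(tag)
        if k is None or dtype != 2 or k[1] != alg or k[2] != digest.upper():
            tags.add("DS16_CDS_MATCHES_NO_DNSKEY")
        elif not k[0] & 0x0100:  # Zone Key flag (bit 7) unset: cannot sign anything
            tags.add("DS16_CDS_MATCHES_NON_ZONE_DNSKEY")
        else:
            if not k[0] & 0x0001:  # SEP flag (bit 15) unset
                tags.add("DS16_CDS_MATCHES_NON_SEP_DNSKEY")
            if tag not in cds_signers:
                tags.add("DS16_CDS_NOT_SIGNED_BY_CDS")
    return tags
```

The public keys used with it need only be valid base64; the digest and key tag are computed from whatever bytes they decode to, so constructed values such as "QUJDRA==" (the bytes of "ABCD") are enough to exercise every rule.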