CONNECTIVITY02: TCP connectivity to name servers

Test case identifier

CONNECTIVITY02

Objective

TCP is a mandatory transport for reaching a general-purpose name server hosting a zone: "All general-purpose DNS implementations MUST support [...] TCP transport" (RFC 7766, section 5).

This Test Case will verify if the name servers of Child Zone are reachable over TCP. The name servers tested are both those in the delegation of Child Zone and those in the NS records in the Child Zone itself.

This Test Case will mimic the tests done by Connectivity01, but over TCP instead:

  • Name Server responding to a query.
  • Name Server including SOA record of Child Zone in the answer section in the response on a SOA query for Child Zone.
  • Name Server including NS record of Child Zone in the answer section in the response on an NS query for Child Zone.
  • Name Server setting the AA flag in a response with SOA or NS in answer section.
  • Name Server responding with expected RCODE Name ("NoError") on query for SOA or NS for Child Zone.

Scope

The only TCP port defined for DNS is port 53 (RFC 1035, section 4.2.1), and that is the only port used by this and other Test Cases for DNS queries to the name servers.

UDP connectivity is tested by Test Case Connectivity01.

Inputs

  • "Child Zone" - The domain name to be tested.

Summary

Message Tag | Level | Arguments | Message ID for message tag
CN02_MISSING_NS_RECORD_TCP | WARNING | ns | Nameserver {ns} responds to a NS query with no NS records in the answer section over TCP.
CN02_MISSING_SOA_RECORD_TCP | WARNING | ns | Nameserver {ns} responds to a SOA query with no SOA records in the answer section over TCP.
CN02_NO_RESPONSE_NS_QUERY_TCP | WARNING | ns | Nameserver {ns} does not respond to NS queries over TCP.
CN02_NO_RESPONSE_SOA_QUERY_TCP | WARNING | ns | Nameserver {ns} does not respond to SOA queries over TCP.
CN02_NO_RESPONSE_TCP | WARNING | ns | Nameserver {ns} does not respond to any queries over TCP.
CN02_NS_RECORD_NOT_AA_TCP | WARNING | ns | Nameserver {ns} does not give an authoritative response on an NS query over TCP.
CN02_SOA_RECORD_NOT_AA_TCP | WARNING | ns | Nameserver {ns} does not give an authoritative response on an SOA query over TCP.
CN02_UNEXPECTED_RCODE_NS_QUERY_TCP | WARNING | ns, rcode | Nameserver {ns} responds with an unexpected RCODE ({rcode}) on an NS query over TCP.
CN02_UNEXPECTED_RCODE_SOA_QUERY_TCP | WARNING | ns, rcode | Nameserver {ns} responds with an unexpected RCODE ({rcode}) on an SOA query over TCP.
CN02_WRONG_NS_RECORD_TCP | WARNING | ns, domain_found, domain_expected | Nameserver {ns} responds with a wrong owner name ({domain_found} instead of {domain_expected}) on NS queries over TCP.
CN02_WRONG_SOA_RECORD_TCP | WARNING | ns, domain_found, domain_expected | Nameserver {ns} responds with a wrong owner name ({domain_found} instead of {domain_expected}) on SOA queries over TCP.

The value in the Level column is the default severity level of the message. The severity level can be changed in the Zonemaster-Engine profile. Also see the Severity Level Definitions document.

The argument names in the Arguments column list the arguments used in the message. The argument names are defined in the argument list.

Test procedure

In this section, and unless otherwise specified below, the term "DNS Query" follows the specification for DNS queries given in DNS Query and Response Defaults. The handling of the DNS responses to those DNS queries follows, unless otherwise specified below, what is specified for DNS Response in the same specification.

  1. Create DNS Queries:

    1. Query type SOA and query name Child Zone over TCP ("SOA Query TCP").
    2. Query type NS and query name Child Zone over TCP ("NS Query TCP").
  2. Obtain the set of name server IP addresses using Method4 and Method5 ("Name Server IP").

  3. For each name server in Name Server IP do:

    1. Send SOA Query TCP and NS Query TCP to the name server and collect the DNS Responses.
    2. If there is no DNS response on either query, then:
      1. Output CN02_NO_RESPONSE_TCP with name and IP address of the name server.
      2. Go to next name server.
    3. Else:
      1. Process the response on SOA Query TCP:
        1. If there is no DNS response, then output CN02_NO_RESPONSE_SOA_QUERY_TCP with name and IP address of the name server.
        2. Else, if RCODE Name is not "NoError" then output CN02_UNEXPECTED_RCODE_SOA_QUERY_TCP with RCODE Name and name and IP address of the name server.
        3. Else, if there is no SOA record in the answer section, then output CN02_MISSING_SOA_RECORD_TCP with name and IP address of the name server.
        4. Else, if the SOA record has an owner name other than Child Zone, then output CN02_WRONG_SOA_RECORD_TCP with name and IP address of the name server, the SOA record owner name and Child Zone.
        5. Else, if AA flag is unset, then output CN02_SOA_RECORD_NOT_AA_TCP with name and IP address of the name server.
      2. Process the response on NS Query TCP:
        1. If there is no DNS Response, then output CN02_NO_RESPONSE_NS_QUERY_TCP with name and IP address of the name server.
        2. Else, if RCODE Name is not "NoError" then output CN02_UNEXPECTED_RCODE_NS_QUERY_TCP with RCODE Name and name and IP address of the name server.
        3. Else, if there is no NS record in the answer section, then output CN02_MISSING_NS_RECORD_TCP with name and IP address of the name server.
        4. Else, if the NS record has an owner name other than Child Zone, then output CN02_WRONG_NS_RECORD_TCP with name and IP address of the name server, the NS record owner name and Child Zone.
        5. Else, if AA flag is unset, then output CN02_NS_RECORD_NOT_AA_TCP with name and IP address of the name server.
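The evaluation part of step 3 above, and the outcome mapping from the Outcome(s) section, written out as an added example (not Zonemaster-Engine's own code). The actual TCP transport to port 53 is out of scope here: responses are modelled by a small constructed Response class, the name server is identified by an assumed "name/IP" label, and owner names are compared case-insensitively ignoring the trailing dot (an assumption the page does not state).

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal model of one TCP DNS response (constructed, not a wire message)."""
    rcode: str   # RCODE Name, e.g. "NoError" or "NXDOMAIN"
    aa: bool     # AA (Authoritative Answer) flag
    answer: list = field(default_factory=list)  # (owner name, RR type) tuples

def _norm(name):
    # Owner names compare case-insensitively; trailing dot ignored (assumption).
    return name.lower().rstrip(".")

def check_query(qtype, resp, ns, child_zone):
    """Steps 3.3.1 / 3.3.2 for one query type ("SOA" or "NS"): the first failing
    check yields (message tag, arguments); a clean response yields None."""
    if resp is None:
        return (f"CN02_NO_RESPONSE_{qtype}_QUERY_TCP", {"ns": ns})
    if resp.rcode != "NoError":
        return (f"CN02_UNEXPECTED_RCODE_{qtype}_QUERY_TCP",
                {"ns": ns, "rcode": resp.rcode})
    owners = [owner for owner, rtype in resp.answer if rtype == qtype]
    if not owners:
        return (f"CN02_MISSING_{qtype}_RECORD_TCP", {"ns": ns})
    if _norm(owners[0]) != _norm(child_zone):
        return (f"CN02_WRONG_{qtype}_RECORD_TCP",
                {"ns": ns, "domain_found": owners[0], "domain_expected": child_zone})
    if not resp.aa:
        return (f"CN02_{qtype}_RECORD_NOT_AA_TCP", {"ns": ns})
    return None

def evaluate_name_server(ns, soa_resp, ns_resp, child_zone):
    """Step 3 for one name server (ns is a "name/IP" label, assumed format); soa_resp
    and ns_resp are the responses to SOA/NS Query TCP, or None for no response."""
    if soa_resp is None and ns_resp is None:
        return [("CN02_NO_RESPONSE_TCP", {"ns": ns})]
    messages = []
    for qtype, resp in (("SOA", soa_resp), ("NS", ns_resp)):
        msg = check_query(qtype, resp, ns, child_zone)
        if msg is not None:
            messages.append(msg)
    return messages

def outcome(messages, levels=None):
    """Outcome(s) section. Every CN02 tag defaults to WARNING; `levels` models a
    profile override of the form {tag: "ERROR"} (assumed shape)."""
    severities = {(levels or {}).get(tag, "WARNING") for tag, _ in messages}
    if severities & {"ERROR", "CRITICAL"}:
        return "fail"
    return "warning" if "WARNING" in severities else "pass"
```

Because a server that answers the SOA query but ignores the NS query yields one message per failing check, a single name server can contribute several tags in one run.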

Outcome(s)

The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.

The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.

In all other cases (no message at all, or only messages with severity level INFO or NOTICE), the outcome of this Test Case is "pass".

Special procedural requirements

If either IPv4 or IPv6 transport is disabled, skip sending queries over that transport protocol.

Intercase dependencies

None.

Terminology

No special terminology for this Test Case.