CONNECTIVITY03: AS Diversity
Test case identifier
CONNECTIVITY03
Objective
The objective of this test is to verify that all IP addresses of the domain's authoritative name servers are announced from different ASNs (autonomous system numbers). See RFC 1930 and Wikipedia for an explanation of AS (autonomous system).
This test is done separately on IPv4 and IPv6, and both must match the criterion.
RFC 2182, section 3.1, clearly specifies that distinct authoritative name servers for a child domain should be placed in different topological and geographical locations. The objective is to minimise the likelihood of a single failure disabling all of them.
Inputs
- "Child Zone" - The domain name to be tested.
- "ASN Database" - The database of ASN data to be used. Possible values are "RIPE" and "Cymru" (the default value).
- "Cymru Base Name" - If the ASN Database is "Cymru", the default value is "asnlookup.zonemaster.net".
- "Ris Whois Server" - If the ASN Database is "RIPE", the default value is "riswhois.ripe.net".
Ordered description of steps to be taken to execute the test case
1. Obtain the total set of IP addresses of the name servers for the Child Zone using Method4 and Method5 and split those IP addresses into one set of IPv4 addresses ("NS IPv4") and one set of IPv6 addresses ("NS IPv6"). (One of the two sets may be empty.)
2. For each IP address in the set NS IPv4 and NS IPv6, respectively, determine the ASN set announcing the IP address using either the Cymru database or the RIPE database as described in separate sections below. Create two sets of ASN data ("NS IPv4 ASN" and "NS IPv6 ASN", respectively).
3. Analyze the NS IPv4 ASN set:
   - If NS IPv4 ASN is empty (no IPv4 address) do nothing.
   - Else, if all IPv4 addresses are announced from one and the same ASN, output IPV4_ONE_ASN.
   - Else, if all IPv4 addresses are announced from the same set of multiple ASNs, output IPV4_SAME_ASN.
   - Else, output IPV4_DIFFERENT_ASN.
4. Analyze the NS IPv6 ASN set:
   - If NS IPv6 ASN is empty (no IPv6 address) do nothing.
   - Else, if all IPv6 addresses are announced from one and the same ASN, output IPV6_ONE_ASN.
   - Else, if all IPv6 addresses are announced from the same set of multiple ASNs, output IPV6_SAME_ASN.
   - Else, output IPV6_DIFFERENT_ASN.
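The classification in steps 3 and 4, written out as an added Python example (this is not Zonemaster's own implementation). It assumes that every address has already been resolved to a non-empty set of ASNs, and that addresses whose lookup produced no ASN set (EMPTY_ASN_SET or ERROR_ASN_DATABASE) have been left out of the input; the sample addresses and ASNs are constructed from documentation ranges.

```python
"""Classification of the NS IPv4 ASN / NS IPv6 ASN sets (steps 3 and 4).

Added example, not Zonemaster's code.  Input: a map from name-server address
to the frozenset of ASNs announcing it; addresses without an ASN set are
assumed to have been excluded beforehand.
"""
import ipaddress


def split_by_family(ips):
    """Step 1: split name-server addresses into NS IPv4 and NS IPv6."""
    v4 = [ip for ip in ips if ipaddress.ip_address(ip).version == 4]
    v6 = [ip for ip in ips if ipaddress.ip_address(ip).version == 6]
    return v4, v6


def classify_asn_sets(asn_by_ip, family):
    """Return the message for one family ("IPV4" or "IPV6"), or None.

    asn_by_ip maps each address of that family to its frozenset of ASNs.
    """
    if not asn_by_ip:
        return None  # no address in this family: nothing to report
    distinct_sets = set(asn_by_ip.values())
    if len(distinct_sets) == 1:  # every address is announced from the same ASN set
        (only,) = distinct_sets
        if len(only) == 1:
            return f"{family}_ONE_ASN"      # one and the same ASN
        return f"{family}_SAME_ASN"         # same set of multiple ASNs
    return f"{family}_DIFFERENT_ASN"        # at least one address differs


def connectivity03(asn_by_ip):
    """Run both analyses and return the list of messages produced."""
    v4, v6 = split_by_family(asn_by_ip)
    messages = []
    for family, ips in (("IPV4", v4), ("IPV6", v6)):
        msg = classify_asn_sets({ip: asn_by_ip[ip] for ip in ips}, family)
        if msg:
            messages.append(msg)
    return messages


if __name__ == "__main__":
    # Constructed sample: both IPv4 servers sit in AS64496, the IPv6 servers
    # are spread over AS64496 and AS64497 (documentation ASNs, RFC 5398).
    sample = {
        "192.0.2.1": frozenset({64496}),
        "192.0.2.2": frozenset({64496}),
        "2001:db8::1": frozenset({64496}),
        "2001:db8:1::1": frozenset({64497}),
    }
    print(connectivity03(sample))
```

Note that a zone with a single name server per family is reported as ONE_ASN rather than DIFFERENT_ASN, which is the literal reading of "all addresses are announced from one and the same ASN"; the severity table below rates that as a WARNING, which is the point of the test: one AS is one failure domain.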
Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.
The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.
In other cases the outcome of this Test Case is "pass".
| Message | Default severity level |
|---|---|
| EMPTY_ASN_SET | NOTICE |
| ERROR_ASN_DATABASE | NOTICE |
| IPV4_ONE_ASN | WARNING |
| IPV4_SAME_ASN | NOTICE |
| IPV4_DIFFERENT_ASN | INFO |
| IPV6_ONE_ASN | WARNING |
| IPV6_SAME_ASN | NOTICE |
| IPV6_DIFFERENT_ASN | INFO |
Special procedural requirements
This test case is dependent on one of two possible services that can provide ASN lookup, RIPE or Cymru. The service must be available over the network.
Cymru ASN lookup
The Cymru lookup method is described on the Team Cymru IP to ASN Mapping page (the DNS lookup variant), but the default data comes from bgp.tools (Port 179 Ltd in England and Wales) and is continuously being mapped into asnlookup.zonemaster.net by the Zonemaster project. Data is fetched from https://bgp.tools/table.txt. The Cymru source can also be used, if requested.
1. Prepend the Cymru Base Name with the label "origin" (IPv4) or "origin6" (IPv6). Examples of expanded base names ("expanded base name"):
   origin.asnlookup.zonemaster.net
   origin6.asnlookup.zonemaster.net
2. Reverse the IP address with the same method as is used for reverse lookup. For a description see RFC 1035, section 3.5, for IPv4 and RFC 3596, section 2.5, for IPv6.
3. Prepend the expanded base name with the reversed IP address. For a description see IP to ASN Mapping.
4. Send a DNS query for the TXT record of the full name created in step 3.
5. If either the DNS response has RCODE "NXDOMAIN", or the DNS response has RCODE "NOERROR" but an empty answer section, output EMPTY_ASN_SET and end these steps for the Cymru look-up of the specific IP address.
6. If there is no response (timeout) or the DNS response does not have the RCODE "NOERROR", output ERROR_ASN_DATABASE and end these steps for the Cymru look-up of the specific IP address.
7. The expected response is a non-empty string in the TXT record or records. See IP to ASN Mapping for examples.
8. Do the following:
   - Split the string or strings into fields.
   - If there are multiple strings (TXT records), ignore all strings except the string with the most specific subnet.
   - Extract the ASN or ASNs.
   - If it was not possible to extract the ASN or ASNs, output ERROR_ASN_DATABASE and end these steps for the Cymru look-up of the specific IP address (the response was malformed).
9. Create the ASN set, for the IP address, from the ASN or ASNs from the steps above and use it for the further processing.
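The name construction (steps 1 to 3) and the response handling (steps 5 to 9) above, as an added Python example that is not part of Zonemaster. It assumes the TXT string layout documented by Team Cymru, "ASN [ASN ...] | prefix | country | registry | allocated", and does not itself send the DNS query: the response is passed in as an RCODE name (None for a timeout) plus the list of TXT strings from the answer section. The sample answers are constructed, using documentation prefixes and ASNs.

```python
"""Cymru-style ASN lookup: query-name construction and TXT answer parsing.

Added example, not Zonemaster's code.  The TXT layout "ASN [ASN ...] | prefix
| ..." is the one documented by Team Cymru; the sample data is constructed.
"""
import ipaddress

CYMRU_BASE_NAME = "asnlookup.zonemaster.net"  # default "Cymru Base Name"


def reverse_ip(ip: str) -> str:
    """Step 2: reverse the address as for PTR lookups (RFC 1035 3.5, RFC 3596 2.5)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(addr.exploded.split(".")))
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles))


def lookup_name(ip: str, base_name: str = CYMRU_BASE_NAME) -> str:
    """Steps 1 and 3: reversed IP + "origin"/"origin6" + base name."""
    label = "origin" if ipaddress.ip_address(ip).version == 4 else "origin6"
    return f"{reverse_ip(ip)}.{label}.{base_name}"


def asn_set_from_response(rcode, txt_strings):
    """Steps 5 to 9 applied to one DNS response.

    rcode is the RCODE name ("NOERROR", "NXDOMAIN", ...) or None on timeout;
    txt_strings is the list of TXT strings in the answer section.
    Returns (message, asn_set): message is "EMPTY_ASN_SET" or
    "ERROR_ASN_DATABASE" (asn_set None), or None on success.
    """
    # Step 5: NXDOMAIN, or NOERROR with an empty answer section
    if rcode == "NXDOMAIN" or (rcode == "NOERROR" and not txt_strings):
        return "EMPTY_ASN_SET", None
    # Step 6: timeout or any other RCODE than NOERROR
    if rcode != "NOERROR":
        return "ERROR_ASN_DATABASE", None
    # Step 8: split each string into fields and keep the most specific prefix
    best = None  # (prefix length, frozenset of ASNs)
    for s in txt_strings:
        fields = [f.strip() for f in s.split("|")]
        if len(fields) < 2:
            return "ERROR_ASN_DATABASE", None  # malformed: too few fields
        try:
            asns = frozenset(int(a) for a in fields[0].split())
            prefix = ipaddress.ip_network(fields[1], strict=False)
        except ValueError:
            return "ERROR_ASN_DATABASE", None  # malformed ASN or prefix
        if not asns:
            return "ERROR_ASN_DATABASE", None  # no ASN in the first field
        if best is None or prefix.prefixlen > best[0]:
            best = (prefix.prefixlen, asns)
    # Step 9: the ASN set for this address
    return None, best[1]


if __name__ == "__main__":
    print(lookup_name("192.0.2.10"))
    print(lookup_name("2001:db8::1"))
    # Constructed answer with two TXT strings; the /24 is more specific
    # than the /16, so only its ASNs (64496 and 64497) are kept.
    sample = [
        "64500 | 192.0.0.0/16 | XX | test | 2000-01-01",
        "64496 64497 | 192.0.2.0/24 | XX | test | 2000-01-01",
    ]
    print(asn_set_from_response("NOERROR", sample))
```

The ordering of steps 5 and 6 matters: an NXDOMAIN answer is a valid statement that no prefix covers the address and is reported as EMPTY_ASN_SET, while SERVFAIL, REFUSED or a timeout say nothing about the address and are reported as ERROR_ASN_DATABASE.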
RIPE ASN lookup
The RIPE ASN lookup is described on the RIPE RISwhois page.
1. Construct a query string by prepending the IP address with " -F -M ". Using "192.0.2.10" as an example, the query string will be the following (the leading space is intentional):
   " -F -M 192.0.2.10"
2. Send the query string to the Ris Whois Server on port 43 with the nicname (whois) protocol. Example of a command line command on unix:
   whois -h riswhois.ripe.net " -F -M 192.0.2.10"
3. Do the following:
   - A non-empty line not prefixed with "%" is the line holding the data string (there is zero or one such line).
   - Check whether there is no data string (empty reply). If so, output EMPTY_ASN_SET and end these steps for the RIPE look-up of the specific IP address.
   - If there is no response from the Ris Whois Server, output ERROR_ASN_DATABASE and end these steps for the RIPE look-up of the specific IP address.
   - The first field holds the ASN or list of ASNs. Split that into ASNs.
   - If it was not possible to extract the ASN or ASNs, output ERROR_ASN_DATABASE and end these steps (the response was malformed).
4. Create the ASN set, for the IP address, from the ASN or ASNs from the steps above and use it for the further processing.
Intercase dependencies
None