DNSSEC02: DS must match a valid DNSKEY in the child zone

Test case identifier

DNSSEC02

Objective
Scope
Inputs
Summary
Test procedure
Outcome(s)
Special procedural requirements
Intercase dependencies
Terminology

Objective

DNS delegations from a parent to a child are secured with DNSSEC by publishing one or several Delegation Signer (DS) records in the parent zone, along with the NS records for the delegation.

For the secure delegation to work, at least one DS record must match a DNSKEY record in the child zone (RFC 4035, section 5). Each DS record should match a DNSKEY record in the child zone. More than one DS may match the same DNSKEY. The DNSKEY that the DS record refer to must be used to sign the DNSKEY RRset in the child zone (RFC 4035, section 5).

The DNSKEY record that the DS record refer to must have bit 7 ("Zone Key flag") set in the DNSKEY RR Flags (RFC 4034, section 5.2).

Bit 15 ("Secure Entry Point flag") on a DNSKEY record signals that it is meant to be a KSK and pointed out by a DS record. It is noted if the DNSKEY record that the DS points at does not have that flag set (RFC 4034, section 2.1.1).

Scope

This test case will just ignore non-responsive name servers or name servers not giving a correct DNS response for an authoritative name server (handled by Connectivity01).

If no DS record is found in the parent zone or no DNSKEY record is found in the Child Zone then this test case will be terminated (also see DNSSEC11).

This test case does not report if the parent servers are unresponsive or inconsistent.

Inputs

"Child Zone" - The domain name to be tested.
"Test Type" - The test type with value "undelegated" or "normal".
"Undelegated DS" - The DS record or records submitted (only if Test Type is undelegated).

Summary

Both DS record and DNSKEY record must be found, or else no further investigation will be done and no messages will be outputted.
No messages will be outputted due to errors in the responses from the parent name servers.

Message Tag outputted	Level	Arguments	Description of when message tag is outputted
DS02_ALGO_NOT_SUPPORTED_BY_ZM	NOTICE	ns_ip_list, algo_mnemo, algo_num, keytag	DNSKEY with tag {keytag} uses unsupported algorithm {algo_num} ({algo_mnemo}) by this installation of Zonemaster. Fetched from the nameservers with IP addresses "{ns_ip_list}".
DS02_DNSKEY_NOT_FOR_ZONE_SIGNING	ERROR	ns_ip_list, keytag	Flags field of DNSKEY record with tag {keytag} does not have ZONE bit set although DS with same tag is present in parent. Fetched from the nameservers with IP addresses "{ns_ip_list}".
DS02_DNSKEY_NOT_SEP	NOTICE	ns_ip_list, keytag	Flags field of DNSKEY record with tag {keytag} does not have SEP bit set although DS with same tag is present in parent. Fetched from the nameservers with IP addresses "{ns_ip_list}".
DS02_DNSKEY_NOT_SIGNED_BY_ANY_DS	ERROR	ns_ip_list	The DNSKEY RRset has not been signed by any DNSKEY matched by a DS record. Fetched from the nameservers with IP addresses "{ns_ip_list}".
DS02_NO_DNSKEY_FOR_DS	WARNING	ns_ip_list, keytag	The DNSKEY record with tag {keytag} that the DS refers to does not exist in the DNSKEY RRset. Fetched from the nameservers with IP "{ns_ip_list}".
DS02_NO_MATCHING_DNSKEY_RRSIG	WARNING	ns_ip_list, keytag	The DNSKEY RRset is not signed by the DNSKEY with tag {keytag} that the DS record refers to. Fetched from the nameservers with IP "{ns_ip_list}".
DS02_NO_MATCH_DS_DNSKEY	ERROR	ns_ip_list, keytag	The DS record does not match the DNSKEY with tag {keytag} by algorithm or digest. Fetched from the nameservers with IP "{ns_ip_list}".
DS02_NO_VALID_DNSKEY_FOR_ANY_DS	ERROR	ns_ip_list	There is no valid DNSKEY matched by any of the DS records. Fetched from the nameservers with IP addresses "{ns_ip_list}".
DS02_RRSIG_NOT_VALID_BY_DNSKEY	ERROR	ns_ip_list, keytag	The DNSKEY RRset is signed with an RRSIG with tag {keytag} which cannot be validated by the matching DNSKEY. Fetched from the nameservers with IP addresses "{ns_ip_list}".

The value in the Level column is the default severity level of the message. The severity level can be overridden in the Zonemaster-Engine profile. Also see the Severity Level Definitions document.

The argument names in the Arguments column lists the arguments used in the message. The argument names are defined in the argument list.

Test procedure

In this section and unless otherwise specified below, the term "DNSSEC Query" follows the specification for DNS queries as specified in DNS Query and Response Defaults. The handling of the DNS responses on the DNS queries follow, unless otherwise specified below, what is specified for DNSSEC Response in the same specification.

Create the following empty sets:
1. DS record RDATA ("DS Record").
2. Name server IP and key tag from DS record ("No DNSKEY for DS").
3. Name server IP and key tag from DS record ("No Match DS DNSKEY").
4. Name server IP and DNSKEY record key tag ("DNSKEY Not for Zone Signing").
5. Name server IP and DNSKEY record key tag ("DNSKEY not SEP").
6. Name server IP and DNSKEY record key tag ("No Matching DNSKEY RRSIG").
7. Name server IP address, DNSKEY record key tag and DNSKEY algorithm code ("Algo Not Supported By ZM").
8. Name server IP and key tag from RRSIG record ("RRSIG Not Valid by DNSKEY").
9. Name server IP ("Responding Child Name Servers").
10. DNSKEY record and key tag ("DNSKEY Matching DS").
11. Name server IP ("Has DNSKEY Match DS").
12. Name server IP ("Has DNSKEY RRSIG Match DS").
If the Test Type is "undelegated" do:
1. If Undelegated DS is empty then do terminate this test case.
2. Else add Undelegated DS as DS records to the DS Record set.
If Test Type is "normal", then:
1. Create a DNSSEC Query with query type DS and query name Child Zone ("DS Query").
2. Retrieve all name server IP addresses for the parent zone of Child Zone using Method1 (store as "Parent NS IP").
3. For each parent name server in Parent NS IP do:
  1. Send DS Query to the name server IP.
  2. If at least one of the following criteria is met, then go to next parent name server:
    1. There is no DNSSEC Response.
    2. The RCODE in the DNSSEC Response is not "NoError" (IANA RCODE List).
    3. The OPT record is absent in the DNSSEC Response.
    4. The DO flag is unset in the DNSSEC Response.
    5. The AA flag is not set in the DNSSEC Response.
    6. There is no DS record with matching owner name in the answer section of the DNSSEC Response.
  3. Retrieve the DS records from the DNSSEC Response and add them to the DS Record set.
4. If the DS Record set is empty exit this test case.
Create a DNSSEC Query with query type DNSKEY and query name Child Zone ("DNSKEY Query").
Obtain the set of child name server IP addresses using Method4 and Method5 (store as "Child NS IP").
For each child name server in Child NS IP do:
1. Send DNSKEY Query to the name server IP and collect the response.
2. If at least one of the following criteria is met, then go to next child name server:
  1. There is no DNSSEC Response.
  2. The RCODE in the DNSSEC Response is not "NoError" (IANA RCODE List).
  3. The OPT record is absent in the DNSSEC Response.
  4. The DO flag is unset in the DNSSEC Response.
  5. The AA flag is not set in the DNSSEC Response.
  6. There is no DNSKEY record with matching owner name in the answer section of the DNSSEC Response.
3. Add the name server IP address to the Responding Child Name Servers set.
4. Retrieve the DNSKEY RRset (store as "DNSKEY RRs") from the DNSSEC Response.
5. Retrieve the RRSIG records covering the DNSKEY RRset, possibly none (store as "DNSKEY RRSIG") from the DNSSEC Response.
6. Empty the DNSKEY Matching DS set.
7. For each DS in DS Records, do:
  1. Find the equivalent DNSKEY in DNSKEY RRs by key ID (key tag). If there is more than one such DNSKEY, select the correct one.
  2. If matching DNSKEY is not found add DS key tag and name server IP to the No DNSKEY for DS set and go to next DS.
  3. Verify if the Zonemaster installation has support for the digest algorithm that created the DS:
    1. If no support, then ignore the following test if the DS matches the DNSKEY.
    2. Else, if the DS values (algorithm and digest) do not match the DNSKEY record then add DS key tag and name server IP to the No Match DS DNSKEY set.
  4. If bit 7 of the DNSKEY flags field is unset (value 0), then do:
    1. Add DS key tag and name server IP to the DNSKEY Not for Zone Signing set.
    2. Go to next DS.
  5. If bit 15 of the DNSKEY flags field is unset (value 0), then add the DNSKEY record key tag and name server IP to the DNSKEY not SEP set.
  6. Add the DNSKEY record and key tag to the DNSKEY Matching DS set.
  7. Add the name server IP to the Has DNSKEY Match DS set.
8. For each DNSKEY in the DNSKEY Matching DS set, do:
  1. Look for an RRSIG record created by the DNSKEY in DNSKEY RRSIG.
    - Use key ID (key tag) to identify the corresponding RRSIG record.
    - If there is more than one such RRSIG record, select the correct one by verifying the signature against the DNSKEY.
  2. If a matching RRSIG is not found, add DNSKEY record key tag and name server IP to the No Matching DNSKEY RRSIG set.
  3. Else, if the Zonemaster installation does not have support for the DNSKEY algorithm that created the RRSIG, then add name server IP, DNSKEY algorithm and DNSKEY key tag to the Algo Not Supported By ZM set.
  4. Else, if the RRSIG values (algorithm and signature) do not match the DNSKEY then add the key tag from the RRSIG record and name server IP to the RRSIG Not Valid by DNSKEY set.
  5. Else add the name server IP address to the Has DNSKEY RRSIG Match DS set.
If the No DNSKEY for DS set is non-empty, then for each key tag from the DS record from the set output DS02_NO_DNSKEY_FOR_DS with the key tag and the name servers IP addresses from the set.
If the No Match DS DNSKEY set is non-empty, then for each key tag from the DS record from the set output DS02_NO_MATCH_DS_DNSKEY with the key tag and the name servers IP addresses from the set.
If the DNSKEY Not for Zone Signing set is non-empty, then for each DNSKEY key tag from the set output DS02_DNSKEY_NOT_FOR_ZONE_SIGNING with the key tag and the name servers IP addresses from the set.
If the DNSKEY not SEP set is non-empty, then for each DNSKEY key tag from the set output DS02_DNSKEY_NOT_SEP with the key tag and the name servers IP addresses from the set.
If the No Matching DNSKEY RRSIG set is non-empty, then for each DNSKEY key tag from the set output DS02_NO_MATCHING_DNSKEY_RRSIG with the key tag and the name servers IP addresses from the set.
If the Algo Not Supported By ZM set is non-empty, then output DS02_ALGO_NOT_SUPPORTED_BY_ZM for each DNSKEY key tag with the name server IP addresses, the key tag and the algorithm code from the set.
If the RRSIG Not Valid by DNSKEY set is non-empty, then for each key tag from the RRSIG record from the set output DS02_RRSIG_NOT_VALID_BY_DNSKEY with the key tag and the name servers IP addresses from the set.
Extract the name server IP addresses that are members of Responding Child Name Servers but are not members of Has DNSKEY Match DS set.
If the subset from previous step is non-empty, then output DS02_NO_VALID_DNSKEY_FOR_ANY_DS with the subset of name server IP addresses.
Else do:
1. Extract the name server IP addresses that are members of Responding Child Name Servers but are not members of Has DNSKEY RRSIG Match DS set.
2. If that subset is non-empty, then output DS02_DNSKEY_NOT_SIGNED_BY_ANY_DS with the subset of name server IP addresses.

Outcome(s)

The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.

The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.

In other cases, no message or only messages with severity level INFO or NOTICE, the outcome of this Test Case is "pass".