DNSSEC09: RRSIG(SOA) must be valid and created by a valid DNSKEY
Test case identifier
DNSSEC09
Table of contents
- Objective
- Scope
- Inputs
- Summary
- Test procedure
- Outcome(s)
- Special procedural requirements
- Intercase dependencies
- Terminology
Objective
If the zone is signed, the SOA RR should be signed with a valid RRSIG using a DNSKEY from the DNSKEY RR set. This is described in RFC 4035, section 2.2.
This test case will verify if the Child Zone meets that requirement.
Scope
It is assumed that Child Zone is tested and reported by Connectivity01. This test case will just ignore non-responsive name servers or name servers not giving a correct DNS response for an authoritative name server.
Inconsistencies in the SOA record are expected to be caught by Consistency01, Consistency02, Consistency03 and Consistency06.
Inconsistencies in the DNSKEY RRset are expected to be caught by DNSSEC08.
This test case is only relevant if the zone has been DNSSEC signed.
Inputs
- "Child Zone" - The domain name to be tested.
Summary
- If no DNSKEY records are found, then further investigation will not be done and no messages will be outputted.
| Message Tag outputted | Level | Arguments | Description of when message tag is outputted |
|---|---|---|---|
| DS09_ALGO_NOT_SUPPORTED_BY_ZM | NOTICE | ns_ip_list, algo_mnemo, algo_num, keytag | This installation of Zonemaster does not support the DNSKEY algorithm. |
| DS09_MISSING_RRSIG_IN_RESPONSE | ERROR | ns_ip_list | SOA is unsigned which is against expectation |
| DS09_NO_MATCHING_DNSKEY | ERROR | ns_ip_list, keytag | SOA is signed with an RRSIG that does not match any DNSKEY |
| DS09_RRSIG_NOT_VALID_BY_DNSKEY | ERROR | ns_ip_list, keytag | SOA is signed with an RRSIG that cannot be validated by the matching DNSKEY |
| DS09_SOA_RRSIG_EXPIRED | ERROR | ns_ip_list, keytag | SOA is signed with an RRSIG that has expired |
| DS09_SOA_RRSIG_NOT_YET_VALID | ERROR | ns_ip_list, keytag | SOA is signed with a not yet valid RRSIG |
The value in the Level column is the default severity level of the message. The severity level can be changed in the Zonemaster-Engine profile. Also see the Severity Level Definitions document.
The argument names in the Arguments column list the arguments used in the message. The argument names are defined in the argument list.
Test procedure
1. Create a DNSKEY query with DO flag set for Child Zone ("DNSKEY Query").
2. Create an SOA query with DO flag set for Child Zone ("SOA Query").
3. Retrieve all name server IP addresses for the Child Zone using Method4 and Method5 ("NS IP").
4. Create the following empty sets:
   - Name server IP address ("SOA without RRSIG").
   - Name server IP address and RRSIG key tag ("SOA RRSIG not yet valid").
   - Name server IP address and RRSIG key tag ("SOA RRSIG expired").
   - Name server IP address and RRSIG key tag ("No matching DNSKEY").
   - Name server IP address and RRSIG key tag ("RRSIG not valid by DNSKEY").
   - Name server IP address, DNSKEY record key tag and DNSKEY algorithm code ("Algo Not Supported By ZM").
5. For each name server IP address in NS IP do:
   - Send DNSKEY Query to the name server IP.
   - If at least one of the following criteria is met, then go to next name server IP:
     - There is no DNS response.
     - The RCODE of response is not "NoError" (IANA RCODE List).
     - The AA flag is not set in the response.
     - There is no DNSKEY record with matching owner name in the answer section.
   - Retrieve the DNSKEY records with matching owner name from the answer section (any DNSKEY records with non-matching owner name are ignored).
   - Send SOA Query over UDP to the name server IP.
   - If at least one of the following criteria is met, then go to next name server IP:
     - There is no DNS response.
     - The RCODE of response is not "NoError" (IANA RCODE List).
     - The AA flag is not set in the response.
     - There is no SOA record with matching owner name in the answer section.
   - Retrieve the SOA record with matching owner name and its RRSIG record.
   - Retrieve only one SOA record if there are multiple records. Any SOA records with non-matching owner name are ignored.
   - If there is no RRSIG for the SOA record, then add the name server IP address to the SOA without RRSIG set and go to next name server IP.
   - Else, for each SOA RRSIG record do:
     - If the RRSIG record start of validity is after the time of the test, then add name server IP and RRSIG key tag to the SOA RRSIG not yet valid set.
     - Else, if the RRSIG record end of validity is before the time of the test, then add name server IP and RRSIG key tag to the SOA RRSIG expired set.
     - Else, if the Zonemaster installation does not have support for the DNSKEY algorithm that created the RRSIG, then add name server IP, DNSKEY algorithm and DNSKEY key tag to the Algo Not Supported By ZM set.
     - Else, if the RRSIG does not match any DNSKEY, then add the name server IP and the RRSIG key tag to the No matching DNSKEY set.
     - Else, if the RRSIG cannot be validated by the matching DNSKEY record, then add the name server IP and the RRSIG key tag to the RRSIG not valid by DNSKEY set.
6. If the SOA without RRSIG set is non-empty, then output DS09_MISSING_RRSIG_IN_RESPONSE with the name server IP addresses from the set.
7. If the SOA RRSIG not yet valid set is non-empty, then for each RRSIG key tag from the set output DS09_SOA_RRSIG_NOT_YET_VALID with the key tag and the name server IP addresses from the set.
8. If the SOA RRSIG expired set is non-empty, then for each RRSIG key tag from the set output DS09_SOA_RRSIG_EXPIRED with the key tag and the name server IP addresses from the set.
9. If the No matching DNSKEY set is non-empty, then for each RRSIG key tag from the set output DS09_NO_MATCHING_DNSKEY with the key tag and the name server IP addresses from the set.
10. If the RRSIG not valid by DNSKEY set is non-empty, then for each RRSIG key tag from the set output DS09_RRSIG_NOT_VALID_BY_DNSKEY with the key tag and the name server IP addresses from the set.
11. If the Algo Not Supported By ZM set is non-empty, then output DS09_ALGO_NOT_SUPPORTED_BY_ZM for each DNSKEY key tag with the name server IP addresses, the key tag and the algorithm name and code from the set.
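The per-RRSIG classification of step 5 and the per-key-tag message output of steps 6 to 11, as an added Python example that is not part of the Zonemaster specification or engine. It assumes a caller-supplied `verify(rrsig, dnskey)` callback for the cryptographic signature check, a hypothetical set of supported algorithm numbers, and constructed key tags and name server IP addresses.

```python
from collections import namedtuple
DNSKEY = namedtuple("DNSKEY", "keytag algorithm")
RRSIG = namedtuple("RRSIG", "keytag algorithm inception expiration")  # epoch seconds

# Assumption: algorithm numbers this hypothetical installation can validate.
SUPPORTED_ALGORITHMS = frozenset({8, 13, 14, 15})
MESSAGE_FOR = {  # result set name -> message tag emitted for it (steps 6 to 11)
    "SOA without RRSIG": "DS09_MISSING_RRSIG_IN_RESPONSE",
    "SOA RRSIG not yet valid": "DS09_SOA_RRSIG_NOT_YET_VALID",
    "SOA RRSIG expired": "DS09_SOA_RRSIG_EXPIRED",
    "Algo Not Supported By ZM": "DS09_ALGO_NOT_SUPPORTED_BY_ZM",
    "No matching DNSKEY": "DS09_NO_MATCHING_DNSKEY",
    "RRSIG not valid by DNSKEY": "DS09_RRSIG_NOT_VALID_BY_DNSKEY",
}

def classify_soa_rrsigs(ns_ip, dnskeys, soa_rrsigs, now, verify,
                        supported=SUPPORTED_ALGORITHMS):
    """Step 5 for one name server; verify(rrsig, dnskey) -> bool is the caller's crypto check."""
    sets = {name: set() for name in MESSAGE_FOR}
    if not soa_rrsigs:
        sets["SOA without RRSIG"].add((ns_ip,))
        return sets
    for sig in soa_rrsigs:  # checks are applied in the order the procedure lists them
        if sig.inception > now:
            sets["SOA RRSIG not yet valid"].add((ns_ip, sig.keytag))
        elif sig.expiration < now:
            sets["SOA RRSIG expired"].add((ns_ip, sig.keytag))
        elif sig.algorithm not in supported:
            sets["Algo Not Supported By ZM"].add((ns_ip, sig.keytag, sig.algorithm))
        else:
            # A DNSKEY matches the RRSIG only when key tag and algorithm both agree.
            keys = [k for k in dnskeys
                    if (k.keytag, k.algorithm) == (sig.keytag, sig.algorithm)]
            if not keys:
                sets["No matching DNSKEY"].add((ns_ip, sig.keytag))
            elif not any(verify(sig, k) for k in keys):
                sets["RRSIG not valid by DNSKEY"].add((ns_ip, sig.keytag))
    return sets

def emit_messages(*per_ns_sets):
    """Steps 6 to 11: merge per-name-server sets; one (tag, key fields, ns_ip_list) per key."""
    messages = []
    for name, tag in MESSAGE_FOR.items():
        by_key = {}
        for entry in (e for s in per_ns_sets for e in s[name]):
            by_key.setdefault(entry[1:], set()).add(entry[0])
        for key, ips in sorted(by_key.items()):
            messages.append((tag, key, sorted(ips)))
    return messages
```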
Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.
The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.
In other cases (no message, or only messages with severity level INFO or NOTICE), the outcome of this Test Case is "pass".
Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the result of any test using this transport protocol. Log a message reporting on the ignored result.
See the DNSSEC README document about DNSSEC algorithms.
Intercase dependencies
None.
Terminology
No special terminology for this test case.