DNSSEC10: Zone contains NSEC or NSEC3 records

Test case identifier

DNSSEC10

Table of contents

Objective

When DNSSEC is enabled, NSEC or NSEC3 records provide a secure denial of existence for records not present in the zone. This Test Case verifies that correct NSEC or NSEC3 records with valid signatures are returned for a query for an RR type that does not exist for that specific name (node in the DNS tree). The existing RR types are listed in the IANA RR Type List.

Furthermore, it is verified that the name servers for the zone are consistent about NSEC and NSEC3, i.e. either all servers should use NSEC or all servers should use NSEC3. It is never permitted to serve both NSEC and NSEC3 for the same zone.

The NSEC3PARAM RR that must exist in the zone (in apex, and apex only) if NSEC3 is used, but must not exist in a zone using NSEC.

The use of the NSEC RR type is described in RFC 4035, section 3.1.3, and the description of the NSEC RR itself is in RFC 4034, section 4.

The description of the NSEC3 and NSEC3PARAM RRs are found in RFC 5155, section 3, and RFC 5155, section 4, respectively. The use of NSEC3 in the DNS response is described in RFC 5155, section 7.2.

Scope

This test case will just ignore non-responsive name servers or name servers not giving a correct DNS response for an authoritative name server (covered by Connectivity01).

This test case is only relevant if the zone has been DNSSEC signed.

Inputs

  • "Child Zone" - The domain name to be tested.

Summary

  • If no DNSKEY records are found, then further investigation will not be done and no messages will be outputted.
Message Tag outputtedLevelArgumentsMessage ID for message tag
DS10_ALGO_NOT_SUPPORTED_BY_ZMNOTICEns_list, algo_mnemo, algo_num, keytagDNSKEY with tag {keytag} uses unsupported algorithm {algo_num} ({algo_mnemo}) by this installation of Zonemaster. Fetched from name servers "{ns_list}".
DS10_ERR_MULT_NSECERRORns_listMultiple NSEC records when one is expected. Fetched from name servers "{ns_list}".
DS10_ERR_MULT_NSEC3ERRORns_listMultiple NSEC3 records when one is expected. Fetched from name servers "{ns_list}".
DS10_ERR_MULT_NSEC3PARAMERRORns_listMultiple NSEC3PARAM records when one is expected. Fetched from name servers "{ns_list}".
DS10_EXPECTED_NSEC_NSEC3_MISSINGERRORns_listThe server responded with DNSKEY but not with expected NSEC or NSEC3. Fetched from name servers "{ns_list}".
DS10_HAS_NSECINFOns_listThe zone has NSEC records. Fetched from name servers "{ns_list}".
DS10_HAS_NSEC3INFOns_listThe zone has NSEC3 records. Fetched from name servers "{ns_list}".
DS10_INCONSISTENT_NSECERRORns_listInconsistent responses from zone with NSEC. Fetched from name servers "{ns_list}".
DS10_INCONSISTENT_NSEC3ERRORns_listInconsistent responses from zone with NSEC3. Fetched from name servers "{ns_list}".
DS10_INCONSISTENT_NSEC_NSEC3ERRORns_list_nsec, ns_list_nsec3The zone is inconsistent on NSEC and NSEC3. NSEC is fetched from name servers "{ns_list_nsec}". NSEC3 is fetched from name servers "{ns_list_nsec3}".
DS10_MIXED_NSEC_NSEC3ERRORns_listThe zone responds with both NSEC and NSEC3, where only one of them is expected. Fetched from name servers "{ns_list}".
DS10_NSEC3PARAM_GIVES_ERR_ANSWERERRORns_listUnexpected DNS record in the answer section on an NSEC3PARAM query. Fetched from name servers "{ns_list}".
DS10_NSEC3PARAM_MISMATCHES_APEXERRORns_listThe returned NSEC3PARAM record has an unexpected non-apex owner name. Fetched from name servers "{ns_list}".
DS10_NSEC3PARAM_QUERY_RESPONSE_ERRERRORns_listNo response or error in response on query for NSEC3PARAM. Fetched from name servers "{ns_list}".
DS10_NSEC3_ERR_TYPE_LISTERRORns_listNSEC3 record for the zone apex with incorrect type list. Fetched from name servers "{ns_list}".
DS10_NSEC3_MISMATCHES_APEXERRORns_listThe returned NSEC3 record unexpectedly does not match the zone name. Fetched from name servers "{ns_list}".
DS10_NSEC3_MISSING_SIGNATUREERRORns_listMissing RRSIG (signature) for the NSEC3 record or records. Fetched from name servers "{ns_list}".
DS10_NSEC3_NODATA_MISSING_SOAERRORns_listMissing SOA record in NODATA response with NSEC3. Fetched from name servers "{ns_list}".
DS10_NSEC3_NODATA_WRONG_SOAERRORns_list, domainWrong owner name ("{domain}") on SOA record in NODATA response with NSEC3. Fetched from name servers "{ns_list}".
DS10_NSEC3_NO_VERIFIED_SIGNATUREERRORns_listThe RRSIG (signature) for the NSEC3 record cannot be verified. Fetched from name servers "{ns_list}".
DS10_NSEC3_RRSIG_EXPIREDERRORns_list, keytagThe RRSIG (signature) with tag {keytag} for the NSEC3 record has expired. Fetched from name servers "{ns_list}".
DS10_NSEC3_RRSIG_NOT_YET_VALIDERRORns_list, keytagThe RRSIG (signature) with tag {keytag} for the NSEC3 record it not yet valid. Fetched from name servers "{ns_list}".
DS10_NSEC3_RRSIG_NO_DNSKEYWARNINGns_list, keytagThere is no DNSKEY record matching the RRSIG (signature) with tag {keytag} for the NSEC3 record. Fetched from name servers "{ns_list}".
DS10_NSEC3_RRSIG_VERIFY_ERRORERRORns_list, keytagThe RRSIG (signature) with tag {keytag} for the NSEC3 record cannot be verified. Fetched from name servers "{ns_list}".
DS10_NSEC_ERR_TYPE_LISTERRORns_listNSEC record for the zone apex with incorrect type list. Fetched from name servers "{ns_list}".
DS10_NSEC_GIVES_ERR_ANSWERERRORns_listUnexpected DNS record in the answer section on an NSEC query. Fetched from name servers "{ns_list}".
DS10_NSEC_MISMATCHES_APEXERRORns_listThe returned NSEC record has an unexpected non-apex owner name. Fetched from name servers "{ns_list}".
DS10_NSEC_MISSING_SIGNATUREERRORns_listMissing RRSIG (signature) for the NSEC record or records. Fetched from name servers "{ns_list}".
DS10_NSEC_NODATA_MISSING_SOAERRORns_listMissing SOA record in NODATA response with NSEC. Fetched from name servers "{ns_list}".
DS10_NSEC_NODATA_WRONG_SOAERRORns_list, domainWrong owner name ("{domain}") on SOA record in NODATA response with NSEC. Fetched from name servers "{ns_list}".
DS10_NSEC_NO_VERIFIED_SIGNATUREERRORns_listThere is no RRSIG (signature) for the NSEC record that can be verified. Fetched from name servers "{ns_list}".
DS10_NSEC_QUERY_RESPONSE_ERRERRORns_listNo response or error in response on query for NSEC. Fetched from name servers "{ns_list}".
DS10_NSEC_RRSIG_EXPIREDERRORns_list, keytagThe RRSIG (signature) with tag {keytag} for the NSEC record has expired. Fetched from name servers "{ns_list}".
DS10_NSEC_RRSIG_NOT_YET_VALIDERRORns_list, keytagThe RRSIG (signature) with tag {keytag} for the NSEC record it not yet valid. Fetched from name servers "{ns_list}".
DS10_NSEC_RRSIG_NO_DNSKEYWARNINGns_list, keytagThere is no DNSKEY record matching the RRSIG (signature) with tag {keytag} for the NSEC record. Fetched from name servers "{ns_list}".
DS10_NSEC_RRSIG_VERIFY_ERRORERRORns_list, keytagThe RRSIG (signature) with tag {keytag} for the NSEC record cannot be verified. Fetched from name servers "{ns_list}".
DS10_SERVER_NO_DNSSECERRORns_listThe following name servers do not support DNSSEC or have not been properly configured. Testing for NSEC and NSEC3 has been skipped on these servers. Fetched from name servers "{ns_list}".
DS10_ZONE_NO_DNSSECNOTICEns_listThe zone is not DNSSEC signed or not properly DNSSEC signed. Testing for NSEC and NSEC3 has been skipped. Fetched from name servers "{ns_list}".

The value in the Level column is the default severity level of the message. The severity level can be changed in the Zonemaster-Engine profile. Also see the Severity Level Definitions document.

The argument names in the Arguments column lists the arguments used in the message. The argument names are defined in the argument list.

The name server names are assumed to be available at the time when the msgid is created, if the argument name is "ns" or "ns_list" even when in the "Test procedure" below it is only referred to the IP address of the name servers.

For the Zonemaster definition of the mnemonics for DNSKEY algorithms, see the algorithm table in the "Objective" section in DNSSEC05.

Comments on mixing of NSEC and NSEC3

In section "Test procedure" below, if the server returns an NSEC record (either in the answer section when querying for NSEC or on the authority section when querying for NSEC3PARAM) it is considered to be "NSEC type" for the zone.

If the server returns an NSEC3PARAM record in the answer section when querying for it or an NSEC3 record in the authority section when querying for NSEC, it is considered to be "NSEC3 type" for the zone.

DS10_MIXED_NSEC_NSEC3 means that one or several name servers have been identified as both "NSEC type" and "NSEC3 type".

DS10_INCONSISTENT_NSEC_NSEC3 means that some name servers are non-mixed "NSEC type" and others are non-mixed "NSEC3 type" for the same zone.

Test procedure

In this section and unless otherwise specified below, the term "DNSSEC Query" follow the specification for DNS queries as specified in DNS Query and Response Defaults. The handling of the DNS responses on the DNS queries follow, unless otherwise specified below, what is specified for DNSSEC Response in the same specification.

A complete list of all DNS Resource Record types can be found in the IANA RR Type List.

  1. Create a DNSSEC Query with query type DNSKEY and query name Child Zone ("DNSKEY Query").

  2. Create a DNSSEC Query with query type NSEC and query name Child Zone ("NSEC Query").

  3. Create a DNSSEC Query with query type NSEC3PARAM and query name Child Zone ("NSEC3PARAM Query").

  4. Retrieve all name server names and IP addresses for Child Zone using methods Get-Del-NS-Names-and-IPs and Get-Zone-NS-Names-and-IPs ("NS IP").

  5. Create the following empty sets:

    1. Name server IP address, DNSKEY record key tag and DNSKEY algorithm code ("Algo Not Supported By ZM").
    2. Name server IP address ("Erroneous Multiple NSEC").
    3. Name server IP address ("Erroneous Multiple NSEC3").
    4. Name server IP address ("Erroneous Multiple NSEC3PARAM").
    5. Name server IP address ("NSEC In Answer").
    6. Name server IP address ("NSEC Incorrect Type List").
    7. Name server IP address ("NSEC Mismatches Apex").
    8. Name server IP address ("NSEC Missing Signature").
    9. Name server IP address and owner name (domain name data) ("NSEC NODATA Wrong SOA").
    10. Name server IP address ("NSEC NODATA Missing SOA").
    11. Name server IP address ("NSEC Query Gives Erroneous Answer").
    12. Name server IP address ("NSEC Query Gives NSEC3 NODATA").
    13. Name server IP address and key tag ("NSEC RRSIG Verify Error").
    14. Name server IP address and key tag ("NSEC RRSIG Expired").
    15. Name server IP address and key tag ("NSEC RRSIG Not Yet Valid").
    16. Name server IP address and key tag ("NSEC RRSIG No DNSKEY").
    17. Name server IP address ("NSEC RRSIG Verified").
    18. Name server IP address ("NSEC Query Response Error").
    19. Name server IP address ("NSEC3 Incorrect Type List").
    20. Name server IP address ("NSEC3 Mismatches Apex").
    21. Name server IP address ("NSEC3 Missing Signature").
    22. Name server IP address and owner name (domain name data) ("NSEC3 NODATA Wrong SOA").
    23. Name server IP address ("NSEC3 NODATA Missing SOA").
    24. Name server IP address and key tag ("NSEC3 RRSIG Verify Error").
    25. Name server IP address and key tag ("NSEC3 RRSIG Expired").
    26. Name server IP address and key tag ("NSEC3 RRSIG Not Yet Valid").
    27. Name server IP address and key tag ("NSEC3 RRSIG No DNSKEY").
    28. Name server IP address ("NSEC3 RRSIG Verified").
    29. Name server IP address ("NSEC3PARAM In Answer").
    30. Name server IP address ("NSEC3PARAM Mismatches Apex").
    31. Name server IP address ("NSEC3PARAM Query Gives Erroneous Answer").
    32. Name server IP address ("NSEC3PARAM Query Gives NSEC NODATA").
    33. Name server IP address ("NSEC3PARAM Query Response Error").
    34. Name server IP address ("Responds without DNSKEY").
    35. Name server IP address ("Responds with DNSKEY").

  6. For each name server IP address in NS IP do:

    1. Send DNSKEY Query to the name server IP.

    2. If at least one of the following criteria is met, then go to next name server IP:

      1. There is no DNS response.
      2. The RCODE Name in the response is not "NoError".
      3. The AA flag is not set in the response.

    3. If the response does not contain any DNSKEY record with owner name matching Child Zone in the answer section, add name server name and IP to the Responds without DNSKEY set and go to next server.

    4. Else, add name server IP to the Responds with DNSKEY set and retrieve the DNSKEY records from the answer section to be used in validation below.

    5. Send NSEC Query to the name server IP and do:

      1. If at least one of the following criteria is met, then add the name server IP to the NSEC Query Response Error set:
        1. There is no DNS response.
        2. The RCODE Name in the response is not "NoError".
        3. The AA flag is not set in the response.
      2. Else if the answer section is non-empty, then do:
        1. If the answer section has at least one NSEC RR then do:
          1. Add the name server IP to the NSEC In Answer set.
          2. If the number of NSEC records is greater than one then add name server IP to the Erroneous Multiple NSEC set.
          3. Else, if the owner name of the NSEC record is not Child Zone then add name server IP to the NSEC Mismatches Apex set.
        2. Else add the name server IP to the NSEC Query Gives Erroneous Answer set.
      3. Else if the answer section is empty and the authority section contains an NSEC3 record then do:
        1. Add the name server IP to the NSEC Query Gives NSEC3 NODATA set.
        2. If the SOA record is missing from the authority section then add name server IP to the NSEC3 NODATA Missing SOA set.
        3. Else if the owner name of SOA record is not Child Zone then add name server IP and owner name to the NSEC3 NODATA Wrong SOA set.
        4. If the authority section contains more than one NSEC3 record then add name server IP to the Erroneous Multiple NSEC3 set.
        5. Else do:
          1. If the hash owner name of the NSEC3 record does not match apex of Child Zone then add name server IP to the NSEC3 Mismatches Apex set.
          2. Else if the type list in the NSEC3 record matches at least one of the following criteria then add name server IP to the NSEC3 Incorrect Type List set:
            1. At least one of SOA, NS, DNSKEY, NSEC3PARAM or RRSIG is missing.
            2. At least one of NSEC or NSEC3 is included.
          3. Retrieve the NSEC3 record from the response.
          4. Retrieve the RRSIG records for the retrieved NSEC3 record.
          5. If the NSEC3 record do not have a matching RRSIG record, then add the name server IP to the NSEC3 Missing Signature set.
          6. Else do:
            1. Use the DNSKEY records retrieved above.
            2. For each NSEC3 RRSIG do:
              1. Verify the RRSIG record by the DNSKEY records.
              2. If there is no DNSKEY that matches RRSIG by key tag, then add the name server IP and RRSIG key ID to the NSEC3 RRSIG No DNSKEY set.
              3. Else, if the RRSIG record has a validity period that ends before the time of test execution, then add the name server IP and RRSIG key ID to the NSEC3 RRSIG Expired set.
              4. Else, if the RRSIG record has a validity period that starts after the time of test execution, then add the name server IP and RRSIG key ID to the NSEC3 RRSIG Not Yet Valid set.
              5. Else, if the Zonemaster installation does not have support for the DNSKEY algorithm that created the RRSIG, then add name server IP, DNSKEY algorithm and DNSKEY key tag to the Algo Not Supported By ZM set.
              6. Else, if the RRSIG cannot be validated by the DNSKEY record appointed, then add name server IP and DNSKEY key tag to the NSEC3 RRSIG Verify Error set.
              7. Else, add the name server IP to the NSEC3 RRSIG Verified set.

    6. Send NSEC3PARAM Query to the name server IP and do:

      1. If at least one of the following criteria is met, then add the name server IP to the NSEC3PARAM Query Response Errors set:
        1. There is no DNS response.
        2. The RCODE Name in the response is not "NoError".
        3. The AA flag is not set in the response.
      2. Else if the answer section is non-empty, then do:
        1. If the answer section has at least one NSEC3PARAM RR then do:
          1. Add the name server IP to the NSEC3PARAM In Answer set.
          2. If the number of NSEC3PARAM records is greater than one then add name server IP to the Erroneous Multiple NSEC3PARAM set.
          3. Else, if the owner name of the NSEC3PARAM record is not Child Zone then add name server IP to the NSEC3PARAM Mismatches Apex set.
        2. Else add the name server IP to the NSEC3PARAM Query Gives Erroneous Answer set.
      3. Else if the answer section is empty and the authority section contains an NSEC record then do:
        1. Add the name server IP to the NSEC3PARAM Query Gives NSEC NODATA set.
        2. If the SOA record is missing the authority section then add the name server IP to the NSEC NODATA Missing SOA set.
        3. Else if the owner name of the SOA record is not Child Zone then add name server IP and the owner name to the NSEC NODATA Wrong SOA set.
        4. If the authority section contains more than one NSEC record then add name server IP to the Erroneous Multiple NSEC set.
        5. Else do:
          1. If the owner name of the NSEC record is not Child Zone then add name server IP to the NSEC Mismatches Apex set.
          2. Else if the type list in the NSEC record matches at least one of the following criteria then add name server IP to the NSEC Incorrect Type List set:
            1. At least one of SOA, NS, DNSKEY, NSEC or RRSIG is missing.
            2. At least one of NSEC3PARAM or NSEC3 is included.
          3. Retrieve the NSEC record from the response.
          4. Retrieve the RRSIG records for the retrieved NSEC record.
          5. If the NSEC record does not have a matching RRSIG record, then add the name server IP to the NSEC Missing Signature set.
          6. Else do:
            1. Use the DNSKEY records retrieved above.
            2. For each NSEC RRSIG do:
              1. Verify the RRSIG record by the DNSKEY records.
              2. If there is no DNSKEY that matches RRSIG by key tag, then add the name server IP and RRSIG key ID to the NSEC RRSIG No DNSKEY set.
              3. Else, if the RRSIG record has a validity period that ends before the time of test execution, then add the name server IP and RRSIG key ID to the NSEC RRSIG Expired set.
              4. Else, if the RRSIG record has a validity period that starts after the time of test execution, then add the name server IP and RRSIG key ID to the NSEC RRSIG Not Yet Valid set.
              5. Else, if the Zonemaster installation does not have support for the DNSKEY algorithm that created the RRSIG, then add name server IP, DNSKEY algorithm and DNSKEY key tag to the Algo Not Supported By ZM set.
              6. Else, if the RRSIG cannot be validated by the DNSKEY record appointed, then add name server IP and DNSKEY key tag to the NSEC RRSIG Verify Error set.
              7. Else, add the name server IP to the NSEC RRSIG Verified set (unless it is already a member of the set).

  7. If the Erroneous Multiple NSEC set is non-empty then output DS10_ERR_MULT_NSEC with the name server IP addresses from the set.

  8. If the Erroneous Multiple NSEC3 set is non-empty then output DS10_ERR_MULT_NSEC3 with the name server IP addresses from the set.

  9. If the Erroneous Multiple NSEC3PARAM set is non-empty then output DS10_ERR_MULT_NSEC3PARAM with the name server IP addresses from the set.

  10. Create a list of those name server IP included in the NSEC In Answer set but not in the NSEC3PARAM Query Gives NSEC NODATA set, or the other way around. From that list remove any name server IP included in the NSEC3PARAM In Answer set or in the NSEC Query Gives NSEC3 NODATA set. Output DS10_INCONSISTENT_NSEC with the resulting list of name server IP addresses.

  11. Create a list of those name server IP included in the NSEC3PARAM In Answer set but not in the NSEC Query Gives NSEC3 NODATA set, or the other way around. From that list remove any name server IP included in the NSEC In Answer set or the NSEC3PARAM Query Gives NSEC NODATA set. Output DS10_INCONSISTENT_NSEC3 with the resulting list of name server IP addresses.

  12. Create a list of those name server IP included in the NSEC3PARAM In Answer set or in the NSEC Query Gives NSEC3 NODATA set, and also included in the NSEC In Answer set or the NSEC3PARAM Query Gives NSEC NODATA set. Output DS10_MIXED_NSEC_NSEC3 with the resulting list of name server IP addresses.

  13. If the NSEC In Answer set or the NSEC3PARAM Query Gives NSEC NODATA set (or both) is non-empty and both the NSEC3PARAM In Answer set and the NSEC Query Gives NSEC3 NODATA set are empty, then output DS10_HAS_NSEC with the name server IP addresses from the sets.

  14. If the NSEC3PARAM In Answer set or the NSEC Query Gives NSEC3 NODATA set (or both) is non-empty and both the NSEC In Answer set and the NSEC3PARAM Query Gives NSEC NODATA set are empty, then output DS10_HAS_NSEC3 with the name server IP addresses from the sets.

  15. Create a list of the name server IP in the NSEC3PARAM In Answer set or in the NSEC Query Gives NSEC3 NODATA set (or both), but neither in the NSEC In Answer set or the NSEC3PARAM Query Gives NSEC NODATA set. Create a second list of the name server IP in the NSEC In Answer set or in the NSEC3PARAM Query Gives NSEC NODATA set (or both), but neither in the NSEC3PARAM In Answer set or the NSEC Query Gives NSEC3 NODATA set. If both lists are non-empty then output DS10_INCONSISTENT_NSEC_NSEC3 with both the lists.

  16. If the NSEC Incorrect Type List set is non-empty, then output *DS10_NSEC_ERR_TYPE_LIST with the list of name server IP in the set.

  17. If the NSEC Mismatches Apex set is non-empty, then output *DS10_NSEC_MISMATCHES_APEX with the list of name server IP in the set.

  18. If the NSEC NODATA Wrong SOA set is non-empty, then for each owner name in the set output DS10_NSEC_NODATA_WRONG_SOA with the owner name and the list of name server IP in the set for that owner name.

  19. If the NSEC NODATA Missing SOA set is non-empty, then output DS10_NSEC_NODATA_MISSING_SOA with the list of name server IP in the set.

  20. If the NSEC Query Gives Erroneous Answer set is non-empty, then output DS10_NSEC_GIVES_ERR_ANSWER with the list of name server IP in the set.

  21. If the NSEC Query Response Error set is non-empty, then output DS10_NSEC_QUERY_RESPONSE_ERR with the list of name server IP in the set.

  22. If the NSEC3 Incorrect Type List set is non-empty, then output DS10_NSEC3_ERR_TYPE_LIST with the list of name server IP in the set.

  23. If the NSEC3 Mismatches Apex set is non-empty, then output DS10_NSEC3_MISMATCHES_APEX with the list of name server IP in the set.

  24. If the NSEC3 NODATA Wrong SOA set is non-empty, then for each owner name in the set output DS10_NSEC3_NODATA_WRONG_SOA with the owner name and the list of name server IP in the set for that owner name.

  25. If the NSEC3 NODATA Missing SOA set is non-empty, then output DS10_NSEC3_NODATA_MISSING_SOA with the list of name server IP in the set.

  26. If the NSEC3PARAM Query Gives Erroneous Answer set is non-empty, then output DS10_NSEC3PARAM_GIVES_ERR_ANSWER with the list of name server IP in the set.

  27. If the NSEC3PARAM Mismatches Apex set is non-empty, then output DS10_NSEC3PARAM_MISMATCHES_APEX with the list of name server IP in the set.

  28. If the NSEC3PARAM Query Response Error set is non-empty, then output DS10_NSEC3PARAM_QUERY_RESPONSE_ERR with the list of name server IP in the set.

  29. If the NSEC Missing Signature set is non-empty then output DS10_NSEC_MISSING_SIGNATURE with the name server IP addresses from the set.

  30. If the NSEC3 Missing Signature set is non-empty then output DS10_NSEC3_MISSING_SIGNATURE with the name server IP addresses from the set.

  31. If the NSEC RRSIG No DNSKEY set is non-empty, then for each key ID output DS10_NSEC_RRSIG_NO_DNSKEY with the key ID and the name server IP addresses from the set for the key ID.

  32. If the NSEC RRSIG Expired set is non-empty, then for each key ID output DS10_NSEC_RRSIG_EXPIRED with the key ID and the name server IP addresses from the set for the key ID.

  33. If the NSEC RRSIG Not Yet Valid set is non-empty, then for each key ID output DS10_NSEC_RRSIG_NOT_YET_VALID with the key ID and the name server IP addresses from the set for the key ID.

  34. If the NSEC RRSIG Verify Error set is non-empty, then for each key ID output DS10_NSEC_RRSIG_VERIFY_ERROR with the key ID and the name server IP addresses from the set for the key ID.

  35. If the combined set of the unique name server IP addresses of the NSEC RRSIG No DNSKEY, NSEC RRSIG Expired, NSEC RRSIG Not Yet Valid and NSEC RRSIG Verify Error sets is non-empty, then do:

    1. For each name server IP address in the combined set store the IP address in a temporary set for the next step if the IP address is not a member of the NSEC RRSIG Verified set.
    2. If the temporary set is non-empty then output DS10_NSEC_NO_VERIFIED_SIGNATURE with the name server IP addresses from the set.

  36. If the NSEC3 RRSIG No DNSKEY set is non-empty, then for each key ID output DS10_NSEC3_RRSIG_NO_DNSKEY with the key ID and the name server IP addresses from the set for the key ID.

  37. If the NSEC3 RRSIG Expired set is non-empty, then for each key ID output DS10_NSEC3_RRSIG_EXPIRED with the key ID and the name server IP addresses from the set for the key ID.

  38. If the NSEC3 RRSIG Not Yet Valid set is non-empty, then for each key ID output DS10_NSEC3_RRSIG_NOT_YET_VALID with the key ID and the name server IP addresses from the set for the key ID.

  39. If the NSEC3 RRSIG Verify Error set is non-empty, then for each key ID output DS10_NSEC3_RRSIG_VERIFY_ERROR with the key ID and the name server IP addresses from the set for the key ID.

  40. If the combined set of the NSEC3 RRSIG No DNSKEY, NSEC3 RRSIG Expired, NSEC3 RRSIG Not Yet Valid and NSEC3 RRSIG Verify Error sets is non-empty, then do:

    1. Extract all unique name server IP address in the combined set that are not members the NSEC3 RRSIG Verified set.
    2. If the extracted name server IP addresses is a non-empty set then output DS10_NSEC3_NO_VERIFIED_SIGNATURE with the extracted name server IP addresses.

  41. If the Algo Not Supported By ZM set is non-empty, then output DS10_ALGO_NOT_SUPPORTED_BY_ZM for each DNSKEY key tag with the name server IP addresses, the key tag and the algorithm name and code from the set.

  42. If the Responds with DNSKEY set is empty and the Responds without DNSKEY is non-empty then output DS10_ZONE_NO_DNSSEC with the name server IP addresses from the Responds without DNSKEY set.

  43. If both the Responds with DNSKEY set and the Responds without DNSKEY set are non-empty then output DS10_SERVER_NO_DNSSEC with the name server IP addresses from the Responds without DNSKEY set.

  44. Extract all members of the NS IP set that is not also a member of the Responds without DNSKEY set, the NSEC In Answer set, the NSEC3PARAM Query Gives NSEC NODATA set, the NSEC3PARAM In Answer set or the NSEC Query Gives NSEC3 NODATA set. If the extracted set is non-empty, then output DS10_EXPECTED_NSEC_NSEC3_MISSING with the extracted list of name server IP addresses.

Outcome(s)

The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.

The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.

In other cases, no message or only messages with severity level INFO or NOTICE, the outcome of this Test Case is "pass".

Special procedural requirements

If either IPv4 or IPv6 transport is disabled, skip sending queries over that transport protocol. A message will be outputted reporting that the transport protocol has been skipped.

See the DNSSEC README document about DNSSEC algorithms.

Intercase dependencies

None.

Terminology

No special terminology for this Test Case.