DNSSEC14: Check for valid RSA DNSKEY key size
Test case identifier
DNSSEC14
Objective
DNSKEYs based on RSA have algorithm-specific minimum and maximum key sizes, which must be followed. This test case validates the key sizes of such keys. RSA based algorithms that are deprecated or otherwise not suitable for DNSKEY (RFC 8624 and the IANA registry) are ignored. See test case DNSSEC05 for the test of the algorithm itself.
Table 1 below specifies the minimum and maximum key size, respectively, for each RSA algorithm. Algorithm numbers and mnemonics can be found in the IANA registry. The key size of an RSA DNSKEY is the bit length of the modulus carried in the public key field (RFC 3110, section 2), not the length of the encoded public key field as a whole.
Table 1: Minimum and maximum RSA key sizes in bits
Algorithm | Mnemonic | Min size | Max size | Reference |
---|---|---|---|---|
5 | RSASHA1 | 512 | 4096 | RFC 3110 |
7 | RSASHA1-NSEC3-SHA1 | 512 | 4096 | RFC 5155 |
8 | RSASHA256 | 512 | 4096 | RFC 5702 |
10 | RSASHA512 | 1024 | 4096 | RFC 5702 |
It is also recommended that an RSA based algorithm has a key length of at least 2048 bits, as stated in NIST SP 800-57 Part 1 Rev. 4, table 2 on page 53 in section 5.6.1 and table 4 on page 55 in section 5.6.2.
This test case verifies that RSA DNSKEYs follow the key lengths stated in the RFCs and also the NIST recommended shortest key length.
Scope
It is assumed that Child Zone is also tested by Connectivity01. This test case will set DEBUG level on messages for non-responsive name servers.
Inputs
- "Child Zone" - The domain name to be tested.
- "Key Size Table" - The table above.
Ordered description of steps to be taken to execute the test case
1. Create a DNSKEY query with the DO flag set for the apex of the Child Zone.

2. Retrieve all name server IP addresses for the Child Zone using Method4 and Method5 ("NS IP").

3. Create an empty set "DNSKEY RRs".

4. For each name server IP address in NS IP do:
   - Send the DNSKEY query over UDP.
   - If no DNS response is returned, then output NO_RESPONSE.
   - Else, if the DNS response does not contain a DNSKEY RRset, then output NO_RESPONSE_DNSKEY.
   - Else, retrieve the DNSKEY RRs and add them to DNSKEY RRs.

5. For each DNSKEY in DNSKEY RRs do:
   - If the algorithm of the DNSKEY is not listed in Key Size Table, go to the next DNSKEY.
   - Else, if the key size is smaller than the minimum specified for the algorithm, then output DNSKEY_TOO_SMALL_FOR_ALGO.
   - Else, if the key size is smaller than 2048 bits, then output DNSKEY_SMALLER_THAN_REC.
   - Else, if the key size is larger than the maximum specified for the algorithm, then output DNSKEY_TOO_LARGE_FOR_ALGO.

6. If DNSKEY RRs is non-empty and no message other than NO_RESPONSE has been output, then output KEY_SIZE_OK.
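The key-size evaluation of steps 5 and 6, as an added illustration that is not part of this specification or of the Zonemaster code base. The query and transport handling of steps 1 to 4 is left out; the input is an already collected DNSKEY RRset in presentation format. The DNSKEY records below are constructed for the example (the moduli are synthetic values, not real keys), and the function and message-detail formats are this example's own choices. The point worth seeing in code is how the RSA key size is obtained: the RFC 3110 public key field starts with an exponent length (one byte, or 0x00 followed by two bytes), then the exponent, then the modulus, and the size is the bit length of that modulus with any leading zero bytes discounted.

```python
import base64
from typing import List, Optional

# Table 1 of this test case: RSA algorithm number -> (minimum bits, maximum bits).
# Algorithms absent from the table (e.g. 13, ECDSAP256SHA256) are ignored, as in step 5.
KEY_SIZE_TABLE = {
    5: (512, 4096),    # RSASHA1, RFC 3110
    7: (512, 4096),    # RSASHA1-NSEC3-SHA1, RFC 5155
    8: (512, 4096),    # RSASHA256, RFC 5702
    10: (1024, 4096),  # RSASHA512, RFC 5702
}
RECOMMENDED_MIN_BITS = 2048  # NIST SP 800-57 Part 1 recommendation


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Bit length of the modulus in an RFC 3110 RSA public key field.

    Layout: exponent length (1 byte, or 0x00 plus 2 bytes), exponent, modulus.
    Leading zero bytes of the modulus are not counted, so a padded modulus
    does not appear larger than it is.
    """
    if not pubkey:
        raise ValueError("empty public key")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("truncated public key, no modulus")
    return int.from_bytes(modulus, "big").bit_length()


def classify_key(algorithm: int, key_bits: int) -> Optional[str]:
    """Step 5 for one key: the message to emit, or None if the key is acceptable."""
    if algorithm not in KEY_SIZE_TABLE:
        return None
    min_bits, max_bits = KEY_SIZE_TABLE[algorithm]
    if key_bits < min_bits:
        return "DNSKEY_TOO_SMALL_FOR_ALGO"
    if key_bits < RECOMMENDED_MIN_BITS:
        return "DNSKEY_SMALLER_THAN_REC"
    if key_bits > max_bits:
        return "DNSKEY_TOO_LARGE_FOR_ALGO"
    return None


def parse_dnskey(rr: str):
    """Split a presentation-format DNSKEY RR into (flags, protocol, algorithm, key bytes)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return flags, protocol, algorithm, pubkey


def check_dnskey_set(dnskey_rrs: List[str]) -> List[str]:
    """Steps 5 and 6 over a collected DNSKEY RRset; returns the emitted messages."""
    messages = []
    for rr in dnskey_rrs:
        _flags, _protocol, algorithm, pubkey = parse_dnskey(rr)
        if algorithm not in KEY_SIZE_TABLE:
            continue  # not an RSA algorithm from Table 1, ignored
        bits = rsa_modulus_bits(pubkey)
        msg = classify_key(algorithm, bits)
        if msg:
            messages.append(f"{msg} algorithm={algorithm} bits={bits}")
    if dnskey_rrs and not messages:
        messages.append("KEY_SIZE_OK")
    return messages


# Constructed sample keys for the example: the modulus is a synthetic value, not a real key.
def make_rsa_pubkey(modulus_bits: int, exponent: int = 65537) -> bytes:
    """Build an RFC 3110 public key field with a synthetic modulus of the given bit length."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = ((1 << (modulus_bits - 1)) | 1).to_bytes((modulus_bits + 7) // 8, "big")
    length = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return length + exp + modulus


def make_dnskey_rr(owner: str, flags: int, algorithm: int, pubkey: bytes) -> str:
    return f"{owner} 3600 IN DNSKEY {flags} 3 {algorithm} {base64.b64encode(pubkey).decode()}"


SAMPLE_RRSET = [
    make_dnskey_rr("example.", 257, 8, make_rsa_pubkey(2048)),  # KSK, acceptable
    make_dnskey_rr("example.", 256, 8, make_rsa_pubkey(1024)),  # ZSK, below NIST recommendation
    make_dnskey_rr("example.", 256, 10, make_rsa_pubkey(512)),  # below the RFC 5702 minimum for 10
    make_dnskey_rr("example.", 256, 8, make_rsa_pubkey(8192)),  # above the RFC 5702 maximum
    make_dnskey_rr("example.", 256, 13, bytes(64)),             # ECDSA, not in Table 1, ignored
]

if __name__ == "__main__":
    for message in check_dnskey_set(SAMPLE_RRSET):
        print(message)
```

Run on the constructed RRset above, this emits one message each for the 1024-bit, 512-bit and 8192-bit RSA keys and nothing for the ECDSA key; an RRset containing only the 2048-bit RSA key and the ECDSA key yields KEY_SIZE_OK, and an empty RRset yields no message at all, matching step 6.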
Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.
The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.
In other cases the outcome of this Test Case is "pass".
Message | Default severity level |
---|---|
NO_RESPONSE | DEBUG |
NO_RESPONSE_DNSKEY | WARNING |
DNSKEY_SMALLER_THAN_REC | WARNING |
DNSKEY_TOO_SMALL_FOR_ALGO | ERROR |
DNSKEY_TOO_LARGE_FOR_ALGO | ERROR |
KEY_SIZE_OK | INFO |
Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the result of any test using this transport protocol. Log a message reporting on the ignored result.
See the DNSSEC README document about DNSSEC algorithms.
The test case is only performed if some DNSKEY record is found in the Child Zone.
Intercase dependencies
None.