DNSSEC Test Plan
These are the DNSSEC tests for a domain.
This document uses the terminology defined in the Master Test Plan.
Default DNS query flags for all DNSSEC tests
- Transport: UDP
- Bufsize: EDNS0 buffer size (512)
- Flags -- query flags
  - do -- DNSSEC ok (1)
  - cd -- Checking Disabled (1)
  - rd -- Recursion Desired (0)
  - ad -- Authenticated Data (0)
See section 3.2 of RFC 4035 for a description of the flags used by a recursive name server.
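As an added illustration, not part of this test plan or its implementation, the following Python builds a DNS query carrying exactly the defaults above (UDP-sized EDNS0 buffer of 512, DO=1, CD=1, RD=0, AD=0) and reads the settings back out of the wire format, so a harness can assert on a packet before it is sent; all function, constant and dictionary names are my own.

```python
import struct

# Defaults taken from the test plan above; names here are mine, not the plan's.
DEFAULT_BUFSIZE = 512
DEFAULT_FLAGS = {"do": 1, "cd": 1, "rd": 0, "ad": 0}
TYPE_OPT = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name):
    """Encode an owner name into uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, pos):
    """Return the offset just past an uncompressed name starting at pos."""
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1


def build_query(qname, qtype, txid=0x1234, bufsize=DEFAULT_BUFSIZE, flags=DEFAULT_FLAGS):
    """Build the query the plan's defaults describe.
    RD (bit 8), AD (bit 5) and CD (bit 4) live in the header flags word (RFC 1035 /
    RFC 4035 section 3.2); DO is bit 15 of the OPT RR's TTL field and the EDNS0
    buffer size is its CLASS field (RFC 6891)."""
    hdr_flags = (flags["rd"] << 8) | (flags["ad"] << 5) | (flags["cd"] << 4)
    header = struct.pack("!HHHHHH", txid, hdr_flags, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt_ttl = flags["do"] << 15  # EXTENDED-RCODE=0, VERSION=0, DO, Z=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, opt_ttl, 0)  # root owner, empty RDATA
    return header + question + opt


def parse_flags(msg):
    """Recover the flag settings from a query so they can be checked against the plan."""
    _, hdr_flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    found = {"rd": (hdr_flags >> 8) & 1, "ad": (hdr_flags >> 5) & 1,
             "cd": (hdr_flags >> 4) & 1, "do": 0, "bufsize": 512}  # no OPT => 512 (RFC 6891)
    for _ in range(arcount):  # a query carries no answer/authority RRs, so additional is next
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == TYPE_OPT:
            found["do"] = (ttl >> 15) & 1
            found["bufsize"] = rclass
        pos += 10 + rdlen
    return found
```

Because CD=1 asks the recursive server not to validate, the test system itself must do the signature checks on what comes back; AD=0 is the matching statement that the query is not asking for a validated answer.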
Key, hash and signature algorithms
There are many algorithms defined for DNSSEC, and not all of them are mandatory to implement. This test case should strive to implement not only all mandatory algorithms but also most of those in use on the Internet today.
If any algorithm in a DNSSEC record type is not recognized by the test system, the test system should emit a notice about this.
Test cases list
Test Case | Test Case Description |
---|---|
DNSSEC01 | Legal values for the DS hash digest algorithm |
DNSSEC02 | DS must match a valid DNSKEY in the child zone |
DNSSEC03 | Verify NSEC3 parameters |
DNSSEC04 | Check for too short or too long RRSIG lifetimes |
DNSSEC05 | Check for invalid DNSKEY algorithms |
DNSSEC06 | Verify DNSSEC additional processing |
DNSSEC07 | If DNSKEY at child, parent should have DS |
DNSSEC08 | Valid RRSIG for DNSKEY |
DNSSEC09 | RRSIG(SOA) must be valid and created by a valid DNSKEY |
DNSSEC10 | Zone contains NSEC or NSEC3 records |
DNSSEC11 | DS in delegation requires signed zone |
DNSSEC12 | Test for DNSSEC Algorithm Completeness |
DNSSEC13 | All DNSKEY algorithms used to sign the zone |
DNSSEC14 | Check for valid RSA DNSKEY key size |
DNSSEC15 | Existence of CDS and CDNSKEY |
DNSSEC16 | Validate CDS |
DNSSEC17 | Validate CDNSKEY |
DNSSEC18 | Validate trust from DS to CDS and CDNSKEY |