NAMESERVER01: A name server should not be a recursor
Test case identifier
NAMESERVER01
Objective
To ensure consistency in DNS, an authoritative name server should not be configured to do recursive lookups. Also, open recursive resolvers are considered bad internet practice due to their capability of assisting in large scale DDoS attacks. The introduction to RFC 5358 elaborates on mixing recursor and authoritative functionality, and the issue is further elaborated by D.J. Bernstein.
Section 2.5 of RFC 2870 has very specific requirements on disabling recursion functionality on root name servers.
Scope
It is assumed that Child Zone is also tested by Connectivity01. This test case will set DEBUG level on messages for non-responsive name servers.
Inputs
- The domain name to be tested ("Child Zone").
Ordered description of steps to be taken to execute the test case
1. Create A queries for the following domain names:
   - xn--nameservertest.iis.se
   - xn--nameservertest.icann.org
   - xn--nameservertest.ripe.net
2. Retrieve all name server IPs for the Child Zone using Method4 and Method5.
3. Repeat the following steps for each name server IP:
   - Send the three A queries over UDP.
   - For each query do the following steps:
     - If the name server does not respond with a DNS response, then emit NO_RESPONSE.
     - If the DNS response comes with the RA flag set, then emit IS_A_RECURSOR.
   - If the RCODE is NXDOMAIN in the responses for all three queries, then emit IS_A_RECURSOR.
   - If neither NO_RESPONSE nor IS_A_RECURSOR has been emitted for that server, then emit NO_RECURSOR.
Outcome(s)
The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.
The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.
In other cases the outcome of this Test Case is "pass".
| Message | Default severity level (if message is emitted) |
|---|---|
| NO_RESPONSE | DEBUG |
| IS_A_RECURSOR | ERROR |
| NO_RECURSOR | INFO |
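The per-server steps and the outcome rules above, worked through in Python as an added example (not the project's own implementation). It decodes only the DNS header bits the test needs, applies the three emission rules to one server's three replies, and maps the emitted messages to pass/warning/fail; the responses are constructed header-only messages, not captured traffic.

```python
import struct

# Message -> default severity level, from the test case's table.
SEVERITY = {"NO_RESPONSE": "DEBUG", "IS_A_RECURSOR": "ERROR", "NO_RECURSOR": "INFO"}
RCODE_NXDOMAIN = 3

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; only the bits this test needs."""
    _qid, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"ra": (flags >> 7) & 1,      # Recursion Available bit
            "rcode": flags & 0xF}        # response code, 3 = NXDOMAIN

def evaluate_server(responses) -> list:
    """Apply the NAMESERVER01 steps to one server's three replies.
    `responses` has one entry per query: raw message bytes, or None when
    the server did not answer. Returns the messages emitted for the server."""
    messages = []
    nxdomain = 0
    for msg in responses:
        if msg is None:
            messages.append("NO_RESPONSE")
            continue
        hdr = parse_header(msg)
        if hdr["ra"]:
            messages.append("IS_A_RECURSOR")
        if hdr["rcode"] == RCODE_NXDOMAIN:
            nxdomain += 1
    if nxdomain == 3:            # all three unlikely names answered NXDOMAIN
        messages.append("IS_A_RECURSOR")
    if not messages:             # neither NO_RESPONSE nor IS_A_RECURSOR seen
        messages.append("NO_RECURSOR")
    return messages

def outcome(messages) -> str:
    """Map the emitted messages to pass/warning/fail via default severities."""
    levels = {SEVERITY[m] for m in messages}
    if levels & {"ERROR", "CRITICAL"}:
        return "fail"
    if "WARNING" in levels:
        return "warning"
    return "pass"

def fake_response(ra: int, rcode: int) -> bytes:
    """Constructed response header (QR=1, no question or answer sections)."""
    flags = (1 << 15) | (ra << 7) | rcode
    return struct.pack("!6H", 0x1234, flags, 0, 0, 0, 0)
```

An authoritative server typically answers the three queries with REFUSED and RA clear, which yields NO_RECURSOR; a server that never answers yields only DEBUG-level NO_RESPONSE messages and therefore still passes.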
Special procedural requirements
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the result of any test using this transport protocol. Log a message reporting on the ignored result.
The domain names used in the queries are selected to be almost certainly nonexistent names, since they are chosen to violate the IDNA 2008 specification under SLDs (second-level domains) that are expected to respect that specification. The SLDs are selected so that the chance that they are all hosted on the same servers is low.
Intercase dependencies
None.
Terminology
Valid domain names according to the "IDNA 2008 specification" are defined in RFC 5890, section 2.3.1, page 7.