WikiStart: NSEC_to_NSEC3_Roll_Test_Report.txt

NSEC-to-NSEC3 Roll Test Report
------------------------------

Synopsis:

This tested the observed behaviour of several different
resolvers/validators before, during and after a roll from NSEC to
NSEC3.


Roll states:

State 1: Initial state (pre-roll):

        An NSEC3-capable authoritative server with NSEC-signed zone
        using key algorithm 5 (RSASHA1) which had three sub-zones.
        These were:

        - an unsigned sub-zone [n0.roll.ws.nsec3.org]
        - a signed sub-zone using NSEC [n1.roll.ws.nsec3.org]
        - a signed sub-zone using NSEC3 [n3.roll.ws.nsec3.org]

State 2: Intermediate state (during roll):

        We performed a key rollover to an NSEC-signed zone using
        key algorithm 133 (NSEC3RSASHA1, i.e. RSASHA1 algorithm with
        code specially assigned to signal possible use of NSEC3).

State 3: Final state (post-roll):

        We then signed the zones, replacing the NSEC chain with an
        NSEC3 chain -- again using key algorithm 133 -- and reloaded
        the server.


Testing:

A number of different resolvers/validators were tested:

- two different NSEC3-aware validators: V1 and V7.

- two different NSEC-only validators: V3 and V8.

- several different resolvers which were either DNSSEC-unaware or
  had DNSSEC disabled: R3, R4, R5, R10, R11.


Result:

All resolvers/validators returned expected results throughout all
three states of the test.

- The NSEC3-aware validators returned consistent authoritative results
  during all three states.

- The NSEC-only-aware validators returned authoritative answers in
  State 1 and non-authoritative answers in States 2 and 3.

- The non-DNSSEC-aware resolvers returned expected answers throughout
  the test.