WikiStart: nsec3-workshop-agenda.txt

Workshop Agenda

Most of the tests for authoritative servers were completed during the first workshop. This workshop will concentrate on a few key issues that came up from that workshop and followup discussions. Most of the focus will be on the resolver side.

The identified issues are 
(1) signalling NSEC3 and traversing through various combinations.
(2) rolling from NSEC to NSEC3 and vice versa
(3) zone signing, loading and transfer
(4) handling brokeness 

We'd like to propose the following schedule for the three days:

        Monday morning
        1. Welcome
        2. Introduction
        3. Network, Resolver and Tools setup
        4. Agenda Bashing
        5. Group Management

        Monday morning, afternoon
        6. Signalling and Traversing

        monday afternoon
        7. Rolling from NSEC to NSEC3 and vice versa

        Tuesday morning
        8. Zone signing, loading and transfer

        tuesday afternoon, wednesday morning
        9. handling brokeness

        Wednesday afternoon
        10. wrap-up and documentation



1. Welcome.

We have a few newcomers to this workshop. We'd like them to share their specific interest and expectation of this workshop, and get a good overall sense of understanding the protocol.

2. Introduction.

An outline of the 4 main items (point 6-9) we'd like to test, the basic setup of the tests, the expected documentation, and a small open discussion of other interesting test scenarios that we might have overlooked.

3. Network and Tools setup

We have a set of authoritative servers, serving a set of zones, available from a server outside the network. In contrast with the last workshop, this will not be a backup, but will be the default. We need to test the network in order to reach those servers.

We have two implementations of a resolver. Some of us will be asked to run an instance of the resolver. We need six instances, which are explained below (point 6).

We will also have a set of tools to make life easier. These include a whole range of items, and we will ask the developers of the tools to give a quick outline.

4. Agenda bashing.

Since we're on a fairly tight schedule, we'd like to hash out anything left untouched, and ask for input on other material to test.

5. Group management.

Since we will have 6 instances of a resolver, we'd like to have 6 groups of participants testing each instance of the resolver. We'd like to have a fair distribution of experience and knowledge. If you don't know how to use the tools, sit with someone who does. If you haven't grasped the details of NSEC3 yet, sit with someone who does. 

6. Signalling and Traversing

There are 3 authoritative servers. The 'trust-anchored zone' (ws.nsec3.org) resides on one server. The second level zones reside on another server, and the third level zones reside on yet another server. The ws.nsec3.org zone is DNSSEC-NSEC signed and contains delegations to signed zones and one unsigned zone. The delegations are to zone with the following format. 

        n0      unsigned zone
        n1u     signed zone with unsigned delegations, using NSEC
        n1s     signed zone with signed delegations, using NSEC
        n3o     signed zone with opted out, unsigned delegations, using NSEC3
        n3u     signed zone with unsigned delegations, using NSEC3
        n3s     signed zone with signed delegations, using NSEC3

The zones with unsigned delegations (n0,n1u,n3o,n3u) will have a delegation to n0.(n0,n1u,n3o,n3u)
The zones with signed delegations (n1s,n3s) will have delegations to n1.n3s and n3.(n1s,n3s)

We will have two independent resolver implementations. One is BIND, the other UNDBOUND. Each implementations will be configured in three modes: NSEC3 capable, NSEC only, and one with no trust anchor. Three modes times two implementations gives us 6 instances.

Each group sends the following list of requests to their assigned resolver instance, and notes the results (ad bit status, response type). We will hand out the list with requests, so they can easily be ticked off.

 1. www.n0.n0.ws.nsec3.org IN A
 2. www.n0.n1u.ws.nsec3.org IN A
 3. www.n0.n3o.ws.nsec3.org IN A
 4. www.n1.n1s.ws.nsec3.org IN A
 5. www.n3.n1s.ws.nsec3.org IN A
 6. www.n1.n3s.ws.nsec3.org IN A
 7. www.n3.n3s.ws.nsec3.org IN A

Note we do only care about the delegation logic here. To be complete, we will have a test zone from the previous workshop available so all response types can be checked again.

Following the tests, discussion about any odd behavior, failed tests, etc.  The 
product of these tests will be a matrix of the compiled results.  

7. Rolling from NSEC to NSEC3 and vice versa.

This is somewhat trickier to automate, though we will have 3 sets of files ready for an intermediate (delegating) zone, and 3 for an 'end' zone before-hand.
The 3 zones files are basically: NSEC-known-alg, NSEC-unknown-alg, NSEC3-unknown-alg. To be efficient, these second and third level zones will be delegated to local servers at the workshop. (Two individual laptops). We might use three to avoid the DS roll in the trust-anchored server (ws.nsec3.org).

We use the combination of resolvers mentioned above (BIND-NODNSSEC, etc,etc), effectively the same teams who did the previous testing, and have one or two individuals doing the rolling.  To avoid TTL issues, we'll keep'em short.

Each group sends a list of requests similarly to the previous test (but a shorte list). This list will be done 5 times, according to the following states, combining the beforementioned states as follows: (1)NSEC-KNOWN-ALG (2)NSEC-UNKNOWN-ALG (3)NSEC3-UNKNOWN-ALG (4)NSEC-UNKNOWN-ALG (5)NSEC-KNOWN-ALG 

Only the intermediate zone 'roll' is going to be rolled, thus, given the following zones: 

n0.roll.ws.nsec3.org
n1.roll.ws.nsec3.org
n3.roll.ws.nsec3.org

Each group will query their respective resolver, for a record in n0, n1, n3 and nx. The 'nx' zone does not exist and is in order to trigger a negative response from the server responsible for 'roll'.

8. Zone signing, loading and transfer

We believe that zone signing mostly works, since we have previously compared the output of several signed zones using several signers. We'd like to test zonetransfers for serveral signed zones. 
        - from bind to nsd
        - from nsd to bind

using several NSEC3 signed zones with different parameters. 

These tests will be fairly simple. We'll take two groups, one group transferring all the zones to their hosts from the BIND server, another group from the NSD server. We have a zonecompare tool to compare what has been transferred to what is on disk. 

9. handling brokeness

This test is an iteration of the same test in the previous workshop. We will again use two groups. One using the bind-resolver, another using the unbound resolver, using a list of requests to perform.

10. wrap-up and documentation.

During wrap-up we will address the issues evolving from all the previous tests, and possibly perform other tests. We need to writeup 5 documents, where 4 documents match the results of the 4 previous tests, and one document handling the open issues, and possible future work.