WikiStart: signal-traverse-notes.txt

Setup

This series of tests was developed to exercise the NSEC/NSEC3 signaling mechanism.
Previous work showed that non-NSEC3-aware validating resolvers could not follow
an unsigned delegation from an NSEC3 zone.  The proposed solution was to signal
NSEC3-signed zones by using an alternative DNSKEY algorithm code, which
non-NSEC3-aware validators would interpret as insecure, so that they would not
attempt to validate security information from those zones.  In this experiment,
the algorithm code for "NSEC3 signed" zones was 133.

Test Format

The tree used for the signaling and traversing tests is summarized below.
For resolvers that required DNSSEC, the KSK for ws.nsec3.org was used as the
trust anchor.

* ws.nsec3.org (signed with NSEC)
  * n0.ws.nsec3.org
    * n0.n0.ws.nsec3.org
  * n1u.ws.nsec3.org
    * n0.n1u.ws.nsec3.org
  * n1s.ws.nsec3.org
    * n3.n1s.ws.nsec3.org
  * n3u.ws.nsec3.org
    * n0.n3u.ws.nsec3.org
  * n3s.ws.nsec3.org
    * n1.n3s.ws.nsec3.org
    * n3.n3s.ws.nsec3.org
  * n3o.ws.nsec3.org
    * n0.n3o.ws.nsec3.org
  * full.ws.nsec3.org

The labels indicate the following:

n0   - unsigned zone data
n1   - DNSSEC signed data (NSEC chain)
n1u  - DNSSEC signed data (NSEC chain) with unsigned delegations
n1s  - DNSSEC signed data (NSEC chain) with signed delegations
n3   - DNSSEC with NSEC3 chain
n3u  - DNSSEC with NSEC3 chain, unsigned delegations
n3s  - DNSSEC with NSEC3 chain, signed delegations
n3o  - DNSSEC with NSEC3 chain with Opt-Out
full - DNSSEC with NSEC3, includes wildcards, empty non-terminals, etc.

Each zone contained a single host (www) and DNSKEY RRs as appropriate.  There
were two versions of this tree: one served by A1 servers and one served by
A4 servers.  Each type of resolver sent queries for the www host in each of
the following zones:

www.n0.n0.ws.nsec3.org
www.n0.n1u.ws.nsec3.org
www.n3.n1s.ws.nsec3.org
www.n0.n3u.ws.nsec3.org
www.n0.n3o.ws.nsec3.org
www.n1.n3s.ws.nsec3.org
www.n3.n3s.ws.nsec3.org

Various queries to full.ws.nsec3.org were also made as time permitted.  For each
resolver implementation, the expected results depended on the characteristics of
the resolver:

Expected results:

Tree authoritative servers:  A1, A4
NSEC3-aware: R9, R1, R7, R10, R9
NSEC-aware: R8, R3, R10
DNSSEC unaware: R11, R5, R4, R6

              NSEC3-aware   NSEC-aware   DNSSEC-unaware
www.n0.n0     insecure      insecure     traditional resp.
www.n0.n1u    insecure      insecure     traditional resp.
www.n1.n1s    nxdomain      nxdomain     traditional resp.
www.n3.n1s    secure/AD     insecure     traditional resp.
www.n0.n3u    insecure      insecure     traditional resp.
www.n0.n3o    insecure      insecure     traditional resp.
www.n1.n3s    secure/AD     insecure     traditional resp.
www.n3.n3s    secure/AD     insecure     traditional resp.

Actual results from tests:

                  R9     R1     R11    R8     R5     R3     R6
www.n0.n0         P      P      P      P      P      P      P
www.n0.n1u        P      P      P      P      P      P      P
www.n1.n1s        P      P      P      P      P      P      P
www.n3.n1s        P      P      P      P      P      P      P
www.n0.n3u        P      P      P      P      P      P      P
www.n0.n3o        P      *      P      P      P      P      P
www.n1.n3s        P      P      P      P      P      P      P
www.n3.n3s        P      P      P      P      P      P      P

                  R3          R4     R7             R10          R10
                  (dnssec)           (with nsec3)   (no nsec3)   (nsec3)
www.n0.n0         P           P      P              P            P
www.n0.n1u        P           P      P              P            P
www.n1.n1s        P           P      P              P            P
www.n3.n1s        P           P      P              P            P
www.n0.n3u        P           P      P              P            P
www.n0.n3o        P           P      P              P            P
www.n1.n3s        P           P      P              P            P
www.n3.n3s        P           P      P              P            P

Discussion

In the tables above, the "*" indicates that the tree served by A1 returned ServFail
for that query.  This was later believed to be an environment bug, not a
protocol error, though one that may recur if the zones are not set up correctly.  All
other queries resulted in matching behavior across both domain trees and the
expected results (marked with a 'P' for "pass").

These tests do not cover all possible DNS environments.  More work would need to
be done as corner cases and unique zones are encountered.  For the majority of
expected scenarios, the expected results (from the resolver's point of view) were
received.  That is, when a non-NSEC3-aware validating resolver encounters an
NSEC3 zone along a resolution path, it will see the unknown key algorithm and
consider that zone (and all children of that zone) to be insecure.
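The rule in the last paragraph, walked down the test tree to reproduce the expected-results table, as an added example that is not part of the original notes or the experiment's tooling.  The tree and the algorithm code 133 come from the page; the algorithm number used for the NSEC-signed zones (5) and the resolver classes are assumptions.

```python
# Constructed model of the signaling experiment. Algorithm 5 for NSEC-signed zones is an
# assumption (the notes do not say which one); 133 is the experimental "NSEC3 signed" code.
ALG_NSEC = 5
ALG_NSEC3_EXPERIMENT = 133
# Test tree from the notes: zone -> (parent zone, signing algorithm, or None if unsigned)
ZONES = {
    "ws.nsec3.org":        (None,                ALG_NSEC),
    "n0.ws.nsec3.org":     ("ws.nsec3.org",      None),
    "n0.n0.ws.nsec3.org":  ("n0.ws.nsec3.org",   None),
    "n1u.ws.nsec3.org":    ("ws.nsec3.org",      ALG_NSEC),
    "n0.n1u.ws.nsec3.org": ("n1u.ws.nsec3.org",  None),
    "n1s.ws.nsec3.org":    ("ws.nsec3.org",      ALG_NSEC),
    "n3.n1s.ws.nsec3.org": ("n1s.ws.nsec3.org",  ALG_NSEC3_EXPERIMENT),
    "n3u.ws.nsec3.org":    ("ws.nsec3.org",      ALG_NSEC3_EXPERIMENT),
    "n0.n3u.ws.nsec3.org": ("n3u.ws.nsec3.org",  None),
    "n3s.ws.nsec3.org":    ("ws.nsec3.org",      ALG_NSEC3_EXPERIMENT),
    "n1.n3s.ws.nsec3.org": ("n3s.ws.nsec3.org",  ALG_NSEC),
    "n3.n3s.ws.nsec3.org": ("n3s.ws.nsec3.org",  ALG_NSEC3_EXPERIMENT),
    "n3o.ws.nsec3.org":    ("ws.nsec3.org",      ALG_NSEC3_EXPERIMENT),
    "n0.n3o.ws.nsec3.org": ("n3o.ws.nsec3.org",  None),
}

# DNSKEY algorithms each resolver class can validate; None means it does not validate at all.
VALIDATORS = {
    "NSEC3-aware": {ALG_NSEC, ALG_NSEC3_EXPERIMENT},
    "NSEC-aware": {ALG_NSEC},
    "DNSSEC-unaware": None,
}

def chain_from_anchor(zone):
    # Zones on the resolution path, trust anchor (ws.nsec3.org) first.
    path = []
    while zone is not None:
        path.append(zone)
        zone = ZONES[zone][0]
    return path[::-1]

def expected_state(qname, validator):
    # Outcome a resolver class should report for www.<zone>, per the discussion above.
    supported = VALIDATORS[validator]
    if supported is None:
        return "traditional resp."      # no validation, plain answer
    zone = qname.split(".", 1)[1]       # strip the www label
    if zone not in ZONES:
        return "nxdomain"               # name absent: signed denial from the parent
    for z in chain_from_anchor(zone):
        alg = ZONES[z][1]
        if alg is None or alg not in supported:
            return "insecure"           # unsigned delegation, or unknown algorithm: stop here
    return "secure/AD"                  # every zone on the path validated
```

Running expected_state over the seven query names for each validator class yields the expected-results table above, including the nxdomain row for the non-existent n1.n1s zone.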