Test Plan for NSEC3 Workshop 1
Version 2.0 (Draft): protocol tests for DNSSEC using the NSEC3 RR
More of Scott's plan will be included.
Notation
- C() = covers
- N() = next equals
- WC = wildcard expansion
Plan
Exercise all possible classes of responses
For the correct cases, signers create proper data, servers serve correct data, and validators process the data correctly. In all cases (including the incorrect responses) all signatures are valid and within their validity period.
- Simple positive response
- No NSEC3 RRs in response
- Positive wildcard response
- Answer is QNAME QTYPE with data from WC RDATA
- NSEC3 RRs showing:
- Owner name doesn't exist
- No closer encloser
- Referrals
- Delegation with DS
- non-opt-in insecure delegation
- opt-in insecure delegation
- Correct negative responses
- NXDOMAIN
- NOERROR/NODATA
- WC NODATA
- QNAME exists but is an ENT
- DS child-zone NODATA
- same as NOERROR/NODATA, but a special case in validator processing (the proof lives at the parent side of the delegation)
- NSEC3 NODATA (NSEC3 paradox)
- Incorrect positive responses. Tests intended to make sure that validators mark bogus responses as bogus.
- (no NSEC3-specific ways to break a standard positive response)
- Positive WC response
- remove no closer encloser NSEC3 RR
- remove closest encloser NSEC3 RR
- remove both
- supply valid but non-closest encloser NSEC3 RR instead of correct closest encloser NSEC3 RR
- use correct NSEC3 RR but wrong wildcard expansion
Zone:
  *.b.example. A blah
  *.example. A blah
QNAME: alpha.b.example.
Response:
  NSEC3 b.example.
  NSEC3 alpha.b.example.
  WC *.example.
- use wrong NSEC3 RRs and wrong WC expansion
Zone:
  b.example. A blah
  *.example. A blah
QNAME: alpha.b.example.
Response:
  NSEC3 example.
  NSEC3 alpha.b.example.
  WC *.example.
- use a wildcard one label above the closest encloser (N-1 case)
Zone:
  example. SOA
  c.example. A
  *.example. A
Query: QNAME = a.b.c.example.
Resp:
  NSEC3 c.example.
  NSEC3 C(b.c.example.)
  WC *.example.
- Referrals
- (delegation with DS not tested)
- non-opt-in insecure delegation
- remove NSEC3 RR
- incorrect NSEC3 RR (doesn't match hash)
- incorrect NSEC3 RR (DS bit set)
- opt-in insecure delegation
- remove NSEC3 RR
- incorrect NSEC3 RR (doesn't match hash)
- incorrect NSEC3 RR (DS bit set)
- Incorrect negative responses
- NXDOMAIN
- remove no WC proof NSEC3 RR
- remove no closer encloser NSEC3 RR
- remove closest encloser NSEC3 RR
- (all combinations of above three)
- NSEC3 RR with incorrect algorithm
- supply NSEC3 RR which uses wrong closest encloser (parent or other ancestor)
- NXDOMAIN for existing QNAME
Zone:
  example. SOA
  b.example. A
Query: QNAME = b.example.
Resp: NXDOMAIN
  NSEC3 example.
  NSEC3 C(*.example.)
  NSEC3 b.example.
- NXDOMAIN for existing QNAME ("covers" case)
Zone:
  example. SOA
  b.example. A
Query: QNAME = b.example.
Resp: NXDOMAIN
  NSEC3 example.
  NSEC3 C(*.example.)
  NSEC3 N(b.example.)
- NXDOMAIN using incorrect closest encloser ("N+2+" case)
Zone:
  example. SOA
  b.example. A
Query: QNAME = a.b.example.
Resp: NXDOMAIN
  NSEC3 example.
  NSEC3 C(*.example.)
  NSEC3 C(a.b.example.)
- NOERROR/NODATA
- remove the NSEC3 RR matching QNAME (its type bitmap is the proof that QTYPE is absent)
- supply NSEC3 RR which claims QTYPE does exist
- WC NODATA
- remove no closer encloser NSEC3 RR
- remove closest encloser NSEC3 RR
- (all combinations of above)
- QNAME exists but is an ENT
- remove no WC proof NSEC3 RR
- remove no closer encloser NSEC3 RR
- remove closest encloser NSEC3 RR
- (all combinations of above three)
- DS child-zone NODATA
- remove no WC proof NSEC3 RR
- remove no closer encloser NSEC3 RR
- remove closest encloser NSEC3 RR
- (all combinations of above three)
- NSEC3 NODATA (NSEC3 paradox)
- NXDOMAIN
- Misc.
- Simple positive with spurious NSEC3 RR(s)
- With and without type bit set
- supply incorrect NSEC3 RRs
- supply extra NSEC3 RRs
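The NXDOMAIN forgeries in the plan (a matching NSEC3 RR supplied where a covering one is required, an RR whose next field merely equals the hash, and a closest encloser claimed two or more labels up) and the wildcard forgeries under the positive wildcard response all turn on the same validator checks: matches versus covers (including the wrap-around of the last RR in the chain), the closest-encloser walk, and the requirement that the next closer name sit exactly one label below the closest encloser. The Python below is an added illustration, not part of the workshop plan or of any signer or validator implementation: it hashes names as RFC 5155 specifies, builds NSEC3 chains over toy zones taken from the plan's examples (an empty salt and zero iterations are assumed, the "blah" RDATA is reduced to type sets, and an apex example. SOA is assumed where an example omits it), and runs each forged response and its correct counterpart through those checks. M(), C() and N() are helpers defined here following the plan's notation.

```python
"""NSEC3 validator checks behind the plan's NXDOMAIN and wildcard forgeries (toy zones)."""
import hashlib

SALT, ITERATIONS = b"", 0  # assumed NSEC3PARAM values for the toy zones


def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 s.5: IH(x, 0) = H(x || salt), IH(x, k) = H(IH(x, k-1) || salt), H = SHA-1,
    x = canonical (lower-case) wire-format name; owner names carry base32hex of this."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


class NSEC3:
    def __init__(self, owner, nxt, types):
        self.owner, self.next, self.types = owner, nxt, types

    def matches(self, name):
        return self.owner == nsec3_hash(name)

    def covers(self, name):  # H(name) strictly between owner and next
        h = nsec3_hash(name)
        if self.owner < self.next:
            return self.owner < h < self.next
        return h > self.owner or h < self.next  # last RR of the chain wraps to the first


def build_chain(zone):
    """zone = {owner: set(types)}; ENTs appear with an empty set (NSEC3 gives them RRs)."""
    names = sorted(zone, key=nsec3_hash)
    return [NSEC3(nsec3_hash(n), nsec3_hash(names[(i + 1) % len(names)]), zone[n])
            for i, n in enumerate(names)]


# Select RRs from the chain as a server or a forger would. Plan notation: C() covers,
# N() next equals; M() is the RR whose owner hash equals H(name).
def M(chain, name): return next(rr for rr in chain if rr.matches(name))
def C(chain, name): return next(rr for rr in chain if rr.covers(name))
def N(chain, name): return next(rr for rr in chain if rr.next == nsec3_hash(name))


def closest_encloser_proof(rrs, qname, apex):
    """RFC 5155 s.8.3: walk up from QNAME; the first name with a matching NSEC3 is the
    closest encloser, and the name one label below it (next closer) must be covered."""
    sname, next_closer = labels(qname), None
    while len(sname) >= len(labels(apex)):
        name = ".".join(sname) + "."
        if any(rr.matches(name) for rr in rrs):
            if next_closer is None:  # QNAME itself is shown to exist
                return None
            if not any(rr.covers(next_closer) for rr in rrs):
                return None  # next closer either matched (exists) or left unproven
            return name, next_closer
        sname, next_closer = sname[1:], name
    return None


def nxdomain_ok(rrs, qname, apex):
    ce = closest_encloser_proof(rrs, qname, apex)
    return ce is not None and any(rr.covers("*." + ce[0]) for rr in rrs)


def wildcard_answer_ok(rrs, qname, wildcard):
    """RFC 5155 s.8.8: the wildcard owner implies the closest encloser; the next closer
    name (one more label of QNAME) must be proven absent by a covering NSEC3."""
    wl, ql = labels(wildcard), labels(qname)
    ce = wl[1:]
    if wl[:1] != ["*"] or len(ql) <= len(ce) or ql[len(ql) - len(ce):] != ce:
        return False  # wildcard is not *.<proper ancestor of QNAME>
    next_closer = ".".join(ql[len(ql) - len(ce) - 1:]) + "."
    return any(rr.covers(next_closer) for rr in rrs)


def plan_cases():
    """Forged responses from the plan (expected False) beside correct proofs (True)."""
    out, apex = {}, "example."
    z = build_chain({apex: {"SOA"}, "b.example.": {"A"}})
    out["nxdomain, existing qname"] = nxdomain_ok(
        [M(z, apex), C(z, "*.example."), M(z, "b.example.")], "b.example.", apex)
    out["nxdomain, existing qname, N()"] = nxdomain_ok(
        [M(z, apex), C(z, "*.example."), N(z, "b.example.")], "b.example.", apex)
    # N+2+: the forger must omit any RR matching b.example., or that name is shown to exist
    forged = [rr for rr in (M(z, apex), C(z, "*.example."), C(z, "a.b.example."))
              if not rr.matches("b.example.")]
    out["nxdomain, N+2+ closest encloser"] = nxdomain_ok(forged, "a.b.example.", apex)
    out["nxdomain, correct"] = nxdomain_ok(
        [M(z, "b.example."), C(z, "a.b.example."), C(z, "*.b.example.")], "a.b.example.", apex)
    w = build_chain({apex: {"SOA"}, "b.example.": set(), "*.b.example.": {"A"}, "*.example.": {"A"}})
    rrs = [M(w, "b.example."), C(w, "alpha.b.example.")]
    out["wc, wrong expansion"] = wildcard_answer_ok(rrs, "alpha.b.example.", "*.example.")
    out["wc, correct"] = wildcard_answer_ok(rrs, "alpha.b.example.", "*.b.example.")
    v = build_chain({apex: {"SOA"}, "c.example.": {"A"}, "*.example.": {"A"}})
    out["wc, N-1"] = wildcard_answer_ok([M(v, "c.example."), C(v, "b.c.example.")],
                                        "a.b.c.example.", "*.example.")
    return out
```

The wildcard check derives the closest encloser from the wildcard owner and needs only the covering NSEC3 RR for the next closer name, which is what a validator does; the plan's responses also carry the closest encloser's matching NSEC3 RR, and the check simply ignores it. The N+2+ case is built by filtering out any RR that matches b.example. rather than by picking RRs by position, because which RR of a small chain happens to cover a given hash depends on the hash order, and a forger who included the matching RR would expose the name. Signature verification, opt-out and DNAME handling, and the NSEC3PARAM lookup are outside this block.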
Test delegations
- NSEC -> NSEC3
- NSEC3 -> NSEC
- NSEC3 opt-in -> insecure
- NSEC3 no opt-in -> insecure
- opt-in -> no opt-in
- no opt-in -> opt-in
Test various transitions
(all testing caching behaviour)
- Algorithm Roll
