Test Plan NSEC3 interop tests
Actually this is really a DNSSEC interop testing plan, with some minor extensions.
Version history: ScottR last updated 2006/01/25; Olafur 2006/01/26; ScottR 2006/04/04
Predicate:
How will NSEC3 zones be signaled? If there is a signaling mechanism, implementations need to know it a priori.
Zone Signing Tests
1. sign zone with one label depth, no delegations
2. sign zone with one label depth, with secure and insecure delegations (i.e. at least one delegation has a DS RR)
3. sign zone with multiple label depth (including empty non-terminals)
4. sign zone with very long zone name (over 222 bytes in length)
Open questions: range of fields
Iterations: 1..n or 0..n; what is n?
Salt: length 0..k or 1..k; what is k?
Checking results of Zone Signing Tests: TBD
1. Test if NSEC[3] chain of names is correctly sorted
2. Test if the chain is circular
3. Test that all RRsets to be covered are reflected in the bitmaps.
4. [Optional] if output is in "DNS presentation format" check if it is importable to other implementations.
Zone loading tests
1. Load zone with NSEC and NSEC3 RRs
2. Load zone with file generated from another signer
3. Load zone with unknown/undefined hash algorithm
a. warning message?
4. Load a zone with NSEC3 RRs with no salt
Checking results of Zone Loading Tests: TBD
Zone Transfer test:
1. Transfer NSEC3 zone to a server that understands NSEC3
a. obtains salt and iterations correctly
b. has NSEC3's with different salt/iterations
2. Transfer a NSEC3 zone to a server that doesn't understand NSEC3
a. outcome: NSEC3's treated as unknown RR types
b. outcome: NSEC3's dropped from zone
c. outcome: Error
3. Transfer a NSEC3 zone with unknown/undefined hash algorithms
a. Result should be the same as in #1
4. Transfer a NSEC zone to a server that understands NSEC3
a. outcome - no error
Using the example NSEC3 zone in the Internet-draft Appendix A.
For authoritative server tests. This series of tests will be run using both an NSEC3-signed zone and a DNSSEC zone signed using NSEC RRs.
1. Query for name/rrType that exists in the zone
a. query: "example. IN SOA"
2. query for non-OPT-IN unsecure delegation
a. Query for "foo.b.example. IN A"
b. outcome - referral with NSEC/NSEC3 showing no DS RR for b.example.
3. query for OPT-IN unsecure delegation
4. query for secure delegation
a. outcome - referral with DS RR showing delegation has authentication chain from parent.
5. qname exists, qtype = ANY
a. Query for "xx.example. IN ANY"
b. outcome: all RRsets at name (including NSEC RRs), no NSEC3 RRs
6. query where qname could be matched by wildcard expansion
a. Query for "foo.x.example. IN MX"
b. positive wildcard expansion and NSEC/NSEC3 showing no exact name matches
7. query for name that could match wildcard, but "*" label does not have correct qtype
a. Query for "foo.x.example. IN HINFO"
b. outcome: NSEC/NSEC3 RR for "*" label showing qtype does not exist.
8. query for name that does not exist in zone (not at an empty non-terminal).
a. Query for "nothere.example. IN A"
b. outcome: standard NSEC/NSEC3 reply showing no exact match and no wildcard expansion possible
9. query for qname that exists, qtype that does not.
a. Query for "xx.example. IN MX"
b. outcome: one NSEC/NSEC3 RR matching qname
10. query for empty non terminal
a. Query for "y.w.example. IN A" (Appendix B.3)
b. outcome: NSEC/NSEC3 RR response proving non-existence - note the NSEC3 response will look different.
11. NSEC zone only: query for qname exists, qtype=NSEC
a. query: "example. IN NSEC"
b. outcome: NSEC RR in answer section.
12. NSEC3 zone only: query for qtype NSEC3 RR, with qname of a hashed real owner name
a. Query for "wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. IN NSEC3"
b. outcome: NXDomain response with NSEC3 RRs showing qname does not exist.
13. NSEC3 zone only: query for real name, but qtype NSEC3 (apex name?)
a. Query for "example. IN NSEC3"
b. outcome: NSEC3 with hashed qname (Section 7)
14. query for qtype NSEC/NSEC3, but qname does not exist.
a. Query for "xxxxxxxxxxxxxxxxxxxxx.example. IN NSEC3"
b. outcome: NXDomain response
For recursive servers
Same as above, with:
1. query for another name that would be in span
2. NSEC aware cache receives NSEC3 response
a. outcome: dropped, or handled as unknown?
3. Same as (1), with CD bit set
4. look for outgoing queries, or does the resolver kill the resolution process
a. i.e. if the cache sees a query for an NSEC3 RR, does it ever short-circuit the query and send NXDOMAIN responses?
For resolvers/validators
1. Get normal positive response
2. Get secure referral
3. Get positive response from wildcard expansion
a. full response
b. response missing NSEC3 RR showing no direct match (closest encloser)
c. response contains incorrect NSEC3 RR showing no direct match
d. response missing NSEC3 RR showing no closer encloser
e. incorrect wildcard expansion, with NSEC3 RRs proving closer encloser exists
f. correct response, but using incorrect wildcard
g. wildcard expansion where closest encloser shows no wildcard expansion possible (N-1 case)
4. Get OPT-IN referral for unsecure zone
a. correct
b. missing NSEC3 showing unsecure delegation
c. contains NSEC3 with incorrect span
5. Get non-OPT-IN referral for unsecure zone
a. correct
b. missing NSEC3 showing unsecure status
c. contains incorrect NSEC3 RR showing status
6. Get normal response using NSEC RRs, not NSEC3 RRs
7. Get NSEC3 response showing no-error/no-data
a. valid answer
b. missing NSEC3 showing QTYPE does not exist
c. contains NSEC3 showing QTYPE does exist
8. Get NSEC3 response showing that name was empty non-terminal
a. valid answer
b. missing NSEC3 showing no wildcard expansion
c. missing NSEC3 showing closest encloser
d. missing NSEC3 showing closer encloser
9. NXDOMAIN response
a. Valid NSEC3 set showing name does not exist (valid answer)
b. Missing NSEC3 spanning QNAME
c. Get NSEC3 whose span does not contain QNAME
d. Missing NSEC3 of closest encloser
e. Missing NSEC3 showing no wildcard applies
10. Get NSEC3 RR with iteration number higher than "what it accepts"
11. Get 2 NSEC3 RRs with different OPT-IN statements.
a. Outcome - no error
12. Get Response containing NSEC3 RRs with different salt and iterations parameters
a. outcome: valid answer?
13. Get NSEC3 RR with invalid hash algorithm code
a. error code?
b. For insecure delegation showing DS does not exist.
14. Get 2 NSEC3 RRs with different hash algos
a. may not be applicable as SHA-1 is currently the only defined algorithm
15. Get an NSEC3 RR with meta-RRs in the bitmap
16. Get a response with NSEC3 and NSEC RRs in authority section
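Added example, not part of this test plan or of any implementation under test: a small Python checker covering zone-signing checks 1 and 2 (NSEC3 chain sorted and circular) and validator test 9 (the NXDOMAIN closest encloser proof, the same cases the broken-packet queries below exercise). The hash follows the published NSEC3 spec (RFC 5155, section 5); the salt/iterations values aabbccdd/12 and the example. names are from its Appendix A, and the (owner_hash, next_hash) tuples are a constructed stand-in for parsed NSEC3 RRs.

```python
import base64
import hashlib

# base32 (A-Z2-7) -> base32hex (0-9A-V): in base32hex, string order equals hash byte order
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s.5: SHA-1(canonical wire-format name + salt), then SHA-1(digest + salt) 'iterations' times."""
    labels = [] if name in (".", "") else name.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)  # "-" in presentation format = empty salt
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX).lower()

def build_chain(names, salt_hex, iterations):
    """Signer side: hash every owner name, sort, and link each record to its successor (last wraps)."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def check_chain(records):
    """Zone-signing checks 1 and 2: owner hashes sorted and unique, every 'next' is the following owner."""
    owners = [o for o, _ in records]
    problems = [] if owners == sorted(set(owners)) else ["owner hashes not sorted or not unique"]
    expected = owners[1:] + owners[:1]  # circular: the last record must point back to the first
    return problems + [f"{o} points to {n}, expected {e}" for (o, n), e in zip(records, expected) if n != e]

def covers(owner, nxt, h):
    """True if h lies strictly inside the span (owner, nxt); the last span wraps around to the first."""
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def check_nxdomain_proof(qname, zone, records, salt_hex, iterations):
    """Validator test 9: closest encloser proof (RFC 5155 s.8.4) over the authority-section NSEC3 RRs."""
    h = lambda n: nsec3_hash(n, salt_hex, iterations)
    owners = {o for o, _ in records}
    labels = qname.rstrip(".").split(".")
    if h(qname) in owners:
        return ["an NSEC3 matches QNAME itself, so the name exists"]
    for i in range(1, len(labels) - len(zone.rstrip(".").split(".")) + 1):  # nearest ancestor first
        closest_encloser = ".".join(labels[i:]) + "."
        if h(closest_encloser) in owners:
            break
    else:
        return ["no NSEC3 matches any candidate closest encloser (9d)"]
    nc, wc = ".".join(labels[i - 1:]) + ".", "*." + closest_encloser
    return [f"no NSEC3 covers {what}: {name}" for what, name in
            (("next closer name (9b/9c)", nc), ("wildcard at closest encloser (9e)", wc))
            if not any(covers(o, n, h(name)) for o, n in records)]
```

An empty list from either checker means the chain or proof passed; each string names the failing sub-case so a test harness can map it back to the numbered outcome.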
Dynamic Update tests (optional for now?)
1. Add an A RR to the zone
a. outcome - normal operation
2. Delete an owner name
3. Add a secure delegation to a zone
4. Add an unsecure delegation to a zone at an OPT-IN gap
5. Add an unsecure delegation to a zone at a non-OPT-IN gap
6. Remove a secure delegation
7. Remove an unsecure delegation at an OPT-IN gap
8. Remove an unsecure delegation at a non-OPT-IN gap
9. Delete an NSEC3 RR
a. outcome - denied?
10. Change an NSEC3 RR OPT-IN status
Broken Packets
Roy/David/Jelte
From the testplan at http://www.nsec3.org/cgi-bin/trac.cgi/wiki/Testing, we've copied the section "For resolvers/validators" and removed the 'non-bad' responses.
I propose we're going to use 'broken.ws.nsec3.org' as the zone where the broken responses reside. We will use good.broken.ws.nsec3.org as the (valid) unsigned delegation from broken.ws.nsec3.org.
check-list for configuration:
1) find free address in the local net and add alias
done: sudo ifconfig en1 inet 10.1.1.66 netmask 255.255.255.255 alias
2) add the proper delegation material to the ws.nsec3.org zone
3) setup packet-server with the proper keys and config
4) upload the packet-server.cfg to the wiki for future use
- from this point on, packet-server can run, and we'll be able to 'just add' packets to the proper directory
These are the cases that require broken responses.
3. Get positive response from wildcard expansion
b. response missing NSEC3 RR showing no direct match (closest encloser)
Query: missing-dm-wc.w.broken.ws.nsec3.org/A
c. response contains incorrect NSEC3 RR showing no direct match
Query: wrong-dm-wc.w.broken.ws.nsec3.org/A
d. response missing NSEC3 RR showing no closer encloser
Query: missing-nc-wc.w.broken.ws.nsec3.org/A
e. incorrect wildcard expansion, with NSEC3 RRs proving closer encloser exists
Query: wrong-wc-1.z.w.broken.ws.nsec3.org/MX
f. correct response, but using incorrect wildcard
Query: wrong-wc-2.z.w.broken.ws.nsec3.org/MX
g. wildcard expansion where closest encloser shows no wildcard expansion possible (N-1 case)
This is unclear.
4. Get OPT-IN referral for unsecure zone
b. missing NSEC3 showing unsecure delegation
c. contains NSEC3 with incorrect span
5. Get non-OPT-IN referral for unsecure zone
b. missing NSEC3 showing unsecure status
Query: missing-ds-nsec3-del.broken.ws.nsec3.org/DS
c. contains incorrect NSEC3 RR showing status
Query: bad-ds-nsec3-del/DS
7. Get NSEC3 response showing no-error/no-data
b. missing NSEC3 showing QTYPE does not exist
Query: missing-type-nsec3-no-data/MX
c. contains NSEC3 showing QTYPE does exist
Query: type-nsec3-no-data/MX
8. Get NSEC3 response showing that name was empty non-terminal
b. missing NSEC3 showing no wildcard expansion
Query: no-wc-empty-nont,A
c. missing NSEC3 showing closest encloser
Query: no-ce-empty-nont,A
d. missing NSEC3 showing closer encloser
Query: no-ce2-empty-nont,A
9. NXDOMAIN response
b. Missing NSEC3 spanning QNAME
Query: no-nsec3-nxd,A
c. Get NSEC3 whose span does not contain QNAME
Query: bad-span-nsec3-nxd,A
d. Missing NSEC3 of closest encloser
Query: no-ce-nsec3-nxd,A
e. Missing NSEC3 showing no wildcard applies
Query: no-wc-nsec3-nxd,A
11. Get 2 NSEC3 RRs with different OPT-IN statements.
a. Outcome - no error
Query: optinout,A
12. Get Response containing NSEC3 RRs with different salt and iterations parameters
a. outcome: valid answer?
The individual proofs each use different salt and iterations parameters.
Query: 12,A
13. Get NSEC3 RR with invalid hash algorithm code
a. error code?
Query: alg-hash-nsec3,A
b. For insecure delegation showing DS does not exist.
Query: alg-hash-ds,DS
14. Get 2 NSEC3 RRs with different hash algos
a. may not be applicable as SHA-1 is currently the only defined algorithm
Query: alg-hash-two,A
15. Get an NSEC3 RR with meta-RRs in the bitmap
Query: bitmap,A
16. Get a response with NSEC3 and NSEC RRs in authority section
Query: nsec-nsec3,A
