Resolver Tests

Scott Rose and Wouter Wijngaards.

We used the unbound resolver which was pointed to a set of servers. The servers were running NSD 2 (Ben Laurie's patch), NSD 3, Bind 9.5-workshop version(nsec3 capable) and bind-9.3.1. We also used pdig and drill.

For query 8, nothere.no.ws.nsec3.org to resolver1 pointed to name server1 domain tree, resolver1 did not resolve immediately but gave a delegation, 2nd query with partial results in cache succeeded. This was not repeatable.

Test report results Caching server

Caching resolver vs. name server1 domain tree (in DENIC room)
Test

1. Query for name/rrType that exists in the zone (ws.nsec3.org SOA)

  • result: PASS

2. query for non-OPT-IN unsecure delegation (ai.unsec.no.ws.nsec3.org A)

  • result: PASS

3. query for OPT-IN unsecure delgation (ai.unsec.oo.ws.nsec3.org A)

  • result PASS

4. query for secure delegation (ai.sec.oo.ws.nsec3.org A)

  • result Servfail

5. qname exists, qtype = ANY (ws.nsec3.org ANY)

  • result PASS (no nsec3 RRs)

6. query where qname could be matched by wildcard expansion (foo.w.oo.ws.nsec3.org MX)

  • result PASS

7. query for name that could match wildcard, but "*" label does not have correct qtype (foo.w.no.ws.nsec3.org A)

  • result PASS

8. query for name that does not exist in zone (not at an empty non-terminal). (foo.oo.ws.nsec3.org A)

  • result PASS

9. query for qname that exists, qtype that does not. (ai.sec.no.ws.nsec3.org TXT)

  • result PASS

10. query for empty non terminal (y.w.ws.nsec3.org A)

  • result PASS

11. NSEC zone only: query for qname exists, qtype=NSEC

  • result SKIP

12. NSEC3 zone only: query for qtype NSEC3 RR, with qname of a hashed real owner name

  • result PASS

13. NSEC3 zone only: query for real name, but qtype NSEC3 (apex name?)

  • result PASS

14. query for qtype NSEC/NSEC3, but qname does not exist.

  • result PASS NXDOMAIN response

Test series 2 - caching resolver vs. name server 2 tree nominet lab
Test

1. Query for name/rrType that exists in the zone (ws.nsec3.org SOA)

  • result: PASS

2. query for non-OPT-IN unsecure delegation (ai.unsec.no.ws.nsec3.org A)

  • result: PASS

3. query for OPT-IN unsecure delgation (ai.unsec.oo.ws.nsec3.org A)

  • result PASS

4. query for secure delegation (ai.sec.oo.ws.nsec3.org A)

  • result PASS

5. qname exists, qtype = ANY (ws.nsec3.org ANY)

  • result PASS (no nsec3 RRs)

6. query where qname could be matched by wildcard expansion (foo.w.oo.ws.nsec3.org MX)

  • result PASS

7. query for name that could match wildcard, but "*" label does not have correct qtype (foo.w.no.ws.nsec3.org A)

  • result PASS

8. query for name that does not exist in zone (not at an empty non-terminal). (foo.oo.ws.nsec3.org A)

  • result PASS

9. query for qname that exists, qtype that does not. (ai.sec.no.ws.nsec3.org TXT)

  • result PASS

10. query for empty non terminal (y.w.ws.nsec3.org A)

  • result PASS

11. NSEC zone only: query for qname exists, qtype=NSEC

  • result SKIP

12. NSEC3 zone only: query for qtype NSEC3 RR, with qname of a hashed real owner name

  • result PASS

13. NSEC3 zone only: query for real name, but qtype NSEC3 (apex name?)

  • result PASS

14. query for qtype NSEC/NSEC3, but qname does not exist.

  • result PASS NXDOMAIN response

Test Series 3 non-NSEC3 aware cache vs. name server 2 tree - Nominet lab
Test

1. Query for name/rrType that exists in the zone (ws.nsec3.org SOA)

  • result: PASS

2. query for non-OPT-IN unsecure delegation (ai.unsec.no.ws.nsec3.org A)

  • result: SERVFAIL (+cd - PASS)

3. query for OPT-IN unsecure delgation (ai.unsec.oo.ws.nsec3.org A)

  • result SERVFAIL (+cd - PASS)

4. query for secure delegation (ai.sec.oo.ws.nsec3.org A)

  • result PASS

5. qname exists, qtype = ANY (ai.ws.nsec3.org ANY)

  • result PASS (no nsec3 RRs)

6. query where qname could be matched by wildcard expansion (foo.w.oo.ws.nsec3.org MX)

  • result SERVFAIL (+cd - PASS)

7. query for name that could match wildcard, but "*" label does not have correct qtype (foo.w.no.ws.nsec3.org A)

  • result SERVFAIL (+cd - failed to provide wildcard noerr/no data proof)

8. query for name that does not exist in zone (not at an empty non-terminal). (foo.oo.ws.nsec3.org A)

  • result SERVFAIL (+cd only SOA and RRSIG in authority section)

9. query for qname that exists, qtype that does not. (ai.sec.no.ws.nsec3.org TXT)

  • result SERVFAIL (+cd failed to provide noerr/nodata NSEC proof)

10. query for empty non terminal (y.w.ws.nsec3.org A)

  • result SERVFAIL (+cd only SOA and RRSIG in authority section)

11. NSEC zone only: query for qname exists, qtype=NSEC

  • result SKIP

12. NSEC3 zone only: query for qtype NSEC3 RR, with qname of a hashed real owner name (h(ai.no.ws.nsec3.org) NSEC3)

  • result SERVFAIL (+cd NXDOMAIN with SOA and RRSIG in authority section)

13. NSEC3 zone only: query for real name, but qtype NSEC3 (ai.no.ws.nsec3.org NSEC3)

  • result SERVFAIL (+cd NOerr/NOdata with SOA and RRSIG in authority)

14. query for qtype NSEC/NSEC3, but qname does not exist. (foo.no.ws.nsec3.org NSEC3)

  • result SERVFAIL (+cd NXDOMAIN with SOA and RRSIG in authority)

Test Series 4 (caching resolver vs. name server3 prototype) - DENIC room
Test

1. Query for name/rrType that exists in the zone (ws.nsec3.org SOA)

  • result: PASS

2. query for non-OPT-IN unsecure delegation (ai.unsec.no.ws.nsec3.org A)

  • result: ?

3. query for OPT-IN unsecure delgation (ai.unsec.oo.ws.nsec3.org A)

  • result: Servfail

4. query for secure delegation (ai.sec.oo.ws.nsec3.org A)

  • result: Servfail

5. qname exists, qtype = ANY (ai.oo.ws.nsec3.org ANY)

  • result PASS

6. query where qname could be matched by wildcard expansion (foo.w.oo.ws.nsec3.org MX)

  • result Servfail

7. query for name that could match wildcard, but "*" label does not have correct qtype (foo.w.no.ws.nsec3.org A)

  • result PASS

8. query for name that does not exist in zone (not at an empty non-terminal). (foo.oo.ws.nsec3.org A)

  • result PASS

9. query for qname that exists, qtype that does not. (ai.oo.ws.nsec3.org TXT)

  • result PASS

10. query for empty non terminal (y.w.oo.ws.nsec3.org A)

  • result PASS

11. NSEC zone only: query for qname exists, qtype=NSEC

  • result SKIP

12. NSEC3 zone only: query for qtype NSEC3 RR, with qname of a hashed real owner name (h(ai.oo.ws.nsec3.org) NSEC3)

  • result PASS

13. NSEC3 zone only: query for real name, but qtype NSEC3 (apex name?)(ai.oo.ws.nsec3.org NSEC3)

  • result PASS

14. query for qtype NSEC/NSEC3, but qname does not exist.(foo.oo.ws.nsec3.org NSEC3)

  • result Servfail