Ben's and Matt's test results, 05/09/06:
Matt: Using Unbound build 316 (with "ws.nsec3.org" trust anchor configured) and "drill version 1.1.0 (ldns version 1.1.0 20060509)"
Ben: Using drill (svn version) via unbound (whatever Roy is running)
For resolvers/validators
1. Get normal positive response
Test: Query is ws.nsec3.org/IN/SOA (i.e., uses local trust anchor and no following of delegations)
NSD2 Summary: Ben success, Matt success
BIND Summary: Matt success, Ben success
2. Get secure referral
Test: oo.ws.nsec3.org/in/soa (i.e., follow a secure delegation)
NSD2 Summary: Matt success, Ben success
BIND Summary: Ben success, Matt success
3. Get positive response from wildcard expansion
a. full response
Test: foo.w.ws.nsec3.org/in/mx (i.e., expansion of "*.w" MX wildcard in zone that we have a trust anchor for)
NSD2 Summary: Matt success, Ben success
BIND Summary: Matt fail (NSEC3 missing, Unbound detected), Ben fail (NSEC3 missing, drill did not detect this)
b. response missing NSEC3 RR showing no direct match (closest encloser)
Test: missing-dm-wc.broken.ws.nsec3.org/A
Results:
c. response contains incorrect NSEC3 RR showing no direct match
SKIPPED
d. response missing NSEC3 RR showing no closer encloser
SKIPPED
e. incorrect wildcard expansion, with NSEC3 RRs proving closer encloser exists
SKIPPED
f. correct response, but using incorrect wildcard
SKIPPED
g. wildcard expansion where closest encloser shows no wildcard expansion possible (N-1 case)
SKIPPED
4. Get OPT-OUT referral for unsecure zone
a. correct
Test: unsec.oo.ws.nsec3.org/in/soa
NSD2 Result: Ben success, Matt success
BIND Result: Ben success, Matt failure (response is missing one of two required NSEC3 records)
5. Get non-OPT-IN referral for unsecure zone
a. correct
Test: unsec.no.ws.nsec3.org/in/soa
NSD2 Results: Ben success, Matt success
BIND Results: Ben success, Matt success
6. Get normal response using NSEC RRs, not NSEC3 RRs
SKIPPED (zones not signed with NSEC, only NSEC3)
7. Get NSEC3 response showing no-error/no-data
a. valid answer
Test: ai.ws.nsec3.org/in/mx
NSD2 Results: Matt success, Ben success (drill failed, manual verification correct)
BIND Results: Matt success, Ben fail
8. Get NSEC3 reponse showing that name was empty non-terminal
a. valid answer
Query: w.ws.nsec.org/in/a
NSD2 Results: Ben success (drill died, manual verify ok), Matt success
BIND Results: Ben success, Matt success
b. missing NSEC3 showing no wildcard expansion
SKIPPED
c. missing NSEC3 showing closest encloser
SKIPPED
d. missing NSEC3 showing closer encloser
SKIPPED
9. NXDOMAIN response
a. Valid NSEC3 set showing name does not exist (valid answer)
Test: foo.ws.nsec3.org/in/a
NSD2 Results: Matt success, Ben success
BIND Results: Ben fail (missing NSEC3, manually checked - drill does not check the proof, however), Matt fail
b. Missing NSEC3 spanning QNAME
SKIPPED
c. Get NSEC3 whose span does not contain QNAME
SKIPPED
d. Missing NSEC3 of closest encloser
SKIPPED
e. Missing NSEC3 showing no wildcard applies
SKIPPED
10. Get NSEC3 RR with iteration number higher than "what it accepts"
SKIPPED
11. Get 2 NSEC3 RRs with different OPT-IN statements.
a. Outcome - no error
SKIPPED
12. Get Response containing NSEC3 RRs with different salt and iterations parameters
a. outcome: valid answer?
SKIPPED
13. Get NSEC3 RR with invalid hash algorithm code
a. error code?
SKIPPED
b. For insecure delegation showing DS does not exist.
SKIPPED
14. Get 2 NSEC3 RRs with different hash algos
SKIPPED
a. may not be applicable as SHA-1 is currently the only defined algorithm
15. Get an NSEC3 RR with meta-RRs in the bitmap
SKIPPED
16. Get a response with NSEC3 and NSEC RRs in authority section
SKIPPED
