These are the DNSSEC tests for a domain.
This document uses the terminology defined in the Master Test Plan.
Req | Description | Test Case |
---|---|---|
R58 | Legal values for the DS hash digest algorithm | DNSSEC01 |
R59 | DS must match a DNSKEY in the designated zone | DNSSEC02 |
R60 | Check for too many NSEC3 iterations | DNSSEC03 |
R61 | Check for too short or too long RRSIG lifetimes | DNSSEC04 |
R62 | Check for invalid DNSKEY algorithms | DNSSEC05 |
R63 | Verify DNSSEC additional processing | DNSSEC06 |
R64 | If there exists DNSKEY at child, the parent should have a DS | DNSSEC07 |
R65 | RRSIG(DNSKEY) must be valid and created by a valid DNSKEY | DNSSEC08 |
R66 | RRSIG(SOA) must be valid and created by a valid DNSKEY | DNSSEC09 |
R76 | Zone contains NSEC or NSEC3 records | DNSSEC10 |
R79 | If DS at parent, child zone must be signed | DNSSEC11 |
R84 | Test for DNSSEC Algorithm Completeness (DS->DNSKEY->RRSIG) | DNSSEC12 |
- Transport: UDP
- Bufsize: EDNS0 buffer size (512)
- Flags -- query flags
  - do -- DNSSEC ok (1)
  - cd -- Checking Disabled (1)
  - rd -- Recursion Desired (0)
  - ad -- Authenticated Data (0)
See section 3.2 of RFC 4035 for a description of the flags used by a recursive name server.
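The following Python is an added example, not part of this test plan or its implementation: it builds a wire-format query carrying the default settings listed above and parses them back out. The query name `example.com`, the DNSKEY query type and the fixed message ID are constructed values chosen for illustration.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225).
RD, AD, CD, DO = 0x0100, 0x0020, 0x0010, 0x8000
TYPE_OPT, TYPE_DNSKEY, CLASS_IN = 41, 48, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in filter(None, name.split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=TYPE_DNSKEY, qid=0x1234, bufsize=512,
                do=1, cd=1, rd=0, ad=0):
    """Build a query for UDP transport; defaults follow the list above.
    qid is a constructed fixed value so the output is reproducible."""
    flags = (RD if rd else 0) | (AD if ad else 0) | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # QD=1, AR=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root owner, TYPE=OPT, CLASS=buffer size,
    # TTL=ext-rcode|version|DO+Z, RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO if do else 0, 0)
    return header + question + opt

def describe_query(msg):
    """Recover the flag and EDNS0 settings from a query made by build_query."""
    _, flags, _, _, _, arcount = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    while msg[pos]:                  # walk QNAME labels (no compression in queries)
        pos += msg[pos] + 1
    pos += 1 + 4                     # root label, QTYPE, QCLASS
    if arcount != 1 or msg[pos] != 0:
        raise ValueError("expected a single OPT record with root owner name")
    rtype, bufsize, ttl, _ = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    if rtype != TYPE_OPT:
        raise ValueError("additional record is not OPT")
    return {"bufsize": bufsize, "do": int(bool(ttl & DO)),
            "cd": int(bool(flags & CD)), "rd": int(bool(flags & RD)),
            "ad": int(bool(flags & AD))}

if __name__ == "__main__":
    query = build_query("example.com")   # constructed sample name
    print(query.hex(), describe_query(query))
```

With cd set, a validating resolver returns the data without validating it itself, which is what lets a test system inspect broken DNSSEC records instead of receiving a SERVFAIL.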
There are many algorithms defined for DNSSEC, and not all of them are mandatory to implement. This test case should strive to implement not only all mandatory algorithms, but also most of those that are in use on the internet today.
If any algorithm in a DNSSEC record type is not recognized by the test system, the test system should emit a notice about this.
Copyright (c) 2013, 2014, 2015, IIS (The Internet Infrastructure Foundation)
Copyright (c) 2013, 2014, 2015, AFNIC
Creative Commons Attribution 4.0 International License
You should have received a copy of the license along with this work. If not, see https://creativecommons.org/licenses/by/4.0/.