Test requirements

Overview

Zonemaster is implemented as a number of test cases. Behind the test cases are requirements on a DNS zone and its name servers. The requirements are derived from the DNS protocol specifications and best practices. Each test case is meant to verify one or a few of the requirements.

Requirements

In the table below, all requirements behind the Zonemaster test cases are listed. For each requirement there is a link to a reference and a link to the specification of the Zonemaster test case that verifies that requirement. More details are found in the test case specification.

This is not a static document. As DNS evolves and new issues are identified, requirements will be added, removed or modified, just as the test cases are.

| Req ID | Requirement specification | Reference | Test case |
|---|---|---|---|
| R00100 | A name server IP address should be globally routable on the Internet. | | ADDRESS01 |
| R00200 | A name server IP address should be registered in the DNS reverse lookup tree. | | ADDRESS02 |
| R00300 | A name server IP address reverse lookup entry should be valid. | RFC1912 | ADDRESS03 |
| R00400 | The zone name should consist of valid IDN or non-IDN ASCII labels (names). | | BASIC00 |
| R00500 | IDN labels (names) should be valid. | RFC5890 | BASIC00 |
| R00600 | Non-IDN ASCII labels (names) should be valid. | RFC1123 RFC2782 | BASIC00 |
| R00700 | A DNS zone should have a parent zone from which it is delegated. | | BASIC01 |
| R00800 | A DNS zone should have at least one accessible name server that hosts it. | | BASIC02 |
| R00900 | A name server for a zone should respond to a query. | | BASIC04 |
| R01000 | A name server for a zone should respond with SOA record on SOA query. | RFC2181 | BASIC04 DELEGATION06 |
| R01100 | A name server for a zone should respond with RCODE NoError on SOA query. | | BASIC04 |
| R01200 | A name server for a zone should respond with AA flag set on SOA query. | RFC2181 | BASIC04 |
| R01300 | A name server for a zone should respond with NS RRset on NS query. | RFC2181 | BASIC04 |
| R01400 | A name server for a zone should respond with RCODE NoError on NS query. | | BASIC04 |
| R01500 | A name server for a zone should respond with AA flag set on NS query. | RFC2181 | BASIC04 |
| R01600 | A name server should respond on port 53 over UDP. | RFC1035 | CONNECTIVITY01 |
| R01700 | A name server should respond on port 53 over TCP. | RFC7766 | CONNECTIVITY02 |
| R01800 | The name server IP addresses should be announced from different ASNs. | RFC2182 | CONNECTIVITY03 |
| R01900 | The name server IP addresses should not be on the same subnet. | | CONNECTIVITY03 |
| R02000 | All name servers for a zone should respond with the same SOA serial number. | RFC1034 | CONSISTENCY01 |
| R02100 | All name servers for a zone should respond with the same SOA RNAME value. | RFC1034 | CONSISTENCY02 |
| R02200 | All name servers for a zone should respond with the same SOA REFRESH value. | RFC1034 | CONSISTENCY03 |
| R02300 | All name servers for a zone should respond with the same SOA RETRY value. | RFC1034 | CONSISTENCY03 |
| R02400 | All name servers for a zone should respond with the same SOA EXPIRE value. | RFC1034 | CONSISTENCY03 |
| R02500 | All name servers for a zone should respond with the same SOA MINIMUM value. | RFC1034 | CONSISTENCY03 |
| R02600 | All name servers for a zone should respond with the same NS RRset. | RFC1034 | CONSISTENCY04 |
| R02700 | The NS RRset in the delegation should be identical to the NS RRset in the zone. | RFC1034 IANA | CONSISTENCY05 DELEGATION07 |
| R02800 | All name servers for a zone should respond with the same SOA MNAME value. | RFC1034 | CONSISTENCY06 |
| R02900 | The SOA MNAME value should point at the primary master server of the zone. | RFC1035 | CONSISTENCY06 |
| R03000 | A zone should be hosted by at least two name servers (on IPv4). | RFC1034 | DELEGATION01 |
| R03100 | A zone should be hosted by at least two name servers (on IPv6). | | DELEGATION01 |
| R03200 | A zone should be hosted on IPv4. | RFC3901 RFC4472 | DELEGATION01 |
| R03300 | Name servers for a zone should have distinct IP addresses. | | DELEGATION02 |
| R03400 | Referral from parent name servers should fit into 512 octets. | IANA | DELEGATION03 |
| R03500 | The name server for the zone should respond authoritatively for the zone. | RFC2181 | DELEGATION04 |
| R03600 | The name server name should not point at a CNAME. | RFC2181 | DELEGATION05 |
| R03700 | Signed zone must have DNSKEY. | | |
| R03800 | Only valid DS hash algorithm should be used. | RFC8624 | DNSSEC01 |
| R03900 | If child zone is signed then parent zone should have DS record(s). | RFC4035 | DNSSEC07 |
| R04000 | DS at parent must match a DNSKEY at child. | RFC4035 RFC6840 | DNSSEC02 |
| R04100 | Parent name server should respond with NoError on DS query. | | DNSSEC02 |
| R04200 | Parent name server should respond with AA on DS query. | | DNSSEC02 |
| R04300 | DNSKEY RRset should be signed by DNSKEY from RRset. | | DNSSEC02 |
| R04400 | DNSKEY(DS) should have SEP flag set. | | DNSSEC02 |
| R04500 | RRSIG(DNSKEY RRset) should match appointed DNSKEY from DNSKEY RRset. | | DNSSEC02 DNSSEC08 |
| R04600 | The number of NSEC3 iterations should be limited. | RFC5155 | DNSSEC03 |
| R04700 | RRSIG lifetime should not be too short. | RFC6781 | DNSSEC04 |
| R04800 | RRSIG lifetime should not be too long. | RFC6781 | DNSSEC04 |
| R04900 | Only valid DNSKEY algorithms should be used. | RFC8624 | DNSSEC05 |
| R05000 | Query with DO set should include RRSIG in response for signed zone. | RFC4035 | DNSSEC06 |
| R05100 | If the zone is signed, then there should be a DS record in the delegation. | RFC4035 | DNSSEC07 |
| R05200 | Name servers should respond with NoError on DNSKEY query. | | DNSSEC08 |
| R05300 | Name servers should respond with AA on DNSKEY query. | | DNSSEC08 |
| R05400 | Name servers should respond with one DNSKEY RRset. | | DNSSEC08 |
| R05500 | RRSIG(SOA) should match appointed DNSKEY from DNSKEY RRset. | RFC4035 | DNSSEC09 |
| R05600 | NXDOMAIN response should include NSEC/NSEC3 for signed zone. | RFC4035 RFC5155 | DNSSEC10 |
| R05700 | NSEC and NSEC3 should not be mixed in responses. | | DNSSEC10 |
| R05800 | NSEC/NSEC3 record should be signed by RRSIG. | | DNSSEC10 |
| R05900 | If parent zone has DS record(s) then child zone must be signed. | | DNSSEC11 |
| R06000 | It should be possible to verify SOA using DS from parent as trust anchor. | | DNSSEC12 |
| R06100 | It should be possible to verify NS using DS from parent as trust anchor. | | DNSSEC12 |
| R06200 | It should be possible to verify DNSKEY using DS as trust anchor. | | DNSSEC12 |
| R06300 | Every algorithm represented in DNSKEY RRset must be used to sign the entire zone. | RFC6840 | - |
| R06400 | Every algorithm represented in DNSKEY RRset must be used to sign the SOA RRset. | RFC6840 | DNSSEC13 |
| R06500 | Every algorithm represented in DNSKEY RRset must be used to sign the NS RRset. | RFC6840 | DNSSEC13 |
| R06600 | Every algorithm represented in DNSKEY RRset must be used to sign the DNSKEY RRset. | RFC6840 | DNSSEC13 |
| R06700 | DNSKEY of type RSASHA1 (5) should have a key size of 512 to 4096 bits. | RFC3110 | DNSSEC14 |
| R06800 | DNSKEY of type RSASHA1-NSEC3-SHA1 (7) should have a key size of 512 to 4096 bits. | RFC5155 | DNSSEC14 |
| R06900 | DNSKEY of type RSASHA256 (8) should have a key size of 512 to 4096 bits. | RFC5702 | DNSSEC14 |
| R07000 | DNSKEY of type RSASHA512 (10) should have a key size of 1024 to 4096 bits. | RFC5702 | DNSSEC14 |
| R07100 | A name server hosting a zone should not also be a recursive name server. | RFC5358 RFC2870 | NAMESERVER01 |
| R07200 | A name server should support EDNS. | | NAMESERVER02 |
| R07300 | A name server not supporting EDNS should respond with FORMERR. | RFC6891 | NAMESERVER02 |
| R07400 | A name server should not support open zone transfer for its zone or zones. | | NAMESERVER03 |
| R07500 | A name server should respond with the same source IP as the query was sent to. | RFC2181 | NAMESERVER04 |
| R07600 | A name server should handle queries for AAAA correctly. | RFC4074 | NAMESERVER05 |
| R07700 | The name of the name server, as given in the NS record, must be resolvable in DNS. | RFC1035 | NAMESERVER06 |
| R07800 | A name server should not return a referral to root on queries for zones not hosted. | | NAMESERVER07 |
| R07900 | A name server should preserve case of query name when creating response. | Ref? | NAMESERVER08 |
| R08000 | A name server should treat query name without considering character case. | Ref? | NAMESERVER09 |
| R08100 | A name server should respond with BADVERS on unsupported EDNS version. | RFC6891 | NAMESERVER10 |
| R08200 | A name server should completely ignore unsupported EDNS OPTION-CODE. | RFC6891 | NAMESERVER11 |
| R08300 | A name server should completely ignore unsupported EDNS flag bit (Z flag bits). | RFC6891 | NAMESERVER12 |
| R08400 | A name server with EDNS support should include OPT record in truncated response. | RFC6891 | NAMESERVER13 |
| R08500 | A name server should respond with BADVERS and ignore OPTION-CODE on query with unsupported EDNS version and unsupported OPTION-CODE. | RFC6891 | NAMESERVER14 |
| R08600 | The zone (domain) name should only contain legal characters. | RFC1035 RFC1123 RFC2182 RFC3696 | SYNTAX01 |
| R08700 | No label of the zone name should start or end with hyphen ("-"). | RFC1035 RFC1123 RFC2182 RFC3696 | SYNTAX02 |
| R08800 | No label of the zone name should have "--" in positions 3 and 4 unless it starts with "xn--". | RFC3696 | SYNTAX03 |
| R08900 | If the zone name has a label that starts with "xn--" it should be a valid A-label. | | |
| R09000 | If the zone name has an IDN label, its U-label should be valid. | | |
| R09100 | If the zone name has an IDN label, its U-label should not start or end with hyphen ("-"). | | |
| R09200 | If the zone name has an IDN label, its U-label should not have "--" in positions 3 and 4. | | |
| R09300 | If the zone name has an IDN label, its U-label should not have UNASSIGNED or DISALLOWED characters. | | |
| R09400 | If the zone name has an IDN label, any CONTEXTO or CONTEXTJ character in its U-label must follow the rules. | | |
| R09500 | The names of the name servers of the zone must be valid hostnames. | RFC0952 RFC1123 RFC2182 RFC3696 | SYNTAX04 |
| R09600 | In the SOA RNAME field there should be no "@" character. | RFC1035 | SYNTAX05 |
| R09700 | The SOA RNAME field should, after conversion, be a valid email address. | RFC1035 RFC1912 RIPE-203 | SYNTAX06 |
| R09800 | The SOA MNAME should be a valid hostname. | RFC0952 RFC1123 RFC2182 RFC3696 | SYNTAX07 |
| R09900 | The MX record or records of apex, if any, should have valid domain names for the mail target. | RFC0952 RFC1123 RFC2182 RFC3696 | SYNTAX08 |
| R10000 | The SOA MNAME field should be a fully qualified master name server of the zone. | RFC1035 RIPE-203 | ZONE01 |
| R11000 | The SOA REFRESH value should be at least 4 hours. | RFC1912 RIPE-203 | ZONE02 |
| R12000 | The SOA RETRY value should be lower than the REFRESH value. | RFC1912 RIPE-203 | ZONE03 |
| R13000 | The SOA RETRY value should be at least 1 hour. | RFC1912 RIPE-203 | ZONE04 |
| R14000 | The SOA EXPIRE value should be at least 2 weeks (1,209,600 sec). | RFC1912 RIPE-203 | ZONE05 |
| R15000 | The SOA MINIMUM value should be at least 300 sec and not more than 86400 sec. | RFC1912 RIPE-203 | ZONE06 |
| R16000 | The SOA MNAME field should not point at a CNAME. | | ZONE07 |
| R17000 | The mail exchange field in MX records should not point at a CNAME. | RFC2181 RFC5321 | ZONE08 |
| R18000 | Apex of every zone should be a valid mail domain. | RFC2142 | ZONE09 |
| R19000 | There should be exactly one SOA record in every zone. | RFC1035 | ZONE10 |
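As an added example (not code from the Zonemaster project), the SOA requirements R09600 and R11000 to R15000 (test cases SYNTAX05 and ZONE02 to ZONE06) expressed as a small checker that uses the thresholds stated in the table; the `parse_soa` and `check_soa` helpers and the example.net records are constructed for illustration.

```python
# Added example (not Zonemaster's own code): SOA checks for R09600 (SYNTAX05)
# and R11000-R15000 (ZONE02-ZONE06), using the thresholds stated in the table.
from dataclasses import dataclass
from typing import List

@dataclass
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

FOUR_HOURS = 4 * 3600    # R11000: REFRESH at least 4 hours
ONE_HOUR = 3600          # R13000: RETRY at least 1 hour
TWO_WEEKS = 1_209_600    # R14000: EXPIRE at least 2 weeks (1,209,600 sec)

def parse_soa(line: str) -> SOA:
    """Parse a single-line presentation-format SOA RR (owner TTL class SOA
    MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM); no parentheses or comments."""
    fields = line.split()
    mname, rname, *nums = fields[fields.index("SOA") + 1:]
    serial, refresh, retry, expire, minimum = (int(n) for n in nums[:5])
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)

def check_soa(soa: SOA) -> List[str]:
    """Return the IDs of the requirements the record violates (empty = all pass)."""
    rules = [
        ("R09600", "@" in soa.rname),                 # SYNTAX05: no "@" in RNAME
        ("R11000", soa.refresh < FOUR_HOURS),         # ZONE02
        ("R12000", soa.retry >= soa.refresh),         # ZONE03: RETRY below REFRESH
        ("R13000", soa.retry < ONE_HOUR),             # ZONE04
        ("R14000", soa.expire < TWO_WEEKS),           # ZONE05
        ("R15000", not 300 <= soa.minimum <= 86400),  # ZONE06
    ]
    return [req for req, violated in rules if violated]

# Constructed sample records (example.net is a placeholder, not real data).
GOOD = parse_soa("example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. "
                 "2024010101 14400 3600 1209600 3600")
BAD = SOA("ns1.example.net.", "hostmaster@example.net.", 2024010101,
          refresh=3600, retry=7200, expire=604800, minimum=60)

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("bad", BAD)):
        print(label, check_soa(rec) or "all SOA requirements satisfied")
```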