CONSISTENCY01
For the data served by the authoritative name servers for a designated zone to be consistent, all authoritative name servers must serve the same SOA record for the designated zone.
If the serial number (explained in 3.3.13. of RFC 1035), which is part of the SOA record, is not consistent between authoritative servers, there is a possibility that the data served is inconsistent. The reasons for this inconsistency may be different - such as misconfiguration, or as a result of slow propagation to the secondary name servers.
The objective of this test is to verify that the serial number is consistent between different authoritative name servers.
For reference purposes : RFC 1982 explains the serial number arithmetic, and section 4.3.5 of RFC 1034 explains the importance of serial number consistency.
It is assumed that Child Zone is also tested by Connectivity01. This test case will set DEBUG level on messages for non-responsive name servers.
- "Child Zone" - The domain name to be tested
- "Accepted Serial Difference" - Accepted difference between SOA serial values from SOA records of different name servers for Child Zone. Default value is 0, i.e. no difference.
-
Obtain the list of name server IPs for the Child Zone from Method4 and Method5 ("Name Server IP").
-
Create an SOA query for Child Zone name (the top of the zone).
-
Create an empty set of pair of retrieved SOA serials and name server name and IP ("SOA Serial Set").
-
For each name server in Name Server IP do:
-
Send the SOA query to the name server.
-
If the name server does not respond with a DNS response, then output NO_RESPONSE.
-
Or, if the name server returns a DNS response, but no SOA record is included, then output NO_RESPONSE_SOA_QUERY.
-
Or, retrieve the SOA SERIAL from the response and add it to SOA Serial Set (unless it is already there) and update the set with the name server name and IP.
-
-
If SOA Serial Set has exactly one SOA serial value, then output ONE_SOA_SERIAL.
-
Or, if SOA Serial Set has at least two SOA serials values, then do:
- Order the serial number values from SOA Serial Set from smallest to largest following the arithmetic for serial number, if possible.
- If there is not a single, uniquely defined order of the serial numbers, then output SOA_SERIAL_VARIATION and MULTIPLE_SOA_SERIALS.
- Or, if the difference between the first and the last serial number is larger than Accepted Serial Difference, using arithmetic for serial number, then output SOA_SERIAL_VARIATION and MULTIPLE_SOA_SERIALS.
- Or, if the difference between the first and the last serial number is not larger than Accepted Serial Difference, using arithmetic for serial number, output MULTIPLE_SOA_SERIALS_OK.
-
For each SOA serial value in SOA Serial Set, output SOA_SERIAL with the serial number and a semicolon separated list of name server names and IP address pairs (name/IP).
The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.
The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.
In other cases the outcome of this Test Case is "pass".
| Message | Default severity level (if message is emitted) |
|---|---|
| NO_RESPONSE | DEBUG |
| NO_RESPONSE_SOA_QUERY | DEBUG |
| ONE_SOA_SERIAL | INFO |
| MULTIPLE_SOA_SERIALS | WARNING |
| MULTIPLE_SOA_SERIALS_OK | NOTICE |
| SOA_SERIAL | INFO |
| SOA_SERIAL_VARIATION | NOTICE |
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the result of any test using this transport protocol. Log a message reporting on the ignored result.
A manual inspection of the SOA serial may be needed to determine if the zone updates work properly or not, and if the serial values are within a reasonable range, then the test is OK.
When comparing SOA serial it must be done using the arithmetic defined in RFC 1982.
None