DNSSEC08
- Objective
- Scope
- Inputs
- Summary
- Test procedure
- Outcome(s)
- Special procedural requirements
- Intercase dependencies
- Terminology
A DNSSEC signed zone should have a DNSKEY RRset in the zone apex (RFC 4035, section 2.1) and that RRset should be signed by a key that matches one of the records in the DNSKEY RRset (RFC 4035, section 2.2).
This test case will verify if the Child Zone meets that requirement.
It is assumed that Child Zone is tested and reported by Connectivity01. This test case will just ignore non-responsive name servers or name servers not giving a correct DNS response for an authoritative name server.
This test case is only relevant if the zone has been DNSSEC signed.
- "Child Zone" - The domain name to be tested.
- If no DNSKEY records are found, then further investigation will not be done and no messages will be outputted.
| Message Tag outputted | Level | Arguments | Description of when message tag is outputted |
|---|---|---|---|
| DS08_ALGO_NOT_SUPPORTED_BY_ZM | NOTICE | ns_ip_list, algo_mnemo, algo_num, keytag | This installation of Zonemaster does not support the DNSKEY algorithm. |
| DS08_DNSKEY_RRSIG_EXPIRED | ERROR | ns_ip_list, keytag | DNSKEY RRset is signed with an RRSIG that has expired. |
| DS08_DNSKEY_RRSIG_NOT_YET_VALID | ERROR | ns_ip_list, keytag | DNSKEY RRset is signed with a not yet valid RRSIG. |
| DS08_MISSING_RRSIG_IN_RESPONSE | ERROR | ns_ip_list | DNSKEY is unsigned which is against expectation. |
| DS08_NO_MATCHING_DNSKEY | ERROR | ns_ip_list, keytag | DNSKEY RRset is signed with an RRSIG that does not match any DNSKEY. |
| DS08_RRSIG_NOT_VALID_BY_DNSKEY | ERROR | ns_ip_list, keytag | DNSKEY RRset is signed with an RRSIG that cannot be validated by the matching DNSKEY. |
The value in the Level column is the default severity level of the message. The severity level can be changed in the Zonemaster-Engine profile. Also see the Severity Level Definitions document.
The argument names in the Arguments column lists the arguments used in the message. The argument names are defined in the argument list.
-
Create a DNSKEY query with DO flag set for Child Zone ("DNSKEY Query").
-
Retrieve all name server IP addresses for the Child Zone using Method4 and Method5 ("NS IP").
-
Create the following empty sets:
- Name server IP address ("DNSKEY without RRSIG").
- Name server IP address and RRSIG key tag ("DNSKEY RRSIG not yet valid").
- Name server IP address and RRSIG key tag ("DNSKEY RRSIG expired").
- Name server IP address and RRSIG key tag ("No matching DNSKEY").
- Name server IP address and RRSIG key tag ("RRSIG not valid by DNSKEY").
- Name server IP address, DNSKEY record key tag and DNSKEY algorithm code ("Algo Not Supported By ZM").
-
For each name server IP address in NS IP do:
- Send DNSKEY Query to the name server IP.
- If at least one of the following criteria is met, then go to next name
server IP:
- There is no DNS response.
- The RCODE of response is not "NoError" (IANA RCODE List).
- The AA flag is not set in the response.
- There is no DNSKEY record with matching owner name in the answer section.
- Retrieve the DNSKEY records and its RRSIG records from the answer section.
- If there is no RRSIG for the DNSKEY record, then add the name server IP address to the DNSKEY without RRSIG set and go to next name server IP.
- Else, for each DNSKEY RRSIG record do:
- If the RRSIG record start of validity is after the time of the test, then add name server IP and RRSIG key tag to the DNSKEY RRSIG not yet valid set.
- Else, if the RRSIG record end of validity is before the time of the test, then add name server IP and RRSIG key tag to the DNSKEY RRSIG expired set.
- Else, if the Zonemaster installation does not have support for the DNSKEY algorithm that created the RRSIG, then add name server IP, DNSKEY algorithm and DNSKEY key tag to the Algo Not Supported By ZM set.
- Else, if the RRSIG does not match any DNSKEY, then add the name server IP and the RRSIG key tag to the No matching DNSKEY set.
- Else, if the RRSIG cannot be validated by the matching DNSKEY record, then add the name server IP and the RRSIG key tag to the RRSIG not valid by DNSKEY set.
-
If the DNSKEY without RRSIG set is non-empty, then output DS08_MISSING_RRSIG_IN_RESPONSE with the name servers IP addresses from the set.
-
If the DNSKEY RRSIG not yet valid set is non-empty, then for each RRSIG key tag from the set output DS08_DNSKEY_RRSIG_NOT_YET_VALID with the key tag and the name servers IP addresses from the set.
-
If the DNSKEY RRSIG expired set is non-empty, then for each RRSIG key tag from the set output DS08_DNSKEY_RRSIG_EXPIRED with the key tag and the name servers IP addresses from the set.
-
If the No matching DNSKEY set is non-empty, then for each RRSIG key tag from the set output DS08_NO_MATCHING_DNSKEY with the key tag and the name servers IP addresses from the set.
-
If the RRSIG not valid by DNSKEY set is non-empty, then for each RRSIG key ID from the set output DS08_RRSIG_NOT_VALID_BY_DNSKEY with the key tag and the name servers IP addresses from the set.
-
If the Algo Not Supported By ZM set is non-empty, then output DS08_ALGO_NOT_SUPPORTED_BY_ZM for each DNSKEY key tag with the name server IP addresses, the key tag and the algorithm name and code from the set.
The outcome of this Test Case is "fail" if there is at least one message with the severity level ERROR or CRITICAL.
The outcome of this Test Case is "warning" if there is at least one message with the severity level WARNING, but no message with severity level ERROR or CRITICAL.
In other cases, no message or only messages with severity level INFO or NOTICE, the outcome of this Test Case is "pass".
If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the result of any test using this transport protocol. Log a message reporting on the ignored result.
See the DNSSEC README document about DNSSEC algorithms.
None.
No special terminology for this test case.