Copyright (C) Internet Systems Consortium, Inc. ("ISC")

SPDX-License-Identifier: MPL-2.0

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.

See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.

The test setup for the checkds tests.

These servers are parent servers:
- ns1 is the root server.

- ns2 is a primary authoritative server that serves the parent zone for zones
  configured in ns9.
- ns4 is the secondary server for ns2.
- ns8 is the secondary server for ns2 that is not part of the NS RRset,
  used for testing explicit parental-agents.

- ns5 is a primary authoritative server that serves the parent zone for zones
  configured in ns9, but this one does not publish DS records (to test cases
  where the DS is missing and the DS needs to be withdrawn).
- ns7 is the secondary server for ns5.
- ns10 is the secondary server for ns5 that is not part of the NS RRset,
  used for testing explicit parental-agents.

- ns6 is an authoritative server for a different zone, to test badly configured
  parental agents.

- ns3 is a resolver that can be configured as a parental agent.

- Finally, ns9 is the authoritative server for the various DNSSEC-enabled test
  domains.

We need multiple test cases for testing the "checkds" functionality. Basically,
the behavior of "checkds" is of importance in three cases:

1. Enabling DNSSEC
2. KSK rollover
3. Going insecure

All three cases involve publishing DS records into the parent and
withdrawing them. The named instance is responsible for checking that the
relevant DS records are published in or removed from the parent zone. Therefore,
it needs to know what the parental agents are (the servers that it can send
the DS queries to).

There are two ways of retrieving parental agents: either through explicit
configuration ("checkds explicit;"), or through discovery ("checkds yes;"). In
the latter case, the parental agents are retrieved by querying for the parent NS
RRset.

The third value is "checkds no;", which disables the feature.

Depending on the DS publication status, the DS state of the key needs to be
updated. In case of DS publication, the "DSPublish" state should be set only
if all parental agents have the relevant DS published. In case of DS withdrawal,
the "DSRemoved" state should be set only if none of the parental agents have
the relevant DS in their zone.

Regardless of how parental agents are retrieved, we identify the following test
cases:

1. Enabling DNSSEC

1.1. - With one parental agent
1.1.1. - DS is correctly published in the parent: DSPublish
1.1.2. - DS is not (yet) published in the parent: !DSPublish
1.1.3. - The parental agent is badly configured: !DSPublish
1.1.4. - DS is published, but has bogus signature: !DSPublish

1.2. - With multiple parental agents
1.2.1. - DS is correctly published in all parents: DSPublish
1.2.2. - DS is not (yet) published in some parents: !DSPublish
1.2.3. - One parental agent is badly configured: !DSPublish
1.2.4. - DS is completely published, bogus signature: !DSPublish

2. Going insecure

2.1. - With one parental agent
2.1.1. - DS is correctly withdrawn from the parent: DSRemoved
2.1.2. - DS is (still) published in the parent: !DSRemoved
2.1.3. - The parental agent is badly configured: !DSRemoved
2.1.4. - DS is withdrawn, but has bogus signature: !DSRemoved

2.2. - With multiple parental agents
2.2.1. - DS is correctly withdrawn from all parents: DSRemoved
2.2.2. - DS is not (yet) withdrawn from some parents: !DSRemoved
2.2.3. - One parental agent is badly configured: !DSRemoved
2.2.4. - DS is removed completely, bogus signature: !DSRemoved

We deliberately don't test the "KSK Rollover" case in this system test, as it
can be considered the same as "Enabling DNSSEC" for one key and
"Going insecure" for another key. In other words, it is covered by the two
other scenarios (although we might still add the test cases in the future).
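The decision rule behind the test matrix above (DSPublish only when every parental agent returns a validated DS; DSRemoved only when every agent returns a validated denial; a badly configured agent or a bogus answer blocks both transitions) and the difference between explicit and discovered parental agents can be modelled in a few lines. The following is an added example written for this README, not BIND's checkds implementation or test code. Server names (ns2, ns4, ns8) follow the setup described above; the Answer classification, the parental_agents() and check() helpers and the per-server answers are constructed for illustration.

```python
"""Model of the checkds decision rule described in this README (added example,
not BIND code).  Each parental agent's DS query is reduced to one of four
outcomes; the state transition is then an all-or-nothing decision over the
set of agents that checkds actually consults."""
from enum import Enum


class Answer(Enum):
    """Constructed classification of what one DS query returned."""
    DS_PRESENT = "validated DS RRset"            # cases x.x.1 (publish)
    DS_ABSENT = "validated denial of existence"  # cases x.x.1 (withdraw)
    BOGUS = "answer failed DNSSEC validation"    # cases x.x.4
    FAILED = "no usable answer"                  # badly configured agent, x.x.3


def parental_agents(checkds, explicit=(), parent_ns_rrset=()):
    """Select the servers to query, per the three checkds values in the README.

    "explicit" uses the configured list (this is how ns8/ns10, which are not
    in the NS RRset, can be reached); "yes" discovers agents from the parent
    NS RRset; "no" disables the feature, so nothing is queried."""
    if checkds == "explicit":
        return list(explicit)
    if checkds == "yes":
        return list(parent_ns_rrset)
    if checkds == "no":
        return []
    raise ValueError(f"unknown checkds value: {checkds!r}")


def ds_publish(answers):
    """DSPublish may be set only if ALL agents return a validated DS."""
    return bool(answers) and all(a is Answer.DS_PRESENT for a in answers)


def ds_removed(answers):
    """DSRemoved may be set only if NO agent still has the DS, proven by a
    validated denial from every one of them.  A bogus or failed answer is
    not proof of absence, so it blocks the transition."""
    return bool(answers) and all(a is Answer.DS_ABSENT for a in answers)


def check(checkds, answers_by_server, explicit=(), parent_ns_rrset=(),
          withdrawing=False):
    """Run one scenario: pick the agents, look up each one's (constructed)
    answer, and decide the state transition.  An agent with no entry in
    answers_by_server counts as badly configured (Answer.FAILED)."""
    agents = parental_agents(checkds, explicit, parent_ns_rrset)
    answers = [answers_by_server.get(s, Answer.FAILED) for s in agents]
    return ds_removed(answers) if withdrawing else ds_publish(answers)


if __name__ == "__main__":
    # Constructed topology mirroring the README: ns2 primary, ns4 secondary,
    # ns8 secondary that is not in the parent NS RRset.
    ns_rrset = ("ns2", "ns4")
    explicit = ("ns2", "ns4", "ns8")
    seen = {"ns2": Answer.DS_PRESENT, "ns4": Answer.DS_PRESENT,
            "ns8": Answer.DS_ABSENT}
    # Discovery only consults ns2/ns4 -> DSPublish; explicit also asks ns8,
    # which has not picked up the DS yet -> !DSPublish (case 1.2.2).
    print("discovered:", check("yes", seen, parent_ns_rrset=ns_rrset))
    print("explicit:  ", check("explicit", seen, explicit=explicit))
```

The asymmetry worth noticing is that FAILED and BOGUS answers are treated identically in both directions: they never count as evidence for the state the key is trying to reach, which is exactly why cases 1.x.3, 1.x.4, 2.x.3 and 2.x.4 all expect the negated state.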