Home | History | Annotate | Line # | Download | only in checkds 
      1 Copyright (C) Internet Systems Consortium, Inc. ("ISC")
      2 
      3 SPDX-License-Identifier: MPL-2.0
      4 
      5 This Source Code Form is subject to the terms of the Mozilla Public
      6 License, v. 2.0.  If a copy of the MPL was not distributed with this
      7 file, you can obtain one at https://mozilla.org/MPL/2.0/.
      8 
      9 See the COPYRIGHT file distributed with this work for additional
     10 information regarding copyright ownership.
     11 
     12 The test setup for the checkds tests.
     13 
     14 These servers are parent servers:
     15 - ns1 is the root server.
     16 
     17 - ns2 is a primary authoritative server that serves the parent zone for zones
     18   configured in ns9.
     19 - ns4 is the secondary server for ns2.
     20 - ns8 is the secondary server for ns2 that is not part of the NS RRset,
     21   used for testing explicit parental-agents.
     22 
     23 - ns5 is a primary authoritative server that serves the parent zone for zones
     24   configured in ns9, but this one does not publish DS records (to test cases
     25   where the DS is missing and the DS needs to be withdrawn).
     26 - ns7 is the secondary server for ns5.
     27 - ns10 is the secondary server for ns5 that is not part of the NS RRset,
     28   used for testing explicit parental-agents.
     29 
     30 - ns6 is an authoritative server for a different zone, to test badly configured
     31   parental agents.
     32 
     33 - ns3 is a resolver that can be configured as a parental agent.
     34 
     35 - Finally, ns9 is the authoritative server for the various DNSSEC enabled test
     36   domains.
     37 
     38 We need multiple test cases for testing the "checkds" functionality. Basically,
     39 the behavior of "checkds" is of importance in three cases:
     40 
     41 1. Enabling DNSSEC
     42 2. KSK rollover
     43 3. Going insecure
     44 
     45 All these three cases involve publishing DS records into the parent, and
     46 withdrawing them. The named instance is responsible for checking that the
     47 relevant DS records are published or removed from the parent zone. Therefor,
     48 it needs to know what the parental agents are (the servers that it can send
     49 the DS queries to).
     50 
     51 Then there are two ways of retrieving parental agents, either through explicit
     52 configuration ("checkds explicit;"), or through discovery ("checkds yes;"). In
     53 the latter case, the parental agents are retrieved by querying for the parent NS
     54 RRset.
     55 
     56 The third value is "checkds no;", which disables the feature.
     57 
     58 Depending on the DS publication status, the DS state of the key needs to be
     59 updated. In case of DS publication, the "DSPublish" state should be set, only
     60 if all parental agents have the relevant DS published. In case of DS withdrawal,
     61 the "DSRemoved" state should be set, only if none of the parental agents have
     62 the relevant DS in their zone.
     63 
     64 Regardless of how parental agents are retrieved, we identify the following test
     65 cases:
     66 
     67 1.	Enabling DNSSEC
     68 
     69 1.1.	- With one parental agent
     70 1.1.1.	  - DS is correctly published in the parent:		DSPublish
     71 1.1.2.	  - DS is not (yet) published in the parent:		!DSPublish
     72 1.1.3.	  - The parental agent is badly configured:		!DSPublish
     73 1.1.4.	  - DS is published, but has bogus signature:		!DSPublish
     74 
     75 1.2.	- With multiple parental agents
     76 1.2.1.	  - DS is correctly published in all parents:		DSPublish
     77 1.2.2.	  - DS is not (yet) published in some parents:		!DSPublish
     78 1.2.3.	  - One parental agent is badly configured:		!DSPublish
     79 1.2.4.	  - DS is completely published, bogus signature:	!DSPublish
     80 
     81 2.	Going insecure
     82 
     83 2.1.	- With one parental agent
     84 2.1.1.	  - DS is correctly withdrawn from the parent:		DSRemoved
     85 2.1.2.	  - DS is (still) published in the parent:		!DSRemoved
     86 2.1.3.	  - The parental agent is badly configured:		!DSRemoved
     87 2.1.4.	  - DS is withdrawn, but has bogus signature:		!DSRemoved
     88 
     89 2.2.	- With multiple parental agents
     90 2.2.1.	  - DS is correctly withdrawn from all parents:		DSRemoved
     91 2.2.2.	  - DS is not (yet) withdrawn from some parents:	!DSRemoved
     92 2.2.3.	  - One parental agent is badly configured:		!DSRemoved
     93 2.2.4.	  - DS is removed completely, bogus signature:		!DSRemoved
     94 
     95 We deliberately don't test the "KSK Rollover" case in this system test as this
     96 can be considered as the same as "Enabling DNSSEC" for one key and
     97 "Going insecure" for another case. In other words, it is covered by the two
     98 other scenarios (although we might still add the test cases in the future).
     99