Implemented Gonemaster Testcases

This document is the authoritative inventory of currently implemented gonemaster testcases.

Source of truth used for this inventory:

  • engine/plan.go (moduleTestcases, moduleOrder)
  • engine/engine.go (basicTests, syntaxTests, addressTests, connectivityTests, consistencyTests, delegationTests, dnssecTests, nameserverTests, zoneTests)

Notes:

  • DNSSEC testcase ordering is numeric (dnssec01–dnssec18) as returned by dnssecTestcaseNames().
  • dnssec12 is currently not implemented and therefore not present in this inventory.

Summary

  • Modules: 9
  • Implemented testcases: 80

Regeneration

make spec-export-implemented

Module Inventory

basic (3)

  • basic01 - Determine whether the child zone exists and whether a parent zone can be identified from iterative authoritative responses.
  • basic02 - Verify that the child zone has at least one working authoritative nameserver for SOA.
  • basic03 - Detect the “broken but functional” case by probing A records for www.<child-zone> against delegation nameservers.

address (3)

  • address01 - Classify authoritative nameserver IP addresses as globally reachable, documentation, local-use, or otherwise not globally reachable.
  • address02 - Verify that every unique nameserver IP address has a usable reverse DNS PTR mapping.
  • address03 - Verify that reverse PTR hostnames for nameserver IPs match the corresponding nameserver hostname.

connectivity (4)

  • connectivity01 - Verify that nameservers are reachable over UDP for SOA and NS queries at the child zone name.
  • connectivity02 - Verify that nameservers are reachable over TCP for SOA and NS queries at the child zone name.
  • connectivity03 - Evaluate ASN diversity of authoritative nameserver IP addresses.
  • connectivity04 - Evaluate prefix diversity of nameserver IP addresses by IP family.

consistency (6)

  • consistency01 - Check SOA serial consistency across nameservers for the tested zone.
  • consistency02 - Check SOA RNAME consistency across nameservers for the tested zone.
  • consistency03 - Check consistency of SOA timer fields (refresh, retry, expire, minimum) across nameservers.
  • consistency04 - Check NS RRset consistency across nameservers for the tested zone.
  • consistency05 - Compare delegation glue addresses against child authoritative address data for in-bailiwick nameservers.
  • consistency06 - Check SOA MNAME consistency across nameservers for the tested zone.

delegation (7)

  • delegation01 - Validate that delegation-side and child-side nameserver sets meet minimum-count requirements overall and per IP family.
  • delegation02 - Detect nameserver IP-address reuse within delegation data, within child data, and across the combined delegation+child addressed NS set.
  • delegation03 - Check whether a synthesized maximal referral response can fit within the 512-byte non-EDNS UDP DNS payload limit.
  • delegation04 - Verify whether nameservers from delegation and child sources answer authoritatively for SOA queries.
  • delegation05 - Verify that NS names used for the tested zone are not aliases (CNAME targets).
  • delegation06 - Verify SOA RRset existence on nameservers collected from delegation and child sources.
  • delegation07 - Compare parent-side and child-side NS name sets and report mismatches.

dnssec (20)

  • dnssec01 - Validate DS digest algorithm usage for the child delegation and classify each observed DS digest type.
  • dnssec02 - Verify that DS records found at the parent delegation match usable DNSKEYs in the child zone and that matching DNSKEYs can validate DNSKEY RRset signatures.
  • dnssec03 - Verify NSEC3 parameter consistency and policy compliance across child nameservers when DNSKEY support is present.
  • dnssec04 - Evaluate DNSKEY/SOA RRSIG validity windows and flag signatures that are expired, too short-lived, too long-lived, or otherwise within configured limits.
  • dnssec05 - Validate DNSKEY algorithm classes used by child-zone nameservers and report deprecated, reserved, private, unassigned, non-zone-signing, unrecommended, and acceptable algorithm usage.
  • dnssec06 - Verify DNSSEC additional-processing behavior for DNSKEY responses by checking whether DNSKEY answers include accompanying RRSIG data.
  • dnssec07 - Determine whether the child zone is signed (based on DNSKEY + covering RRSIG observations) and, for signed zones, whether parent-side DS data is present and consistent.
  • dnssec08 - Verify that DNSKEY RRset signatures are present, time-valid, algorithm-supported, and cryptographically match DNSKEY records at child nameservers.
  • dnssec09 - Verify that SOA responses are signed and that SOA RRSIG records are time-valid, algorithm-supported, and cryptographically matched by DNSKEY records from the same nameserver.
  • dnssec10 - Verify that signed child-zone nameservers consistently provide NSEC or NSEC3 denial-of-existence material (including signatures and owner/type-shape checks) when querying for apex NSEC and NSEC3PARAM.
  • dnssec11 - Verify that parent-side DS presence is consistent with child-side DNSKEY presence (zone signing expectation), including parent consistency and child consistency reporting.
  • dnssec13 - Verify that each DNSKEY algorithm observed in the DNSKEY RRset also appears in RRSIG records for DNSKEY, SOA, and NS answer flows at child nameservers.
  • dnssec14 - Validate RSA DNSKEY key sizes against per-algorithm minimum/maximum ranges and recommended size thresholds.
  • dnssec15 - Verify presence and consistency of CDS and CDNSKEY RRsets and detect mismatches between the two at child nameservers.
  • dnssec16 - Validate CDS RRsets against DNSKEY data and CDS signatures, including delete semantics and signature/keytag consistency checks.
  • dnssec17 - Validate CDNSKEY RRsets against DNSKEY data and CDNSKEY signatures, including delete semantics and signature/keytag consistency checks.
  • dnssec18 - Validate that CDS and CDNSKEY RRsets are signed by a DNSKEY that corresponds to DS information observed at the parent side.
  • dnssec19 - Check DNSKEY records published by authoritative nameservers for known cryptographic weaknesses and membership in blocklists of compromised keys. This testcase ports DNSSEC-relevant checks from the badkeys project to detect vulnerable RSA keys (Fermat factorization, ROCA, pattern anomalies, invalid parameters, small factors, Wiener’s attack) and keys matching the badkeys blocklist of known-compromised keys (e.g., Debian OpenSSL CVE-2008-0166, RFC example keys, firmware keys).
  • dnssec20 - Verify that the NSEC or NSEC3 type bitmap at the zone apex accurately reflects the RR types actually present in the zone. An incomplete (subset) bitmap enables cache poisoning via RFC 8198 aggressive negative caching and replay attacks (see Petr Špaček, ISC, 2021-11-30, “Type Bitmap: Subset - Broken”).
  • dnssec21 - Verify that the parent zone correctly signs the DS RRset that delegates the child zone. Concretely: each parent nameserver must return the DS RRset for the child along with at least one RRSIG that validates against a published parent DNSKEY. This catches parent-side DNSSEC failures (broken key rollovers, expired or misissued RRSIGs over DS) that resolvers experience as a SERVFAIL chain break, but that today’s DNSSEC testcases cannot see when the child zone is the test target.

nameserver (15)

  • nameserver01 - Detect whether authoritative nameservers also behave as recursors.
  • nameserver02 - Validate EDNS(0) handling on authoritative nameservers.
  • nameserver03 - Check whether nameservers allow AXFR zone transfer.
  • nameserver04 - Verify that nameserver responses come from the same IP address that was queried.
  • nameserver05 - Evaluate nameserver behavior for AAAA queries after successful A-query baseline checks.
  • nameserver06 - Verify that NS names discovered from delegation/child data can be resolved to at least one IP address.
  • nameserver07 - Detect upward referrals (root NS records in authority section) returned by authoritative nameservers.
  • nameserver08 - Check whether nameservers preserve or alter query-name case in the echoed question section.
  • nameserver09 - Compare nameserver results for two differently cased query names that are equivalent under DNS case-insensitive matching.
  • nameserver10 - Validate authoritative nameserver behavior for unsupported EDNS version queries (version 1).
  • nameserver11 - Verify handling of an unknown EDNS option code in authoritative SOA responses.
  • nameserver12 - Validate behavior when querying with unknown EDNS Z flags set.
  • nameserver13 - Check truncated EDNS responses for missing OPT records.
  • nameserver15 - Detect whether authoritative nameservers reveal software version data through CHAOS-class TXT queries.
  • nameserver16 - Query authoritative nameservers with an EDNS NSID option request (RFC 5001, option code 3) and report which servers provide NSID values and what those values contain.

syntax (8)

  • syntax01 - Validate that the tested domain name contains only allowed DNS hostname characters.
  • syntax02 - Validate that no domain label starts or ends with a hyphen (-).
  • syntax03 - Validate that domain labels do not contain a double hyphen in positions 3 and 4, except ACE labels (xn--...).
  • syntax04 - Validate syntax of nameserver hostnames gathered from parent delegation and child apex NS sets.
  • syntax05 - Detect misuse of @ in SOA RNAME and ensure mailbox form is represented with dot-separated DNS notation.
  • syntax06 - Validate SOA RNAME as an email-like mailbox and verify that its mail domain/exchange resolution path is usable.
  • syntax07 - Validate SOA MNAME hostname syntax using the same hostname validator as syntax04.
  • syntax08 - Validate syntax of MX exchange hostnames for the tested zone.

zone (14)

  • zone01 - Validate SOA MNAME handling for the child zone: name sanity, resolvability, authority behavior, and serial-based master inference.
  • zone02 - Validate that SOA refresh is at or above the configured minimum threshold.
  • zone03 - Validate ordering relationship between SOA timers: refresh should be greater than retry.
  • zone04 - Validate that SOA retry is at or above the configured minimum threshold.
  • zone05 - Validate SOA expire constraints.
  • zone06 - Validate that SOA default TTL (minimum field) is within configured lower and upper bounds.
  • zone07 - Validate SOA MNAME alias/address behavior.
  • zone08 - Validate that MX exchange hostnames are not aliases (CNAME).
  • zone09 - Validate MX presence and consistency across authoritative nameservers, including null-MX and domain-class exceptions (root/TLD/.arpa).
  • zone10 - Validate SOA answer-shape correctness on nameservers: response presence, SOA presence, owner name correctness, and multiplicity.
  • zone11 - Validate SPF policy publication at the zone apex.
  • zone12 - Check existence and RFC 7477 compliance of the CSYNC RR at the zone apex.
  • zone13 - Validate that the SPF policy at the zone apex does not exceed the DNS lookup limit defined in RFC 7208 Section 4.6.4.
  • zone14 - Check existence and RFC 8976 compliance of the ZONEMD RR at the zone apex.