DNSSEC

• DNSSEC01

  Legal values for the DS hash digest algorithm

• DNSSEC02

  DS must match a valid DNSKEY in the child zone

• DNSSEC03

  Verify NSEC3 parameters

• DNSSEC04

  Check for too short or too long RRSIG lifetimes

• DNSSEC05

  Check for invalid DNSKEY algorithms

• DNSSEC06

  Verify DNSSEC additional processing

• DNSSEC07

  DNSSEC signed zone and DS in parent for signed zone

• DNSSEC08

  Valid RRSIG for DNSKEY

• DNSSEC09

  RRSIG(SOA) must be valid and created by a valid DNSKEY

• DNSSEC10

  Zone contains NSEC or NSEC3 records

• DNSSEC11

  DS in delegation requires signed zone

• DNSSEC13

  All DNSKEY algorithms used to sign the zone

• DNSSEC14

  Check for valid RSA DNSKEY key size

• DNSSEC15

  Existence of CDS and CDNSKEY

• DNSSEC16

  Validate CDS

• DNSSEC17

  Validate CDNSKEY

• DNSSEC18

  Validate trust from DS to CDS and CDNSKEY

• DNSSEC19

  Check DNSKEY records for known cryptographic weaknesses

• DNSSEC20

  NSEC/NSEC3 type bitmap at zone apex matches actual RR types

• DNSSEC21

  Parent zone signs the delegating DS RRset