Best Practices for Testing Domain Delegation

Slide Note
Embed
Share

Develop a comprehensive approach to testing domain delegation, focusing on creating explicit requirements and a modular tool like Zonemaster. Emphasize the importance of setting specific, measurable, realistic, and time-bound requirements for correct delegation. Discuss the need for tools to detect errors and behaviors accurately to ensure reliable testing outcomes. Aim to achieve a best practice where different tools can test the same criteria, with conflicting conclusions indicating potential errors.

anyi_49
anyi_49 Follow

Uploaded on Sep 20, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Test cases for domain checks a step towards a best practice Mats Dufberg, .SE Sandoche Balakrichenan, AFNIC

  2. Zonemaster Upcoming tool for test of delegation of a domain The development of Zonemaster has several purposes Replace tools built by Afnic (Zonecheck) and .SE (DNSCheck), respectively with a better tool. Create a tool that should be modular and easy to update. Create explicit requirements for correct delegation of a domain. Create explicit requirements that can be used to verify the tool

  3. The goals of the requirements General accepted requirements of a delegation of a domain. Requirements accepted as a best practice for a domain. Requirements for domain and tool that could be used for any tool, not only Zonemaster.

  4. Requirements on tool and specification for domain delegation Requirements on tool: The tool must be able to detect errors and certain behavior to make sure that we do not get false positives or false negatives. Specification for delegation of a domain: These are everything that we require on the domain to be considered to correctly delegated.

  5. Why this presentation? Is this right approach? Is it possible to define generally accepted requirements? Can we reach a best practice for testing the delegation of a domain? Can we reach the point where different tools test the same thing? If two come to different conclusions, one is probably wrong? What are your thoughts? Have we missed something?

  6. Requirements on the requirements The requirements must be SMaRT Specific It must be clear what the requirement is. Measurable It must be possible to issue a DNS query, or a set of queries, and from that determine if the requirement has been fulfilled or not. Realistic We cannot assume more access to the name servers than we normally have. Time It cannot be too time-consuming to perform the tests. In this presentation all details are, of course, not included. See https://github.com/dotse/zonemaster for more details.

  7. Requirements on tool The tool must be able to detect restrictions, such as hostname syntax, and configuration errors, such as CNAME collision and lame delegation. The tool must be able to differentiate between different status of an answer, such as NXDOMAIN and psuedo-status NODATA. This is work in progress. More requirements to come.

  8. Explicit specification for the delegation of a domain The specifications fall into groups: Basic Delegation Address Connectivity Consistency Name server Syntax Zone DNSSEC

  9. Source of specifications The specifications are, as long as it is possible, based on documented requirements, mostly RFCs. Some specifications are based on best practice and experience of DNS operation. In all cases, the requirements are stated at the Zonemaster Github site, http://goo.gl/Z4yxTR (https://github.com/dotse/zonemaster to main site).

  10. Basic The domain must meet the following requirements, or else the rest of the requirements are meaningless: The domain must have a parent domain The domain must have at least one working name server

  11. Delegation The delegation is here seen as the overlap between the delegating zone and the zone in question. At least two NS Each NS must resolve to a distinct address Referral must fit 512 bytes NS must be authoritative NS must not point at CNAME SOA must exist Glue in delegation must exist in zone

  12. Address The resolved IP addresses must meet some requirements: Address must be globally routable No addresses in bogon prefixes Address should have reverse (PTR) Reverse (PTR) should match the name

  13. Connectivity Connectivity is fundamental. UDP TCP AS and network diversity

  14. Consistency Consistency between data from different name servers of the same domain is needed for a healthy domain. All parameters in SOA equal between all server. The same NS RR set in all servers.

  15. Name server The behavior of the name servers used for the domain will be fundamental to the quality of the domain. Must handle queries for AAAA correctly. Must respond from the same IP as the query came to. Should or must support EDNS0 Should not be a recursor. Should not allow AXFR from the world .

  16. Syntax The format of names must meet the standards. No illegal characters in domain name (only LDH) No hyphen in initial or final position of any label. "xn--" is OK, but else "--" is not OK in third and forth position Name server name must be valid No "@" in SOA RNAME (mail addr) No illegal characters in SOA RNAME (mail addr) No illegal characters in SOA MNAME (master server) Any MX in apex must point at a valid hostname

  17. Zone A complete analysis of the zone would require AXFR. Some parts can be tested. Name server in SOA MNAME must be a fully qualified master server for the zone. SOA values (refresh, retry, expire, minimum) must be sensible SOA MNAME must not point at a CNAME The zone should have an MX in apex (unless it is the root or a TLD) MX must not point at a CNAME The zone should have an A or AAAA in apex unless it has a valid MX (unless it is the root or a TLD)

  18. DNSSEC The DNSSEC tests are of course only relevant for signed zones. If it has a DS record in the delegation, it must be signed Legal values for DS hash digest algorithms DS must match DNSKEY in the zone Not too many NSEC3 iterations Not too short or too long RRSIG lifetime DNSKEY algorithm must be valid Answers must contain RRISG RR Signed zone should have a DS in parent RRSIG of DNSKEY and SOA must be valid Zone must have NSEC or NSEC3

  19. A framework Instead of focusing on the tool doing the cool testing we have here presented the requirements. If we succeed, the requirements will turn into a best practice and living outside the Zonemaster tool.

  20. Thank you. Questions and comments?

Related


Enhancing Nursing Delegation Through Technology: A Pilot Project

Enhancing Nursing Delegation Through Technology: A Pilot Project

wrenlee
Gradual Fine-Tuning for Low-Resource Domain Adaptation: Methods and Experiments

Gradual Fine-Tuning for Low-Resource Domain Adaptation: Methods and Experiments

shania
Understanding Gray Box Testing in Software Development

Understanding Gray Box Testing in Software Development

angele
Understanding Injective and Surjective Functions

Understanding Injective and Surjective Functions

dinah
Understanding Testing in Software Engineering

Understanding Testing in Software Engineering

redu_sha
Understanding Domain Adaptation in Machine Learning

Understanding Domain Adaptation in Machine Learning

demetria
Country Names in the Domain Name System (DNS)

Country Names in the Domain Name System (DNS)

tup_o
Effective People Management Skills and Delegation in Business Administration

Effective People Management Skills and Delegation in Business Administration

arden
Understanding Delegation of Authority and Management by Objectives

Understanding Delegation of Authority and Management by Objectives

elan
Understanding Delegation of Authority in Management

Understanding Delegation of Authority in Management

marlon
Vanuatu Delegation Preparation for COP27 NAB Meeting

Vanuatu Delegation Preparation for COP27 NAB Meeting

rafe
Uganda's Successes in Reaching Men with HIV Testing Through Assisted Partner Notification Program

Uganda's Successes in Reaching Men with HIV Testing Through Assisted Partner Notification Program

junius
Software Testing Foundation Level: Testing Throughout the SDLC Quiz

Software Testing Foundation Level: Testing Throughout the SDLC Quiz

avani
Testing Approach in SCREAM for E3SM Fall All-Hands 2019

Testing Approach in SCREAM for E3SM Fall All-Hands 2019

filip
Hierarchical Attention Transfer Network for Cross-domain Sentiment Classification

Hierarchical Attention Transfer Network for Cross-domain Sentiment Classification

mccleary_m
Understanding Domain Names for Authoritative DNS Servers

Understanding Domain Names for Authoritative DNS Servers

asy_mar
Importance of Software Testing in Preventing Catastrophic Failures

Importance of Software Testing in Preventing Catastrophic Failures

eyre
Software Quality Assurance: Understanding Unit Testing and Boundary Value Testing

Software Quality Assurance: Understanding Unit Testing and Boundary Value Testing

endellion
Understanding Functions: Definitions and Arrow Diagrams

Understanding Functions: Definitions and Arrow Diagrams

pandora
Understanding Operating System Protection Principles

Understanding Operating System Protection Principles

amadea
Developing MPI Programs with Domain Decomposition

Developing MPI Programs with Domain Decomposition

ell_elk
Understanding Cross-Domain Policies in Web Application Security

Understanding Cross-Domain Policies in Web Application Security

jayelyn
Wyoming Eminent Domain Laws - Legal Updates and Negotiations

Wyoming Eminent Domain Laws - Legal Updates and Negotiations

abas732
Understanding Directors' Duties and Responsibilities in Corporate Governance

Understanding Directors' Duties and Responsibilities in Corporate Governance

lilac

More Related Content

Understanding Software Testing Metrics and Tools
Understanding Software Testing Metrics and Tools
Fundamentals of Software Testing Explained
Fundamentals of Software Testing Explained
Understanding Equivalence Class Testing and Its Application in Software Testing
Understanding Equivalence Class Testing and Its Application in Software Testing
Insights from Cognitive and Field Testing on Hearing Domain at the 10th Washington Group Meeting
Insights from Cognitive and Field Testing on Hearing Domain at the 10th Washington Group Meeting
Understanding Software Testing and Best Practices
Understanding Software Testing and Best Practices
Important Update: Change of CORE Domain Code and Impacted Auction Information
Important Update: Change of CORE Domain Code and Impacted Auction Information
Challenges in Establishing a Secure Inter-Domain Routing System
Challenges in Establishing a Secure Inter-Domain Routing System
Scheme of Reservation and Delegation (SoRD)
Scheme of Reservation and Delegation (SoRD)
Understanding Delegatus Non Potest Delegare in Legal Context
Understanding Delegatus Non Potest Delegare in Legal Context
University Procurement Policies and Delegation Guidelines - October 2021
University Procurement Policies and Delegation Guidelines - October 2021
COIL4PURPOSE Southeast Asia Delegation Visit to Duy Tan University 8-9th March 2024
COIL4PURPOSE Southeast Asia Delegation Visit to Duy Tan University 8-9th March 2024
Evolution of Test Automation and Modern Testing Practices
Evolution of Test Automation and Modern Testing Practices
Fundamentals of Software Testing: Quiz on Testing Principles
Fundamentals of Software Testing: Quiz on Testing Principles
Difference Between Manual Testing and Model Checking
Difference Between Manual Testing and Model Checking
Implementation of LFD Testing in Workplace Settings
Implementation of LFD Testing in Workplace Settings
Zimbabwe HIV Viral Load Testing Overview
Zimbabwe HIV Viral Load Testing Overview
Antigen Testing in Higher Education Institutions
Antigen Testing in Higher Education Institutions
Evolution of Antimicrobial Susceptibility Testing in Veterinary Medicine
Evolution of Antimicrobial Susceptibility Testing in Veterinary Medicine
Enhancing Mobile App Testing Strategies for Quality Assurance
Enhancing Mobile App Testing Strategies for Quality Assurance
Unit Testing Legacy Code: Hijacking Singletons for Testing
Unit Testing Legacy Code: Hijacking Singletons for Testing
Understanding Software Testing: Test Cases, Selection, and Execution
Understanding Software Testing: Test Cases, Selection, and Execution
DNS Research Federation: Advancing Understanding of Cybersecurity Impact
DNS Research Federation: Advancing Understanding of Cybersecurity Impact
Understanding Domain and Range of Functions
Understanding Domain and Range of Functions
Understanding Integrity Constraints in Relational Database Systems
Understanding Integrity Constraints in Relational Database Systems