Help & Documentation

All sections / {current.section.title} / {current.chapter.title} / {current.topic.title} / {current.title} / {current.title} / {current.title} / {current.title}

Aggressive NSEC


Functional overview

For DNS zones signed with DNSSEC, NSEC records are created for each explicit DNS record prefix which give information about the next existing record prefix in the zone sorted alphabetically (or by hash value if using NSEC3).  As these records are returned in response to DNS queries for other records, resolvers can use this information to avoid calls for records which fall between previous queries and next prefixes using the NSEC records.  A resolver is deemed to be utilising Aggressive NSEC if it avoids calls for such records. 

A resolver will pass this test if a call for two explicit defined records followed by a non existent record in the middle only results in the outside records being queried for and not the middle one.  


Implementation

The Client Side Website Toolkit (CSWT) will send 3 consecutive HTTP requests of the format:

apples.DOMAIN_NAME 

pears.DOMAIN_NAME

oranges.DOMAIN_NAME

NB: Unlike other tests, as NSEC records typically refer to explicit prefixed records (and for simplicity) the use of UUID prefixed subdomains is not helpful in this test.   As such test requests will use explicit prefixes and are instead tracked and related by resolver IP address only. 

The SSCRT configures the DNS zone for the domain name with A records for apples.DOMAIN_NAME and pears.DOMAIN_NAME and then signs the zone using DNSSEC as well as setting up a wildcard SSL cert and matching web server virtual host for *.DOMAIN_NAME.  

The test is considered to have succeeded if DNS queries are received for apples.DOMAIN_NAME and pears.DOMAIN_NAME but not for oranges.DOMAIN_NAME.

As an additional data point if an HTTP request is observed via the web server for UUID.LONG_SUBDOMAIN.DOMAIN_NAME this will also be logged to provide other information on client requests but this is not considered part of the success criteria.


Configuring test sessions

Aggressive NSEC test sessions are configured using the test key nsec which should be supplied when creating new sessions on the SSCRT 

resolvertest install aggressive-nsec example.com  

and when invoking tests using the CSWT.



e.g.

let test = new ResolverCapabilityTest(“aggressive-nsec”, “example.com”);    

Log format

The log output for Aggressive NSEC tests will contain the following distinct fields:


id - A unique numerical id for the log entry

date - The date and time of the combined log entry.

status - Either “Success” or “Failed” depending upon whether DNS queries  were received for apples.DOMAIN_NAME and pears.DOMAIN_NAME but not for oranges.DOMAIN_NAME.

dnsResolutionTime1 - The date and time that the A record DNS query was received for apples.DOMAIN_NAME

dnsResolvedHostname1 -should generally be set to apples.DOMAIN_NAME

dnsClientIpAddress1 - The IPv4 address of the client resolver or the /24 depending upon the configured privacy setting in the SSCRT.

dnsResolverQuery1 - The full query string made by the resolver for the resolution of the A record DNS query for apples.DOMAIN_NAME

dnsResolutionTime2 - The date and time that the A record DNS query was received for pears.DOMAIN_NAME 

dnsResolvedHostname2 - should generally be set to pears.DOMAIN_NAME

dnsClientIpAddress2 - The IPv4 address of the client resolver or the /24 depending upon the configured privacy setting in the SSCRT.

dnsResolverQuery2 - The full query string made by the resolver for the resolution of the A record DNS query for pears.DOMAIN_NAME

dnsResolutionTime3 - The date and time that an A record DNS query was received for oranges.DOMAIN_NAME (in case of failure)

dnsResolvedHostname3 -should generally be set to oranges.DOMAIN_NAME if set

dnsClientIpAddress3 - The IPv4 address of the client resolver or the /24 depending upon the configured privacy setting in the SSCRT.

dnsResolverQuery3 - The full query string made by the resolver for the resolution of the A record DNS query for oranges.DOMAIN_NAME (in case of failure)


webServerRequestTime1 - The date and time that the HTTP request was made for apples.DOMAIN_NAME

webServerRequestHostname1- This will be set to apples.DOMAIN_NAME if an HTTP request was made

webServerClientIpAddress1- The IPv4 address of the client machine (web browser) or the /24 depending upon the configured privacy setting in the SSCRT if this request was made.  

webServerResponseCode1 - The HTTP response code returned from the web server - generally should be 200 if the request was made

webServerRequestTime2 - The date and time that the HTTP request was made for pears.DOMAIN_NAME

webServerRequestHostname2- This will be set to pears.DOMAIN_NAME if an HTTP request was made

webServerClientIpAddress2- The IPv4 address of the client machine (web browser) or the /24 depending upon the configured privacy setting in the SSCRT if this request was made.  

webServerResponseCode2 - The HTTP response code returned from the web server - generally should be 200 if the request was made

Top
DNSRF Corporate Logo - words and line shorter version
Search
{item._type | case 'page' 'Web page' 'blog/blog' publication 'adnewsfeed/news' 'News' 'docs/article' 'Docs'}{item.section.title} / {item.chapter.title} / {item.topic.title}  | {category.title}
{item.publishDate | date 'DD MMM YYYY' | append ': '}