
Aggressive NSEC


Functional overview

For DNS zones signed with DNSSEC, an NSEC record is created for each name that exists in the zone. It names the next existing name in the zone's canonical order (or the next hashed name, if NSEC3 is used), so the pair of names proves that nothing exists between them. NSEC records are returned, with their signatures, in negative responses: NXDOMAIN, or NODATA such as an AAAA query for a name that only has an A record. A validating resolver that caches them can answer later queries for names falling inside an already proven gap by itself, without asking the authoritative server; this behaviour is standardised as aggressive use of the DNSSEC-validated cache in RFC 8198. A resolver is deemed to be utilising Aggressive NSEC if it avoids such queries.

A resolver passes this test if, after queries for two explicitly defined records, a query for a non-existent name that sorts between them is answered from cache: only the two outer names are queried at the authoritative server, never the middle one.
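The cache-side logic this test probes, as an added example that is not code from the CSWT or the SSCRT: a toy Python model of RFC 8198 synthesis over a cache of validated NSEC records. The zone example.com, its NSEC chain and the query names are constructed to mirror the test's apples / oranges / pears names. It also shows the wildcard check RFC 8198 requires, which is why a resolver cannot synthesise NXDOMAIN for oranges from the NSEC record of apples alone.

```python
"""
Toy model of aggressive NSEC (RFC 8198) against a cache of validated NSEC records.

Added illustration, not code from the resolver test toolkit. The zone example.com,
its three NSEC records and the query names are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str          # owner name of the NSEC record (a name that exists)
    next_name: str      # the "next domain name" field
    types: frozenset    # type bitmap: RR types present at owner


def labels(name: str) -> list:
    """Labels of a name, lowercased, leftmost first: 'a.example.com' -> ['a', 'example', 'com']."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are compared from the
    root downward as case-folded octet strings; an ancestor sorts before its descendants."""
    return tuple(l.encode("ascii") for l in reversed(labels(name)))


def covers(nsec: NSEC, name: str, apex: str) -> bool:
    """True if name lies strictly between owner and next_name, i.e. the NSEC proves it does
    not exist. The last NSEC of a zone points back to the apex and covers everything that
    sorts after its owner."""
    o, n, k = canonical_key(nsec.owner), canonical_key(nsec.next_name), canonical_key(name)
    if n == canonical_key(apex):
        return k > o
    return o < k < n


def closest_encloser(nsec: NSEC, qname: str) -> str:
    """Longest ancestor of qname that the covering NSEC shows to exist: the longer common
    suffix of qname with the NSEC owner or with its next name."""
    def shared(a: str, b: str) -> str:
        la, lb = labels(a)[::-1], labels(b)[::-1]       # root-first
        i = 0
        while i < min(len(la), len(lb)) and la[i] == lb[i]:
            i += 1
        return ".".join(reversed(la[:i]))
    return max(shared(qname, nsec.owner), shared(qname, nsec.next_name),
               key=lambda c: len(labels(c)))


def synthesize(cache, apex: str, qname: str, qtype: str):
    """Return "NXDOMAIN" or "NODATA" if cached NSEC records already prove the answer, or
    None if the resolver must still send the query to the authoritative server."""
    apex_key, qkey = canonical_key(apex), canonical_key(qname)
    if qkey[:len(apex_key)] != apex_key:
        return None                                     # not in this zone
    for rec in cache:                                   # exact match: the name exists
        if canonical_key(rec.owner) == qkey:
            if qtype not in rec.types and "CNAME" not in rec.types:
                return "NODATA"
            return None
    covering = next((r for r in cache if covers(r, qname, apex)), None)
    if covering is None:
        return None                                     # no proof of nonexistence yet
    # RFC 8198 also requires proof that no wildcard at the closest encloser would have
    # synthesised an answer, so "*.<closest encloser>" must be covered as well.
    wildcard = "*." + closest_encloser(covering, qname)
    if any(canonical_key(r.owner) == canonical_key(wildcard) for r in cache):
        return None                                     # a wildcard exists; must query
    if any(covers(r, wildcard, apex) for r in cache):
        return "NXDOMAIN"
    return None


ZONE = "example.com"
# NSEC chain of the constructed test zone: apex -> apples -> pears -> (back to apex).
EXAMPLE_CACHE = [
    NSEC("example.com", "apples.example.com", frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("apples.example.com", "pears.example.com", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("pears.example.com", "example.com", frozenset({"A", "NSEC", "RRSIG"})),
]

if __name__ == "__main__":
    for name, qtype in [("oranges.example.com", "A"), ("apples.example.com", "AAAA"),
                        ("apples.example.com", "A"), ("zebra.example.com", "A")]:
        print(name, qtype, synthesize(EXAMPLE_CACHE, ZONE, name, qtype))
```

Dropping the apex NSEC from the cache (EXAMPLE_CACHE[1:]) makes synthesize return None for oranges even though the apples-to-pears record covers it, because the wildcard *.example.com is then not proven absent; that is the kind of partial-cache state in which a conforming resolver still has to query the middle name.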


Implementation

The Client Side Website Toolkit (CSWT) sends three consecutive HTTP requests, to hosts of the form:

apples.DOMAIN_NAME 

pears.DOMAIN_NAME

oranges.DOMAIN_NAME

NB: Unlike other tests, this one cannot usefully use UUID-prefixed subdomains, because NSEC records refer to the explicit names that exist in the zone (and fixed names keep the test simple). Test requests therefore use the explicit prefixes above and are tracked and correlated by resolver IP address only.

The SSCRT configures the DNS zone for the domain name with A records for apples.DOMAIN_NAME and pears.DOMAIN_NAME, signs the zone with DNSSEC, and sets up a wildcard TLS certificate and a matching web server virtual host for *.DOMAIN_NAME.

The test is considered to have succeeded if DNS queries are received for apples.DOMAIN_NAME and pears.DOMAIN_NAME but not for oranges.DOMAIN_NAME. In canonical order oranges sorts between apples and pears, so it falls inside the gap that the NSEC record for apples.DOMAIN_NAME proves to be empty.

As an additional data point, if an HTTP request for UUID.LONG_SUBDOMAIN.DOMAIN_NAME is observed at the web server it is also logged to provide further information on client requests, but this is not part of the success criteria.


Configuring test sessions

Aggressive NSEC test sessions are configured using the test key aggressive-nsec, which should be supplied when creating new sessions on the SSCRT

resolvertest install aggressive-nsec example.com  

and when invoking tests using the CSWT.



e.g.

let test = new ResolverCapabilityTest("aggressive-nsec", "example.com");

Log format

The log output for Aggressive NSEC tests will contain the following distinct fields:


id - A unique numerical id for the log entry

date - The date and time of the combined log entry.

status - Either "Success" or "Failed" depending upon whether DNS queries were received for apples.DOMAIN_NAME and pears.DOMAIN_NAME but not for oranges.DOMAIN_NAME.

dnsResolutionTime1 - The date and time that the A record DNS query was received for apples.DOMAIN_NAME

dnsResolvedHostname1 - should generally be set to apples.DOMAIN_NAME

dnsClientIpAddress1 - The IPv4 address of the client resolver or the /24 depending upon the configured privacy setting in the SSCRT.

dnsResolverQuery1 - The full query string made by the resolver for the resolution of the A record DNS query for apples.DOMAIN_NAME

dnsResolutionTime2 - The date and time that the A record DNS query was received for pears.DOMAIN_NAME 

dnsResolvedHostname2 - should generally be set to pears.DOMAIN_NAME

dnsClientIpAddress2 - The IPv4 address of the client resolver or the /24 depending upon the configured privacy setting in the SSCRT.

dnsResolverQuery2 - The full query string made by the resolver for the resolution of the A record DNS query for pears.DOMAIN_NAME

dnsResolutionTime3 - The date and time that an A record DNS query was received for oranges.DOMAIN_NAME (in case of failure)

dnsResolvedHostname3 - should generally be set to oranges.DOMAIN_NAME when present (i.e. in case of failure)

dnsClientIpAddress3 - The IPv4 address of the client resolver or the /24 depending upon the configured privacy setting in the SSCRT.

dnsResolverQuery3 - The full query string made by the resolver for the resolution of the A record DNS query for oranges.DOMAIN_NAME (in case of failure)


webServerRequestTime1 - The date and time that the HTTP request was made for apples.DOMAIN_NAME

webServerRequestHostname1 - This will be set to apples.DOMAIN_NAME if an HTTP request was made

webServerClientIpAddress1 - The IPv4 address of the client machine (web browser) or the /24 depending upon the configured privacy setting in the SSCRT, if this request was made.

webServerResponseCode1 - The HTTP response code returned from the web server - generally should be 200 if the request was made

webServerRequestTime2 - The date and time that the HTTP request was made for pears.DOMAIN_NAME

webServerRequestHostname2 - This will be set to pears.DOMAIN_NAME if an HTTP request was made

webServerClientIpAddress2 - The IPv4 address of the client machine (web browser) or the /24 depending upon the configured privacy setting in the SSCRT, if this request was made.

webServerResponseCode2 - The HTTP response code returned from the web server - generally should be 200 if the request was made
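Applying the success criterion to authoritative query logs, as an added example that is not the SSCRT's own code or log format: group the A queries for the three test names by resolver IP, or by its /24 when the privacy setting is on, and derive the per-resolver status used in the status field. The log lines, their layout and the field names are constructed for the example.

```python
"""
Evaluate the Aggressive NSEC success criterion from authoritative DNS query logs.

Added example; the log layout is constructed for illustration and is not the SSCRT's
own format. Results are grouped by resolver IP (or its /24) because this test, unlike
the UUID-based ones, is correlated by resolver address only.
"""
import ipaddress
from collections import defaultdict

DOMAIN_NAME = "example.com"
EXPECTED = {"apples", "pears"}   # names that exist in the zone and must be queried
MIDDLE = "oranges"                # nonexistent name between them; must NOT be queried

# Constructed sample log: timestamp, client (resolver) IP, qname, qtype.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.7 apples.example.com. A
2024-05-01T10:00:00Z 198.51.100.7 apples.example.com. AAAA
2024-05-01T10:00:00Z 198.51.100.7 pears.example.com. A
2024-05-01T10:00:00Z 198.51.100.7 pears.example.com. AAAA
2024-05-01T10:00:01Z 203.0.113.9 apples.example.com. A
2024-05-01T10:00:01Z 203.0.113.9 pears.example.com. A
2024-05-01T10:00:02Z 203.0.113.9 oranges.example.com. A
2024-05-01T10:00:03Z 192.0.2.45 apples.example.com. A
2024-05-01T10:00:03Z 192.0.2.46 pears.example.com. A
"""


def client_key(ip: str, privacy_24: bool) -> str:
    """The resolver IP itself, or its /24 network when the privacy setting is on."""
    addr = ipaddress.ip_address(ip)
    if privacy_24 and addr.version == 4:
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    return ip


def parse_log(text: str):
    """Yield (timestamp, ip, qname, qtype) with qname normalised to lowercase, no trailing dot."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, qname, qtype = line.split()
        yield ts, ip, qname.rstrip(".").lower(), qtype.upper()


def evaluate(text: str, domain: str = DOMAIN_NAME, privacy_24: bool = False) -> dict:
    """Per resolver (or /24): the test names queried for type A, with the time of the first
    such query, and the resulting status. Only A queries are counted, matching the
    dnsResolutionTime fields; AAAA and other types are ignored."""
    seen = defaultdict(dict)                       # key -> {label: first A-query timestamp}
    suffix = "." + domain.lower()
    for ts, ip, qname, qtype in parse_log(text):
        if qtype != "A" or not qname.endswith(suffix):
            continue
        label = qname[: -len(suffix)]
        if label in EXPECTED or label == MIDDLE:
            seen[client_key(ip, privacy_24)].setdefault(label, ts)
    results = {}
    for key, queries in seen.items():
        # "Success" only when both existing names were queried and the middle one was not;
        # an incomplete session (one outer name so far) therefore also reads as "Failed".
        ok = EXPECTED.issubset(queries) and MIDDLE not in queries
        results[key] = {"status": "Success" if ok else "Failed", "queries": dict(queries)}
    return results


if __name__ == "__main__":
    for key, r in evaluate(SAMPLE_LOG, privacy_24=True).items():
        print(key, r["status"], sorted(r["queries"]))
```

With the privacy setting off, 192.0.2.45 and 192.0.2.46 appear as two incomplete sessions; with the /24 setting on they merge into 192.0.2.0/24 and read as a success. The same merging can also combine unrelated resolvers that share a /24, so a /24 result should be read as a property of that network rather than of a single resolver.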
