Overview

Support for AXFR and IXFR is being introduced in OpenDNSSEC version 1.4. This makes handling the zone input and output a lot more complex.

Requirements

AXFR is specified in RFC 1034 and RFC 1035. It is updated by RFC 5936. IXFR is specified in RFC 1995. The NOTIFY mechanism is described in RFC 1996.

Input

AXFR is first mentioned in RFC 1034. OpenDNSSEC can send a query with the special QTYPE=AXFR to request a full zone transfer. AXFR is requested over TCP, and the query is answered by a sequence of response messages. OpenDNSSEC can detect a change in the zone by comparing the local serial with the SERIAL field of the master's SOA, using the serial number arithmetic described in RFC 1982. OpenDNSSEC uses a poll strategy, based on the REFRESH, RETRY and EXPIRE fields of the SOA.
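As an added illustration (this is not OpenDNSSEC code), the following Python sketches the two decisions described above: the RFC 1982 serial comparison, including the 32-bit wrap, and the REFRESH/RETRY/EXPIRE poll behaviour of a secondary. The names serial_gt, serial_add, SoaTimers and SecondaryState and all sample serials and timer values are my own constructions for the example.

```python
"""Added example, not OpenDNSSEC code: RFC 1982 serial comparison and the
REFRESH/RETRY/EXPIRE poll decision a secondary makes after each SOA check.
Names (serial_gt, serial_add, SoaTimers, SecondaryState) and sample values
are constructed for illustration."""

from dataclasses import dataclass

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS            # serials live in [0, 2^32)
HALF = 1 << (SERIAL_BITS - 1)     # 2^31, the RFC 1982 "half the space" bound


def serial_add(s, n):
    """RFC 1982 section 3.1: add n (0 <= n <= 2^31 - 1) to serial s, wrapping."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31 - 1]")
    return (s + n) % MOD


def serial_gt(a, b):
    """RFC 1982 section 3.2: is serial a 'greater than' serial b?

    True when a is ahead of b by less than half the serial space, which is
    how a secondary recognises a newer zone even after the 32-bit counter
    wraps.  When a and b differ by exactly 2^31 the comparison is undefined
    and this returns False either way (so no transfer is triggered)."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass
class SoaTimers:
    refresh: int   # seconds between checks of the master's serial
    retry: int     # seconds to wait after a failed check
    expire: int    # seconds without a successful check before the copy is dropped


@dataclass
class SecondaryState:
    serial: int          # serial of the local copy of the zone
    last_success: float  # time of the last successful SOA check against the master
    timers: SoaTimers

    def check_master(self, now, master_serial):
        """Decide what to do with one poll result.

        master_serial is None when the SOA query failed.  Returns a pair
        (action, next_poll_time) where action is one of
        'retry', 'transfer' or 'up-to-date'."""
        if master_serial is None:
            # Failure: leave last_success alone and come back after RETRY.
            return ("retry", now + self.timers.retry)
        self.last_success = now
        if serial_gt(master_serial, self.serial):
            # Master is ahead: request AXFR/IXFR, then poll again after REFRESH.
            return ("transfer", now + self.timers.refresh)
        # Equal, or master 'behind' us: nothing to fetch.  A master serial that
        # went backwards is a warning sign, not a reason to transfer.
        return ("up-to-date", now + self.timers.refresh)

    def apply_transfer(self, new_serial):
        """Record the serial of a zone that was just transferred in."""
        self.serial = new_serial % MOD

    def expired(self, now):
        """True once EXPIRE seconds have passed without a successful check;
        the zone must then no longer be served as authoritative."""
        return now - self.last_success > self.timers.expire


if __name__ == "__main__":
    # Constructed sample: a local copy at the top of the serial space and a
    # master whose serial has just wrapped to 0.
    timers = SoaTimers(refresh=3600, retry=900, expire=86400)
    state = SecondaryState(serial=0xFFFFFFFF, last_success=0.0, timers=timers)
    print(state.check_master(10.0, 0))        # ('transfer', 3610.0)
    state.apply_transfer(0)
    print(state.check_master(20.0, 0))        # ('up-to-date', 3620.0)
    print(state.check_master(30.0, None))     # ('retry', 930.0)
    print(state.expired(20.0 + 86400 + 1))    # True
```

The wrap case in the sample is the one that a naive integer comparison gets wrong: a master at serial 0 is newer than a local copy at 4294967295, and a transfer must happen. The opposite direction (a master whose serial dropped by more than half the space) deliberately does not trigger a transfer.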

Output

TCP Management

Access Control

Test Environment

We need to be able to do zone transfers over UDP, TCP, IPv4, IPv6, from different masters, to different slaves, with and without TSIG. Therefore, our test environment needs to contain multiple machines:

Test Cases

One large zone

First, we start with a simple zone and configure it with the DNS Input and File Output Adapters. The source of authority for this zone is at MA, and the setup will produce a signed zonefile on the OpenDNSSEC box. The focus is on the Input requirements listed in the RFCs. The zone should be large, so that the sequence of response messages consists of more than one packet.

Second, we start with a simple zone and configure it with the File Input and DNS Output Adapters. The source of authority for this zone is at the OpenDNSSEC box, and the zone will be served to SA. The focus is on the Output requirements listed in the RFCs.

If both tests succeed, we can retry with both DNS Input and Output Adapters.

Many zones

We define a set of zones with different sources of authority, different ACLs, different secondaries and thus different zone transfer strategies.
Note that the table below does not list all possibilities, but it should cover more than enough to exercise all code paths.

MASTER   SLAVE   Inbound TSIG   Outbound TSIG
MA       ODS     -              n/a
MA       ODS     MD5            n/a
MA       ODS     SHA1           n/a
MA       ODS     SHA256         n/a
MB       ODS     -              n/a
MB       ODS     MD5            n/a
MB       ODS     SHA1           n/a
MB       ODS     SHA256         n/a
MA+MB    ODS     -              n/a
MA+MB    ODS     SHA1           n/a
ODS      SA      n/a            -
ODS      SA      n/a            MD5
ODS      SA      n/a            SHA1
ODS      SA      n/a            SHA256
ODS      SB      n/a            -
ODS      SB      n/a            MD5
ODS      SB      n/a            SHA1
ODS      SB      n/a            SHA256
ODS      SA+SB   n/a            -
ODS      SA+SB   n/a            SHA1
MA       SA+SB   -              SHA256
MB       SA+SB   MD5            -
MA       SA+SB   SHA1           MD5
MB       SA+SB   SHA256         SHA1

The focus is on verifying that all zones get signed correctly. The following requirements should also be checked: