rfc.xxxx

早期freebsd实现

machines.


4.1. Current procedure (Doc-V.1.0):

  A: Abort test -- can't continue.
  E: Incorrect behavior is considered an error.
  W: Incorrect behavior in this respect causes warning to be issued.
  N: Note occurrence/information.
  o: Side effects ... additional "computation".

Start test:

(1) Query default nameserver for NS records of parent domain.

(2) Query servers for parent domain for SOA record for parent domain.

    W: Check each response to see that it was authoritative.
    W: Check each response to see that SOA records were returned.
    W: Check that only one SOA was returned.

    W: Check that SOA serial numbers are same from all servers.
       Only servers not issued warning above are tested here.

    A: No server returned an SOA record.

    o  Generate list of parent servers that are authoritative and
       returned correct SOA information.  This is the list of servers
       that are asked next query.
  
  At this point, might want to add check to compare entire SOA.
  Such a check for parent SOAs probably not relative enough for
  test of child domain.  Similar reasoning why above are warnings
  and not errors.


(3) Query all authoritative servers of parent zone for
    NS records of domain being tested.

    N: Note the number of NS records and A records corresponding
       to nameserver (glue) were returned in response.

    E: Check that TTLs of NS records are the same.

    o: Determine if response is happens to be authoritative for
       testee domain.  Information is kept separate depending if
       came from authoritative server.
       This gets sort of messy, and may not be necessary (partially
       leftover from earlier versions).  However, many domains have
       different information at non-authoritative and authoritative.
       This allows one to be a bit more specific in issuing errors
       about what set of servers had inconsistent data.

    E: Check that NS records from different servers agree.
        (Test is done separately for the AUTH and non-AUTH
        server's lists.  If both are consistent, then check
        if the two lists also agree.)

    o: Generate list of servers for testee domain.
        Include any with corresponding NS record from any
        parent server (regardless to authority of server).
        Other lists are also maintained:
          - servers known by authoritative parent servers
          - servers known by non-authoritative parent servers
          - servers only known by non-authoritative parent servers
        Might also want to look at those only known by authoritative.

    W: Look at each parent server that also claimed authority for
       domain -- check that an NS record is held for it (by any
       of the servers).

(4) Query set of nameservers for testee domain for SOA records for
    domain.  Currently, set is generated above and includes any
    nameserver for which an NS record was returned in the above
    series (3) of queries.  Different criteria for set inclusion
    may also be interesting.

    E: Check each response to see that it was authoritative.
    E: Check each response to see that SOA records were returned.
    W: Check that only one SOA was returned.

    E: Check that SOA serial numbers are same from all servers.
       Only servers not issued warning above are tested here.

    E: Check that entire SOA record matches among servers.
       (Checked only if serial numbers agree).

    o: Generate list of nameservers that are authoritative
       and have at least one SOA record.


(5) Query set of testee domain nameservers for NS records of domain.
    Currently, this set includes all nameservers which in previous
    series of queries, returned authoritative response containing
    exactly one SOA.

    E: Check that TTLs of NS records are the same.

    E: Check that NS records from servers are the same.

    E: Check that NS records from testee serves agree with
       NS records from parent domain servers (make comparison with
       any list consistent among some set of the parent servers --
       i.e. remember that AUTH/non-AUTH mess !!)
       This is only checked if child servers agree among themselves.
     check for agreement between parent and child servers.

    E: Check that all servers that claim to be authoritative
       have NS record at held by one of the AUTH servers.

Generate a list of addresses of nameservers for domain the domain.
Choose addresses of servers that are in the domain in question
(i.e. don't care about some other domain's server which is acting
as a secondary).  Currently, we only look at one address on per any
single network (i.e. only of 128.9.0.32 and 128.9.0.33 would be
followed up).


(6) Query for in-addr.arpa. PTR records for list of addresses
    on networks of the domain.

    E:  Check that response is returned to reverse mapping query.


4.2. Example test runs:

Note: The domains have been changed to protect the miscreants.
      Output has been changed to fit the RFC.


4.2.1.  Test for mystery domain #1:

Doc-1.0: Starting test of mystery.dom.   parent is edu.
Doc-1.0: Test date - Fri Apr 27 14:57:05 PDT 1990
soa @a.isi.edu. for edu. has serial: 900423
DIGERR (TIME_OUT): dig @aos.brl.mil. for SOA of parent failed
soa @c.nyser.net. for edu. has serial: 900423
soa @gunter-adam.af.mil. for edu. has serial: 900423
soa @ns.nasa.gov. for edu. has serial: 900423
DIGERR (TIME_OUT): dig @ns.nic.ddn.mil. for SOA of parent failed
soa @terp.umd.edu. for edu. has serial: 900426
WARNING: Found 2 unique SOA serial #'s for edu.
Found 3 NS and 3 glue records for mystery.dom. @a.isi.edu. 
Found 3 NS and 3 glue records for mystery.dom. @c.nyser.net. 
Found 3 NS and 3 glue records for mystery.dom. @gunter-adam.af.mil.
Found 3 NS and 3 glue records for mystery.dom. @ns.nasa.gov.
Found 3 NS and 3 glue records for mystery.dom. @terp.umd.edu.
DNServers for edu.
   === 0 were also authoritatve for mystery.dom.
   === 5 were non-authoritative for mystery.dom.
Servers for edu. (not also authoritative for mystery.dom.)
   === agree on NS records for mystery.dom.
NS list summary for mystery.dom. from parent (edu.) servers
  == mystery.dom. cs.mystery.dom. pendragon.cs.purdue.edu.
soa @mystery.dom. for mystery.dom. serial: 900425
soa @cs.mystery.dom. for mystery.dom. serial: 900425
soa @pendragon.cs.purdue.edu. for mystery.dom. serial: 900425
SOA serial #'s agree for mystery.dom.
Authoritative domain (mystery.dom.) servers agree on NS for mystery.dom.
ERROR: NS list from mystery.dom. servers do not match parent
  === (edu.) NS list
NS list summary for mystery.dom. from authoritative servers
  == telcom.mystery.dom.
ERROR: mystery.dom. claims to be AUTH no NS record from AUTH servers
ERROR: cs.mystery.dom. claims to be AUTH no NS record
===   from AUTH servers
ERROR: pendragon.cs.purdue.edu. claims to be AUTH no NS record
===   from AUTH servers
Checking 2 potential addresses for hosts at mystery.dom.
  == 128.196.128.233 192.12.69.1
in-addr PTR record found for 128.196.128.233
in-addr PTR record found for 192.12.69.1
Summary:
   ERRORS found for mystery.dom. (count: 4)
   WARNINGS issued for mystery.dom. (count: 1)
Done test of mystery.dom.  Fri Apr 27 14:59:07 PDT 1990


4.2.2 Test for mystery domain #2:

Doc-1.0: Starting test of mystery.dom.   parent is edu.
Doc-1.0: Test date - Fri Apr 27 16:14:02 PDT 1990
soa @a.isi.edu. for edu. has serial: 900423
soa @aos.brl.mil. for edu. has serial: 900426
soa @c.nyser.net. for edu. has serial: 900423
soa @gunter-adam.af.mil. for edu. has serial: 900423
soa @ns.nasa.gov. for edu. has serial: 900423
soa @ns.nic.ddn.mil. for edu. has serial: 900426
soa @terp.umd.edu. for edu. has serial: 900426
WARNING: Found 2 unique SOA serial #'s for edu.
Found 3 NS and 3 glue records for mystery.dom. @a.isi.edu.
Found 3 NS and 3 glue records for mystery.dom. @aos.brl.mil.
Found 3 NS and 3 glue records for mystery.dom. @c.nyser.net.
Found 3 NS and 3 glue records for mystery.dom. @gunter-adam.af.mil.
Found 3 NS and 3 glue records for mystery.dom. @ns.nasa.gov.
Found 3 NS and 3 glue records for mystery.dom. @ns.nic.ddn.mil.
Found 3 NS and 3 glue records for mystery.dom. @terp.umd.edu.
DNServers for edu.
   === 0 were also authoritatve for mystery.dom.
   === 7 were non-authoritative for mystery.dom.
Servers for edu. (not also authoritative for mystery.dom.)
   === agree on NS records for mystery.dom.
NS list summary for mystery.dom. from parent (edu.) servers
  == eos.cair.mystery.dom. nike.cair.mystery.dom. ns.utah.edu.
DIGERR (TIME_OUT): dig @eos.cair.mystery.dom. for SOA of mystery.dom.
soa @nike.cair.mystery.dom. for mystery.dom. serial: 60001
soa @ns.utah.edu. for mystery.dom. serial: 60001
SOA serial #'s agree for mystery.dom.
Authoritative domain (mystery.dom.) servers agree on NS for mystery.dom.
ERROR: NS list from mystery.dom. servers do not match parent
  === (edu.) NS list
NS list summary for mystery.dom. from authoritative servers
  == nike.cair.mystery.dom. orion.cair.mystery.dom.
ERROR: ns.utah.edu. claims to be AUTH no NS record from AUTH servers
Checking 1 potential addresses for hosts at mystery.dom.
  == 130.253.1.5
ERROR: no in-addr PTR recorder found for 130.253.1.5
Summary:
   ERRORS found for mystery.dom. (count: 3)
   WARNINGS issued for mystery.dom. (count: 1)
   Incomplete test for mystery.dom. (1)
Done test of mystery.dom.  Fri Apr 27 16:16:08 PDT 1990


References/Readings:

[RFC-1034]      P. Mockapetris, "Domain Names - Concepts and
                Facilities", RFC-1034, USC/Information Sciences
                Institute, November 1987.

[RFC-1035]      P. Mockapetris, "Domain Names - Implementation and
                Specification", RFC-1035, USC/Information Sciences
                Institute, November 1987.


Authors' Addresses:

Steve Hotz
USC - Information Sciences Institute
4676 Admiralty Way
Marina del Rey, Ca. 90293

Phone: (213) 822-1511

Email: hotz@isi.edu


Paul Mockapetris
USC - Information Sciences Institute
4676 Admiralty Way
Marina del Rey, Ca. 90293

Phone: (213) 822-1511

Email: pvm@isi.edu