Some basic tests are performed against the name servers to verify consistent DNS setups in connection with the processing of three types of EPP commands:
- domain create
- domain update
- host update (if the host name and/or IP address is changed)
The EPP commands are rejected if any of these basic tests fail.
Domain create and domain update
Tests performed for each name server registered for the domain name
If the name server is directly under the domain name being tested and therefore has glue records in the parent domain:
- The name server must be registered with at least one IPv4 address.
- The name server must respond to all of its registered IPv4 and IPv6 addresses with A records and AAAA records corresponding to the IPv4 and IPv6 addresses registered to the name servers and only these addresses.
If the name server is not directly under the domain name being tested and therefore does not require glue records in the parent domain:
- The name server must have one or more A records.
- The name server may have one or more AAAA records.
Tests performed against each IPv4 and IPv6 address for each of the name servers registered for the domain name
- The domain name has NS records for all name servers registered for the domain name and only these name servers.
- The domain name has an SOA record, which includes a valid mname and a valid rname.
DNSSEC-specific tests performed if the domain name is registered with at least one DS record
- All registered name servers must respond with a DNSKEY set for the domain name. All name servers must respond with the same DNSKEY set.
- All registered name servers must respond with RRSIG records for the domain names SOA record, NS records, and DNSKEY records.
- The DNSKEY set must include at least one key referenced in the DS set.
- RRSIG records for the DNSKEY set must include at least one valid signature created with one of the keys referenced in the DS set.
- The RRSIG records for the SOA record must include at least one valid signature created with one of the keys in the DNSKEY set.
- The RRSIG records for the NS set must include at least one valid signature created with one of the keys in the DNSKEY set.
Host update
Tests performed if the name server is beneath a domain name it is the name server for, which means it has a glue record in the parent domain
- The name server must be registered with at least one IPv4 address.
- The name server must respond to all of its registered IPv4 and IPv6 addresses with A records and AAAA records corresponding to the IPv4 and IPv6 addresses registered to it, and only these addresses.
Tests performed if the name server is not beneath a domain name it is the name server for, and therefore does not require a glue record
- The name server must have one or more A records.
- The name server may have one or more AAAA records.
Tests performed against each of the name server’s IPv4 and IPv6 addresses
- All domain names registered to the name server have NS records for the name server.
- All domain names registered to the name server have a valid SOA record.
DNSSEC-specific tests performed for each of the domain names registered to the name server
- The system performs the same tests described for domain names, except only the name server being updated is included in the test and not the other name server registered for the domain name.
- Please also note the following limitation: In special circumstances, the test may sometimes conclude that no error has been found, even though a DNSSEC error is actually present. This happens when the only errors are DNSSEC errors, and there are no other types of DNS errors present.