Create test cases for thorough testing of DNSSEC scenarios
Scenarios to test (and expected results):
For each scenario, these DNSKEY configurations should be tested:
- Conf 1: Only old algorithm (RSASHA1) DNSKEY(s).
- Conf 2: Both old and new algorithm (NSEC3RSASHA1) DNSKEY(s).
- Conf 3: RSASHA256 DNSKEY(s)
- all configurations: Result: RRSIGs for each active key, NSECs present, NSEC3s not present. (already done in the old tests)
all configurations: The same as (1).
- Conf 1: Should not sign the zone at all, and log some error.
- Conf 2: RRSIGs only for the new algorithm, NSEC3s present, NSECs not present.
- Conf 3: Result same as in (1).
Results the same as in (3).
- Results the same as in (3).
- Results the same as in (3).
- Results same as in (1).
- Results same as in (7).
Scenarios without different DNSKEY configurations:
- Result: Appropriate DNSKEY should be added to the zone and the key should be used to sign the zone.
- Result: DNSKEY should be added to zone, but not used for signing.
- Result: The DNSKEY should be added to the zone and zone signed by it.
- Result: The DNSKEY should no longer be present, and all signatures associated with it should be removed.
- Resuit: The DNSKEY should not be removed, signatures also left in the zone. There should be a warning in the log.
- Result: The DNSKEY should be removed, together with signatures associated with it.