registry
DNSSEC validation
Create a background job for validating the DNSSEC trust chains of the domains that have DS records in the .ee TLD zones. Similar to the host validation and CSYNC processes:
- mark DS records that have been added to the registry by CSYNC as valid (no need to validate those records for at least a year)
- validate all un-validated DS records
- check that the DNSKEY exists in all the nameservers associated with the domain, over both IPv4 and IPv6 addresses

If an invalid DS record is found on three consecutive validation runs, then remove it from the .ee zone and notify the registrar and the registrant:
- the message must include the list of misconfigured host records
- notify the registrar via a poll message
- notify the technical contact about removing the DS record from the zone via email
Testing:

1)
- add a DS record to a domain that has the same key in all its nameservers (on both IPv4 and IPv6 addresses)
- run the validator: no issues

2)
- add a DS record to a domain that has no DNSKEYs in its hosts
- run the validator: the DS record is marked as invalid for the first time, and a record is created in the validations table
- run the validator a third time: a third record is created in the validations table, and the DS record is removed from the .ee TLD zones
- the notification arrives to the registrar as a poll message
- the notification arrives to the technical contact about removing the DS record from the zone via email
- an email notification is sent to the registrant and admin if the tech contact is missing or has an invalid email address

3)
- add a DS record to a domain that has one misconfigured host and at least one properly configured nameserver
- run the validator: the DS record is marked as invalid for the first and second time, and the record(s) are created in the validations table
- run the validator a third time: a third record is created in the validations table, and the DS record is removed from the .ee TLD zones
- the notification arrives to the registrar as a poll message
- the notification arrives to the technical contact about removing the DS record from the zone via email
- an email notification is sent to the registrant and admin if the tech contact is missing or has an invalid email address

4)
- add a DS record to a domain with the correct key value but an incorrect algorithm
- run the validator: the DS record is marked as invalid for the first time, and a record is created in the validations table
- run the validator a third time: a third record is created in the validations table, and the DS record is removed from the .ee TLD zones
- the notification arrives to the registrar as a poll message
- the notification arrives to the technical contact about removing the DS record from the zone via email
- an email notification is sent to the registrant and admin if the tech contact is missing or has an invalid email address

- what other issues can there be in relation to DNSSEC trust chain validation?
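The per-nameserver DS check and the three-consecutive-failures rule described in the issue body, exercised against the test scenarios above (key present everywhere, key missing on one address, wrong algorithm), as an added Ruby example. This is not code from the registry project: it assumes constructed DNSKEY RRsets per nameserver address in place of live DNS queries, an in-memory array as the validations table, and made-up names, keys and addresses.

```ruby
require 'digest'

# Added example: DS-vs-DNSKEY checking per nameserver address plus the
# "three consecutive failed runs" rule. Constructed data stands in for the
# DNSKEY RRsets the job would fetch from each nameserver over IPv4 and IPv6.

REMOVAL_THRESHOLD = 3 # consecutive failed runs before the DS record leaves the zone

# RFC 4034 digest types supported here: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGOS = { 1 => Digest::SHA1, 2 => Digest::SHA256, 4 => Digest::SHA384 }.freeze

# Owner name in canonical wire format: lowercase, length-prefixed labels, root label.
def owner_wire(name)
  labels = name.downcase.chomp('.').split('.')
  labels.map { |l| [l.bytesize].pack('C') + l.b }.join.b + "\x00".b
end

# DNSKEY RDATA: flags (16 bits), protocol (8), algorithm (8), raw public key bytes.
def dnskey_rdata(key)
  [key[:flags], key[:protocol], key[:algorithm]].pack('nCC') + [key[:pubkey_hex]].pack('H*')
end

# Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5).
def key_tag(rdata)
  ac = 0
  rdata.bytes.each_with_index { |b, i| ac += i.even? ? (b << 8) : b }
  ac += (ac >> 16) & 0xFFFF
  ac & 0xFFFF
end

# The DS record a DNSKEY should produce: digest over owner name || DNSKEY RDATA.
def ds_from_dnskey(name, key, digest_type: 2)
  rdata = dnskey_rdata(key)
  digest = DIGEST_ALGOS.fetch(digest_type).hexdigest(owner_wire(name) + rdata).upcase
  { key_tag: key_tag(rdata), algorithm: key[:algorithm], digest_type: digest_type, digest: digest }
end

# True when one nameserver's DNSKEY RRset contains a key matching the registry's DS.
# A key with the right digest but a different algorithm field does not match (scenario 4).
def dnskey_matches_ds?(name, ds, dnskeys)
  return false unless DIGEST_ALGOS.key?(ds[:digest_type])
  dnskeys.any? do |key|
    computed = ds_from_dnskey(name, key, digest_type: ds[:digest_type])
    %i[key_tag algorithm digest].all? { |field| computed[field] == ds[field] }
  end
end

# Check the DS against every nameserver address (IPv4 and IPv6 alike); `answers`
# maps address => DNSKEY RRset served there. Returns the misconfigured addresses,
# so a single bad host fails the run even if the other nameservers are fine (scenario 3).
def misconfigured_addresses(name, ds, answers)
  answers.reject { |_addr, keys| dnskey_matches_ds?(name, ds, keys) }.keys
end

# One validator run: append a row to the validations table and decide what to do.
# Only an unbroken tail of failed runs counts; one valid run resets the counter.
def record_validation(history, name, ds, answers)
  bad = misconfigured_addresses(name, ds, answers)
  history << { valid: bad.empty?, misconfigured: bad }
  failures = history.reverse.take_while { |row| !row[:valid] }.size
  if failures >= REMOVAL_THRESHOLD
    { action: :remove_from_zone, failures: failures, misconfigured: bad,
      notify: %i[registrar_poll_message tech_contact_email] }
  else
    { action: (bad.empty? ? :none : :keep), failures: failures, misconfigured: bad, notify: [] }
  end
end

# Constructed scenario: example.ee serves the key on its IPv4 address but not on IPv6.
def demo
  name = 'example.ee'
  key = { flags: 257, protocol: 3, algorithm: 13, pubkey_hex: 'a1' * 32 } # constructed key
  ds = ds_from_dnskey(name, key)
  answers = { '192.0.2.1' => [key], '2001:db8::1' => [] }
  history = []
  Array.new(REMOVAL_THRESHOLD) { record_validation(history, name, ds, answers) }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |run| puts run.values_at(:action, :failures, :misconfigured).inspect }
end
```

The `misconfigured` list returned on the removing run is what the registrar poll message and the technical-contact email would carry as the list of misconfigured host records; the `notify` targets are symbolic placeholders for the registry's own messaging.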