Cisco Umbrella is happy to announce preliminary support for Extended DNS Errors (EDE) as defined in https://tools.ietf.org/html/draft-ietf-dnsop-extended-error-16.
Our initial support is focused on DNSSEC error codes for SERVFAIL responses. We plan to add support for other error codes in the future, as well as the text representations of the error codes.
Supported Error Codes
Code | Name | Supported | Error encountered |
---|---|---|---|
0 | Other | No | |
1 | Unsupported DNSKEY Algorithm | Yes | DNSKEY Algorithm not supported. |
2 | Unsupported DS Digest Type | Yes | DS Digest type not supported |
3 | Stale Answer | No | |
4 | Forged Answer | No | |
5 | DNSSEC Indeterminate | No | |
6 | DNSSEC Bogus | Yes | |
7 | Signature Expired | Yes | RRSIG matched DNSKEY (keytag and algorithm) but has an expired signature |
8 | Signature Not Yet Valid | Yes | RRSIG matched DNSKEY (keytag and algorithm) but has a signature inception time that is after now. |
9 | DNSKEY Missing | Yes | DS matching the DNSKEY not found. |
10 | RRSIGs Missing | Yes | RRSIG that matches the DNSKEY (keytag and algorithm) not found. |
11 | No Zone Key Bit Set | Yes | When the DNSKEY does not have the zone bit set. |
12 | NSEC Missing | Yes | Negative proof not found or insufficient. |
13 | Cached Error | No | |
14 | Not Ready | No | |
15 | Blocked | No | |
16 | Censored | No | |
17 | Filtered | No | |
18 | Prohibited | No | |
19 | Stale NXDOMAIN Answer | No | |
20 | Not Authoritative | No | |
21 | Not Supported | No | |
22 | No Reachable Authority | No | |
23 | Network Error | No | |
24 | Invalid Data | No | |
Example Response
A query returning an Extended DNS Error will show the error code in the EDNS section using OPT code 15. For example, in the following query, the error code returned is 6, corresponding to the 'DNSSEC Bogus' error:
```
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> +dnssec +nocrypt bogus.d2a10n3.rootcanary.net @m81.sjc.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63825
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 16384
; OPT=15: 00 06 ("..")
;; QUESTION SECTION:
;bogus.d2a10n3.rootcanary.net. IN A
```
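The following Python example is added here and is not part of the original article or Umbrella's own code. It walks a raw DNS response, finds the OPT pseudo-record, and decodes option 15 into its 2-byte INFO-CODE and optional EXTRA-TEXT. The response bytes are constructed to mirror the dig output above, and `skip_name`, `extended_errors` and `build_response` are names chosen for this example.

```python
import struct

# Names for the INFO-CODEs this page lists as supported (from the table above).
EDE_NAMES = {1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
             6: "DNSSEC Bogus", 7: "Signature Expired",
             8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
             10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:                    # root label terminates the name
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def extended_errors(msg):
    """Return [(info_code, extra_text)] for every EDNS option 15 in msg."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off, end = off + 10, off + 10 + rdlen
        while rtype == 41 and off + 4 <= end:     # OPT RDATA: (code, len, data)*
            code, olen = struct.unpack_from("!HH", msg, off)
            data = msg[off + 4:min(off + 4 + olen, end)]
            if code == 15 and len(data) == olen >= 2:   # ignore truncated options
                info = struct.unpack("!H", data[:2])[0]
                found.append((info, data[2:].decode("utf-8", "replace")))
            off += 4 + olen
        off = end
    return found

def build_response(options=bytes.fromhex("000f00020006")):
    """Constructed SERVFAIL reply mirroring the dig output (not a capture)."""
    labels = b"bogus.d2a10n3.rootcanary.net".split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\0"
    header = struct.pack("!6H", 63825, 0x8182, 1, 0, 0, 1)   # qr rd ra, rcode 2
    opt = b"\0" + struct.pack("!HHIH", 41, 16384, 0x8000, len(options)) + options
    return header + qname + struct.pack("!HH", 1, 1) + opt

if __name__ == "__main__":
    for info, text in extended_errors(build_response()):
        print(info, EDE_NAMES.get(info, "not in supported list"), repr(text))
```

Malformed input that is cut off inside the header or a record header raises `struct.error` or `IndexError`, so callers handling untrusted packets should catch both.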