Extended DNS Errors

Unlocking the Full Potential of DNS Troubleshooting


Latest news

July 7, 2024

The domains are under maintenance

It SHOULD take a couple of days only. There MAY be unexpected delays.

June 22, 2025

All the domains were resigned

December 13, 2024

All the domains were resigned

October 29, 2024

The project was presented at RIPE 89 in Prague during the DNS WG session

The recording and slides are available here.

October 8, 2024

Major cleanup

  • All the domains (apart from nsec3-iter-*) are now RFC 9276 compliant, meaning they are using 0 additional iterations and no salt
  • Added more domains that are not compliant with RFC 9276
  • Removed most of the domains with non-routable glue records due to redundant results

July 22, 2024

The project was presented at IETF 120 in Vancouver

The recording of the IRTFOPEN session is available here.

July 15, 2024

The project was presented at APAC DNS Forum 2024 Pre-Event Webinar 3

The recording is available here.

January 6, 2024

Major news - our paper won the IRTF Applied Networking Research Prize!

It will be presented later this year in Vancouver during IETF 120.

October 25, 2023

The paper was presented at the ACM Internet Measurement Conference in Montréal

September 14, 2023

This website is up, welcome!

Domains

This domain — extended-dns-errors.com — contains 68 subdomains, each showcasing different misconfigurations or edge cases. You're welcome to query them to observe how your recursive resolver handles erroneous DNS scenarios. Configuration instructions are available on GitHub. You can also access the text file with all the domains here.
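To observe those scenarios end to end you need an EDNS0 query with the DO bit set and a way to read the Extended DNS Error option (RFC 8914, option code 15) out of the reply. The Python below is an added example, not the project's own tooling: it builds such a query, extracts every EDE option from a raw reply, and exercises the parser on a constructed SERVFAIL reply for rrsig-exp-a (not a captured packet).

```python
import struct

EDE_CODES = {  # RFC 8914 info codes (27 was registered by RFC 9276); subset relevant to this page
    1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
    11: "No Zone Key Bit Set", 12: "NSEC Missing", 20: "Not Authoritative",
    22: "No Reachable Authority", 27: "Unsupported NSEC3 Iterations Value"}

def encode_name(name):  # dotted name -> length-prefixed wire-format labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a wire-format name (a compression pointer ends it)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def build_query(name, qtype=1, txid=0x1234):
    """RD=1 query carrying an EDNS0 OPT RR with DO=1; resolvers attach EDE only to EDNS queries."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # one question, one additional (OPT)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)  # root name, type OPT, bufsize, DO bit
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt

def extended_errors(msg):
    """Return [(rcode, info_code, meaning, extra_text)] for every EDE option found in a reply."""
    rcode, (qd, an, ns, ar) = msg[3] & 0x0F, struct.unpack("!HHHH", msg[4:12])
    off, found = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qname, qtype, qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == 41 and p + 4 <= len(rdata):  # only the OPT pseudo-RR carries EDNS options
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            body, p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            if code == 15 and len(body) >= 2:  # OPTION-CODE 15 = Extended DNS Error
                info = struct.unpack("!H", body[:2])[0]
                found.append((rcode, info, EDE_CODES.get(info, "not in table"),
                              body[2:].decode("utf-8", "replace")))
    return found

def sample_reply():
    """Constructed SERVFAIL for rrsig-exp-a with EDE 7 (Signature Expired); not a captured packet."""
    text = b"validation failure: RRSIG expired"
    opt = (b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 6 + len(text))
           + struct.pack("!HHH", 15, 2 + len(text), 7) + text)
    header = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)  # QR=1 RD=1 RA=1 RCODE=2
    return header + encode_name("rrsig-exp-a.extended-dns-errors.com") + struct.pack("!HH", 1, 1) + opt
```

Sending build_query(...) to your resolver on UDP port 53 with the socket module and passing the reply to extended_errors shows which info code, if any, it attaches to each subdomain.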

Control subdomains

These two domains are correctly configured.

  • valid: DNSSEC-signed subdomain
  • unsigned: Unsigned subdomain

DNSSEC signing algorithms

The full list of Domain Name System Security (DNSSEC) Algorithm Numbers is maintained by IANA. Note that some MUST NOT be used for zone signing and validation, others are RECOMMENDED, MAY, etc.

  • rsamd5: DNSSEC algorithm number 1 (RSAMD5)
  • dsa: DNSSEC algorithm number 3 (DSA)
  • rsasha1: DNSSEC algorithm number 5 (RSASHA1)
  • dsa-nsec3-sha1: DNSSEC algorithm number 6 (DSA-NSEC3-SHA1)
  • rsasha1-nsec3-sha1: DNSSEC algorithm number 7 (RSASHA1-NSEC3-SHA1)
  • rsasha256: DNSSEC algorithm number 8 (RSASHA256)
  • rsasha512: DNSSEC algorithm number 10 (RSASHA512)
  • ecdsap256sha256: DNSSEC algorithm number 13 (ECDSAP256SHA256)
  • ecdsap384sha384: DNSSEC algorithm number 14 (ECDSAP384SHA384)
  • ed25519: DNSSEC algorithm number 15 (ED25519)
  • ed448: DNSSEC algorithm number 16 (ED448)

NSEC3 additional iterations

The Guidance for NSEC3 Parameter Settings (RFC 9276) states that "if NSEC3 must be used, then an iterations count of 0 MUST be used to alleviate computational burdens". Only the first domain below complies with this requirement.

  • nsec3-iter-0: The number of additional iterations is 0
  • nsec3-iter-1: The number of additional iterations is 1
  • nsec3-iter-50: The number of additional iterations is 50
  • nsec3-iter-100: The number of additional iterations is 100
  • nsec3-iter-150: The number of additional iterations is 150
  • nsec3-iter-200: The number of additional iterations is 200
  • nsec3-iter-500: The number of additional iterations is 500
  • nsec3-iter-1000: The number of additional iterations is 1000
  • nsec3-iter-1500: The number of additional iterations is 1500
  • nsec3-iter-2000: The number of additional iterations is 2000
  • nsec3-iter-2500: The number of additional iterations is 2500
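The iterations and salt that the nsec3-iter-* subdomains (and, further down, bad-nsec3param-salt) vary are inputs to the NSEC3 owner-name hash, so every extra iteration is one more SHA-1 round that a validating resolver must compute per name when it checks a denial of existence. The Python below is an added example, not the project's code: it implements the RFC 5155 hash chain, renders the base32hex owner label, and reports how an NSEC3PARAM record deviates from RFC 9276.

```python
import base64, hashlib

# RFC 4648 base32 alphabet -> base32hex alphabet, used for the hashed owner label
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def encode_name(name):  # dotted name -> canonical (lowercase) wire-format labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".")) + b"\x00"

def parse_nsec3param(text):
    """'hash-alg flags iterations salt' presentation form; '-' means an empty salt."""
    alg, flags, iters, salt = text.split()
    return int(alg), int(flags), int(iters), (b"" if salt == "-" else bytes.fromhex(salt))

def extra_round(digest, salt=b""):  # one additional iteration: H(previous digest || salt)
    return hashlib.sha1(digest + salt).digest()

def nsec3_digest(name, iterations=0, salt=b""):
    """RFC 5155 section 5: H(owner name || salt), then `iterations` further rounds."""
    digest = hashlib.sha1(encode_name(name) + salt).digest()
    for _ in range(iterations):
        digest = extra_round(digest, salt)
    return digest

def nsec3_owner_label(name, iterations=0, salt=b""):
    """The hashed owner label as it appears in the zone: base32hex, lowercase."""
    return base64.b32encode(nsec3_digest(name, iterations, salt)).decode().translate(B32HEX).lower()

def rfc9276_findings(nsec3param_text):
    """Deviations of an NSEC3PARAM record from RFC 9276: iterations MUST be 0, salt SHOULD be empty."""
    alg, _flags, iters, salt = parse_nsec3param(nsec3param_text)
    findings = []
    if alg != 1:
        findings.append(f"hash algorithm {alg}: only 1 (SHA-1) is defined")
    if iters != 0:
        findings.append(f"iterations={iters}: MUST be 0 (each hashed name costs {1 + iters} SHA-1 rounds)")
    if salt:
        findings.append(f"salt={salt.hex()}: SHOULD be empty")
    return findings
```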

DS record manipulations

The full list of DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms is maintained by IANA. Note that some MUST NOT be used anymore, others are RECOMMENDED, MAY, etc.

  • no-ds: The subdomain is correctly signed but no DS record was published at the parent zone
  • ds-bad-tag: The key tag value is set to 00000
  • ds-bad-key-algo: The algorithm value is changed from 8 to 7
  • ds-unassigned-key-algo: The algorithm value is changed from 8 to 100
  • ds-reserved-key-algo: The algorithm value is changed from 8 to 200
  • ds-unassigned-digest-algo: The digest type value is changed from 2 to 100
  • ds-bogus-digest-value: The digest value is computed from the "I am not a real DNSKEY digest" string

NSEC3 record manipulations

DNS Security (DNSSEC) Hashed Authenticated Denial of Existence (RFC 5155) describes the inner workings of NSEC3.

  • no-nsec3: All the NSEC3 records were removed from the zone file
  • no-nsec3-rrsig: RRSIGs over NSEC3 resource records were removed from the zone file
  • no-nsec3param: The NSEC3PARAM resource record was removed from the zone file
  • no-nsec3param-nsec3: NSEC3 and NSEC3PARAM resource records were removed from the zone file
  • bad-nsec3-hash: Hash parts of the owner names are computed from the "I am not a real hash" string
  • bad-nsec3-next: Next hashed owner names are computed from the "I am not a real hash" string
  • bad-nsec3-rrsig: RRSIGs over NSEC3 RRsets are bogus
  • bad-nsec3param-salt: The salt value of the NSEC3PARAM resource record is changed from - to 1

DNSKEY record manipulations

Check Resource Records for the DNS Security Extensions (RFC 4034) for the format of this resource record.

  • no-zsk: The Zone Signing Key was removed
  • no-ksk: The Key Signing Key was removed
  • no-dnskey: Both DNSKEYs were removed
  • bad-zsk: The Zone Signing Key is wrong
  • bad-ksk: The Key Signing Key is wrong
  • no-dnskey-rrsig: RRSIGs over DNSKEY resource records were removed
  • bad-dnskey-rrsig: RRSIGs over DNSKEY resource records are bogus
  • no-dnskey-256: The zone key bit of the Zone Signing Key is set to 0
  • no-dnskey-257: The zone key bit of the Key Signing Key is set to 0
  • no-dnskey-256-257: The zone key bits of both DNSKEYs are set to 0
  • bad-zsk-algo: The algorithm field of the ZSK is set to 7
  • bad-ksk-algo: The algorithm field of the KSK is set to 7
  • unassigned-zsk-algo: The algorithm field of the ZSK is set to 100
  • unassigned-ksk-algo: The algorithm field of the KSK is set to 100
  • reserved-zsk-algo: The algorithm field of the ZSK is set to 200
  • reserved-ksk-algo: The algorithm field of the KSK is set to 200

RRSIG record manipulations

Check Resource Records for the DNS Security Extensions (RFC 4034) for the format of this resource record.

  • no-rrsig-all: All the RRSIGs were removed
  • no-rrsig-a: The RRSIG over the A RRset was removed
  • rrsig-exp-all: All the RRSIGs expired one minute after the inception
  • rrsig-exp-a: The RRSIG over the A RRset expired one minute after the inception
  • rrsig-exp-before-all: All the signatures had expired before the inception
  • rrsig-exp-before-a: The RRSIG over the A RRset expired before the inception
  • rrsig-not-yet-all: All the RRSIGs will be valid in one year
  • rrsig-not-yet-a: The RRSIG over the A RRset will be valid in one year

Lame delegations

As per RFC 1713, a lame delegation "happens when a name server is listed in the NS records for some domain and in fact it is not a server for that domain".

  • allow-query-none: The nameserver does not accept queries for a subdomain
  • allow-query-localhost: The nameserver only accepts queries from localhost
  • v4-doc: The nameserver IP is set to a documentation IPv4 address
  • v6-doc: The nameserver IP is set to a documentation IPv6 address
  • not-auth: The nameserver does not serve this subdomain

Papers

Zeros Are Heroes: NSEC3 Parameter Settings in the Wild
Publication date: Nov 4, 2024

Extended DNS Errors: Unlocking the Full Potential of DNS Troubleshooting
Publication date: Oct 24, 2023

Contact

If you want to find out more about this project or have an interesting misconfiguration in mind, please contact me at yevheniya.nosyk@korlabs.io.