Extended DNS Errors

Unlocking the Full Potential of DNS Troubleshooting

The Domain Name System (DNS) relies on response codes to confirm successful transactions or indicate anomalies. Yet, the codes are not sufficiently fine-grained to pinpoint the root causes of resolution failures. RFC 8914 (Extended DNS Errors or EDE) addresses the problem by defining a new extensible registry of error codes to be served inside the OPT resource record. We studied the implementation of EDE by four major DNS resolver vendors and three large public DNS resolvers. They correctly narrow down the cause of underlying problems, but do not agree in 94% of our test cases in terms of the returned EDE codes. We additionally performed a large-scale analysis of more than 303M registered domain names. We show that 17.7M of them trigger EDE codes. Lame delegations and DNSSEC validation failures are the most common problems encountered.

Paper

ACM IMC research paper

Publication Date
Oct 24, 2023
.bib .pdf

Latest news

December 13, 2024

All the domains were resigned

October 29, 2024

The project was presented at RIPE 89 in Prague during the DNS WG session

The recording and slides are available here.

October 8, 2024

Major cleanup

  • All the domains (apart from nsec3-iter-*) are now RFC 9276 compliant, meaning they are using 0 additional iterations and no salt
  • Added more domains that are not compliant with RFC 9276
  • Removed most of the domains with non-routable glue records due to redundant results
July 22, 2024

The project was presented at IETF 120 in Vancouver

The recording of the IRTFOPEN session available here.

July 15, 2024

The project was presented at APAC DNS Forum 2024 Pre-Event Webinar 3

The recording is available here.

January 6, 2024

Major news - our paper won the IRTF Applied Networking Research Prize!

It will be presented later this year in Vancouver during IETF 120.

October 25, 2023

The paper was presented at the ACM Internet Measurement Conference in Montréal

September 14, 2023

This website is up, welcome!

Domains

This (extended-dns-errors.com) domain name has 52 subdomains with various misconfigurations or corner cases. Feel free to query those to check how your recursive resolver behaves when faced with erroneous domains. All the configuration instructions are provided on GitHub:

Subdomain Configuration
validThe correctly configured control domain
unsignedThe domain name is not signed with DNSSEC
allow-query-noneNameserver does not accept queries for the subdomain
allow-query-localhostNameserver only accepts queries from the localhost
no-dsThe subdomain is correctly signed but no DS record was published at the parent zone
ds-bad-tagThe key tag field of the DS record at the parent zone does not correspond to the KSK DNSKEY ID at the child zone
ds-bad-key-algoThe algorithm field of the DS record at the parent zone does not correspond to the KSK DNSKEY algorithm at the child zone
ds-unassigned-key-algoThe algorithm value of the DS record at the parent zone is unassigned (100)
ds-reserved-key-algoThe algorithm value of the DS record at the parent zone is reserved (200)
ds-unassigned-digest-algoThe digest algorithm value of the DS record at the parent zone is unassigned (100)
ds-bogus-digest-valueThe digest value of the DS record at the parent zone does not correspond to the KSK DNSKEY at the child zone
rrsig-exp-allAll the RRSIG records are expired
rrsig-exp-aThe RRSIG over A RRset is expired
rrsig-not-yet-allAll the RRSIG records are not yet valid
rrsig-not-yet-aThe RRSIG over A RRset is not yet valid
rrsig-exp-before-allAll the RRSIGs expired before the inception time
rrsig-exp-before-aThe RRSIG over A RRset expired before the inception time
rrsig-no-allAll the RRSIGs were removed from the zone file
rrsig-no-aThe RRSIG over A RRset was removed from the zone file
no-rrsig-kskThe RRSIG over KSK DNSKEY was removed from the zone file
no-rrsig-dnskeyAll the RRSIGs over DNSKEY RRsets were removed from the zone file
bad-nsec3-hashHashed owner names were modified in all the NSEC3 records
bad-nsec3-nextNext hashed owner names were modified in all the NSEC3 records
bad-nsec3param-saltThe salt value of the NSEC3PARAM resource record is wrong
bad-nsec3-rrsigRRSIGs over NSEC3 RRsets are bogus
nsec3-missingAll the NSEC3 records were removed from the zone file
nsec3-rrsig-missingRRSIGs over NSEC3 RRsets were removed from the zone file
nsec3param-missingNSEC3PARAM resource record was removed from the zone file
no-nsec3param-nsec3NSEC3 and NSECPARAM resource records were removed from the zone file
no-zskThe ZSK DNSKEY was removed from the zone file
bad-zskThe ZSK DNSKEY resource record is wrong
no-kskThe KSK DNSKEY was removed from the zone file
bad-rrsig-kskThe RRSIG over KSK DNSKEY is wrong
bad-kskThe KSK DNSKEY is wrong
bad-rrsig-dnskeyAll the RRSIGs over DNSKEY RRsets are wrong
no-dnskey-256The Zone Key Bit is set to 0 for the ZSK DNSKEY
no-dnskey-257The Zone Key Bit is set to 0 for the KSK DNSKEY
no-dnskey-256-257The Zone Key Bit is set to 0 for both the KSK DNSKEY and ZSK DNSKEY
bad-zsk-algoThe ZSK DNSKEY algorithm number is wrong
unassigned-zsk-algoThe ZSK DNSKEY algorithm number is unassigned (100)
reserved-zsk-algoThe ZSK DNSKEY algorithm number is reserved (200)
ed448The zone is signed with ED448 algorithm
v6-docThe AAAA glue record at the parent zone is from the documentation range
v4-docThe A glue record at the parent zone is a documentation address
dsaThe zone is signed with DSA algorithm
rsamd5The zone is signed with RSAMD5 algorithm
not-authGiven nameservers are not authoritative for this domain
nsec3-iter-1NSEC3 iteration count is set to 1
nsec3-iter-51NSEC3 iteration count is set to 51
nsec3-iter-101NSEC3 iteration count is set to 101
nsec3-iter-151NSEC3 iteration count is set to 151
nsec3-iter-200NSEC3 iteration count is set to 200

Contact

If you want to find out more about this project or have an interesting misconfiguration in mind, please contact me at yevheniya.nosyk@korlabs.io.