Extended DNS Errors

About

The Domain Name System (DNS) relies on response codes to confirm successful transactions or indicate anomalies. Yet, the codes are not sufficiently fine-grained to pinpoint the root causes of resolution failures. RFC 8914 (Extended DNS Errors or EDE) addresses the problem by defining a new extensible registry of error codes to be served inside the OPT resource record. We studied the implementation of EDE by four major DNS resolver vendors and three large public DNS resolvers. They correctly narrow down the cause of underlying problems, but do not agree in 94% of our test cases in terms of the returned EDE codes. We additionally performed a large-scale analysis of more than 303M registered domain names. We show that 17.7M of them trigger EDE codes. Lame delegations and DNSSEC validation failures are the most common problems encountered.

Paper

We describe our findings in greater details in our paper. Please use the below citation to refer to it:

                
                @inproceedings{nosyk2023ede,
                    author = {Nosyk, Yevheniya and Korczyński, Maciej and Duda, Andrzej},
                    title = {Extended DNS Errors: Unlocking the Full Potential of DNS Troubleshooting},
                    year = {2023},
                    publisher = {Association for Computing Machinery},
                    address = {New York, NY, USA},
                    url = {https://doi.org/10.1145/3618257.3624835},
                    doi = {10.1145/3618257.3624835},
                    booktitle = {Proceedings of the 2023 ACM Internet Measurement Conference},
                    location = {Montréal, Canada},
                    series = {IMC '23}
                }
                
            

Testing Infrastructure

This (extended-dns-errors.com) domain name has 63 subdomains with various misconfigurations or corner cases. Feel free to query those to check how your recursive resolver behaves when faced with erroneous domains. All the configuration instructions are provided here:

Subdomain Configuration
validThe correctly configured control domain
unsignedThe domain name is not signed with DNSSEC
allow-query-noneNameserver does not accept queries for the subdomain
allow-query-localhostNameserver only accepts queries from the localhost
no-dsThe subdomain is correctly signed but no DS record was published at the parent zone
ds-bad-tagThe key tag field of the DS record at the parent zone does not correspond to the KSK DNSKEY ID at the child zone
ds-bad-key-algoThe algorithm field of the DS record at the parent zone does not correspond to the KSK DNSKEY algorithm at the child zone
ds-unassigned-key-algoThe algorithm value of the DS record at the parent zone is unassigned (100)
ds-reserved-key-algoThe algorithm value of the DS record at the parent zone is reserved (200)
ds-unassigned-digest-algoThe digest algorithm value of the DS record at the parent zone is unassigned (100)
ds-bogus-digest-valueThe digest value of the DS record at the parent zone does not correspond to the KSK DNSKEY at the child zone
rrsig-exp-allAll the RRSIG records are expired
rrsig-exp-aThe RRSIG over A RRset is expired
rrsig-not-yet-allAll the RRSIG records are not yet valid
rrsig-not-yet-aThe RRSIG over A RRset is not yet valid
rrsig-exp-before-allAll the RRSIGs expired before the inception time
rrsig-exp-before-aThe RRSIG over A RRset expired before the inception time
rrsig-no-allAll the RRSIGs were removed from the zone file
rrsig-no-aThe RRSIG over A RRset was removed from the zone file
no-rrsig-kskThe RRSIG over KSK DNSKEY was removed from the zone file
no-rrsig-dnskeyAll the RRSIGs over DNSKEY RRsets were removed from the zone file
bad-nsec3-hashHashed owner names were modified in all the NSEC3 records
bad-nsec3-nextNext hashed owner names were modified in all the NSEC3 records
bad-nsec3param-saltThe salt value of the NSEC3PARAM resource record is wrong
bad-nsec3-rrsigRRSIGs over NSEC3 RRsets are bogus
nsec3-missingAll the NSEC3 records were removed from the zone file
nsec3-rrsig-missingRRSIGs over NSEC3 RRsets were removed from the zone file
nsec3param-missingNSEC3PARAM resource record was removed from the zone file
no-nsec3param-nsec3NSEC3 and NSECPARAM resource records were removed from the zone file
no-zskThe ZSK DNSKEY was removed from the zone file
bad-zskThe ZSK DNSKEY resource record is wrong
no-kskThe KSK DNSKEY was removed from the zone file
bad-rrsig-kskThe RRSIG over KSK DNSKEY is wrong
bad-kskThe KSK DNSKEY is wrong
bad-rrsig-dnskeyAll the RRSIGs over DNSKEY RRsets are wrong
no-dnskey-256The Zone Key Bit is set to 0 for the ZSK DNSKEY
no-dnskey-257The Zone Key Bit is set to 0 for the KSK DNSKEY
no-dnskey-256-257The Zone Key Bit is set to 0 for both the KSK DNSKEY and ZSK DNSKEY
bad-zsk-algoThe ZSK DNSKEY algorithm number is wrong
unassigned-zsk-algoThe ZSK DNSKEY algorithm number is unassigned (100)
reserved-zsk-algoThe ZSK DNSKEY algorithm number is reserved (200)
ed448The zone is signed with ED448 algorithm
v6-docThe AAAA glue record at the parent zone is from the documentation range
v4-docThe A glue record at the parent zone is a documentation address
dsaThe zone is signed with DSA algorithm
rsamd5The zone is signed with RSAMD5 algorithm
not-authGiven nameservers are not authoritative for this domain
nsec3-iter-1NSEC3 iteration count is set to 1
nsec3-iter-51NSEC3 iteration count is set to 51
nsec3-iter-101NSEC3 iteration count is set to 101
nsec3-iter-151NSEC3 iteration count is set to 151
nsec3-iter-200NSEC3 iteration count is set to 200

Contact Us

If you want to find out more about this project, contact us at yevheniya.nosyk@univ-grenoble-alpes.fr.