The Domain Name System (DNS) relies on response codes to confirm successful transactions or indicate anomalies. Yet, the codes are not sufficiently fine-grained to pinpoint the root causes of resolution failures. RFC 8914 (Extended DNS Errors or EDE) addresses the problem by defining a new extensible registry of error codes to be served inside the OPT resource record. We studied the implementation of EDE by four major DNS resolver vendors and three large public DNS resolvers. They correctly narrow down the cause of underlying problems, but do not agree in 94% of our test cases in terms of the returned EDE codes. We additionally performed a large-scale analysis of more than 303M registered domain names. We show that 17.7M of them trigger EDE codes. Lame delegations and DNSSEC validation failures are the most common problems encountered.
We describe our findings in greater details in our paper. Please use the below citation to refer to it:
@inproceedings{nosyk2023ede,
author = {Nosyk, Yevheniya and Korczyński, Maciej and Duda, Andrzej},
title = {Extended DNS Errors: Unlocking the Full Potential of DNS Troubleshooting},
year = {2023},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3618257.3624835},
doi = {10.1145/3618257.3624835},
booktitle = {Proceedings of the 2023 ACM Internet Measurement Conference},
location = {Montréal, Canada},
series = {IMC '23}
}
This (extended-dns-errors.com) domain name has 63 subdomains with various misconfigurations or corner cases. Feel free to query those to check how your recursive resolver behaves when faced with erroneous domains. All the configuration instructions are provided here:
| Subdomain | Configuration |
|---|---|
valid | The correctly configured control domain |
unsigned | The domain name is not signed with DNSSEC |
allow-query-none | Nameserver does not accept queries for the subdomain |
allow-query-localhost | Nameserver only accepts queries from the localhost |
no-ds | The subdomain is correctly signed but no DS record was published at the parent zone |
ds-bad-tag | The key tag field of the DS record at the parent zone does not correspond to the KSK DNSKEY ID at the child zone |
ds-bad-key-algo | The algorithm field of the DS record at the parent zone does not correspond to the KSK DNSKEY algorithm at the child zone |
ds-unassigned-key-algo | The algorithm value of the DS record at the parent zone is unassigned (100) |
ds-reserved-key-algo | The algorithm value of the DS record at the parent zone is reserved (200) |
ds-unassigned-digest-algo | The digest algorithm value of the DS record at the parent zone is unassigned (100) |
ds-bogus-digest-value | The digest value of the DS record at the parent zone does not correspond to the KSK DNSKEY at the child zone |
rrsig-exp-all | All the RRSIG records are expired |
rrsig-exp-a | The RRSIG over A RRset is expired |
rrsig-not-yet-all | All the RRSIG records are not yet valid |
rrsig-not-yet-a | The RRSIG over A RRset is not yet valid |
rrsig-exp-before-all | All the RRSIGs expired before the inception time |
rrsig-exp-before-a | The RRSIG over A RRset expired before the inception time |
rrsig-no-all | All the RRSIGs were removed from the zone file |
rrsig-no-a | The RRSIG over A RRset was removed from the zone file |
no-rrsig-ksk | The RRSIG over KSK DNSKEY was removed from the zone file |
no-rrsig-dnskey | All the RRSIGs over DNSKEY RRsets were removed from the zone file |
bad-nsec3-hash | Hashed owner names were modified in all the NSEC3 records |
bad-nsec3-next | Next hashed owner names were modified in all the NSEC3 records |
bad-nsec3param-salt | The salt value of the NSEC3PARAM resource record is wrong |
bad-nsec3-rrsig | RRSIGs over NSEC3 RRsets are bogus |
nsec3-missing | All the NSEC3 records were removed from the zone file |
nsec3-rrsig-missing | RRSIGs over NSEC3 RRsets were removed from the zone file |
nsec3param-missing | NSEC3PARAM resource record was removed from the zone file |
no-nsec3param-nsec3 | NSEC3 and NSECPARAM resource records were removed from the zone file |
no-zsk | The ZSK DNSKEY was removed from the zone file |
bad-zsk | The ZSK DNSKEY resource record is wrong |
no-ksk | The KSK DNSKEY was removed from the zone file |
bad-rrsig-ksk | The RRSIG over KSK DNSKEY is wrong |
bad-ksk | The KSK DNSKEY is wrong |
bad-rrsig-dnskey | All the RRSIGs over DNSKEY RRsets are wrong |
no-dnskey-256 | The Zone Key Bit is set to 0 for the ZSK DNSKEY |
no-dnskey-257 | The Zone Key Bit is set to 0 for the KSK DNSKEY |
no-dnskey-256-257 | The Zone Key Bit is set to 0 for both the KSK DNSKEY and ZSK DNSKEY |
bad-zsk-algo | The ZSK DNSKEY algorithm number is wrong |
unassigned-zsk-algo | The ZSK DNSKEY algorithm number is unassigned (100) |
reserved-zsk-algo | The ZSK DNSKEY algorithm number is reserved (200) |
ed448 | The zone is signed with ED448 algorithm |
v6-mapped | The AAAA glue record at the parent zone is an IPv6-mapped IPv4 address |
v6-unspecified | The AAAA glue record at the parent zone is an unspecified address |
v4-hex | The AAAA glue record at the parent zone is an IPv4 address in hex form |
v6-link-local | The AAAA glue record at the parent zone is a link local address |
v6-localhost | The AAAA glue record at the parent zone is a localhost |
v6-mapped-dep | The AAAA glue record at the parent zone is a deprecated IPv6-mapped IPv4 address |
v6-doc | The AAAA glue record at the parent zone is from the documentation range |
v6-unique-local | The AAAA glue record at the parent zone is from a unique local address |
v6-nat64 | The AAAA glue record at the parent zone is used for NAT64 |
v6-multicast | The AAAA glue record at the parent zone is from a multicast range |
v4-private-10 | The A glue record at the parent zone is a private address |
v4-private-172 | The A glue record at the parent zone is a private address |
v4-private-192 | The A glue record at the parent zone is a private address |
v4-this-host | The A glue record at the parent zone is a 0.0.0.0 |
v4-loopback | The A glue record at the parent zone is a loopback address |
v4-link-local | The A glue record at the parent zone is a link-local address |
v4-doc | The A glue record at the parent zone is a documentation address |
v4-reserved | The A glue record at the parent zone is a reserved address |
dsa | The zone is signed with DSA algorithm |
nsec3-iter-200 | NSEC3 iteration count is set to 200 |
rsamd5 | The zone is signed with RSAMD5 algorithm |
If you want to find out more about this project, contact us at yevheniya.nosyk@univ-grenoble-alpes.fr.