Extended DNS Errors

Unlocking the Full Potential of DNS Troubleshooting

Explore all the domains

Latest news

July 22, 2025

Major project reorganisation is over!

  • More subdomains were added
  • Subdomains are now grouped by misconfiguration type
  • All the subdomains were resigned
July 7, 2025

The domains are under maintenance

It SHOULD take a couple of days only. There MAY be unexpected delays.

June 22, 2025

All the domains were resigned

December 13, 2024

All the domains were resigned

October 29, 2024

The project was presented at RIPE 89 in Prague during the DNS WG session

The recording and slides are available here.

October 8, 2024

Major cleanup

  • All the domains (apart from nsec3-iter-*) are now RFC 9276 compliant, meaning they are using 0 additional iterations and no salt
  • Added more domains that are not compliant with RFC 9276
  • Removed most of the domains with non-routable glue records due to redundant results
July 22, 2024

The project was presented at IETF 120 in Vancouver

The recording of the IRTFOPEN session available here.

July 15, 2024

The project was presented at APAC DNS Forum 2024 Pre-Event Webinar 3

The recording is available here.

January 6, 2024

Major news - our paper won the IRTF Applied Networking Research Prize!

It will be presented later this year in Vancouver during IETF 120.

October 25, 2023

The paper was presented at the ACM Internet Measurement Conference in Montréal

September 14, 2023

This website is up, welcome!

Domains

This domain — extended-dns-errors.com — contains 101 subdomains, each showcasing different misconfigurations or edge cases. You're welcome to query them to observe how your recursive resolver handles erroneous DNS scenarios. Configuration instructions are available on GitHub. You can also access the text file with all the domains here.

Control subdomains

These two are configured correctly. If they do not resolve, then we have a bigger problem!

validDNSSEC-signed subdomain
unsignedNot signed with DNSSEC

DNSSEC signing algorithms

The full list of Domain Name System Security (DNSSEC) Algorithm Numbers is maintained by IANA. Note that some MUST NOT be used for zone signing and validation, others are RECOMMENDED, MAY, etc.

rsamd5DNSSEC algorithm number 1 (RSAMD5)
dsaDNSSEC algorithm number 3 (DSA)
rsasha1DNSSEC algorithm number 5 (RSASHA1)
dsa-nsec3-sha1DNSSEC algorithm number 6 (DSA-NSEC3-SHA1)
rsasha1-nsec3-sha1DNSSEC algorithm number 7 (RSASHA1-NSEC3-SHA1)
rsasha256DNSSEC algorithm number 8 (RSASHA256)
rsasha512DNSSEC algorithm number 10 (RSASHA512)
ecdsap256sha256DNSSEC algorithm number 13 (ECDSAP256SHA256)
ecdsap384sha384DNSSEC algorithm number 14 (ECDSAP384SHA384)
ed25519DNSSEC algorithm number 15 (ED25519)
ed448DNSSEC algorithm number 16 (ED448)

NSEC3 additional iterations

The Guidance for NSEC3 Parameter Settings (RFC 9276) states that "if NSEC3 must be used, then an iterations count of 0 MUST be used to alleviate computational burdens". Only the first domain below complies with this requirement. The easiest way to trigger these misconfigurations is to request a non-existing subdomain (e.g., foo.nsec3-iter...).

nsec3-iter-0The number of additional iterations is 0
nsec3-iter-1The number of additional iterations is 1
nsec3-iter-50The number of additional iterations is 50
nsec3-iter-100The number of additional iterations is 100
nsec3-iter-150The number of additional iterations is 150
nsec3-iter-200The number of additional iterations is 200
nsec3-iter-500The number of additional iterations is 500
nsec3-iter-1000The number of additional iterations is 1000
nsec3-iter-1500The number of additional iterations is 1500
nsec3-iter-2000The number of additional iterations is 2000
nsec3-iter-2500The number of additional iterations is 2500

DS record manipulations

Check Resource Records for the DNS Security Extensions (RFC 4034) for the format of this resource record. The full list of DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms is maintained by IANA. Note that some MUST NOT be used anymore, others are RECOMMENDED, MAY, etc.

no-dsThe subdomain is correctly signed but no DS record was published at the parent zone
ds-bad-tagThe key tag value is set to 00000
ds-bad-key-algoThe algorithm value is changed from 8 to 7
ds-unassigned-key-algoThe algorithm value is changed from 8 to 100
ds-reserved-key-algoThe algorithm value is changed from 8 to 200
ds-unassigned-digest-algoThe digest type value is changed from 2 to 100
ds-bogus-digest-valueThe digest value is computed from the "I am not a real DNSKEY digest" string

NSEC3 record manipulations

Check DNS Security (DNSSEC) Hashed Authenticated Denial of Existence (RFC 5155) for the format of this resource record. The easiest way to trigger these misconfigurations is to request a non-existing subdomain (e.g., foo.nsec3-iter...).

no-nsec3All the NSEC3 records were removed
no-nsec3-rrsigRRSIGs over NSEC3 resource records were removed
no-nsec3paramNSEC3PARAM resource record was removed
no-nsec3param-nsec3NSEC3 and NSECPARAM resource records were removed
bad-nsec3-hashHash parts of the owner names are computed from "I am not a real hash" string
bad-nsec3-nextNext hashed owner names are computed from "I am not a real hash" string
bad-nsec3-rrsigRRSIGs over NSEC3 RRsets are bogus
bad-nsec3param-saltThe salt value of the NSEC3PARAM resource record is changed from "-" to "01"

DNSKEY record manipulations

Check Resource Records for the DNS Security Extensions (RFC 4034) for the format of this resource record. The full list of Domain Name System Security (DNSSEC) Algorithm Numbers is maintained by IANA. None of these subdomains are DNSSEC-signed

no-zskThe Zone Signing Key was removed
no-kskThe Key Signing Key was removed
no-dnskeyBoth DNSKEYs were removed
bad-zskThe Zone Signing Key is wrong
bad-kskThe Key Signing Key is wrong
no-dnskey-rrsigRRSIGs over DNSKEY resource records were removed
bad-dnskey-rrsigRRSIGs over DNSKEY resource records are bogus
no-dnskey-256The zone key bit of the Zone Signing Key is set to 0
no-dnskey-257The zone key bit of the Key Signing Key is set to 0
no-dnskey-256-257The zone key bits of both DNSKEYs are set to 0
bad-zsk-algoThe algorithm field of the ZSK is set to 7
bad-ksk-algoThe algorithm field of the KSK is set to 7
unassigned-zsk-algoThe algorithm field of the ZSK is set to 100
unassigned-ksk-algoThe algorithm field of the KSK is set to 100
reserved-zsk-algoThe algorithm field of the ZSK is set to 200
reserved-ksk-algoThe algorithm field of the KSK is set to 200

RRSIG record manipulations

Check Resource Records for the DNS Security Extensions (RFC 4034) for the format of this resource record.

no-rrsig-allAll the RRSIGs were removed
no-rrsig-aThe RRSIG over the A RRset was removed
rrsig-exp-allAll the RRSIGs expired one minute after the inception
rrsig-exp-aThe RRSIG over the A RRset expired one minute after the inception
rrsig-exp-before-allAll the signatured had expired before the inception
rrsig-exp-before-aThe RRSIG over the A RRset expired before the inception
rrsig-not-yet-allAll the RRSIGs will be valid in one year
rrsig-not-yet-aThe RRSIG over the A RRset will be valid in one year

Lame delegations

As per RFC 1713, a lame delegation "happens when a name server is listed in the NS records for some domain and in fact it is not a server for that domain".

allow-query-noneThe nameserver does not accept queries for a subdomain
allow-query-localhostThe nameserver only accepts queries from a localhost
v4-docThe nameserver IP is set to a documentation IPv4 address
v6-docThe nameserver IP is set to a documentation IPv6 address
not-authThe nameserver does not serve this subdomain

Extended DNS Error codes

All the below domains are correctly configured, but we insert one EDE code (IANA maintains the full list) in the response using dnsdist. Such errors have the EXTRA-TEXT of "This EDE was intentionally inserted by dnsdist" to be distinguishable from those generated by recursive resolvers. Note that the last two EDEs are unassigned and reserved for private use, respectively. None of these subdomains are DNSSEC-signed.

ede-0EDE 0 (Other Error)
ede-1EDE 1 (Unsupported DNSKEY Algorithm)
ede-2EDE 2 (Unsupported DS Digest Type)
ede-3EDE 3 (Stale Answer)
ede-4EDE 4 (Forged Answer)
ede-5EDE 5 (DNSSEC Indeterminate)
ede-6EDE 6 (DNSSEC Bogus)
ede-7EDE 7 (Signature Expired)
ede-8EDE 8 (Signature Not Yet Valid)
ede-9EDE 9 (DNSKEY Missing)
ede-10EDE 10 (RRSIGs Missing)
ede-11EDE 11 (No Zone Key Bit Set)
ede-12EDE 12 (NSEC Missing)
ede-13EDE 13 (Cached Error)
ede-14EDE 14 (Not Ready)
ede-15EDE 15 (Blocked)
ede-16EDE 16 (Censored)
ede-17EDE 17 (Filtered)
ede-18EDE 18 (Prohibited)
ede-19EDE 19 (Stale NXDomain Answer)
ede-20EDE 20 (Not Authoritative)
ede-21EDE 21 (Not Supported)
ede-22EDE 22 (No Reachable Authority)
ede-23EDE 23 (Network Error)
ede-24EDE 24 (Invalid Data)
ede-25EDE 25 (Signature Expired before Valid)
ede-26EDE 26 (Too Early)
ede-27EDE 27 (Unsupported NSEC3 Iterations Value)
ede-28EDE 28 (Unable to conform to policy)
ede-29EDE 29 (Synthesized)
ede-30EDE 30 (Invalid Query Type)
ede-10000EDE 10000 is unassigned
ede-50000EDE 50000 is reserved for private use

Papers

Zeros Are Heroes: NSEC3 Parameter Settings in the Wild

Publication Date
Nov 4, 2024
.pdf

Extended DNS Errors: Unlocking the Full Potential of DNS Troubleshooting

Publication Date
Oct 24, 2023
.pdf

Contact

If you want to find out more about this project or have an interesting misconfiguration in mind, please contact me at yevheniya.nosyk@korlabs.io.