DNS response codes have traditionally been used to confirm successful resolutions or signal anomalies. However, they are of little help in pinpointing the root causes behind failures. RFC 8914 addressed the problem by introducing the Extended DNS Errors mechanism, which defines a new registry of extended error codes that can be returned along with regular response codes.
This domain name (extended-dns-errors.com) has 63 subdomains with various misconfigurations or corner cases. Feel free to query those to check how your recursive resolver behaves when faced with erroneous domains. All the configuration instructions are provided here:
Subdomain | Configuration |
---|---|
valid | The correctly configured control domain |
unsigned | The domain name is not signed with DNSSEC |
allow-query-none | Nameserver does not accept queries for the subdomain |
allow-query-localhost | Nameserver only accepts queries from the localhost |
no-ds | The subdomain is correctly signed but no DS record was published at the parent zone |
ds-bad-tag | The key tag field of the DS record at the parent zone does not correspond to the KSK DNSKEY ID at the child zone |
ds-bad-key-algo | The algorithm field of the DS record at the parent zone does not correspond to the KSK DNSKEY algorithm at the child zone |
ds-unassigned-key-algo | The algorithm value of the DS record at the parent zone is unassigned (100) |
ds-reserved-key-algo | The algorithm value of the DS record at the parent zone is reserved (200) |
ds-unassigned-digest-algo | The digest algorithm value of the DS record at the parent zone is unassigned (100) |
ds-bogus-digest-value | The digest value of the DS record at the parent zone does not correspond to the KSK DNSKEY at the child zone |
rrsig-exp-all | All the RRSIG records are expired |
rrsig-exp-a | The RRSIG over A RRset is expired |
rrsig-not-yet-all | All the RRSIG records are not yet valid |
rrsig-not-yet-a | The RRSIG over A RRset is not yet valid |
rrsig-exp-before-all | All the RRSIGs expired before the inception time |
rrsig-exp-before-a | The RRSIG over A RRset expired before the inception time |
rrsig-no-all | All the RRSIGs were removed from the zone file |
rrsig-no-a | The RRSIG over A RRset was removed from the zone file |
no-rrsig-ksk | The RRSIG over KSK DNSKEY was removed from the zone file |
no-rrsig-dnskey | All the RRSIGs over DNSKEY RRsets were removed from the zone file |
bad-nsec3-hash | Hashed owner names were modified in all the NSEC3 records |
bad-nsec3-next | Next hashed owner names were modified in all the NSEC3 records |
bad-nsec3param-salt | The salt value of the NSEC3PARAM resource record is wrong |
bad-nsec3-rrsig | RRSIGs over NSEC3 RRsets are bogus |
nsec3-missing | All the NSEC3 records were removed from the zone file |
nsec3-rrsig-missing | RRSIGs over NSEC3 RRsets were removed from the zone file |
nsec3param-missing | The NSEC3PARAM resource record was removed from the zone file |
no-nsec3param-nsec3 | NSEC3 and NSEC3PARAM resource records were removed from the zone file |
no-zsk | The ZSK DNSKEY was removed from the zone file |
bad-zsk | The ZSK DNSKEY resource record is wrong |
no-ksk | The KSK DNSKEY was removed from the zone file |
bad-rrsig-ksk | The RRSIG over KSK DNSKEY is wrong |
bad-ksk | The KSK DNSKEY is wrong |
bad-rrsig-dnskey | All the RRSIGs over DNSKEY RRsets are wrong |
no-dnskey-256 | The Zone Key Bit is set to 0 for the ZSK DNSKEY |
no-dnskey-257 | The Zone Key Bit is set to 0 for the KSK DNSKEY |
no-dnskey-256-257 | The Zone Key Bit is set to 0 for both the KSK DNSKEY and ZSK DNSKEY |
bad-zsk-algo | The ZSK DNSKEY algorithm number is wrong |
unassigned-zsk-algo | The ZSK DNSKEY algorithm number is unassigned (100) |
reserved-zsk-algo | The ZSK DNSKEY algorithm number is reserved (200) |
ed448 | The zone is signed with the ED448 algorithm |
v6-mapped | The AAAA glue record at the parent zone is an IPv6-mapped IPv4 address |
v6-unspecified | The AAAA glue record at the parent zone is an unspecified address |
v4-hex | The AAAA glue record at the parent zone is an IPv4 address in hex form |
v6-link-local | The AAAA glue record at the parent zone is a link-local address |
v6-localhost | The AAAA glue record at the parent zone is a localhost address |
v6-mapped-dep | The AAAA glue record at the parent zone is a deprecated IPv6-mapped IPv4 address |
v6-doc | The AAAA glue record at the parent zone is from the documentation range |
v6-unique-local | The AAAA glue record at the parent zone is a unique local address |
v6-nat64 | The AAAA glue record at the parent zone is used for NAT64 |
v6-multicast | The AAAA glue record at the parent zone is from a multicast range |
v4-private-10 | The A glue record at the parent zone is a private address |
v4-private-172 | The A glue record at the parent zone is a private address |
v4-private-192 | The A glue record at the parent zone is a private address |
v4-this-host | The A glue record at the parent zone is 0.0.0.0 |
v4-loopback | The A glue record at the parent zone is a loopback address |
v4-link-local | The A glue record at the parent zone is a link-local address |
v4-doc | The A glue record at the parent zone is a documentation address |
v4-reserved | The A glue record at the parent zone is a reserved address |
dsa | The zone is signed with the DSA algorithm |
nsec3-iter-200 | NSEC3 iteration count is set to 200 |
rsamd5 | The zone is signed with the RSAMD5 algorithm |
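
One way to check what your resolver reports for these subdomains, as an added example (not code from this project): it builds a query with an EDNS0 OPT record and extracts every Extended DNS Error option (option code 15 in RFC 8914: a 2-byte INFO-CODE followed by optional EXTRA-TEXT) from the reply. The function names, the resolver address you pass to `query`, and the sample reply are assumptions made for illustration; the sample is constructed, not captured from a real resolver.

```python
import socket
import struct

EDE_OPTION, OPT_RRTYPE = 15, 41  # EDNS0 option code for EDE (RFC 8914); OPT RR type

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT RR: UDP size 1232, DO bit (0x8000) set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 1232, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, pos):  # offset just past a (possibly compressed) domain name
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:  # a compression pointer ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_ede(msg):
    """Return (rcode, [(info_code, extra_text), ...]) from a raw DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, errors = 12, []
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos, i = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen, 0
        while rrtype == OPT_RRTYPE and i + 4 <= len(rdata):
            code, optlen = struct.unpack("!HH", rdata[i:i + 4])
            body, i = rdata[i + 4:i + 4 + optlen], i + 4 + optlen
            if code == EDE_OPTION and len(body) >= 2:  # INFO-CODE, then EXTRA-TEXT
                info = int.from_bytes(body[:2], "big")
                errors.append((info, body[2:].decode("utf-8", "replace")))
    return flags & 0x000F, errors  # RCODE from the header (low 4 bits)

def query(name, resolver, timeout=3.0):  # resolver: IPv4 address you supply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_ede(s.recv(4096))

def sample_response():  # constructed SERVFAIL reply with EDE 7; not captured traffic
    q = build_query("rrsig-exp-all.extended-dns-errors.com")
    ede = struct.pack("!HHH", EDE_OPTION, 9, 7) + b"expired"  # option length 9 = 2 + 7
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 1232, 0x8000, len(ede)) + ede
    return q[:2] + struct.pack("!H", 0x8182) + q[4:-11] + opt
```

INFO-CODE 7 is "Signature Expired" in the RFC 8914 registry. An empty list from `parse_ede` means the resolver attached no extended error to that reply.
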
If you want to find out more about this project, contact us at yevheniya.nosyk@univ-grenoble-alpes.fr.