Can Bind report errors through EDE responses?

Danilo Godec danilo.godec at agenda.si
Thu Feb 20 08:28:13 UTC 2025


Hello,


I was testing / debugging some sub-zone delegation for a friend's domain 
(something about an email marketing service that wants their clients to 
delegate a subzone to their NSs) and couldn't quite see the issue - 
apart from my local resolver reporting 'SERVFAIL':

; <<>> DiG 9.18.33 <<>> ns send.dom24.si
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62197
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 58d59532ac7efb7b0100000067b6d70ac2a22d96114e96b0 (good)
;; QUESTION SECTION:
;send.dom24.si.                 IN      NS


I eventually figured out that the target NS servers that should host the 
delegated sub-zone refuse the query - probably they're not yet configured:

; <<>> DiG 9.18.33 <<>> ns send.dom24.si @ns1.klaviyo.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21094
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;send.dom24.si.                 IN      NS



But then I tried using Google's 8.8.8.8 and Cloudflare's 1.1.1.1 and 
they provide more info that I can see directly in dig's output:

; <<>> DiG 9.18.33 <<>> ns send.dom24.si @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33277
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 23 (Network Error): ([205.251.196.237] rcode=REFUSED for send.dom24.si/ns)
; EDE: 23 (Network Error): ([205.251.192.111] rcode=REFUSED for send.dom24.si/ns)
; EDE: 23 (Network Error): ([205.251.195.79] rcode=REFUSED for send.dom24.si/ns)
; EDE: 23 (Network Error): ([205.251.198.128] rcode=REFUSED for send.dom24.si/ns)
; EDE: 22 (No Reachable Authority): (At delegation send.dom24.si for send.dom24.si/ns)
;; QUESTION SECTION:
;send.dom24.si.                 IN      NS


; <<>> DiG 9.18.33 <<>> ns send.dom24.si @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (at delegation send.dom24.si.)
; EDE: 23 (Network Error): (205.251.198.128:53 rcode=REFUSED for send.dom24.si NS)
;; QUESTION SECTION:
;send.dom24.si.                 IN      NS


I thought that's neat and started digging (pun intended) in docs if Bind 
could be configured to provide something like that (ideally just for my 
'inside' view), but I couldn't find anything.


Is there a way to have Bind report such info through dig?


    Danilo

More information about the bind-users mailing list