Can Bind report errors through EDE responses?

Emmanuel Fusté manu.fuste at gmail.com
Thu Feb 20 14:44:52 UTC 2025


Hello,

Functional EDE 22 is available in Bind 9.20.6.
The RFC says:
4.23. Extended DNS Error Code 22 - No Reachable Authority
The resolver could not reach any of the authoritative name servers (or 
they potentially refused to reply)

Bind does not map an rcode REFUSED to EDE 22, so in your case I don't 
think it will help, as the problem is that the target servers refused to 
reply with the expected data (but they replied). Certainly because they 
are not authoritative.
As they do not implement EDE (would be EDE 21), the resolver is "alone" to 
map the reason of the rcode=REFUSED to any EDE.
I personally think that the reported EDE 23 and 22 are wrong or at least 
misleading:
- The "unrecoverable error" is not network oriented; the servers' 
responses are perfectly valid with no "unrecoverable error occurred while 
communicating" with them.
- The designated authorities are reachable and do not refuse to reply 
to the request even if they do not give us the expected answer (a protocol 
level "REFUSED", not a communication level "REFUSED"/ no reply).
But they give you a hint in the comments about the real reason of the 
failure: they are certainly not authoritative, but it is only a hypothesis.

Emmanuel.


On 20/02/2025 at 09:28, Danilo Godec via bind-users wrote:
>
> Hello,
>
>
> I was testing / debugging some sub-zone delegation for a friend's 
> domain (something about email marketing service that wants their 
> clients to delegate a subzone to their NSs) and couldn't quite see the 
> issue - apart from my local resolver reporting 'SERVFAIL':
>
> ; <<>> DiG 9.18.33 <<>> ns send.dom24.si
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62197
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 58d59532ac7efb7b0100000067b6d70ac2a22d96114e96b0 (good)
> ;; QUESTION SECTION:
> ;send.dom24.si.                 IN      NS
>
>
> I eventually figured out that the target NS servers that should host 
> the delegated sub-zone, refuse the query - probably they're not yet 
> configured:
>
> ; <<>> DiG 9.18.33 <<>> ns send.dom24.si @ns1.klaviyo.com.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21094
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> ;; QUESTION SECTION:
> ;send.dom24.si.                 IN      NS
>
>
>
> But then I tried using Google's 8.8.8.8 and Cloudflare's 1.1.1.1 and 
> they provide more info that I can see directly in dig's output:
>
> ; <<>> DiG 9.18.33 <<>> ns send.dom24.si @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33277
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ; EDE: 23 (Network Error): ([205.251.196.237] rcode=REFUSED for send.dom24.si/ns)
> ; EDE: 23 (Network Error): ([205.251.192.111] rcode=REFUSED for send.dom24.si/ns)
> ; EDE: 23 (Network Error): ([205.251.195.79] rcode=REFUSED for send.dom24.si/ns)
> ; EDE: 23 (Network Error): ([205.251.198.128] rcode=REFUSED for send.dom24.si/ns)
> ; EDE: 22 (No Reachable Authority): (At delegation send.dom24.si for send.dom24.si/ns)
> ;; QUESTION SECTION:
> ;send.dom24.si.                 IN      NS
>
>
> ; <<>> DiG 9.18.33 <<>> ns send.dom24.si @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18432
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; EDE: 22 (No Reachable Authority): (at delegation send.dom24.si.)
> ; EDE: 23 (Network Error): (205.251.198.128:53 rcode=REFUSED for send.dom24.si NS)
> ;; QUESTION SECTION:
> ;send.dom24.si.                 IN      NS
>
>
> I thought that's neat and started digging (pun intended) in docs if 
> Bind could be configured to provide something like that (ideally just 
> for my 'inside' view), but I couldn't find anything.
>
>
> Is there a way to have Bind report such info through dig?
>
>
>    Danilo
>
>
>
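
The EDE lines that dig prints in the responses quoted above travel as EDNS option 15 inside the OPT record (RFC 8914): a 16-bit INFO-CODE followed by UTF-8 EXTRA-TEXT. The following Python parser is an added example, not part of either message and not BIND or dig code; the sample RDATA bytes are constructed here from the text of the 1.1.1.1 response, and the function names are hypothetical.

```python
import struct

EDE_OPTION_CODE = 15  # EDNS0 option code for Extended DNS Errors (RFC 8914)
# Names of the two info-codes discussed in this thread.
EDE_NAMES = {22: "No Reachable Authority", 23: "Network Error"}


def encode_ede(info_code, extra_text=""):
    """Build one EDE option: option code, length, INFO-CODE, EXTRA-TEXT."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data


def parse_ede(opt_rdata):
    """Return [(info_code, name, extra_text)] for each EDE option in OPT RDATA.

    Raises ValueError on truncated input, since these bytes come off the wire.
    """
    found, pos = [], 0
    while pos < len(opt_rdata):
        if len(opt_rdata) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        if length > len(opt_rdata) - pos:
            raise ValueError("option length exceeds RDATA")
        data = opt_rdata[pos:pos + length]
        pos += length
        if code != EDE_OPTION_CODE:
            continue  # e.g. COOKIE (option 10) is not an error report
        if length < 2:
            raise ValueError("EDE option shorter than INFO-CODE")
        (info,) = struct.unpack_from("!H", data)
        text = data[2:].decode("utf-8", errors="replace")
        found.append((info, EDE_NAMES.get(info, "not in table"), text))
    return found


# Constructed sample: an 8-byte COOKIE option, then the two EDE entries
# shown in the quoted 1.1.1.1 response.
SAMPLE_RDATA = (
    struct.pack("!HH", 10, 8) + bytes(8)
    + encode_ede(22, "at delegation send.dom24.si.")
    + encode_ede(23, "205.251.198.128:53 rcode=REFUSED for send.dom24.si NS")
)

if __name__ == "__main__":
    for info, name, text in parse_ede(SAMPLE_RDATA):
        print(f"; EDE: {info} ({name}): ({text})")
```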


