---
title: RFC 8914 Extended DNS Errors testbed
---

This is a testbed, for testing propagation of [RFC8914 Extended DNS Errors][RFC8914] in the wild.

```
$ dig blocked.nx.ede.dn5.dk @1.1.1.1

; <<>> DiG 9.20.7-1-Debian <<>> blocked.nx.ede.dn5.dk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28690
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 15 (Blocked): (🚧 Blocked 🚧)
;; QUESTION SECTION:
;blocked.nx.ede.dn5.dk.         IN      A

;; Query time: 15 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sat Apr 19 16:34:11 UTC 2025
;; MSG SIZE  rcvd: 73
```

## What does `RFC 8914` say about propagation?

In `RFC 8914` [section 3 - Extended DNS Error Processing][RFC8914sec3]:

> [...]
>
> When a resolver or forwarder receives an EDE option, whether or not (and how) to pass along EDE information on to their original client is implementation dependent. Implementations MAY choose to not forward information, or they MAY choose to create a new EDE option(s) that conveys the information encoded in the received EDE. When doing so, the source of the error SHOULD be attributed in the EXTRA-TEXT field, since an EDNS0 option received by the original client will appear to have come from the resolver or forwarder sending it.
>
> [...]

We probably need to write an update, at least changing it so that
forwarders SHOULD propagate EDE's.

[draft-ietf-dnsop-structured-dns-error][] is currently working on
changing `EXTRA-TEXT` to a more formal format for a few EDEs,
currently this testbed uses `EXTRA-TEXT` for for static
human readable Unicode messages for each error.

## Adoption status

### Adoption in DNSSEC

The DNSSEC related EDE are probably the most widely deployed EDE's.
The EDE concept also originated from the needs of the DNSSEC working-group,
so it's not that surprising.

### Use with DNS filtering

While there are several EDE's defined for use with DNS filtering,
they are still lacking implementations, hence the need for this testbed.

[draft-ietf-dnsop-structured-dns-error][] is trying to formalize `EXTRA-TEXT` encoding.
Work is needed on integrating EDE's with [RPZ][Response Policy Zone], and ensuring that
DNS forwarders, like home routers, propagate EDE's to end-user applications.

#### STOP pages

Traditionally DNS filtering have often hijacked the filtered domain,
and sent visitors to a "STOP" page, served only over HTTP, sometimes
with a HTTP status code `451 Unavailable for legal reasons`.
As plain HTTP is being phased out, concepts like HSTS Preload and HTTPS-by-default and end-users following `https://` links, means that it is very
unlikely that end-users will actually see these STOP-pages.

Adopting the DNS filtering-related EDE's and formalising `EXTRA-TEXT`,
could lead to end-user applications, like web-browsers, having more
user-friendly error-messages, than simply `Connection refused`.

### Improvement projects

Last updated: 2025-04-18

This is an incomplete list of improvement projects:

* [Unbound: Add support for RPZ to reply with an EDE][unbound-1191]
* Ongoing, use [RIPE Atlas][] to map EDE propagation. (Initial findings: to be presented at RIPE90 DNS-WG)
* Find / file more bugs (TODO)

#### Completed

* [dnsdist: Add support for adding EDE codes with Lua][pdns-12572] (unfortunately, no support for `EXTRA-TEXT` yet)

## Testbed

This testbed was setup, to help with testing EDE propagation.

### Query format

The following queries are currently supported:

- `<label>.nx.ede.dn5.dk` - Responds with `NXDOMAIN`.
- `<label>.cname.ede.dn5.dk` - Responds with `NOERROR` and a `CNAME` record.
- `<label>.addr.ede.dn5.dk` - Responds with `NOERROR` and an `A`/`AAAA` record.

All of them responds with the EDE code assigned to the given `<label>`.

As an alternative, `<label>` can also be substituted with `<code>`, all currently valid values are listed in the following section.

#### Examples queries

* `dig blocked.nx.ede.dn5.dk @1.1.1.1` (the one shown at the top of the page)
* `dig prohibited.cname.ede.dn5.dk @1.1.1.1`
* `dig a filtered.addr.ede.dn5.dk @1.1.1.1`
* `dig aaaa censored.addr.ede.dn5.dk @1.1.1.1`
* `dig 25.nx.ede.dn5.dk @1.1.1.1`

`1.1.1.1` (aka. CloudFlare public DNS resolver) is used in these
examples because it is currently the only public resolver,
that propagates EDE's).

### List of supported error codes

These are the codes currently implemented in the testbed.

<table>
<thead>
<th>Code</th>
<th>Label</th>
<th>Purpose</th>
<th>Reference</th>
</thead>
<tbody>
<tr>
<td>0</td>
<td>other-error</td>
<td>Other Error</td>
<td>[RFC][RFC8914sec4.1]</td>
</tr>
<tr>
<td>1</td>
<td>unsupp-dnskey-algo</td>
<td>Unsupported DNSKEY Algorithm</td>
<td>[RFC][RFC8914sec4.2]</td>
</tr>
<tr>
<td>2</td>
<td>unsupp-ds-digest-type</td>
<td>Unsupported DS Digest Type</td>
<td>[RFC][RFC8914sec4.3]</td>
</tr>
<tr>
<td>3</td>
<td>stale</td>
<td>Stale Answer</td>
<td>[RFC][RFC8914sec4.4]</td>
</tr>
<tr>
<td>4</td>
<td>forged</td>
<td>Forged Answer</td>
<td>[RFC][RFC8914sec4.5]</td>
</tr>
<tr>
<td>5</td>
<td>dnssec-indeterminate</td>
<td>DNSSEC Indeterminate</td>
<td>[RFC][RFC8914sec4.6]</td>
</tr>
<tr>
<td>6</td>
<td>dnssec-bogus</td>
<td>DNSSEC Bogus</td>
<td>[RFC][RFC8914sec4.7]</td>
</tr>
<tr>
<td>7</td>
<td>sig-expired</td>
<td>Signature Expired</td>
<td>[RFC][RFC8914sec4.8]</td>
</tr>
<tr>
<td>8</td>
<td>sig-in-future</td>
<td>Signature Not Yet Valid</td>
<td>[RFC][RFC8914sec4.9]</td>
</tr>
<tr>
<td>9</td>
<td>dnskey-missing</td>
<td>DNSKEY Missing</td>
<td>[RFC][RFC8914sec4.10]</td>
</tr>
<tr>
<td>10</td>
<td>rrsig-missing</td>
<td>RRSIGs Missing</td>
<td>[RFC][RFC8914sec4.11]</td>
</tr>
<tr>
<td>11</td>
<td>no-zone-key-bit</td>
<td>No Zone Key Bit Set</td>
<td>[RFC][RFC8914sec4.12]</td>
</tr>
<tr>
<td>12</td>
<td>nsec-missing</td>
<td>NSEC Missing</td>
<td>[RFC][RFC8914sec4.13]</td>
</tr>
<tr>
<td>13</td>
<td>cached-error</td>
<td>Cached Error</td>
<td>[RFC][RFC8914sec4.14]</td>
</tr>
<tr>
<td>14</td>
<td>not-ready</td>
<td>Not Ready</td>
<td>[RFC][RFC8914sec4.15]</td>
</tr>
<tr>
<td>15</td>
<td>blocked</td>
<td>Blocked</td>
<td>[RFC][RFC8914sec4.16]</td>
</tr>
<tr>
<td>16</td>
<td>censored</td>
<td>Censored</td>
<td>[RFC][RFC8914sec4.17]</td>
</tr>
<tr>
<td>17</td>
<td>filtered</td>
<td>Filtered</td>
<td>[RFC][RFC8914sec4.18]</td>
</tr>
<tr>
<td>18</td>
<td>prohibited</td>
<td>Prohibited</td>
<td>[RFC][RFC8914sec4.19]</td>
</tr>
<tr>
<td>19</td>
<td>stale-nxdomain</td>
<td>Stale NXDomain Answer</td>
<td>[RFC][RFC8914sec4.20]</td>
</tr>
<tr>
<td>20</td>
<td>not-auth</td>
<td>Not Authoritative</td>
<td>[RFC][RFC8914sec4.21]</td>
</tr>
<tr>
<td>21</td>
<td>not-supp</td>
<td>Not Supported</td>
<td>[RFC][RFC8914sec4.22]</td>
</tr>
<tr>
<td>22</td>
<td>auth-ns-out-for-lunch</td>
<td>No Reachable Authority</td>
<td>[RFC][RFC8914sec4.23]</td>
</tr>
<tr>
<td>23</td>
<td>network-error</td>
<td>Network Error</td>
<td>[RFC][RFC8914sec4.24]</td>
</tr>
<tr>
<td>24</td>
<td>invalid-data</td>
<td>Invalid Data</td>
<td>[RFC][RFC8914sec4.25]</td>
</tr>
<tr>
<td>25</td>
<td>sig-reversed-time</td>
<td>Signature Expired before Valid</td>
<td>[unbound][unbound-604]</td>
</tr>
<tr>
<td>26</td>
<td>too-early</td>
<td>Too Early</td>
<td>[RFC][RFC9250]</td>
</tr>
<tr>
<td>27</td>
<td>unsupp-nsec3-iter</td>
<td>Unsupported NSEC3 Iterations Value</td>
<td>[RFC][RFC9276]</td>
</tr>
<tr>
<td>28</td>
<td>bad-proxy-policy</td>
<td>Unable to conform to policy</td>
<td>[I-D][draft-homburg-dnsop-codcp-01]</td>
</tr>
<tr>
<td>29</td>
<td>synthesized</td>
<td>Synthesized</td>
<td>[pdns][pdns-12334]</td>
</tr>
<tr>
<td>30</td>
<td>invalid-query-type</td>
<td>Invalid Query Type</td>
<td>[I-D][draft-ietf-dnsop-compact-denial-of-existence]</td>
</tr>
</tbody>
</table>

## Changelog

* **2025:**
  * April:
    * This page was put together.
    * [CannedDNS][] was extended to be able to serve as authoritative DNS server for this testbed.
  * March:
    * [CannedDNS][] was developed during [DNS Hackathon 2025][].
* **2023:**
  * May:
    * This testbed was [originally implemented][old-doc] at [DNS Hackathon 2023][], using a patched version of [dnsdist][].

## Credits

This testbed was put together by Asbjørn Sloth Tønnesen.

## See also

- [IANA EDE code registry][]
- [Response Policy Zone][]
- [git repo for this testbed][git-repo]

[RFC8914]:
https://datatracker.ietf.org/doc/html/rfc8914
"RFC 8914: Extended DNS Errors"

[RFC8914sec3]:
https://datatracker.ietf.org/doc/html/rfc8914#section-3
"RFC 8914: Extended DNS Errors, section 3 - Extended DNS Error Processing"

[RFC8914sec4.1]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.1
"RFC 8914: Extended DNS Errors, section 4.1 - Other"

[RFC8914sec4.2]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.2
"RFC 8914: Extended DNS Errors, section 4.2 - Unsupported DNSKEY Algorithm"

[RFC8914sec4.3]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.3
"RFC 8914: Extended DNS Errors, section 4.3 - Unsupported DS Digest Type"

[RFC8914sec4.4]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.4
"RFC 8914: Extended DNS Errors, section 4.4 - Stale Answer"

[RFC8914sec4.5]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.5
"RFC 8914: Extended DNS Errors, section 4.5 - Forged Answer"

[RFC8914sec4.6]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.6
"RFC 8914: Extended DNS Errors, section 4.6 - DNSSEC Indeterminate"

[RFC8914sec4.7]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.7
"RFC 8914: Extended DNS Errors, section 4.7 - DNSSEC Bogus"

[RFC8914sec4.8]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.8
"RFC 8914: Extended DNS Errors, section 4.8 - Signature Expired"

[RFC8914sec4.9]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.9
"RFC 8914: Extended DNS Errors, section 4.9 - Signature Not Yet Valid"

[RFC8914sec4.10]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.10
"RFC 8914: Extended DNS Errors, section 4.10 - DNSKEY Missing"

[RFC8914sec4.11]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.11
"RFC 8914: Extended DNS Errors, section 4.11 - RRSIGs Missing"

[RFC8914sec4.12]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.12
"RFC 8914: Extended DNS Errors, section 4.12 - No Zone Key Bit Set"

[RFC8914sec4.13]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.13
"RFC 8914: Extended DNS Errors, section 4.13 - NSEC Missing"

[RFC8914sec4.14]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.14
"RFC 8914: Extended DNS Errors, section 4.14 - Cached Error"

[RFC8914sec4.15]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.15
"RFC 8914: Extended DNS Errors, section 4.15 - Not Ready"

[RFC8914sec4.16]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.16
"RFC 8914: Extended DNS Errors, section 4.16 - Blocked"

[RFC8914sec4.17]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.17
"RFC 8914: Extended DNS Errors, section 4.17 - Censored"

[RFC8914sec4.18]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.18
"RFC 8914: Extended DNS Errors, section 4.18 - Filtered"

[RFC8914sec4.19]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.19
"RFC 8914: Extended DNS Errors, section 4.19 - Prohibited"

[RFC8914sec4.20]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.20
"RFC 8914: Extended DNS Errors, section 4.20 - Stale NXDOMAIN Answer"

[RFC8914sec4.21]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.21
"RFC 8914: Extended DNS Errors, section 4.21 - Not Authoritative"

[RFC8914sec4.22]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.22
"RFC 8914: Extended DNS Errors, section 4.22 - Not Supported"

[RFC8914sec4.23]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.23
"RFC 8914: Extended DNS Errors, section 4.23 - No Reachable Authority"

[RFC8914sec4.24]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.24
"RFC 8914: Extended DNS Errors, section 4.24 - Network Error"

[RFC8914sec4.25]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.25
"RFC 8914: Extended DNS Errors, section 4.25 - Invalid Data"

[unbound-604]:
https://github.com/NLnetLabs/unbound/pull/604#discussion_r802678343
"unbound#604: Add the basic EDE (RFC8914) cases"

[unbound-1191]:
https://github.com/NLnetLabs/unbound/issues/1191
"unbound#1191: [FR] RFC8914 EDE Extended DNS Errors for RPZ"

[RFC9250]:
https://www.rfc-editor.org/rfc/rfc9250.html
"RFC 9250: DNS over Dedicated QUIC Connections"

[RFC9276]:
https://www.rfc-editor.org/rfc/rfc9276.html
"RFC 9276: Guidance for NSEC3 Parameter Settings"

[draft-homburg-dnsop-codcp-01]:
https://datatracker.ietf.org/doc/draft-homburg-dnsop-codcp/
"I-D: Control Options For DNS Client Proxies"

[pdns-12334]:
https://github.com/PowerDNS/pdns/pull/12334
"pdns#12334: rec: Generate EDE in more cases, specifically on unreachable auths or sythesized results."

[pdns-12572]:
https://github.com/PowerDNS/pdns/issues/12572
"pdns#12572: dnsdist: Having the ability to add EDNS Extended Errors to responses"

[draft-ietf-dnsop-compact-denial-of-existence]:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/07/
"I-D: Compact Denial of Existence in DNSSEC"

[IANA EDE code registry]:
https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#extended-dns-error-codes

[DNS Hackathon 2023]:
https://labs.ripe.net/author/becha/connected-to-port-53-a-report-from-the-dns-hackathon-2023/
"DNS Hackathon 2023 - Rotterdam"

[DNS Hackathon 2025]:
https://github.com/DNS-Hackathon
"DNS Hackathon 2025 - Stockholm"

[old-doc]:
https://github.com/DNS-Hackathon-2023/DApper/blob/main/EDE-testbed.md
"Original documentation from the DApper project"

[CannedDNS]:
https://gitlab.com/canneddns/canneddns
"CannedDNS"

[dnsdist]:
https://www.dnsdist.org/
"dnsdist"

[Response Policy Zone]:
https://en.wikipedia.org/wiki/Response_policy_zone
"Wikipedia - Response Policy Zone"

[RIPE Atlas]:
https://atlas.ripe.net/
"RIPE Atlas"

[git-repo]:
https://git.2e8.dk/dn5/ede/
"git repo for this testbed"

[draft-ietf-dnsop-structured-dns-error]:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
"I-D: Structured Error Data for Filtered DNS"