---
title: RFC 8914 Extended DNS Errors testbed
---
This is a testbed for checking how [RFC8914 Extended DNS Errors][RFC8914] propagate in the wild: whether an EDE option attached to a response by an authoritative server survives the path through resolvers and forwarders to the end client.
```
$ dig blocked.nx.ede.dn5.dk @1.1.1.1
; <<>> DiG 9.20.7-1-Debian <<>> blocked.nx.ede.dn5.dk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28690
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 15 (Blocked): (🚧 Blocked 🚧)
;; QUESTION SECTION:
;blocked.nx.ede.dn5.dk. IN A
;; Query time: 15 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sat Apr 19 16:34:11 UTC 2025
;; MSG SIZE rcvd: 73
```
## What does `RFC 8914` say about propagation?
In `RFC 8914` [section 3 - Extended DNS Error Processing][RFC8914sec3]:
> [...]
>
> When a resolver or forwarder receives an EDE option, whether or not (and how) to pass along EDE information on to their original client is implementation dependent. Implementations MAY choose to not forward information, or they MAY choose to create a new EDE option(s) that conveys the information encoded in the received EDE. When doing so, the source of the error SHOULD be attributed in the EXTRA-TEXT field, since an EDNS0 option received by the original client will appear to have come from the resolver or forwarder sending it.
>
> [...]
We probably need to write an update, at least changing it so that
forwarders SHOULD propagate EDEs.
[draft-ietf-dnsop-structured-dns-error][] is currently working on
changing `EXTRA-TEXT` to a more formal format for a few EDEs.
Currently this testbed uses `EXTRA-TEXT` for static,
human-readable Unicode messages for each error.
## Adoption status
### Adoption in DNSSEC
The DNSSEC-related EDEs are probably the most widely deployed EDEs.
The EDE concept also originated from the needs of the DNSSEC working group,
so that is not surprising.
### Use with DNS filtering
While several EDEs are defined for use with DNS filtering,
they still lack implementations, hence the need for this testbed.
[draft-ietf-dnsop-structured-dns-error][] is trying to formalize the `EXTRA-TEXT` encoding.
Work is needed on integrating EDEs with [RPZ][Response Policy Zone], and on ensuring that
DNS forwarders, like home routers, propagate EDEs to end-user applications.
#### STOP pages
Traditionally, DNS filtering has often hijacked the filtered domain
and sent visitors to a "STOP" page, served only over HTTP, sometimes
with an HTTP status code `451 Unavailable for legal reasons`.
As plain HTTP is being phased out (HSTS preload, HTTPS-by-default, and end-users following `https://` links), it is very
unlikely that end-users will actually see these STOP pages: the server behind the hijacked name cannot present a valid certificate for it, so the TLS connection fails before any page is shown.
Adopting the DNS filtering-related EDEs and formalising `EXTRA-TEXT`
could lead to end-user applications, like web browsers, showing more
user-friendly error messages than simply `Connection refused`.
### Improvement projects
Last updated: 2025-04-18
This is an incomplete list of improvement projects:
* [Unbound: Add support for RPZ to reply with an EDE][unbound-1191]
* Ongoing, use [RIPE Atlas][] to map EDE propagation. (Initial findings: to be presented at RIPE90 DNS-WG)
* Find / file more bugs (TODO)
#### Completed
* [dnsdist: Add support for adding EDE codes with Lua][pdns-12572] (unfortunately, no support for `EXTRA-TEXT` yet)
## Testbed
This testbed was set up to help with testing EDE propagation.
### Query format
The following queries are currently supported:
- `<label>.nx.ede.dn5.dk` - Responds with `NXDOMAIN`.
- `<label>.cname.ede.dn5.dk` - Responds with `NOERROR` and a `CNAME` record.
- `<label>.addr.ede.dn5.dk` - Responds with `NOERROR` and an `A`/`AAAA` record.
All of them respond with the EDE code assigned to the given `<label>`.
As an alternative, `<label>` can also be substituted with the numeric `<code>`; all currently valid values are listed in the following section.
#### Example queries
* `dig blocked.nx.ede.dn5.dk @1.1.1.1` (the one shown at the top of the page)
* `dig prohibited.cname.ede.dn5.dk @1.1.1.1`
* `dig a filtered.addr.ede.dn5.dk @1.1.1.1`
* `dig aaaa censored.addr.ede.dn5.dk @1.1.1.1`
* `dig 25.nx.ede.dn5.dk @1.1.1.1`
`1.1.1.1` (Cloudflare's public DNS resolver) is used in these
examples because it is currently the only public resolver
that propagates EDEs.
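To check a captured reply for propagated EDE options, the following added example (not part of the testbed or its CannedDNS server) decodes the OPT pseudo-RR of a raw DNS response using only the Python standard library. The packet it parses is constructed inline to mirror the `dig` output at the top of the page, and the label mapping is a hand-picked subset of the testbed's labels.

```python
import struct

EDE_OPTION_CODE = 15        # EDNS option code for Extended DNS Errors (RFC 8914)
EDE_LABELS = {0: "other-error", 3: "stale", 15: "blocked", 16: "censored", 17: "filtered", 18: "prohibited"}  # subset of the testbed's labels

def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:            # compression pointer ends the name
            return off + 2
        off += 1 + ln

def parse_ede(packet):
    """Return [(info_code, label, extra_text)] for every EDE option in the OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4       # skip QTYPE and QCLASS
    edes = []
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype != 41:                          # only the OPT pseudo-RR carries EDNS options
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            ocode, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if ocode == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack("!H", body[:2])[0]
                text = body[2:].decode("utf-8", errors="replace")   # EXTRA-TEXT is UTF-8
                edes.append((info, EDE_LABELS.get(info, "unknown"), text))
    return edes

def build_sample_response():
    """Constructed NXDOMAIN reply carrying EDE 15, laid out like the dig output above."""
    header = struct.pack("!HHHHHH", 28690, 0x8183, 1, 0, 0, 1)      # flags qr rd ra, rcode NXDOMAIN
    labels = b"".join(bytes([len(l)]) + l.encode() for l in "blocked.nx.ede.dn5.dk".split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    text = "🚧 Blocked 🚧".encode("utf-8")
    ede = struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), 15) + text
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(ede)) + ede  # root name, OPT, udp 1232
    return header + question + opt
```

Feed `parse_ede()` the bytes of a reply captured from any resolver or forwarder to see whether the EDE set by the testbed survived the path; an empty list means it was dropped.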
### List of supported error codes
These are the codes currently implemented in the testbed.
<table>
<thead>
<tr>
<th>Code</th>
<th>Label</th>
<th>Purpose</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>other-error</td>
<td>Other Error</td>
<td>[RFC][RFC8914sec4.1]</td>
</tr>
<tr>
<td>1</td>
<td>unsupp-dnskey-algo</td>
<td>Unsupported DNSKEY Algorithm</td>
<td>[RFC][RFC8914sec4.2]</td>
</tr>
<tr>
<td>2</td>
<td>unsupp-ds-digest-type</td>
<td>Unsupported DS Digest Type</td>
<td>[RFC][RFC8914sec4.3]</td>
</tr>
<tr>
<td>3</td>
<td>stale</td>
<td>Stale Answer</td>
<td>[RFC][RFC8914sec4.4]</td>
</tr>
<tr>
<td>4</td>
<td>forged</td>
<td>Forged Answer</td>
<td>[RFC][RFC8914sec4.5]</td>
</tr>
<tr>
<td>5</td>
<td>dnssec-indeterminate</td>
<td>DNSSEC Indeterminate</td>
<td>[RFC][RFC8914sec4.6]</td>
</tr>
<tr>
<td>6</td>
<td>dnssec-bogus</td>
<td>DNSSEC Bogus</td>
<td>[RFC][RFC8914sec4.7]</td>
</tr>
<tr>
<td>7</td>
<td>sig-expired</td>
<td>Signature Expired</td>
<td>[RFC][RFC8914sec4.8]</td>
</tr>
<tr>
<td>8</td>
<td>sig-in-future</td>
<td>Signature Not Yet Valid</td>
<td>[RFC][RFC8914sec4.9]</td>
</tr>
<tr>
<td>9</td>
<td>dnskey-missing</td>
<td>DNSKEY Missing</td>
<td>[RFC][RFC8914sec4.10]</td>
</tr>
<tr>
<td>10</td>
<td>rrsig-missing</td>
<td>RRSIGs Missing</td>
<td>[RFC][RFC8914sec4.11]</td>
</tr>
<tr>
<td>11</td>
<td>no-zone-key-bit</td>
<td>No Zone Key Bit Set</td>
<td>[RFC][RFC8914sec4.12]</td>
</tr>
<tr>
<td>12</td>
<td>nsec-missing</td>
<td>NSEC Missing</td>
<td>[RFC][RFC8914sec4.13]</td>
</tr>
<tr>
<td>13</td>
<td>cached-error</td>
<td>Cached Error</td>
<td>[RFC][RFC8914sec4.14]</td>
</tr>
<tr>
<td>14</td>
<td>not-ready</td>
<td>Not Ready</td>
<td>[RFC][RFC8914sec4.15]</td>
</tr>
<tr>
<td>15</td>
<td>blocked</td>
<td>Blocked</td>
<td>[RFC][RFC8914sec4.16]</td>
</tr>
<tr>
<td>16</td>
<td>censored</td>
<td>Censored</td>
<td>[RFC][RFC8914sec4.17]</td>
</tr>
<tr>
<td>17</td>
<td>filtered</td>
<td>Filtered</td>
<td>[RFC][RFC8914sec4.18]</td>
</tr>
<tr>
<td>18</td>
<td>prohibited</td>
<td>Prohibited</td>
<td>[RFC][RFC8914sec4.19]</td>
</tr>
<tr>
<td>19</td>
<td>stale-nxdomain</td>
<td>Stale NXDomain Answer</td>
<td>[RFC][RFC8914sec4.20]</td>
</tr>
<tr>
<td>20</td>
<td>not-auth</td>
<td>Not Authoritative</td>
<td>[RFC][RFC8914sec4.21]</td>
</tr>
<tr>
<td>21</td>
<td>not-supp</td>
<td>Not Supported</td>
<td>[RFC][RFC8914sec4.22]</td>
</tr>
<tr>
<td>22</td>
<td>auth-ns-out-for-lunch</td>
<td>No Reachable Authority</td>
<td>[RFC][RFC8914sec4.23]</td>
</tr>
<tr>
<td>23</td>
<td>network-error</td>
<td>Network Error</td>
<td>[RFC][RFC8914sec4.24]</td>
</tr>
<tr>
<td>24</td>
<td>invalid-data</td>
<td>Invalid Data</td>
<td>[RFC][RFC8914sec4.25]</td>
</tr>
<tr>
<td>25</td>
<td>sig-reversed-time</td>
<td>Signature Expired before Valid</td>
<td>[unbound][unbound-604]</td>
</tr>
<tr>
<td>26</td>
<td>too-early</td>
<td>Too Early</td>
<td>[RFC][RFC9250]</td>
</tr>
<tr>
<td>27</td>
<td>unsupp-nsec3-iter</td>
<td>Unsupported NSEC3 Iterations Value</td>
<td>[RFC][RFC9276]</td>
</tr>
<tr>
<td>28</td>
<td>bad-proxy-policy</td>
<td>Unable to conform to policy</td>
<td>[I-D][draft-homburg-dnsop-codcp-01]</td>
</tr>
<tr>
<td>29</td>
<td>synthesized</td>
<td>Synthesized</td>
<td>[pdns][pdns-12334]</td>
</tr>
<tr>
<td>30</td>
<td>invalid-query-type</td>
<td>Invalid Query Type</td>
<td>[I-D][draft-ietf-dnsop-compact-denial-of-existence]</td>
</tr>
</tbody>
</table>
## Changelog
* **2025:**
  * April:
    * This page was put together.
    * [CannedDNS][] was extended to be able to serve as authoritative DNS server for this testbed.
  * March:
    * [CannedDNS][] was developed during [DNS Hackathon 2025][].
* **2023:**
  * May:
    * This testbed was [originally implemented][old-doc] at [DNS Hackathon 2023][], using a patched version of [dnsdist][].
## Credits
This testbed was put together by Asbjørn Sloth Tønnesen.
## See also
- [IANA EDE code registry][]
- [Response Policy Zone][]
- [git repo for this testbed][git-repo]
[RFC8914]:
https://datatracker.ietf.org/doc/html/rfc8914
"RFC 8914: Extended DNS Errors"
[RFC8914sec3]:
https://datatracker.ietf.org/doc/html/rfc8914#section-3
"RFC 8914: Extended DNS Errors, section 3 - Extended DNS Error Processing"
[RFC8914sec4.1]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.1
"RFC 8914: Extended DNS Errors, section 4.1 - Other"
[RFC8914sec4.2]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.2
"RFC 8914: Extended DNS Errors, section 4.2 - Unsupported DNSKEY Algorithm"
[RFC8914sec4.3]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.3
"RFC 8914: Extended DNS Errors, section 4.3 - Unsupported DS Digest Type"
[RFC8914sec4.4]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.4
"RFC 8914: Extended DNS Errors, section 4.4 - Stale Answer"
[RFC8914sec4.5]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.5
"RFC 8914: Extended DNS Errors, section 4.5 - Forged Answer"
[RFC8914sec4.6]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.6
"RFC 8914: Extended DNS Errors, section 4.6 - DNSSEC Indeterminate"
[RFC8914sec4.7]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.7
"RFC 8914: Extended DNS Errors, section 4.7 - DNSSEC Bogus"
[RFC8914sec4.8]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.8
"RFC 8914: Extended DNS Errors, section 4.8 - Signature Expired"
[RFC8914sec4.9]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.9
"RFC 8914: Extended DNS Errors, section 4.9 - Signature Not Yet Valid"
[RFC8914sec4.10]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.10
"RFC 8914: Extended DNS Errors, section 4.10 - DNSKEY Missing"
[RFC8914sec4.11]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.11
"RFC 8914: Extended DNS Errors, section 4.11 - RRSIGs Missing"
[RFC8914sec4.12]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.12
"RFC 8914: Extended DNS Errors, section 4.12 - No Zone Key Bit Set"
[RFC8914sec4.13]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.13
"RFC 8914: Extended DNS Errors, section 4.13 - NSEC Missing"
[RFC8914sec4.14]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.14
"RFC 8914: Extended DNS Errors, section 4.14 - Cached Error"
[RFC8914sec4.15]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.15
"RFC 8914: Extended DNS Errors, section 4.15 - Not Ready"
[RFC8914sec4.16]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.16
"RFC 8914: Extended DNS Errors, section 4.16 - Blocked"
[RFC8914sec4.17]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.17
"RFC 8914: Extended DNS Errors, section 4.17 - Censored"
[RFC8914sec4.18]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.18
"RFC 8914: Extended DNS Errors, section 4.18 - Filtered"
[RFC8914sec4.19]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.19
"RFC 8914: Extended DNS Errors, section 4.19 - Prohibited"
[RFC8914sec4.20]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.20
"RFC 8914: Extended DNS Errors, section 4.20 - Stale NXDOMAIN Answer"
[RFC8914sec4.21]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.21
"RFC 8914: Extended DNS Errors, section 4.21 - Not Authoritative"
[RFC8914sec4.22]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.22
"RFC 8914: Extended DNS Errors, section 4.22 - Not Supported"
[RFC8914sec4.23]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.23
"RFC 8914: Extended DNS Errors, section 4.23 - No Reachable Authority"
[RFC8914sec4.24]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.24
"RFC 8914: Extended DNS Errors, section 4.24 - Network Error"
[RFC8914sec4.25]:
https://datatracker.ietf.org/doc/html/rfc8914#section-4.25
"RFC 8914: Extended DNS Errors, section 4.25 - Invalid Data"
[unbound-604]:
https://github.com/NLnetLabs/unbound/pull/604#discussion_r802678343
"unbound#604: Add the basic EDE (RFC8914) cases"
[unbound-1191]:
https://github.com/NLnetLabs/unbound/issues/1191
"unbound#1191: [FR] RFC8914 EDE Extended DNS Errors for RPZ"
[RFC9250]:
https://www.rfc-editor.org/rfc/rfc9250.html
"RFC 9250: DNS over Dedicated QUIC Connections"
[RFC9276]:
https://www.rfc-editor.org/rfc/rfc9276.html
"RFC 9276: Guidance for NSEC3 Parameter Settings"
[draft-homburg-dnsop-codcp-01]:
https://datatracker.ietf.org/doc/draft-homburg-dnsop-codcp/
"I-D: Control Options For DNS Client Proxies"
[pdns-12334]:
https://github.com/PowerDNS/pdns/pull/12334
"pdns#12334: rec: Generate EDE in more cases, specifically on unreachable auths or sythesized results."
[pdns-12572]:
https://github.com/PowerDNS/pdns/issues/12572
"pdns#12572: dnsdist: Having the ability to add EDNS Extended Errors to responses"
[draft-ietf-dnsop-compact-denial-of-existence]:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/07/
"I-D: Compact Denial of Existence in DNSSEC"
[IANA EDE code registry]:
https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#extended-dns-error-codes
[DNS Hackathon 2023]:
https://labs.ripe.net/author/becha/connected-to-port-53-a-report-from-the-dns-hackathon-2023/
"DNS Hackathon 2023 - Rotterdam"
[DNS Hackathon 2025]:
https://github.com/DNS-Hackathon
"DNS Hackathon 2025 - Stockholm"
[old-doc]:
https://github.com/DNS-Hackathon-2023/DApper/blob/main/EDE-testbed.md
"Original documentation from the DApper project"
[CannedDNS]:
https://gitlab.com/canneddns/canneddns
"CannedDNS"
[dnsdist]:
https://www.dnsdist.org/
"dnsdist"
[Response Policy Zone]:
https://en.wikipedia.org/wiki/Response_policy_zone
"Wikipedia - Response Policy Zone"
[RIPE Atlas]:
https://atlas.ripe.net/
"RIPE Atlas"
[git-repo]:
https://git.2e8.dk/dn5/ede/
"git repo for this testbed"
[draft-ietf-dnsop-structured-dns-error]:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
"I-D: Structured Error Data for Filtered DNS"