]> Extra Extended DNS Error codes for DNSSEC status bogus NLnet Labs
tom@nlnetlabs.nl
NLnet Labs
willem@nlnetlabs.nl
Internet-Draft While implementing Extended DNS Errors (RFC8914) in our DNSSEC validating resolver software Unbound, we encountered this specific situations regarding the DNSSEC bogus status where no Extended DNS Error were yet defined.
Introduction While implementing Extended DNS Errors () in our DNSSEC validating resolver software Unbound (), we encountered this specific situations regarding the DNSSEC bogus status where no Extended DNS Error were yet defined.
Extended DNS Error Code 26 - Signature Wrong Size The resolver attempted to perform DNSSEC validation, but the signature is either smaller or larger than expected for the specified algorithm.
Extended DNS Error Code 27 - Malformed Signer Name The resolver attempted to perform DNSSEC validation, but the Signer's Name Field in the signature contains a malformed signer (d)name.
Extended DNS Error Code 28 - Signer Name Out of zone The resolver attempted to perform DNSSEC validation, but the Signer's Name Field in the signature does not contain the zone name of the covered RRset.
Extended DNS Error Code 29 - Signature Label Count Wrong The resolver attempted to perform DNSSEC validation, but the number of labels in the Signature Labels Field is incorrect.
Extended DNS Error Code 30 - DNSSEC Insufficient NSEC Proof The resolver attempted to perform DNSSEC validation, but the signed response does not have valid NSEC proof.
Extended DNS Error Code 31 - DNSSEC Unknown Protocol The resolver attempted to perform DNSSEC validation, but found a value not equal to 3 in the DNSKEY protocol number field as specified by RFC4034#section-2.1.2.
IANA Considerations This draft requests the assignment of a new EDE code values for the specified EDE codes.
Security Considerations As this draft only seeks to add code points to the EDE registry, the security considerations as the same as in .
Extended DNS Errors This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs. EDE for Unbound pull request NLnet Labs NLnet Labs