| < draft-ietf-dnsop-extended-error-09.txt | draft-ietf-dnsop-extended-error-10.txt > | |||
|---|---|---|---|---|
| Network Working Group W. Kumari | Network Working Group W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Intended status: Standards Track E. Hunt | Intended status: Standards Track E. Hunt | |||
| Expires: March 13, 2020 ISC | Expires: March 30, 2020 ISC | |||
| R. Arends | R. Arends | |||
| ICANN | ICANN | |||
| W. Hardaker | W. Hardaker | |||
| USC/ISI | USC/ISI | |||
| D. Lawrence | D. Lawrence | |||
| Oracle + Dyn | Oracle + Dyn | |||
| September 10, 2019 | September 27, 2019 | |||
| Extended DNS Errors | Extended DNS Errors | |||
| draft-ietf-dnsop-extended-error-09 | draft-ietf-dnsop-extended-error-10 | |||
| Abstract | Abstract | |||
| This document defines an extensible method to return additional | This document defines an extensible method to return additional | |||
| information about the cause of DNS errors. Though created primarily | information about the cause of DNS errors. Though created primarily | |||
| to extend SERVFAIL to provide additional information about the cause | to extend SERVFAIL to provide additional information about the cause | |||
| of DNS and DNSSEC failures, the Extended DNS Errors option defined in | of DNS and DNSSEC failures, the Extended DNS Errors option defined in | |||
| this document allows all response types to contain extended error | this document allows all response types to contain extended error | |||
| information. | information. Extended DNS Error information does not change the | |||
| processing of RCODEs. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 13, 2020. | This Internet-Draft will expire on March 30, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 24 ¶ | skipping to change at page 2, line 24 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction and background . . . . . . . . . . . . . . . . . 3 | 1. Introduction and background . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 4 | 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Extended Error EDNS0 option format . . . . . . . . . . . . . 4 | 2. Extended Error EDNS0 option format . . . . . . . . . . . . . 4 | |||
| 3. Defined Extended DNS Errors . . . . . . . . . . . . . . . . . 5 | 3. Defined Extended DNS Errors . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Extended DNS Error Code 0 - Other . . . . . . . . . . . . 5 | 3.1. Extended DNS Error Code 0 - Other . . . . . . . . . . . . 5 | |||
| 3.2. Extended DNS Error Code 1 - | 3.2. Extended DNS Error Code 1 - | |||
| Unsupported DNSKEY Algorithm . . . . . . . . . . . . . . 5 | Unsupported DNSKEY Algorithm . . . . . . . . . . . . . . 5 | |||
| 3.3. Extended DNS Error Code 2 - Unsupported | 3.3. Extended DNS Error Code 2 - Unsupported DS | |||
| DS Algorithm . . . . . . . . . . . . . . . . . . . . . . 5 | Digest Type . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.4. Extended DNS Error Code 3 - Stale Answer . . . . . . . . 5 | 3.4. Extended DNS Error Code 3 - Stale Answer . . . . . . . . 5 | |||
| 3.5. Extended DNS Error Code 4 - Forged Answer . . . . . . . . 5 | 3.5. Extended DNS Error Code 4 - Forged Answer . . . . . . . . 5 | |||
| 3.6. Extended DNS Error Code 5 - DNSSEC Indeterminate . . . . 5 | 3.6. Extended DNS Error Code 5 - DNSSEC Indeterminate . . . . 6 | |||
| 3.7. Extended DNS Error Code 6 - DNSSEC Bogus . . . . . . . . 6 | 3.7. Extended DNS Error Code 6 - DNSSEC Bogus . . . . . . . . 6 | |||
| 3.8. Extended DNS Error Code 7 - Signature Expired . . . . . . 6 | 3.8. Extended DNS Error Code 7 - Signature Expired . . . . . . 6 | |||
| 3.9. Extended DNS Error Code 8 - Signature Not Yet Valid . . . 6 | 3.9. Extended DNS Error Code 8 - Signature Not Yet Valid . . . 6 | |||
| 3.10. Extended DNS Error Code 9 - DNSKEY Missing . . . . . . . 6 | 3.10. Extended DNS Error Code 9 - DNSKEY Missing . . . . . . . 6 | |||
| 3.11. Extended DNS Error Code 10 - RRSIGs Missing . . . . . . . 6 | 3.11. Extended DNS Error Code 10 - RRSIGs Missing . . . . . . . 6 | |||
| 3.12. Extended DNS Error Code 11 - No Zone Key Bit Set . . . . 6 | 3.12. Extended DNS Error Code 11 - No Zone Key Bit Set . . . . 6 | |||
| 3.13. Extended DNS Error Code 12 - NSEC Missing . . . . . . . . 6 | 3.13. Extended DNS Error Code 12 - NSEC Missing . . . . . . . . 6 | |||
| 3.14. Extended DNS Error Code 13 - Cached Error . . . . . . . . 6 | 3.14. Extended DNS Error Code 13 - Cached Error . . . . . . . . 6 | |||
| 3.15. Extended DNS Error Code 14 - Not Ready . . . . . . . . . 6 | 3.15. Extended DNS Error Code 14 - Not Ready . . . . . . . . . 7 | |||
| 3.16. Extended DNS Error Code 15 - Blocked . . . . . . . . . . 7 | 3.16. Extended DNS Error Code 15 - Blocked . . . . . . . . . . 7 | |||
| 3.17. Extended DNS Error Code 16 - Censored . . . . . . . . . . 7 | 3.17. Extended DNS Error Code 16 - Censored . . . . . . . . . . 7 | |||
| 3.18. Extended DNS Error Code 17 - Prohibited . . . . . . . . . 7 | 3.18. Extended DNS Error Code 17 - Filtered . . . . . . . . . . 7 | |||
| 3.19. Extended DNS Error Code 18 - Filtered . . . . . . . . . . 7 | 3.19. Extended DNS Error Code 17 - Prohibited . . . . . . . . . 7 | |||
| 3.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer . . . 7 | 3.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer . . . 7 | |||
| 3.21. Extended DNS Error Code 20 - Lame . . . . . . . . . . . . 7 | 3.21. Extended DNS Error Code 20 - Not Authoritative . . . . . 7 | |||
| 3.22. Extended DNS Error Code 21 - Deprecated . . . . . . . . . 8 | 3.22. Extended DNS Error Code 21 - Deprecated . . . . . . . . . 8 | |||
| 3.23. Extended DNS Error Code 22 - No Reachable Authority . . . 8 | 3.23. Extended DNS Error Code 22 - No Reachable Authority . . . 8 | |||
| 3.24. Extended DNS Error Code 23 - Network Error . . . . . . . 8 | 3.24. Extended DNS Error Code 23 - Network Error . . . . . . . 8 | |||
| 3.25. Extended DNS Error Code 24 - Invalid Data . . . . . . . . 8 | ||||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.1. A New Extended DNS Error Code EDNS Option . . . . . . . . 8 | 4.1. A New Extended DNS Error Code EDNS Option . . . . . . . . 8 | |||
| 4.2. New Registry Table for Extended DNS Error Codes . . . . . 8 | 4.2. New Registry Table for Extended DNS Error Codes . . . . . 8 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 11 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 12 | 7.2. Informative References . . . . . . . . . . . . . . . . . 12 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 1. Introduction and background | 1. Introduction and background | |||
| There are many reasons that a DNS query may fail, some of them | There are many reasons that a DNS query may fail, some of them | |||
| transient, some permanent; some can be resolved by querying another | transient, some permanent; some can be resolved by querying another | |||
| server, some are likely best handled by stopping resolution. | server, some are likely best handled by stopping resolution. | |||
| Unfortunately, the error signals that a DNS server can return are | Unfortunately, the error signals that a DNS server can return are | |||
| very limited, and are not very expressive. This means that | very limited, and are not very expressive. This means that | |||
| applications and resolvers often have to "guess" at what the issue is | applications and resolvers often have to "guess" at what the issue is | |||
| - e.g. was the answer marked REFUSED because of a lame delegation, or | - e.g. was the answer marked REFUSED because of a lame delegation, or | |||
| skipping to change at page 3, line 40 ¶ | skipping to change at page 3, line 41 ¶ | |||
| resolver is not a validating resolver, and the user is returned a | resolver is not a validating resolver, and the user is returned a | |||
| potentially harmful result. With an Extended DNS Error (EDE) option | potentially harmful result. With an Extended DNS Error (EDE) option | |||
| enclosed in the response message, the resolver is able to return a | enclosed in the response message, the resolver is able to return a | |||
| more descriptive reason as to why any failures happened, or add | more descriptive reason as to why any failures happened, or add | |||
| additional context to a message containing a NOERROR RCODE. | additional context to a message containing a NOERROR RCODE. | |||
| This document specifies a mechanism to extend DNS errors to provide | This document specifies a mechanism to extend DNS errors to provide | |||
| additional information about the cause of an error. These extended | additional information about the cause of an error. These extended | |||
| DNS error codes described in this document and can be used by any | DNS error codes described in this document and can be used by any | |||
| system that sends DNS queries and receives a response containing an | system that sends DNS queries and receives a response containing an | |||
| EDE option.. Different codes are useful in different circumstances, | EDE option. Different codes are useful in different circumstances, | |||
| and thus different systems (stub resolvers, recursive resolvers, and | and thus different systems (stub resolvers, recursive resolvers, and | |||
| authoritative resolvers) might receive and use them. | authoritative resolvers) might receive and use them. | |||
| This document does not allow or prohibit any particular extended | This document does not allow or prohibit any particular extended | |||
| error codes and information be matched with any particular RCODEs. | error codes and information to be matched with any particular RCODEs. | |||
| Some combinations of extended error codes and RCODEs may seem | Some combinations of extended error codes and RCODEs may seem | |||
| nonsensical (such as resolver-specific extended error codes in | nonsensical (such as resolver-specific extended error codes in | |||
| responses from authoritative servers), so systems interpreting the | responses from authoritative servers), so systems interpreting the | |||
| extended error codes MUST NOT assume that a combination will make | extended error codes MUST NOT assume that a combination will make | |||
| sense. Receivers MUST be able to accept EDE codes and EXTRA-TEXT in | sense. Receivers MUST be able to accept EDE codes and EXTRA-TEXT in | |||
| all messages, including even those with a NOERROR RCODE. | all messages, including those with a NOERROR RCODE. Receivers MUST | |||
| NOT change the processing of RCODEs in messages based on extended | ||||
| error codes. | ||||
| 1.1. Requirements notation | 1.1. Requirements notation | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. Extended Error EDNS0 option format | 2. Extended Error EDNS0 option format | |||
| This draft uses an EDNS0 ([RFC2671]) option to include Extended DNS | This draft uses an EDNS0 ([RFC2671]) option to include Extended DNS | |||
| skipping to change at page 4, line 40 ¶ | skipping to change at page 4, line 43 ¶ | |||
| o OPTION-CODE, 2 octets (defined in [RFC6891]]), for EDE is TBD. | o OPTION-CODE, 2 octets (defined in [RFC6891]]), for EDE is TBD. | |||
| [RFC Editor: change TBD to the proper code once assigned by IANA.] | [RFC Editor: change TBD to the proper code once assigned by IANA.] | |||
| o OPTION-LENGTH, 2 octets ((defined in [RFC6891]]) contains the | o OPTION-LENGTH, 2 octets ((defined in [RFC6891]]) contains the | |||
| length of the payload (everything after OPTION-LENGTH) in octets | length of the payload (everything after OPTION-LENGTH) in octets | |||
| and should be 4 plus the length of the EXTRA-TEXT section (which | and should be 4 plus the length of the EXTRA-TEXT section (which | |||
| may be a zero-length string). | may be a zero-length string). | |||
| o INFO-CODE, 16-bits, which is the principal contribution of this | o INFO-CODE, 16-bits, which is the principal contribution of this | |||
| document. This 16-bit value, encoded in network (MSB) byte order, | document. This 16-bit value, encoded in network (MSB) byte order, | |||
| provides the additional context for the RESPONSE-CODE of the DNS | provides the additional context for the RESPONSE-CODE of the DNS | |||
| message. The INFO-CODE serves as an index to the "Extended DNS | message. The INFO-CODE serves as an index into the "Extended DNS | |||
| Errors" registry Section 4.1. | Errors" registry Section 4.1. | |||
| o EXTRA-TEXT, a variable length, UTF-8 encoded, text field that may | o EXTRA-TEXT, a variable length, UTF-8 encoded, text field that may | |||
| hold additional textual information. Note: EXTRA-TEXT may be zero | hold additional textual information. Note: EXTRA-TEXT may be zero | |||
| octets in length, indicating there is no EXTRA-TEXT included. | octets in length, indicating there is no EXTRA-TEXT included. | |||
| Care should be take not to leak private information that an | Care should be taken not to leak private information that an | |||
| observer would not otherwise have access to, such as account | observer would not otherwise have access to, such as account | |||
| numbers. | numbers. | |||
| The Extended DNS Error (EDE) option can be included in any response | The Extended DNS Error (EDE) option can be included in any response | |||
| (SERVFAIL, NXDOMAIN, REFUSED, and even NOERROR, etc) to a query that | (SERVFAIL, NXDOMAIN, REFUSED, and even NOERROR, etc) to a query that | |||
| includes OPT Pseudo-RR [RFC6891]. This document includes a set of | includes OPT Pseudo-RR [RFC6891]. This document includes a set of | |||
| initial codepoints (and requests to the IANA to add them to the | initial codepoints (and requests to the IANA to add them to the | |||
| registry), but is extensible via the IANA registry to allow | registry), but is extensible via the IANA registry to allow | |||
| additional error and information codes to be defined in the future. | additional error and information codes to be defined in the future. | |||
| skipping to change at page 5, line 25 ¶ | skipping to change at page 5, line 30 ¶ | |||
| 3.1. Extended DNS Error Code 0 - Other | 3.1. Extended DNS Error Code 0 - Other | |||
| The error in question falls into a category that does not match known | The error in question falls into a category that does not match known | |||
| extended error codes. Implementations SHOULD include a EXTRA-TEXT | extended error codes. Implementations SHOULD include a EXTRA-TEXT | |||
| value to augment this error code with additional information. | value to augment this error code with additional information. | |||
| 3.2. Extended DNS Error Code 1 - Unsupported DNSKEY Algorithm | 3.2. Extended DNS Error Code 1 - Unsupported DNSKEY Algorithm | |||
| The resolver attempted to perform DNSSEC validation, but a DNSKEY | The resolver attempted to perform DNSSEC validation, but a DNSKEY | |||
| RRSET contained only unknown algorithms. | RRSET contained only unsupported DNSSEC algorithms. | |||
| 3.3. Extended DNS Error Code 2 - Unsupported DS Algorithm | 3.3. Extended DNS Error Code 2 - Unsupported DS Digest Type | |||
| The resolver attempted to perform DNSSEC validation, but a DS RRSET | The resolver attempted to perform DNSSEC validation, but a DS RRSET | |||
| contained only unknown algorithms. | contained only unsupported Digest Types. | |||
| 3.4. Extended DNS Error Code 3 - Stale Answer | 3.4. Extended DNS Error Code 3 - Stale Answer | |||
| The resolver was unable to resolve answer within its time limits and | The resolver was unable to resolve answer within its time limits and | |||
| decided to answer with previously cached data instead of answering | decided to answer with previously cached data instead of answering | |||
| with an error. This is typically caused by problems communicating | with an error. This is typically caused by problems communicating | |||
| with an authoritative serever, possibly as result of a DoS attack | with an authoritative serever, possibly as result of a DoS attack | |||
| against another network. | against another network. | |||
| 3.5. Extended DNS Error Code 4 - Forged Answer | 3.5. Extended DNS Error Code 4 - Forged Answer | |||
| For policy reasons (legal obligation, or malware filtering, for | For policy reasons (legal obligation, or malware filtering, for | |||
| instance), an answer was forged. | instance), an answer was forged. Note that this should be used when | |||
| an answer is still provided, not when failure codes are returned | ||||
| instead. See Blocked(15), Censored (16), and Filtered (17) for use | ||||
| when returning other response codes. | ||||
| 3.6. Extended DNS Error Code 5 - DNSSEC Indeterminate | 3.6. Extended DNS Error Code 5 - DNSSEC Indeterminate | |||
| The resolver attempted to perform DNSSEC validation, but validation | The resolver attempted to perform DNSSEC validation, but validation | |||
| ended in the Indeterminate state. | ended in the Indeterminate state [RFC4035]. | |||
| 3.7. Extended DNS Error Code 6 - DNSSEC Bogus | 3.7. Extended DNS Error Code 6 - DNSSEC Bogus | |||
| The resolver attempted to perform DNSSEC validation, but validation | The resolver attempted to perform DNSSEC validation, but validation | |||
| ended in the Bogus state. | ended in the Bogus state. | |||
| 3.8. Extended DNS Error Code 7 - Signature Expired | 3.8. Extended DNS Error Code 7 - Signature Expired | |||
| The resolver attempted to perform DNSSEC validation, but a signature | The resolver attempted to perform DNSSEC validation, but all | |||
| in the validation chain was expired. | signatures in an RRset in the validation chain were expired. | |||
| 3.9. Extended DNS Error Code 8 - Signature Not Yet Valid | 3.9. Extended DNS Error Code 8 - Signature Not Yet Valid | |||
| The resolver attempted to perform DNSSEC validation, but the | The resolver attempted to perform DNSSEC validation, but all the | |||
| signatures received were not yet valid. | signatures received were not yet valid. | |||
| 3.10. Extended DNS Error Code 9 - DNSKEY Missing | 3.10. Extended DNS Error Code 9 - DNSKEY Missing | |||
| A DS record existed at a parent, but no supported matching DNSKEY | A DS record existed at a parent, but no supported matching DNSKEY | |||
| record could be found for the child. | record could be found for the child. | |||
| 3.11. Extended DNS Error Code 10 - RRSIGs Missing | 3.11. Extended DNS Error Code 10 - RRSIGs Missing | |||
| The resolver attempted to perform DNSSEC validation, but no RRSIGs | The resolver attempted to perform DNSSEC validation, but no RRSIGs | |||
| skipping to change at page 6, line 43 ¶ | skipping to change at page 6, line 48 ¶ | |||
| Bit was set in a DNSKEY. | Bit was set in a DNSKEY. | |||
| 3.13. Extended DNS Error Code 12 - NSEC Missing | 3.13. Extended DNS Error Code 12 - NSEC Missing | |||
| The resolver attempted to perform DNSSEC validation, but the | The resolver attempted to perform DNSSEC validation, but the | |||
| requested data was missing and a covering NSEC or NSEC3 was not | requested data was missing and a covering NSEC or NSEC3 was not | |||
| provided. | provided. | |||
| 3.14. Extended DNS Error Code 13 - Cached Error | 3.14. Extended DNS Error Code 13 - Cached Error | |||
| The resolver has cached SERVFAIL for this query. | The resolver has Cached SERVFAIL for this query. | |||
| 3.15. Extended DNS Error Code 14 - Not Ready | 3.15. Extended DNS Error Code 14 - Not Ready | |||
| The server is unable to answer the query as it is not fully | The server is unable to answer the query as it is not fully | |||
| functional (yet). | functional (yet). | |||
| 3.16. Extended DNS Error Code 15 - Blocked | 3.16. Extended DNS Error Code 15 - Blocked | |||
| The resolver attempted to perfom a DNS query but the domain is | The server is unable to respond to the request because the domain is | |||
| blacklisted due to a security policy implemented on the server being | blacklisted due to an internal security policy imposed by the | |||
| directly talked to. | operator of the server being directly talked to. | |||
| 3.17. Extended DNS Error Code 16 - Censored | 3.17. Extended DNS Error Code 16 - Censored | |||
| The resolver attempted to perfom a DNS query but the domain was | The server is unable to respond to the request because the domain is | |||
| blacklisted by a security policy imposed upon the server being talked | blacklisted by a security policy imposed upon the server being talked | |||
| to. Note that how the imposed policy is applied is irrelevant (in- | to by an external requirement. Note that how the imposed policy is | |||
| band DNS filtering, court order, etc). | applied is irrelevant (in-band DNS filtering, court order, etc). | |||
| 3.18. Extended DNS Error Code 17 - Prohibited | 3.18. Extended DNS Error Code 17 - Filtered | |||
| The server is unable to respond to the request because the domain is | ||||
| blacklisted as requested by the client. Functionally, this amounts | ||||
| to "you requested that we filter domains like this one." | ||||
| 3.19. Extended DNS Error Code 17 - Prohibited | ||||
| An authoritative or recursive resolver that receives a query from an | An authoritative or recursive resolver that receives a query from an | |||
| "unauthorized" client can annotate its REFUSED message with this | "unauthorized" client can annotate its REFUSED message with this | |||
| code. Examples of "unauthorized" clients are recursive queries from | code. Examples of "unauthorized" clients are recursive queries from | |||
| IP addresses outside the network, blacklisted IP addresses, local | IP addresses outside the network, blacklisted IP addresses, local | |||
| policy, etc. | policy, etc. | |||
| 3.19. Extended DNS Error Code 18 - Filtered | ||||
| An authoritative or recursive resolver that receives a query from a | ||||
| client that had requested certain domains be filtered can annotate | ||||
| its REFUSED message with this code. Functionally, this amounts to | ||||
| "you requested that we filter domains like this one." | ||||
| 3.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer | 3.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer | |||
| The resolver was unable to resolve an answer within its configured | The resolver was unable to resolve an answer within its configured | |||
| time limits and decided to answer with a previously cached NXDOMAIN | time limits and decided to answer with a previously cached NXDOMAIN | |||
| answer instead of answering with an error. This is typically caused | answer instead of answering with an error. This is typically caused | |||
| by problems communicating with an authoritative serever, possibly as | by problems communicating with an authoritative server, possibly as | |||
| result of a DoS attack against another network. | result of a DoS attack against another network. | |||
| 3.21. Extended DNS Error Code 20 - Lame | 3.21. Extended DNS Error Code 20 - Not Authoritative | |||
| An authoritative server that receives a query (with the RD bit clear) | An authoritative server that receives a query (with the RD bit clear, | |||
| for a domain for which it is not authoritative SHOULD include this | or when not configured for recursion) for a domain for which it is | |||
| EDE code in the SERVFAIL response. A resolver that receives a query | not authoritative SHOULD include this EDE code in the REFUSED | |||
| (with the RD bit clear) SHOULD include this EDE code in the REFUSED | response. A resolver that receives a query (with the RD bit clear) | |||
| response. | SHOULD include this EDE code in the REFUSED response. | |||
| 3.22. Extended DNS Error Code 21 - Deprecated | 3.22. Extended DNS Error Code 21 - Deprecated | |||
| The requested operation or query is not supported as its use has been | The requested operation or query is not supported as its use has been | |||
| deprecated. | deprecated. | |||
| 3.23. Extended DNS Error Code 22 - No Reachable Authority | 3.23. Extended DNS Error Code 22 - No Reachable Authority | |||
| The resolver could not reach any of the authoritative name servers | The resolver could not reach any of the authoritative name servers | |||
| (or they refused to reply). | (or they refused to reply). | |||
| 3.24. Extended DNS Error Code 23 - Network Error | 3.24. Extended DNS Error Code 23 - Network Error | |||
| An unrecoverable error occurred while communicating with another | An unrecoverable error occurred while communicating with another | |||
| server. | server. | |||
| 3.25. Extended DNS Error Code 24 - Invalid Data | ||||
| An authoritative server that cannot answer with data for a zone it is | ||||
| otherwise configured to support. This may occur because its most | ||||
| recent zone is too old, or has expired, for example. | ||||
| 4. IANA Considerations | 4. IANA Considerations | |||
| 4.1. A New Extended DNS Error Code EDNS Option | 4.1. A New Extended DNS Error Code EDNS Option | |||
| This document defines a new EDNS(0) option, entitled "Extended DNS | This document defines a new EDNS(0) option, entitled "Extended DNS | |||
| Error", assigned a value of TBD1 from the "DNS EDNS0 Option Codes | Error", assigned a value of TBD1 from the "DNS EDNS0 Option Codes | |||
| (OPT)" registry [to be removed upon publication: | (OPT)" registry [to be removed upon publication: | |||
| [http://www.iana.org/assignments/dns-parameters/dns- | [http://www.iana.org/assignments/dns-parameters/dns- | |||
| parameters.xhtml#dns-parameters-11] | parameters.xhtml#dns-parameters-11] | |||
| skipping to change at page 9, line 4 ¶ | skipping to change at page 9, line 11 ¶ | |||
| o 0 - 32767: Expert Review [RFC2434]. | o 0 - 32767: Expert Review [RFC2434]. | |||
| o 32768 - 49151: First come, first served. | o 32768 - 49151: First come, first served. | |||
| o 49152 - 65535: Experimental / Private use. | o 49152 - 65535: Experimental / Private use. | |||
| A starting set of entries, based on the contents of this document, is | A starting set of entries, based on the contents of this document, is | |||
| as follows: | as follows: | |||
| INFO-CODE: 0 | INFO-CODE: 0 | |||
| Purpose: Other Error | Purpose: Other Error | |||
| Reference: Section 3.1 | Reference: Section 3.1 | |||
| INFO-CODE: 1 | INFO-CODE: 1 | |||
| Purpose: Unsupported DNSKEY Algorithm | Purpose: Unsupported DNSKEY Algorithm | |||
| Reference: Section 3.2 | Reference: Section 3.2 | |||
| INFO-CODE: 2 | INFO-CODE: 2 | |||
| Purpose: Unsupported DS Algorithm | Purpose: Unsupported DS Digest Type | |||
| Reference: Section 3.3 | Reference: Section 3.3 | |||
| INFO-CODE: 3 | INFO-CODE: 3 | |||
| Purpose: Stale Answer | Purpose: Stale Answer | |||
| Reference: Section 3.4 | Reference: Section 3.4, [I-D.ietf-dnsop-serve-stale] | |||
| INFO-CODE: 4 | INFO-CODE: 4 | |||
| Purpose: Forged Answer | Purpose: Forged Answer | |||
| Reference: Section 3.5 | Reference: Section 3.5 | |||
| INFO-CODE: 5 | INFO-CODE: 5 | |||
| Purpose: DNSSEC Indeterminate | Purpose: DNSSEC Indeterminate | |||
| Reference: Section 3.6 | Reference: Section 3.6 | |||
| INFO-CODE: 6 | INFO-CODE: 6 | |||
| skipping to change at page 10, line 4 ¶ | skipping to change at page 10, line 10 ¶ | |||
| Purpose: RRSIGs Missing | Purpose: RRSIGs Missing | |||
| Reference: Section 3.11 | Reference: Section 3.11 | |||
| INFO-CODE: 11 | INFO-CODE: 11 | |||
| Purpose: No Zone Key Bit Set | Purpose: No Zone Key Bit Set | |||
| Reference: Section 3.12 | Reference: Section 3.12 | |||
| INFO-CODE: 12 | INFO-CODE: 12 | |||
| Purpose: NSEC Missing | Purpose: NSEC Missing | |||
| Reference: Section 3.13 | Reference: Section 3.13 | |||
| INFO-CODE: 13 | INFO-CODE: 13 | |||
| Purpose: Cached Error | Purpose: Cached Error | |||
| Reference: Section 3.14 | Reference: Section 3.14 | |||
| INFO-CODE: 14 | INFO-CODE: 14 | |||
| Purpose: Not Ready. | Purpose: Not Ready. | |||
| Reference: Section 3.15 | Reference: Section 3.15 | |||
| INFO-CODE: 15 | INFO-CODE: 15 | |||
| Purpose: Blocked | Purpose: Blocked | |||
| Reference: Section 3.16 | Reference: Section 3.16 | |||
| INFO-CODE: 16 | INFO-CODE: 16 | |||
| Purpose: Censored | Purpose: Censored | |||
| Reference: Section 3.17 | Reference: Section 3.17 | |||
| INFO-CODE: 17 | INFO-CODE: 17 | |||
| Purpose: Prohibited | Purpose: Filtered | |||
| Reference: Section 3.18 | Reference: Section 3.18 | |||
| INFO-CODE: 18 | INFO-CODE: 18 | |||
| Purpose: Filtered | Purpose: Prohibited | |||
| Reference: Section 3.19 | Reference: Section 3.19 | |||
| INFO-CODE: 19 | INFO-CODE: 19 | |||
| Purpose: Stale NXDomain Answer | Purpose: Stale NXDomain Answer | |||
| Reference: Section 3.20 | Reference: Section 3.20 | |||
| INFO-CODE: 20 | INFO-CODE: 20 | |||
| Purpose: Lame | Purpose: Not Authoritative | |||
| Reference: Section 3.21 | Reference: Section 3.21 | |||
| INFO-CODE: 21 | INFO-CODE: 21 | |||
| Purpose: Deprecated | Purpose: Deprecated | |||
| Reference: Section 3.22 | Reference: Section 3.22 | |||
| INFO-CODE: 22 | INFO-CODE: 22 | |||
| Purpose: No Reachable Authority | Purpose: No Reachable Authority | |||
| Reference: Section 3.23 | Reference: Section 3.23 | |||
| INFO-CODE: 23 | INFO-CODE: 23 | |||
| Purpose: Network Error | Purpose: Network Error | |||
| Reference: Section 3.24 | Reference: Section 3.24 | |||
| INFO-CODE: 24 | ||||
| Purpose: Invalid Data | ||||
| Reference: Section 3.25 | ||||
| 5. Security Considerations | 5. Security Considerations | |||
| Though DNSSEC continues to be deployed, unfortunately a significant | Though DNSSEC continues to be deployed, unfortunately a significant | |||
| number of clients (~11% according to [GeoffValidation]) that receive | number of clients (~11% according to [GeoffValidation]) that receive | |||
| a SERVFAIL from a validating resolver because of a DNSSEC validaion | a SERVFAIL from a validating resolver because of a DNSSEC validaion | |||
| issue will simply ask the next (potentially non-validating) resolver | issue will simply ask the next (potentially non-validating) resolver | |||
| in their list, and thus don't get any of the protections which DNSSEC | in their list, and thus don't get any of the protections which DNSSEC | |||
| should provide. | should provide. | |||
| This information is unauthenticated information, and an attacker (e.g | This information is unauthenticated information, and an attacker (e.g | |||
| a MITM or malicious recursive server) could insert an extended error | a MITM or malicious recursive server) could insert an extended error | |||
| response into already untrusted data -- ideally clients and resolvers | response into already untrusted data -- ideally clients and resolvers | |||
| would not trust any unauthenticated information, but until we live in | would not trust any unauthenticated information, but until we live in | |||
| an era where all DNS answers are authenticated via DNSSEC or other | an era where all DNS answers are authenticated via DNSSEC or other | |||
| mechanisms [RFC2845] [RFC8094], there are some tradeoffs. As an | mechanisms [RFC2845] [RFC8094], there are some tradeoffs. As an | |||
| example, an attacker who is able to insert the DNSSEC Bogus Extended | example, an attacker who is able to insert the DNSSEC Bogus Extended | |||
| Error into a packet could instead simply reply with a fictitious | Error into a packet could instead simply reply with a fictitious | |||
| address (A or AAAA) record. | address (A or AAAA) record. Note that DNS Response Codes also | |||
| contain no authentication and can be just as easily manipulated. | ||||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The authors wish to thank Joe Abley, Mark Andrews, Vittorio Bertola, | The authors wish to thank Joe Abley, Mark Andrews, Vittorio Bertola, | |||
| Stephane Bortzmeyer, Vladimir Cunat, Ralph Dolmans, Peter DeVries, | Stephane Bortzmeyer, Vladimir Cunat, Ralph Dolmans, Peter DeVries, | |||
| Peter van Dijk, Donald Eastlake, Bob Harold, Paul Hoffman, Geoff | Peter van Dijk, Mats Dufberg, Donald Eastlake, Bob Harold, Paul | |||
| Huston, Shane Kerr, Edward Lewis, Carlos M. Martinez, George | Hoffman, Geoff Huston, Shane Kerr, Edward Lewis, Carlos M. Martinez, | |||
| Michelson, Michael Sheldon, Puneet Sood, Petr Spacek, Ondrej Sury, | George Michelson, Eric Orth, Michael Sheldon, Puneet Sood, Petr | |||
| Loganaden Velvindron, and Paul Vixie. They also vaguely remember | Spacek, Ondrej Sury, John Todd, Loganaden Velvindron, and Paul Vixie. | |||
| discussing this with a number of people over the years, but have | They also vaguely remember discussing this with a number of people | |||
| forgotten who all they were -- if you were one of them, and are not | over the years, but have forgotten who all they were -- if you were | |||
| listed, please let us know and we'll acknowledge you. | one of them, and are not listed, please let us know and we'll | |||
| acknowledge you. | ||||
| One author also wants to thank the band "Infected Mushroom" for | One author also wants to thank the band "Infected Mushroom" for | |||
| providing a good background soundtrack (and to see if he can get away | providing a good background soundtrack (and to see if he can get away | |||
| with this in an RFC!) Another author would like to thank the band | with this in an RFC!) Another author would like to thank the band | |||
| "Mushroom Infectors". This was funny at the time we wrote it, but we | "Mushroom Infectors". This was funny at the time we wrote it, but we | |||
| cannot remember why... | cannot remember why... | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-dnsop-serve-stale] | ||||
| Lawrence, D., Kumari, W., and P. Sood, "Serving Stale Data | ||||
| to Improve DNS Resiliency", draft-ietf-dnsop-serve- | ||||
| stale-08 (work in progress), September 2019. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | |||
| editor.org/info/rfc2119>. | editor.org/info/rfc2119>. | |||
| [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", RFC 2434, | IANA Considerations Section in RFCs", RFC 2434, | |||
| DOI 10.17487/RFC2434, October 1998, <https://www.rfc- | DOI 10.17487/RFC2434, October 1998, <https://www.rfc- | |||
| editor.org/info/rfc2434>. | editor.org/info/rfc2434>. | |||
| [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", | [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", | |||
| RFC 2671, DOI 10.17487/RFC2671, August 1999, | RFC 2671, DOI 10.17487/RFC2671, August 1999, | |||
| <https://www.rfc-editor.org/info/rfc2671>. | <https://www.rfc-editor.org/info/rfc2671>. | |||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | ||||
| Rose, "Protocol Modifications for the DNS Security | ||||
| Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | ||||
| <https://www.rfc-editor.org/info/rfc4035>. | ||||
| [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | |||
| for DNS (EDNS(0))", STD 75, RFC 6891, | for DNS (EDNS(0))", STD 75, RFC 6891, | |||
| DOI 10.17487/RFC6891, April 2013, <https://www.rfc- | DOI 10.17487/RFC6891, April 2013, <https://www.rfc- | |||
| editor.org/info/rfc6891>. | editor.org/info/rfc6891>. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [GeoffValidation] | [GeoffValidation] | |||
| IANA, "A quick review of DNSSEC Validation in today's | IANA, "A quick review of DNSSEC Validation in today's | |||
| Internet", June 2016, <http://www.potaroo.net/ | Internet", June 2016, <http://www.potaroo.net/ | |||
| End of changes. 47 change blocks. | ||||
| 63 lines changed or deleted | 93 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||