Hello,
Functional EDE 22 is available in Bind 9.20.6.
The RFC says:
4.23. Extended DNS Error Code 22 - No Reachable Authority
The resolver could not reach any of the authoritative name servers (or
they potentially refused to reply)
Bind does not map an rcode REFUSED to EDE 22, so in your case I don't
think it will help, as the problem is that the target servers refused to
reply with the expected data (but they replied). Certainly because they
are not authoritative.
As they do not implement EDE (would be EDE 21), the resolver is "alone" to
map the reason of the rcode=REFUSED to any EDE.
I personally think that the reported EDE 23 and 22 are wrong or at least
misleading:
- The "unrecoverable error" is not network oriented; the servers'
responses are perfectly valid, with no "unrecoverable error occurred while
communicating" with them.
- The designated authorities are reachable and do not refuse to reply
to the request, even if they do not give us the expected answer (a protocol
level "REFUSED", not a communication level "REFUSED" / no reply).
But they give you a hint in the comments about the real reason for the
failure: they are certainly not authoritative, but it is only a hypothesis.
Emmanuel.
On 20/02/2025 at 09:28, Danilo Godec via bind-users wrote:
Hello,
I was testing / debugging some sub-zone delegation for a friend's
domain (something about email marketing service that wants their
clients to delegate a subzone to their NSs) and couldn't quite see the
issue - apart from my local resolver reporting 'SERVFAIL':
; <<>> DiG 9.18.33 <<>> ns send.dom24.si
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62197
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 58d59532ac7efb7b0100000067b6d70ac2a22d96114e96b0 (good)
;; QUESTION SECTION:
;send.dom24.si. IN NS
I eventually figured out that the target NS servers that should host
the delegated sub-zone, refuse the query - probably they're not yet
configured:
; <<>> DiG 9.18.33 <<>> ns send.dom24.si @ns1.klaviyo.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21094
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;send.dom24.si. IN NS
But then I tried using Google's 8.8.8.8 and Cloudflare's 1.1.1.1 and
they provide more info that I can see directly in dig's output:
; <<>> DiG 9.18.33 <<>> ns send.dom24.si @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33277
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 23 (Network Error): ([205.251.196.237] rcode=REFUSED for send.dom24.si/ns)
; EDE: 23 (Network Error): ([205.251.192.111] rcode=REFUSED for send.dom24.si/ns)
; EDE: 23 (Network Error): ([205.251.195.79] rcode=REFUSED for send.dom24.si/ns)
; EDE: 23 (Network Error): ([205.251.198.128] rcode=REFUSED for send.dom24.si/ns)
; EDE: 22 (No Reachable Authority): (At delegation send.dom24.si for send.dom24.si/ns)
;; QUESTION SECTION:
;send.dom24.si. IN NS
; <<>> DiG 9.18.33 <<>> ns send.dom24.si @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (at delegation send.dom24.si.)
; EDE: 23 (Network Error): (205.251.198.128:53 rcode=REFUSED for send.dom24.si NS)
;; QUESTION SECTION:
;send.dom24.si. IN NS
I thought that's neat and started digging (pun intended) in docs if
Bind could be configured to provide something like that (ideally just
for my 'inside' view), but I couldn't find anything.
Is there a way to have Bind report such info through dig?
Danilo
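
Added example, not part of either message and not BIND code: a sketch that parses the EDE option (EDNS option code 15, RFC 8914) out of OPT RDATA and separates the "authority answered REFUSED" case discussed in this thread from a genuine reachability failure. The sample bytes are constructed from the EXTRA-TEXT in the 1.1.1.1 output above; matching on "rcode=REFUSED" is a heuristic keyed to that wording, since EXTRA-TEXT is free-form, and the function names are hypothetical.

```python
import struct

EDE_OPTION_CODE = 15  # EDNS option code for Extended DNS Errors (RFC 8914)
# Only the info-codes named in this thread.
EDE_NAMES = {21: "Not Supported", 22: "No Reachable Authority", 23: "Network Error"}


def build_ede(info_code, text):
    """Encode one EDE option (used here only to construct the sample)."""
    body = struct.pack("!H", info_code) + text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body


def parse_ede(opt_rdata):
    """Return [(info_code, extra_text)] for every EDE option in OPT RDATA."""
    found, pos = [], 0
    while pos < len(opt_rdata):
        if pos + 4 > len(opt_rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        data = opt_rdata[pos:pos + length]
        if len(data) != length:
            raise ValueError("EDNS option overruns OPT RDATA")
        pos += length
        if code != EDE_OPTION_CODE:
            continue  # some other option, e.g. COOKIE (option code 10)
        if length < 2:
            raise ValueError("EDE option shorter than its info-code")
        info = struct.unpack("!H", data[:2])[0]
        # EXTRA-TEXT may or may not be NUL-terminated; tolerate both.
        found.append((info, data[2:].rstrip(b"\x00").decode("utf-8", "replace")))
    return found


def triage(edes):
    """Heuristic: did the authorities answer REFUSED, or were they unreachable?"""
    refused = [t for c, t in edes if c == 23 and "rcode=REFUSED" in t]
    if refused:
        return "authority answered REFUSED (%d server(s)): check the delegation" % len(refused)
    if any(c in (22, 23) for c, _ in edes):
        return "authority unreachable: check network path"
    return "no reachability EDE present"


# Constructed sample: an 8-byte COOKIE option followed by two EDE options.
SAMPLE = (struct.pack("!HH", 10, 8) + bytes(8)
          + build_ede(22, "at delegation send.dom24.si.")
          + build_ede(23, "205.251.198.128:53 rcode=REFUSED for send.dom24.si NS"))

if __name__ == "__main__":
    for code, text in parse_ede(SAMPLE):
        print("EDE %d (%s): %s" % (code, EDE_NAMES.get(code, "?"), text))
    print(triage(parse_ede(SAMPLE)))
```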