Addition of Extended DNS Errors codes
Afnic
7, avenue du 8 mai 1945
Guyancourt
78280
FR
bortzmeyer+ietf@nic.fr
https://www.afnic.fr/
General
Internet Engineering Task Force
DNS EDE
This document is the specification of three new EDE (Extended
DNS Errors) codes, for minimal answers, local roots and
tailoring based on the client IP address.
Introduction
created the EDE (Extended DNS
Errors). Each error is identified by a code, and there is an
IANA registry of these codes. This specification adds four
codes:
- One to say that the response has been tailored from the IP
address of the end-client, for instance through ECS (EDNS
Client Subnet),
- One to say that the response was deliberately minimal,
- One to say that the response comes from a local root.
- One to say that the request was rejected because of rate-limiting.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT
RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in BCP 14
when, and only when, they appear in
all capitals, as shown here.
Tailoring
This response code, TBD, means that the response has been
tailored on the basis of the IP address of the client. It can be
from its actual IP address in the query (DNS-based load
balancing), or because of ECS (EDNS Client Subnet, ). It MAY be sent by authoritative servers or
resolvers, for instance when they implement ECS. Note that the
fact that the server accepts ECS can also be seen in the EDNS
part of the response, but it does not mean that ECS was actually
used to tailor the answer. Also, this response code is more
general than just ECS. To differentiate between the type of
tailoring, the EXTRA-TEXT field MAY be used.
If a resolver receives this EDE from an authoritative server,
it SHOULD copy it in the response sent to its client.
Minimal response
This response code, TBD, means that the response was
deliberately minimal. It can be because the request was using
the QTYPE ANY, as documented by . Or it
can be also for cases like "glue records not sent since I wanted
to save bits". It MAY be sent by authoritative servers or
resolvers.
Local root
This response code, TBD, means that the response comes from
a local root, as documented in . It MAY
be sent by resolvers using a local root.
Rate-limiting
This response code, TBD, means that the request was
rejected because the DNS client queries too much . It MAY
be sent by resolvers or authoritative name servers, probably
together with a REFUSED response code.
IANA Considerations
IANA is requested to allocate codes to these four EDE and to
add them to the "Extended DNS Error Codes", with a reference to
this document.
Note that the policy for the registry "Extended DNS Error
Codes" is just "First come, first served" so this document is
not strictly necessary.
Security Considerations
The EDE are sent with EDNS and are not signed. They should be
used with care (see , section 6).
References
Normative References
Informative references
A Quick Introduction to Response Rate
Limiting
ISC
Surveys of implementors
This appendix lists the various issues open againt diverse
DNS programs, to gather input from the implementors about these
new EDE.
- Knot
resolver
- PowerDNS,
PowerDNS recursor and dnsdist
- Knot
- BIND
- Unbound
Acknowledgements
Original idea by Marco Davids.