Introduction
This document describes Cisco Umbrella support for extended DNS errors.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
Cisco Umbrella has announced preliminary support for Extended DNS Errors (EDE) as defined in the IETF Extended DNS Errors specification (RFC 8914).
Umbrella's initial support is focused on DNSSEC error codes for SERVFAIL responses. Umbrella plans to add support for other error codes in the future, as well as the text representations of the error codes.
Supported Error Codes
Code | Name | Supported | Error Encountered
0 | Other | No |
1 | Unsupported DNSKEY Algorithm | Yes | DNSKEY algorithm not supported.
2 | Unsupported DS Digest Type | Yes | DS digest type not supported.
3 | Stale Answer | No |
4 | Forged Answer | No |
5 | DNSSEC Indeterminate | No |
6 | DNSSEC Bogus | Yes | All relevant records were found but validation failed (signature hash did not match); RRSIG signer/owner mismatch; RRSIG not valid; negative proof is invalid (NXDOMAIN expected but NODATA found, or vice versa); reached a signed zone but not a delegation point.
7 | Signature Expired | Yes | RRSIG matched the DNSKEY (key tag and algorithm) but the signature has expired.
8 | Signature Not Yet Valid | Yes | RRSIG matched the DNSKEY (key tag and algorithm) but the signature inception time is later than now.
9 | DNSKEY Missing | Yes | No DS matching the DNSKEY was found.
10 | RRSIGs Missing | Yes | No RRSIG matching the DNSKEY (key tag and algorithm) was found.
11 | No Zone Key Bit Set | Yes | The DNSKEY does not have the Zone Key bit set.
12 | NSEC Missing | Yes | Negative proof not found or insufficient.
13 | Cached Error | No |
14 | Not Ready | No |
15 | Blocked | No |
16 | Censored | No |
17 | Filtered | No |
18 | Prohibited | No |
19 | Stale NXDOMAIN Answer | No |
20 | Not Authoritative | No |
21 | Not Supported | No |
22 | No Reachable Authority | No |
23 | Network Error | No |
24 | Invalid Data | No |
Example Response
A response carrying an Extended DNS Error shows it in the EDNS OPT pseudosection as option code 15, whose first two bytes are the 16-bit INFO-CODE. In the query below the option data is 00 06, so the error code returned is 6, corresponding to the "DNSSEC Bogus" error:
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> +dnssec +nocrypt bogus.d2a10n3.rootcanary.net @m81.sjc.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63825
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 16384
; OPT=15: 00 06 ("..")
;; QUESTION SECTION:
;bogus.d2a10n3.rootcanary.net. IN A
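As an added example (not Cisco's code, and not how Umbrella itself implements EDE), the following Python parses the EDE option out of an OPT record's RDATA the way a client or log pipeline would have to: option code 15, then a 16-bit INFO-CODE and optional UTF-8 EXTRA-TEXT. The name table and the supported set are taken from the table above; the sample RDATA, including the unrelated cookie option and the second EDE with text, is constructed here.

```python
import struct

# EDE INFO-CODE names (IANA values 0-24, as listed in the table above).
EDE_NAMES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing", 13: "Cached Error",
    14: "Not Ready", 15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited",
    19: "Stale NXDOMAIN Answer", 20: "Not Authoritative", 21: "Not Supported",
    22: "No Reachable Authority", 23: "Network Error", 24: "Invalid Data",
}
# Codes the Umbrella table above marks as Supported.
UMBRELLA_SUPPORTED = {1, 2, 6, 7, 8, 9, 10, 11, 12}
EDE_OPTION_CODE = 15  # EDNS OPTION-CODE for Extended DNS Error

def parse_ede_options(opt_rdata: bytes):
    """Walk OPT RR RDATA (OPTION-CODE, OPTION-LENGTH, OPTION-DATA triples) and
    return (info_code, extra_text) for every EDE option; other options are skipped."""
    results = []
    i = 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[i:i + 4])
        data = opt_rdata[i + 4:i + 4 + length]
        if len(data) != length:
            raise ValueError("truncated EDNS option")
        i += 4 + length
        if code != EDE_OPTION_CODE:
            continue
        if len(data) < 2:
            raise ValueError("EDE option shorter than its 16-bit INFO-CODE")
        info_code = struct.unpack("!H", data[:2])[0]
        # EXTRA-TEXT is optional UTF-8 meant for humans; decode leniently.
        results.append((info_code, data[2:].decode("utf-8", errors="replace")))
    return results

def describe(info_code: int) -> str:
    """Human-readable label plus whether Umbrella currently returns this code."""
    name = EDE_NAMES.get(info_code, "Unassigned")
    status = "Umbrella-supported" if info_code in UMBRELLA_SUPPORTED else "not yet supported by Umbrella"
    return f"EDE {info_code} ({name}; {status})"

# Constructed sample RDATA: the OPT=15 payload "00 06" seen in the dig output above,
# preceded by an unrelated option (code 10, a cookie) and followed by an EDE 12 with text.
SAMPLE_OPT_RDATA = (
    struct.pack("!HH", 10, 8) + b"\x00" * 8
    + struct.pack("!HH", EDE_OPTION_CODE, 2) + b"\x00\x06"
    + struct.pack("!HH", EDE_OPTION_CODE, 2 + 14) + b"\x00\x0c" + b"no NSEC chain!"
)
```

Calling `parse_ede_options(SAMPLE_OPT_RDATA)` yields the two EDE entries, 6 with empty text and 12 with its text, and `describe(6)` labels the first as DNSSEC Bogus.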