From 24ffbdcfea32b7f3c3feceba23cfc4bf474a1fa3 Mon Sep 17 00:00:00 2001
From: Colin Vidal
Date: Wed, 12 Mar 2025 10:28:27 +0100
Subject: [PATCH 1/2] add support for EDE 20 (Not Authoritative) Extended DNS Error message EDE 20 (Not Authoritative) is now sent when client request recursion (RD) but the server has recursion disabled. RFC 8914 mention EDE 20 should also be returned if the client doesn't have the RD bit set (and recursion is needed) but it doesn't apply for BIND as BIND would try to resolve from the "deepest" referral in AUTHORITY section. For example, if the client asks for "www.isc.org/A" but the server only knows the root domain, it will returns NOERROR but no answer for "www.isc.og/A", just the list of other servers to ask.
---
 lib/ns/query.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 2bc3fc45e9..2ec0e1109b 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5525,6 +5525,9 @@ ns__query_start(query_ctx_t *qctx) {
 	if (result != ISC_R_SUCCESS) {
 		if (result == DNS_R_REFUSED) {
 			if (WANTRECURSION(qctx->client)) {
+				dns_ede_add(&qctx->client->edectx,
+					    DNS_EDE_NOTAUTH,
+					    "recursion disabled");
 				inc_stats(qctx->client,
 					  ns_statscounter_recurserej);
 			} else {

From 7f613c207fa209335239d41ca7a51b52be4f0e9a Mon Sep 17 00:00:00 2001
From: Colin Vidal
Date: Wed, 12 Mar 2025 10:29:10 +0100
Subject: [PATCH 2/2] add system test covering EDE 20 Add system test to cover extended DNS error 20 (Not authoritative).
---
 bin/tests/system/resolver/ns11/named.conf.in | 24 ++++++++++++++++++++
 bin/tests/system/resolver/setup.sh | 1 +
 bin/tests/system/resolver/tests.sh | 9 ++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 bin/tests/system/resolver/ns11/named.conf.in

diff --git a/bin/tests/system/resolver/ns11/named.conf.in b/bin/tests/system/resolver/ns11/named.conf.in
new file mode 100644
index 0000000000..14ed048629
--- /dev/null
+++ b/bin/tests/system/resolver/ns11/named.conf.in
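Review bot: The reason EDE 20 is attached only on the WANTRECURSION branch lives in the commit message and not in the code, so a reader of ns__query_start will not know why the non-RD REFUSED path (the `} else {` at the end of the hunk) deliberately gets no EDE. A comment above the added dns_ede_add call would carry it: `/* RFC 8914 EDE 20: the client set RD but recursion is disabled here. The RD-clear case is intentionally not covered: BIND answers it with a referral from the deepest known zone rather than an error. */`. It is also worth keeping the EXTRA-TEXT "recursion disabled" as generic as it is, since it is sent on the wire to any client that gets the REFUSED. ns__query_start begins and ends outside the hunk.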
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.11;
+	notify-source 10.53.0.11;
+	transfer-source 10.53.0.11;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.11; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
diff --git a/bin/tests/system/resolver/setup.sh b/bin/tests/system/resolver/setup.sh
index eeda13bcd0..ae64e5f93e 100644
--- a/bin/tests/system/resolver/setup.sh
+++ b/bin/tests/system/resolver/setup.sh
@@ -24,5 +24,6 @@ copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named1.conf.in ns7/named.conf
 copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns11/named.conf.in ns11/named.conf
 
 (cd ns6 && $SHELL keygen.sh)
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index d667a2b2dd..95e8617ad9 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -1015,5 +1015,14 @@ ttl=$(awk '{print $2}' dig.ns1.out.${n})
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "client requests recursion but it is disabled - expect EDE 20 code with REFUSED($n)"
+ret=0
+dig_with_opts +recurse www.isc.org @10.53.0.11 a >dig.out.ns11.test${n} || ret=1
+grep "status: REFUSED" dig.out.ns11.test${n} >/dev/null || ret=1
+grep -F "EDE: 20 (Not Authoritative)" dig.out.ns11.test${n} >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
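Review bot: The new tests.sh check matches only `EDE: 20 (Not Authoritative)`, so it would also pass if the code were produced by some other path; matching the EXTRA-TEXT that the first patch attaches ties the test to the recursion-disabled branch, e.g. `grep -F "EDE: 20 (Not Authoritative): (recursion disabled)" dig.out.ns11.test${n} >/dev/null || ret=1` (assuming dig prints EXTRA-TEXT in that parenthesised form — confirm against an actual dig.out.ns11 file). The test relies on ns11 serving no zones at all (the named.conf.in hunk declares none), which is what makes the RD query REFUSED rather than a referral; a one-line comment saying so before the dig call would keep the fixture from being "fixed" later. If the resolver test's clean.sh enumerates generated named.conf files per server, ns11/named.conf likely needs adding there too, which this patch does not show. dig_with_opts and echo_i are defined outside the hunk.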