Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-extended-error and combinations of EDEs and RCODEs

Viktor Dukhovni <> Fri, 13 September 2019 17:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CA95F1200D5 for <>; Fri, 13 Sep 2019 10:02:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CcYGbu-OzZE2 for <>; Fri, 13 Sep 2019 10:02:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 31F8E1200FA for <>; Fri, 13 Sep 2019 10:02:11 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id F33EF2A69D0 for <>; Fri, 13 Sep 2019 13:02:09 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <>
In-Reply-To: <>
Date: Fri, 13 Sep 2019 13:02:07 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-extended-error and combinations of EDEs and RCODEs
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Sep 2019 17:02:14 -0000

> On Sep 13, 2019, at 9:38 AM, Paul Hoffman <> wrote:
>> "There are many reasons that a DNS query may fail, some of them
>> transient, some permanent; some can be resolved by querying another
>> server, some are likely best handled by stopping resolution.
>> Unfortunately, the error signals that a DNS server can return are
>> very limited, and are not very expressive."
> Fully agree. That's why I'm pressing for clarification by addition of determinative text, not just removal of confusing text.

If more fine-grained RCODEs are needed, then perhaps bite
the bullet and add them as EXTENDED-RCODEs in the currently
unassigned range:

       23 - 3,840
   0x0017 - 0x0F00

with the limitation that new EXTENDED-RCODE values are for
legacy clients implicitly refinements of SERVFAIL, since a
client that does not understand a new RCODE can only treat
it as some sort of unknown failure.

With EDEs as largely diagnostic refinement, the EXTENDED-RCODE
remains unchanged and dispositive, and the EDE do not generally
change client behaviour.

There are perhaps cases where a client might choose to not retry
a query that returned REFUSED when the EDE is:

  3.16. Extended DNS Error Code 15 - Blocked
  3.17. Extended DNS Error Code 16 - Censored
  3.18. Extended DNS Error Code 17 - Prohibited
  3.19. Extended DNS Error Code 18 - Filtered
  3.22. Extended DNS Error Code 21 - Deprecated

or not retry a SERVFAIL when the EDE is:

  3.21. Extended DNS Error Code 20 - Lame

if it is reasonable to expect the same response from any
other nameservers one might use in retries.  Is it the
intent of this draft that the above or similar would
be used by some clients to make retry/abort decisions?

If so, perhaps it then makes sense to specify the EXTENDED-RCODE + EDE
combinations that go beyond mere diagnostic information, and would be
potential "permanent" errors.

If an iterative resolver encounters a REFUSED from its upstream,
in combination with one of the "permanent" EDEs, might it then
in turn return REFUSED with the same EDE to its client (without
retrying) rather than SERVFAIL after exhausting all upstream
servers (presumably its present behaviour)?