$ obj/dig @1.1.1.1 dnssec-failed.org ; <<>> dig 9.10.8-P1 <<>> @1.1.1.1 dnssec-failed.org ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26772 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; EDE: 6 (DNSSEC Bogus) ;; QUESTION SECTION: ;dnssec-failed.org. IN A ;; Query time: 244 msec ;; SERVER: 1.1.1.1#53(1.1.1.1) ;; WHEN: Fri Oct 30 14:59:09 CET 2020 ;; MSG SIZE rcvd: 52 Since I'm not aware of a server/query combination that responds with UTF-8 encoded EXTENDED-TEXT I didn't implement anything special for this so it will use the default renderer that's also used for NSIDs, printing a hexdump + printable ascii, e.g.: $ dig @k.root-servers.net +nsid . soa [...] ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; NSID: 6e 73 33 2e 6e 6c 2d 61 6d 73 2e 6b 2e 72 69 70 65 2e 6e 65 74 ("ns3.nl-ams.k.ripe.net") OK?
diff --git lib/dns/include/dns/message.h lib/dns/include/dns/message.h
index 65ffcfd4c3f..a70720eee39 100644
--- lib/dns/include/dns/message.h
+++ lib/dns/include/dns/message.h
@@ -104,6 +104,7 @@
 #define DNS_OPT_COOKIE 10 /*%< COOKIE opt code */
 #define DNS_OPT_PAD 12 /*%< PAD opt code */
 #define DNS_OPT_KEY_TAG 14 /*%< Key tag opt code */
+#define DNS_OPT_EDE 15 /* RFC 8914 */

 /*%< The number of EDNS options we know about. */
 #define DNS_EDNSOPTIONS 4
diff --git lib/dns/message.c lib/dns/message.c
index 5e0fb167382..9721f9c0ef4 100644
--- lib/dns/message.c
+++ lib/dns/message.c
@@ -2434,6 +2434,68 @@ render_ecs(isc_buffer_t *ecsbuf, isc_buffer_t *target) {
 return (ISC_R_SUCCESS);
 }

+static const char *
+ede_info_code2str(uint16_t info_code)
+{
+ if (info_code > 49151)
+ return "Private Use";
+
+ switch (info_code) {
+ case 0:
+ return "Other Error";
+ case 1:
+ return "Unsupported DNSKEY Algorithm";
+ case 2:
+ return "Unsupported DS Digest Type";
+ case 3:
+ return "Stale Answer";
+ case 4:
+ return "Forged Answer";
+ case 5:
+ return "DNSSEC Indeterminate";
+ case 6:
+ return "DNSSEC Bogus";
+ case 7:
+ return "Signature Expired";
+ case 8:
+ return "Signature Not Yet Valid";
+ case 9:
+ return "DNSKEY Missing";
+ case 10:
+ return "RRSIGs Missing";
+ case 11:
+ return "No Zone Key Bit Set";
+ case 12:
+ return "NSEC Missing";
+ case 13:
+ return "Cached Error";
+ case 14:
+ return "Not Ready";
+ case 15:
+ return "Blocked";
+ case 16:
+ return "Censored";
+ case 17:
+ return "Filtered";
+ case 18:
+ return "Prohibited";
+ case 19:
+ return "Stale NXDomain Answer";
+ case 20:
+ return "Not Authoritative";
+ case 21:
+ return "Not Supported";
+ case 22:
+ return "No Reachable Authority";
+ case 23:
+ return "Network Error";
+ case 24:
+ return "Invalid Data";
+ default:
+ return "Unassigned";
+ }
+}
+
 isc_result_t
 dns_message_pseudosectiontotext(dns_message_t *msg,
 dns_pseudosection_t section,
@@ -2557,6 +2619,20 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 ADD_STRING(target, "\n");
 continue;
 }
+ } else if (optcode == DNS_OPT_EDE) {
+ uint16_t info_code;
+ ADD_STRING(target, "; EDE");
+ if (optlen >= 2) {
+ info_code =
+ isc_buffer_getuint16(&optbuf);
+ optlen -= 2;
+ snprintf(buf, sizeof(buf), ": %u (",
+ info_code);
+ ADD_STRING(target, buf);
+ ADD_STRING(target,
+ ede_info_code2str(info_code));
+ ADD_STRING(target, ")");
+ }
 } else {
 ADD_STRING(target, "; OPT=");
 snprintf(buf, sizeof(buf), "%u", optcode);
-- I'm not entirely sure you are real.
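Review bot: `ede_info_code2str()` carries no comment saying where its table comes from, so a reader cannot tell that the labels are a snapshot of the RFC 8914 info-code registry or why 49151 is the cut-off. Any code registered after the table was written is printed as "Unassigned", which can mislead an operator reading a resolver's failure reason. I would state both above the function, e.g. `/* Names from the RFC 8914 EDE info-code registry; 49152-65535 is Private Use, codes not listed here print as "Unassigned". */`. The function also departs from the style visible in this file's context lines: the opening brace is on its own line and the returns are unparenthesised, where the surrounding code has `render_ecs(...) {` and `return (ISC_R_SUCCESS);`.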
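Review bot: In the new `DNS_OPT_EDE` branch an option shorter than the two-octet INFO-CODE is rendered as a bare `; EDE` with nothing marking it as malformed, and any remaining bytes are left to code after the branch. The EXTRA-TEXT is chosen by the remote server, and per the description it is handed to the generic hexdump-plus-ASCII renderer, which lies outside this hunk, so terminal safety rests on that renderer emitting only printable bytes. I would record this at the top of the branch, e.g. `/* INFO-CODE is 2 octets; the remainder is untrusted EXTRA-TEXT, left to the generic hex/ASCII dump below. */`, and consider marking the `optlen < 2` case explicitly in the output. The body of `dns_message_pseudosectiontotext()` starts and ends outside the hunk, so the fall-through behaviour should be confirmed there.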