researchdnsv4.radianceis.com
129.88.46.51

URL: https://researchdnsv4.radianceis.com/
Submission: On August 29 via api from US — Scanned from FR


EXTENDED DNS ERRORS


ABOUT

The Domain Name System (DNS) relies on response codes to confirm successful
transactions or indicate anomalies. Yet, the codes are not sufficiently
fine-grained to pinpoint the root causes of resolution failures. RFC 8914
(Extended DNS Errors or EDE) addresses the problem by defining a new extensible
registry of error codes to be served inside the OPT resource record. We studied
the implementation of EDE by four major DNS resolver vendors and three large
public DNS resolvers. They correctly narrow down the cause of underlying
problems, but do not agree in 94% of our test cases in terms of the returned EDE
codes. We additionally performed a large-scale analysis of more than 303M
registered domain names. We show that 17.7M of them trigger EDE codes. Lame
delegations and DNSSEC validation failures are the most common problems
encountered.


PAPER

We describe our findings in greater detail in our paper. Please use the
citation below to refer to it:

@inproceedings{nosyk2023ede,
    author = {Nosyk, Yevheniya and Korczyński, Maciej and Duda, Andrzej},
    title = {Extended DNS Errors: Unlocking the Full Potential of DNS Troubleshooting},
    year = {2023},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3618257.3624835},
    doi = {10.1145/3618257.3624835},
    booktitle = {Proceedings of the 2023 ACM Internet Measurement Conference},
    location = {Montréal, Canada},
    series = {IMC '23}
}


TESTING INFRASTRUCTURE

This (extended-dns-errors.com) domain name has 63 subdomains with various
misconfigurations or corner cases. Feel free to query those to check how your
recursive resolver behaves when faced with erroneous domains. All the
configuration instructions are provided here:

Subdomain                  Configuration
-------------------------  ------------------------------------------------------------
valid                      The correctly configured control domain
unsigned                   The domain name is not signed with DNSSEC
allow-query-none           Nameserver does not accept queries for the subdomain
allow-query-localhost      Nameserver only accepts queries from the localhost
no-ds                      The subdomain is correctly signed but no DS record was published at the parent zone
ds-bad-tag                 The key tag field of the DS record at the parent zone does not correspond to the KSK DNSKEY ID at the child zone
ds-bad-key-algo            The algorithm field of the DS record at the parent zone does not correspond to the KSK DNSKEY algorithm at the child zone
ds-unassigned-key-algo     The algorithm value of the DS record at the parent zone is unassigned (100)
ds-reserved-key-algo       The algorithm value of the DS record at the parent zone is reserved (200)
ds-unassigned-digest-algo  The digest algorithm value of the DS record at the parent zone is unassigned (100)
ds-bogus-digest-value      The digest value of the DS record at the parent zone does not correspond to the KSK DNSKEY at the child zone
rrsig-exp-all              All the RRSIG records are expired
rrsig-exp-a                The RRSIG over A RRset is expired
rrsig-not-yet-all          All the RRSIG records are not yet valid
rrsig-not-yet-a            The RRSIG over A RRset is not yet valid
rrsig-exp-before-all       All the RRSIGs expired before the inception time
rrsig-exp-before-a         The RRSIG over A RRset expired before the inception time
rrsig-no-all               All the RRSIGs were removed from the zone file
rrsig-no-a                 The RRSIG over A RRset was removed from the zone file
no-rrsig-ksk               The RRSIG over KSK DNSKEY was removed from the zone file
no-rrsig-dnskey            All the RRSIGs over DNSKEY RRsets were removed from the zone file
bad-nsec3-hash             Hashed owner names were modified in all the NSEC3 records
bad-nsec3-next             Next hashed owner names were modified in all the NSEC3 records
bad-nsec3param-salt        The salt value of the NSEC3PARAM resource record is wrong
bad-nsec3-rrsig            RRSIGs over NSEC3 RRsets are bogus
nsec3-missing              All the NSEC3 records were removed from the zone file
nsec3-rrsig-missing        RRSIGs over NSEC3 RRsets were removed from the zone file
nsec3param-missing         NSEC3PARAM resource record was removed from the zone file
no-nsec3param-nsec3        NSEC3 and NSEC3PARAM resource records were removed from the zone file
no-zsk                     The ZSK DNSKEY was removed from the zone file
bad-zsk                    The ZSK DNSKEY resource record is wrong
no-ksk                     The KSK DNSKEY was removed from the zone file
bad-rrsig-ksk              The RRSIG over KSK DNSKEY is wrong
bad-ksk                    The KSK DNSKEY is wrong
bad-rrsig-dnskey           All the RRSIGs over DNSKEY RRsets are wrong
no-dnskey-256              The Zone Key Bit is set to 0 for the ZSK DNSKEY
no-dnskey-257              The Zone Key Bit is set to 0 for the KSK DNSKEY
no-dnskey-256-257          The Zone Key Bit is set to 0 for both the KSK DNSKEY and ZSK DNSKEY
bad-zsk-algo               The ZSK DNSKEY algorithm number is wrong
unassigned-zsk-algo        The ZSK DNSKEY algorithm number is unassigned (100)
reserved-zsk-algo          The ZSK DNSKEY algorithm number is reserved (200)
ed448                      The zone is signed with ED448 algorithm
v6-mapped                  The AAAA glue record at the parent zone is an IPv6-mapped IPv4 address
v6-unspecified             The AAAA glue record at the parent zone is an unspecified address
v4-hex                     The AAAA glue record at the parent zone is an IPv4 address in hex form
v6-link-local              The AAAA glue record at the parent zone is a link local address
v6-localhost               The AAAA glue record at the parent zone is a localhost
v6-mapped-dep              The AAAA glue record at the parent zone is a deprecated IPv6-mapped IPv4 address
v6-doc                     The AAAA glue record at the parent zone is from the documentation range
v6-unique-local            The AAAA glue record at the parent zone is from a unique local address
v6-nat64                   The AAAA glue record at the parent zone is used for NAT64
v6-multicast               The AAAA glue record at the parent zone is from a multicast range
v4-private-10              The A glue record at the parent zone is a private address
v4-private-172             The A glue record at the parent zone is a private address
v4-private-192             The A glue record at the parent zone is a private address
v4-this-host               The A glue record at the parent zone is 0.0.0.0
v4-loopback                The A glue record at the parent zone is a loopback address
v4-link-local              The A glue record at the parent zone is a link-local address
v4-doc                     The A glue record at the parent zone is a documentation address
v4-reserved                The A glue record at the parent zone is a reserved address
dsa                        The zone is signed with DSA algorithm
nsec3-iter-200             NSEC3 iteration count is set to 200
rsamd5                     The zone is signed with RSAMD5 algorithm
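
When comparing how resolvers answer for these subdomains, the EDE has to be read out of the OPT record of the raw response. The following is an added example, not code from the paper or the project: it walks a DNS message, finds the OPT record (type 41) and decodes every RFC 8914 option (option code 15) into its info-code and extra text. The sample reply is constructed for illustration, not captured from a resolver, and a real resolver may return a different code for the same subdomain.

```python
import struct

# OPT RR type (RFC 6891), EDE option code and a subset of info-codes (RFC 8914).
OPT_TYPE, EDE_OPTION = 41, 15
EDE_NAMES = {1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
             6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
             9: "DNSKEY Missing", 10: "RRSIGs Missing", 11: "No Zone Key Bit Set",
             12: "NSEC Missing", 22: "No Reachable Authority", 23: "Network Error"}

def skip_name(msg, off):            # offset just past a (possibly compressed) name
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:             # root label terminates the name
            return off

def extract_ede(msg):
    """Return (info_code, name, extra_text) for each EDE option in a DNS message."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):             # question entry: name, then type and class
        off = skip_name(msg, off) + 4
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        pos, end = off + 10, off + 10 + rdlen
        while rtype == OPT_TYPE and pos + 4 <= end:   # walk the EDNS options
            code, optlen = struct.unpack_from("!HH", msg, pos)
            data = msg[pos + 4:pos + 4 + optlen]
            if code == EDE_OPTION and len(data) >= 2:
                info = struct.unpack("!H", data[:2])[0]
                text = data[2:].decode("utf-8", "replace").rstrip("\x00")
                found.append((info, EDE_NAMES.get(info, "unknown"), text))
            pos += 4 + optlen
        off = end
    return found

def sample_response():
    """Constructed SERVFAIL reply for rrsig-exp-all.extended-dns-errors.com."""
    labels = (b"rrsig-exp-all", b"extended-dns-errors", b"com")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    ede = struct.pack("!H", 7) + b"signature expired"
    rdata = struct.pack("!HH", EDE_OPTION, len(ede)) + ede
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0x8000, len(rdata)) + rdata
    header = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1)
    return header + qname + struct.pack("!HH", 1, 1) + opt
```

Feeding extract_ede() the raw bytes returned by each resolver under test for the same subdomain makes disagreements in the returned codes directly comparable.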


CONTACT US

If you want to find out more about this project, contact us at
yevheniya.nosyk@univ-grenoble-alpes.fr.