On Fri, Oct 30, 2020 at 03:04:03PM +0100, Florian Obser wrote: Love it,
-Otto
> $ obj/dig @1.1.1.1 dnssec-failed.org
>
> ; <<>> dig 9.10.8-P1 <<>> @1.1.1.1 dnssec-failed.org
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26772
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; EDE: 6 (DNSSEC Bogus)
> ;; QUESTION SECTION:
> ;dnssec-failed.org. IN A
>
> ;; Query time: 244 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Fri Oct 30 14:59:09 CET 2020
> ;; MSG SIZE rcvd: 52
>
> Since I'm not aware of a server/query combination that responds with
> UTF-8 encoded EXTENDED-TEXT I didn't implement anything special for
> this so it will use the default renderer that's also used for NSIDs,
> printing a hexdump + printable ascii, e.g.:
>
> $ dig @k.root-servers.net +nsid . soa
> [...]
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; NSID: 6e 73 33 2e 6e 6c 2d 61 6d 73 2e 6b 2e 72 69 70 65 2e 6e 65 74
> ("ns3.nl-ams.k.ripe.net")
>
> OK?
>
> diff --git lib/dns/include/dns/message.h lib/dns/include/dns/message.h
> index 65ffcfd4c3f..a70720eee39 100644
> --- lib/dns/include/dns/message.h
> +++ lib/dns/include/dns/message.h
> @@ -104,6 +104,7 @@
> #define DNS_OPT_COOKIE 10 /*%< COOKIE opt code */
> #define DNS_OPT_PAD 12 /*%< PAD opt code */
> #define DNS_OPT_KEY_TAG 14 /*%< Key tag opt code */
> +#define DNS_OPT_EDE 15 /* RFC 8914 */
>
> /*%< The number of EDNS options we know about. */
> #define DNS_EDNSOPTIONS 4
> diff --git lib/dns/message.c lib/dns/message.c
> index 5e0fb167382..9721f9c0ef4 100644
> --- lib/dns/message.c
> +++ lib/dns/message.c
> @@ -2434,6 +2434,68 @@ render_ecs(isc_buffer_t *ecsbuf, isc_buffer_t *target)
> {
> return (ISC_R_SUCCESS);
> }
>
> +static const char *
> +ede_info_code2str(uint16_t info_code)
> +{
> + if (info_code > 49151)
> + return "Private Use";
> +
> + switch (info_code) {
> + case 0:
> + return "Other Error";
> + case 1:
> + return "Unsupported DNSKEY Algorithm";
> + case 2:
> + return "Unsupported DS Digest Type";
> + case 3:
> + return "Stale Answer";
> + case 4:
> + return "Forged Answer";
> + case 5:
> + return "DNSSEC Indeterminate";
> + case 6:
> + return "DNSSEC Bogus";
> + case 7:
> + return "Signature Expired";
> + case 8:
> + return "Signature Not Yet Valid";
> + case 9:
> + return "DNSKEY Missing";
> + case 10:
> + return "RRSIGs Missing";
> + case 11:
> + return "No Zone Key Bit Set";
> + case 12:
> + return "NSEC Missing";
> + case 13:
> + return "Cached Error";
> + case 14:
> + return "Not Ready";
> + case 15:
> + return "Blocked";
> + case 16:
> + return "Censored";
> + case 17:
> + return "Filtered";
> + case 18:
> + return "Prohibited";
> + case 19:
> + return "Stale NXDomain Answer";
> + case 20:
> + return "Not Authoritative";
> + case 21:
> + return "Not Supported";
> + case 22:
> + return "No Reachable Authority";
> + case 23:
> + return "Network Error";
> + case 24:
> + return "Invalid Data";
> + default:
> + return "Unassigned";
> + }
> +}
> +
> isc_result_t
> dns_message_pseudosectiontotext(dns_message_t *msg,
> dns_pseudosection_t section,
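Review bot: The bare `49151` in `if (info_code > 49151)` gives no hint where the boundary comes from; a comment such as `/* RFC 8914: INFO-CODEs 49152-65535 are reserved for Private Use */` above the test would document it. The `default:` label also prints "Unassigned" for any code added to the registry after this table was written, so a one-line header comment saying the list mirrors the RFC 8914 initial registry would tell maintainers where to look when updating it. Every return value is a fixed literal, so the server-supplied code only selects a string and is never itself treated as text; that property should be kept if the switch is later turned into a table.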
> @@ -2557,6 +2619,20 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
> ADD_STRING(target, "\n");
> continue;
> }
> + } else if (optcode == DNS_OPT_EDE) {
> + uint16_t info_code;
> + ADD_STRING(target, "; EDE");
> + if (optlen >= 2) {
> + info_code =
> + isc_buffer_getuint16(&optbuf);
> + optlen -= 2;
> + snprintf(buf, sizeof(buf), ": %u (",
> + info_code);
> + ADD_STRING(target, buf);
> + ADD_STRING(target,
> + ede_info_code2str(info_code));
> + ADD_STRING(target, ")");
> + }
> } else {
> ADD_STRING(target, "; OPT=");
> snprintf(buf, sizeof(buf), "%u", optcode);
>
>
> --
> I'm not entirely sure you are real.
>
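Review bot: The bytes that remain after the INFO-CODE (EXTRA-TEXT in RFC 8914) are chosen by the responding server, and this branch leaves them to code after the `else if` chain, which lies outside the hunk; per the description that is the hexdump plus printable-ASCII path also used for NSID. A comment after `optlen -= 2;` would make that reliance explicit, for example `/* EXTRA-TEXT is untrusted; left to the generic hexdump renderer below, never written raw */`, so that a later UTF-8 renderer does not hand control or escape sequences to the terminal. An option shorter than two bytes is printed as a bare `; EDE` with nothing marking it as malformed, which may be worth an `else` branch that says so. The body of dns_message_pseudosectiontotext starts and ends outside this hunk, so the fall-through behaviour is inferred from the description rather than from visible lines.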