domain/base/iana/
exterr.rs

1//! Extended DNS Error
2
3//------------ Extended Error Code -------------------------------------------
4
5int_enum! {
6    /// Extended DNS error codes.
7    ///
8    /// A complementary data can be put in EDNS opt, providing
9    /// additional information about the cause of DNS errors. Defined
10    /// in [RFC 8914]. Current registered values can be found in [IANA
11    /// registry].
12    ///
13    /// [RFC 8914]: https://tools.ietf.org/html/rfc8914
14    /// [IANA registry]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#extended-dns-error-codes
15    =>
16    ExtendedErrorCode, u16;
17
18    /// The error in question falls into a category that does not
19    /// match known extended error codes. Implementations SHOULD
20    /// include an EXTRA-TEXT value to augment this error code with
21    /// additional information.
22    (OTHER => 0, "Other Error")
23
24    /// The resolver attempted to perform DNSSEC validation, but a DNSKEY
25    /// RRset contained only unsupported DNSSEC algorithms.
26    (UNSUPPORTED_DNSKEY_ALGORITHM => 1, "Unsupported DNSKEY Algorithm")
27
28    /// The resolver attempted to perform DNSSEC validation, but a DS
29    /// RRset contained only unsupported Digest Types.
30    (UNSUPPORTED_DS_DIGEST_TYPE => 2, "Unsupported DS Digest Type")
31
32    /// The resolver was unable to resolve the answer within its time
33    /// limits and decided to answer with previously cached data
34    /// instead of answering with an error. This is typically caused
35    /// by problems communicating with an authoritative server,
36    /// possibly as result of a denial of service (DoS) attack against
37    /// another network. (See also Code 19.)
38    (STALE_ANSWER => 3, "Stale Answer")
39
40    /// For policy reasons (legal obligation or malware filtering, for
41    /// instance), an answer was forged. Note that this should be
42    /// used when an answer is still provided, not when failure
43    /// codes are returned instead. See Blocked (15), Censored
44    /// (16), and Filtered (17) for use when returning other
45    /// response codes.
46    (FORGED_ANSWER => 4, "Forged Answer")
47
48    /// The resolver attempted to perform DNSSEC validation, but
49    /// validation ended in the Indeterminate state [RFC 4035].
50    ///
51    /// [RFC 4035]: https://tools.ietf.org/html/rfc4035
52    (DNSSEC_INDETERMINATE => 5, "DNSSEC Indeterminate")
53
54    /// The resolver attempted to perform DNSSEC validation, but
55    /// validation ended in the Bogus state.
56    (DNSSEC_BOGUS => 6, "DNSSEC Bogus")
57
58    /// The resolver attempted to perform DNSSEC validation, but no
59    /// signatures are presently valid and some (often all) are
60    /// expired.
61    (SIGNATURE_EXPIRED => 7, "Signature Expired")
62
63    /// The resolver attempted to perform DNSSEC validation, but no
64    /// signatures are presently valid and at least some are not yet
65    /// valid.
66    (SIGNATURE_NOT_YET_VALID => 8, "Signature Not Yet Valid")
67
68    /// A DS record existed at a parent, but no supported matching
69    /// DNSKEY record could be found for the child.
70    (DNSKEY_MISSING => 9, "DNSKEY Missing")
71
72    /// The resolver attempted to perform DNSSEC validation, but no
73    /// RRSIGs could be found for at least one RRset where RRSIGs were
74    /// expected.
75    (RRSIGS_MISSING => 10, "RRSIGs Missing")
76
77    /// The resolver attempted to perform DNSSEC validation, but no
78    /// Zone Key Bit was set in a DNSKEY.
79    (NO_ZONE_KEY_BIT_SET => 11, "No Zone Key Bit Set")
80
81    /// The resolver attempted to perform DNSSEC validation, but the
82    /// requested data was missing and a covering NSEC or NSEC3 was
83    /// not provided.
84    (NSEC_MISSING => 12, "NSEC Missing")
85
86    /// The resolver is returning the SERVFAIL RCODE from its cache.
87    (CACHED_ERROR => 13, "Cached Error")
88
89    /// The server is unable to answer the query, as it was not fully
90    /// functional when the query was received.
91    (NOT_READY => 14, "Not Ready")
92
93    /// The server is unable to respond to the request because the
94    /// domain is on a blocklist due to an internal security policy
95    /// imposed by the operator of the server resolving or forwarding
96    /// the query.
97    (BLOCKED => 15, "Blocked")
98
99    /// The server is unable to respond to the request because the
100    /// domain is on a blocklist due to an external requirement
101    /// imposed by an entity other than the operator of the server
102    /// resolving or forwarding the query. Note that how the imposed
103    /// policy is applied is irrelevant (in-band DNS filtering, court
104    /// order, etc.).
105    (CENSORED => 16, "Censored")
106
107    /// The server is unable to respond to the request because the
108    /// domain is on a blocklist as requested by the client.
109    /// Functionally, this amounts to "you requested that we filter
110    /// domains like this one."
111    (FILTERED => 17, "Filtered")
112
113    /// An authoritative server or recursive resolver that receives a
114    /// query from an "unauthorized" client can annotate its REFUSED
115    /// message with this code. Examples of "unauthorized" clients are
116    /// recursive queries from IP addresses outside the network,
117    /// blocklisted IP addresses, local policy, etc.
118    (PROHIBITED => 18, "Prohibited")
119
120    /// The resolver was unable to resolve an answer within its
121    /// configured time limits and decided to answer with a previously
122    /// cached NXDOMAIN answer instead of answering with an error.
123    /// This may be caused, for example, by problems communicating
124    /// with an authoritative server, possibly as result of a denial
125    /// of service (DoS) attack against another network. (See also
126    /// Code 3.)
127    (STALE_NXDOMAIN_ANSWER => 19, "Stale NXDomain Answer")
128
129    /// An authoritative server that receives a query with the
130    /// Recursion Desired (RD) bit clear, or when it is not configured
131    /// for recursion for a domain for which it is not authoritative,
132    /// SHOULD include this EDE code in the REFUSED response. A
133    /// resolver that receives a query with the RD bit clear SHOULD
134    /// include this EDE code in the REFUSED response.
135    (NOT_AUTHORITATIVE => 20, "Not Authoritative")
136
137    /// The requested operation or query is not supported.
138    (NOT_SUPPORTED => 21, "Not Supported")
139
140    /// The resolver could not reach any of the authoritative name
141    /// servers (or they potentially refused to reply).
142    (NO_REACHABLE_AUTHORITY => 22, "No Reachable Authority")
143
144    /// An unrecoverable error occurred while communicating with
145    /// another server.
146    (NETWORK_ERROR => 23, "Network Error")
147
148    /// The authoritative server cannot answer with data for a zone it
149    /// is otherwise configured to support. Examples of this include
150    /// its most recent zone being too old or having expired.
151    (INVALID_DATA => 24, "Invalid Data")
152
153    /// The requested resource record type should not appear in a query.
154    (INVALID_QUERY_TYPE => 30, "Invalid Query Type")
155}
156
157/// Start of the private range for EDE codes.
158///
159/// ```text
160/// Registration Procedures:
161///  o  0     - 49151: First come, first served.
162///  o  49152 - 65535: Private use.
163/// ```
164pub const EDE_PRIVATE_RANGE_BEGIN: u16 = 49152;
165
166int_enum_str_with_prefix!(
167    ExtendedErrorCode,
168    "EDE",
169    b"EDE",
170    u16,
171    "unknown error code"
172);