domain/base/iana/exterr.rs
1//! Extended DNS Error
2
3//------------ Extended Error Code -------------------------------------------
4
5int_enum! {
6 /// Extended DNS error codes.
7 ///
8 /// A complementary data can be put in EDNS opt, providing
9 /// additional information about the cause of DNS errors. Defined
10 /// in [RFC 8914]. Current registered values can be found in [IANA
11 /// registry].
12 ///
13 /// [RFC 8914]: https://tools.ietf.org/html/rfc8914
14 /// [IANA registry]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#extended-dns-error-codes
15 =>
16 ExtendedErrorCode, u16;
17
18 /// The error in question falls into a category that does not
19 /// match known extended error codes. Implementations SHOULD
20 /// include an EXTRA-TEXT value to augment this error code with
21 /// additional information.
22 (OTHER => 0, "Other Error")
23
24 /// The resolver attempted to perform DNSSEC validation, but a DNSKEY
25 /// RRset contained only unsupported DNSSEC algorithms.
26 (UNSUPPORTED_DNSKEY_ALGORITHM => 1, "Unsupported DNSKEY Algorithm")
27
28 /// The resolver attempted to perform DNSSEC validation, but a DS
29 /// RRset contained only unsupported Digest Types.
30 (UNSUPPORTED_DS_DIGEST_TYPE => 2, "Unsupported DS Digest Type")
31
32 /// The resolver was unable to resolve the answer within its time
33 /// limits and decided to answer with previously cached data
34 /// instead of answering with an error. This is typically caused
35 /// by problems communicating with an authoritative server,
36 /// possibly as result of a denial of service (DoS) attack against
37 /// another network. (See also Code 19.)
38 (STALE_ANSWER => 3, "Stale Answer")
39
40 /// For policy reasons (legal obligation or malware filtering, for
41 /// instance), an answer was forged. Note that this should be
42 /// used when an answer is still provided, not when failure
43 /// codes are returned instead. See Blocked (15), Censored
44 /// (16), and Filtered (17) for use when returning other
45 /// response codes.
46 (FORGED_ANSWER => 4, "Forged Answer")
47
48 /// The resolver attempted to perform DNSSEC validation, but
49 /// validation ended in the Indeterminate state [RFC 4035].
50 ///
51 /// [RFC 4035]: https://tools.ietf.org/html/rfc4035
52 (DNSSEC_INDETERMINATE => 5, "DNSSEC Indeterminate")
53
54 /// The resolver attempted to perform DNSSEC validation, but
55 /// validation ended in the Bogus state.
56 (DNSSEC_BOGUS => 6, "DNSSEC Bogus")
57
58 /// The resolver attempted to perform DNSSEC validation, but no
59 /// signatures are presently valid and some (often all) are
60 /// expired.
61 (SIGNATURE_EXPIRED => 7, "Signature Expired")
62
63 /// The resolver attempted to perform DNSSEC validation, but no
64 /// signatures are presently valid and at least some are not yet
65 /// valid.
66 (SIGNATURE_NOT_YET_VALID => 8, "Signature Not Yet Valid")
67
68 /// A DS record existed at a parent, but no supported matching
69 /// DNSKEY record could be found for the child.
70 (DNSKEY_MISSING => 9, "DNSKEY Missing")
71
72 /// The resolver attempted to perform DNSSEC validation, but no
73 /// RRSIGs could be found for at least one RRset where RRSIGs were
74 /// expected.
75 (RRSIGS_MISSING => 10, "RRSIGs Missing")
76
77 /// The resolver attempted to perform DNSSEC validation, but no
78 /// Zone Key Bit was set in a DNSKEY.
79 (NO_ZONE_KEY_BIT_SET => 11, "No Zone Key Bit Set")
80
81 /// The resolver attempted to perform DNSSEC validation, but the
82 /// requested data was missing and a covering NSEC or NSEC3 was
83 /// not provided.
84 (NSEC_MISSING => 12, "NSEC Missing")
85
86 /// The resolver is returning the SERVFAIL RCODE from its cache.
87 (CACHED_ERROR => 13, "Cached Error")
88
89 /// The server is unable to answer the query, as it was not fully
90 /// functional when the query was received.
91 (NOT_READY => 14, "Not Ready")
92
93 /// The server is unable to respond to the request because the
94 /// domain is on a blocklist due to an internal security policy
95 /// imposed by the operator of the server resolving or forwarding
96 /// the query.
97 (BLOCKED => 15, "Blocked")
98
99 /// The server is unable to respond to the request because the
100 /// domain is on a blocklist due to an external requirement
101 /// imposed by an entity other than the operator of the server
102 /// resolving or forwarding the query. Note that how the imposed
103 /// policy is applied is irrelevant (in-band DNS filtering, court
104 /// order, etc.).
105 (CENSORED => 16, "Censored")
106
107 /// The server is unable to respond to the request because the
108 /// domain is on a blocklist as requested by the client.
109 /// Functionally, this amounts to "you requested that we filter
110 /// domains like this one."
111 (FILTERED => 17, "Filtered")
112
113 /// An authoritative server or recursive resolver that receives a
114 /// query from an "unauthorized" client can annotate its REFUSED
115 /// message with this code. Examples of "unauthorized" clients are
116 /// recursive queries from IP addresses outside the network,
117 /// blocklisted IP addresses, local policy, etc.
118 (PROHIBITED => 18, "Prohibited")
119
120 /// The resolver was unable to resolve an answer within its
121 /// configured time limits and decided to answer with a previously
122 /// cached NXDOMAIN answer instead of answering with an error.
123 /// This may be caused, for example, by problems communicating
124 /// with an authoritative server, possibly as result of a denial
125 /// of service (DoS) attack against another network. (See also
126 /// Code 3.)
127 (STALE_NXDOMAIN_ANSWER => 19, "Stale NXDomain Answer")
128
129 /// An authoritative server that receives a query with the
130 /// Recursion Desired (RD) bit clear, or when it is not configured
131 /// for recursion for a domain for which it is not authoritative,
132 /// SHOULD include this EDE code in the REFUSED response. A
133 /// resolver that receives a query with the RD bit clear SHOULD
134 /// include this EDE code in the REFUSED response.
135 (NOT_AUTHORITATIVE => 20, "Not Authoritative")
136
137 /// The requested operation or query is not supported.
138 (NOT_SUPPORTED => 21, "Not Supported")
139
140 /// The resolver could not reach any of the authoritative name
141 /// servers (or they potentially refused to reply).
142 (NO_REACHABLE_AUTHORITY => 22, "No Reachable Authority")
143
144 /// An unrecoverable error occurred while communicating with
145 /// another server.
146 (NETWORK_ERROR => 23, "Network Error")
147
148 /// The authoritative server cannot answer with data for a zone it
149 /// is otherwise configured to support. Examples of this include
150 /// its most recent zone being too old or having expired.
151 (INVALID_DATA => 24, "Invalid Data")
152
153 /// The requested resource record type should not appear in a query.
154 (INVALID_QUERY_TYPE => 30, "Invalid Query Type")
155}
156
157/// Start of the private range for EDE codes.
158///
159/// ```text
160/// Registration Procedures:
161/// o 0 - 49151: First come, first served.
162/// o 49152 - 65535: Private use.
163/// ```
164pub const EDE_PRIVATE_RANGE_BEGIN: u16 = 49152;
165
166int_enum_str_with_prefix!(
167 ExtendedErrorCode,
168 "EDE",
169 b"EDE",
170 u16,
171 "unknown error code"
172);