From c8cb75d7b14910c75a4a5298775fea147c202aa9 Mon Sep 17 00:00:00 2001
From: Colin Vidal
Date: Wed, 12 Mar 2025 10:28:27 +0100
Subject: [PATCH] add support for EDE 20 (Not Authoritative) Extended DNS Error message EDE 20 (Not Authoritative) is now sent when client request recursion (RD) but the server has recursion disabled. RFC 8914 mention EDE 20 should also be returned if the client doesn't have the RD bit set (and recursion is needed) but it doesn't apply for BIND as BIND would try to resolve from the "deepest" referral in AUTHORITY section. For example, if the client asks for "www.isc.org/A" but the server only knows the root domain, it will returns NOERROR but no answer for "www.isc.og/A", just the list of other servers to ask. (cherry picked from commit 24ffbdcfea32b7f3c3feceba23cfc4bf474a1fa3)
---
 lib/ns/query.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 9e44554d8f..9d2214573d 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5855,6 +5855,9 @@ ns__query_start(query_ctx_t *qctx) {
 if (result != ISC_R_SUCCESS) {
 if (result == DNS_R_REFUSED) {
 if (WANTRECURSION(qctx->client)) {
+ dns_ede_add(&qctx->client->edectx,
+ DNS_EDE_NOTAUTH,
+ "recursion disabled");
 inc_stats(qctx->client,
 ns_statscounter_recurserej);
 } else {
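Review bot: The extra text `"recursion disabled"` is attached to every `DNS_R_REFUSED` result with RD set, but the hunk does not show that this result can only come from recursion being switched off; the call that sets `result` is above the hunk, and the `ns_statscounter_recurserej` counter name suggests this branch may also count recursive queries rejected for this client by policy. If so, the response tells the client something untrue about the server, and an operator reading a capture would look for the cause in the wrong place. Either confirm the single cause in a comment above the call, e.g. `/* REFUSED with RD set: recursion is off for this view, not an ACL denial */`, or use wording that holds in both cases, e.g. `"recursion not available"`. The body of `ns__query_start` starts before and continues past this hunk, so the source of `result` and the `else` branch could not be checked here.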