12. RFC and internet draft notes

12.1. RFC 8914 (Extended DNS Errors)

The EDNS Extended DNS Errors section and the RPZ and Extended DNS Errors section describe Loop's EDNS Extended DNS Errors implementation in detail.

The ede-enable and ede-extra-text-enable configuration options of named.conf(5) control whether and how the EDNS Extended DNS Error option is returned in responses.

12.2. RFC 9276 (Guidance for NSEC3 Parameter Settings)

The max-nsec3-iterations configuration option of named.conf(5) can be used to configure the maximum permitted number of additional NSEC3 iterations in the validating resolver.

named will return a SERVFAIL response if the number of additional NSEC3 iterations required during DNSSEC validation is larger than the configured value.

Currently, named does not return the Unsupported NSEC3 Iterations Value (27) INFO-CODE in the EDNS Extended DNS Error option that RFC 9276 registers for this case; the response is a SERVFAIL without that extended error.
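The following is an added example, not Loop's code, showing what max-nsec3-iterations bounds. It implements the NSEC3 hash of RFC 5155 (the initial SHA-1 over the canonical owner name plus salt, then one more SHA-1 per additional iteration, base32hex-encoded) and a small policy function that mirrors the rule above: an NSEC3 record demanding more additional iterations than the configured maximum is answered with SERVFAIL rather than validated. The function names, the outcome strings and the cap values in the demo are this example's own; the known-answer vector is the "example" owner name from RFC 5155 Appendix A (salt aabbccdd, 12 iterations).

```python
"""NSEC3 hashing (RFC 5155, Section 5) and an iteration cap modelled on
max-nsec3-iterations.

Added example for this page, not Loop's code.  It shows what the cap is
protecting: every additional iteration is one more SHA-1 over the salted
owner name, and a validating resolver pays that cost for each NSEC3 record
it has to check in a denial-of-existence proof.
"""
import base64
import hashlib
import time

# RFC 4648 base32 alphabet (A-Z2-7) -> base32hex (0-9A-V), which NSEC3 owner names use.
B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels,
    terminated by the root label (RFC 5155 hashes names in this form)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def hash_count(iterations: int) -> int:
    """SHA-1 invocations for one NSEC3 hash: the initial hash plus the number of
    *additional* iterations signalled in the NSEC3 RR."""
    return iterations + 1


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """NSEC3 hash with SHA-1: IH(salt, x, 0) = H(x || salt) and
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt); returned as lowercase base32hex."""
    digest = hashlib.sha1(canonical_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no padding to strip.
    return base64.b32encode(digest).translate(B32_TO_B32HEX).decode("ascii").lower()


def nsec3_validation_outcome(iterations: int, max_nsec3_iterations: int) -> str:
    """Model the rule from the text: if the NSEC3 RR asks for more additional
    iterations than the configured maximum, answer SERVFAIL instead of doing
    the work.  (The outcome strings and the cap value are this example's own,
    not Loop's internals.)"""
    if iterations > max_nsec3_iterations:
        return "SERVFAIL"
    return "validate"


def cost_ratio(iterations: int, baseline_iterations: int = 0) -> float:
    """Relative CPU cost of hashing one name versus a zone using the baseline
    (RFC 9276 recommends zone operators use 0 additional iterations)."""
    return hash_count(iterations) / hash_count(baseline_iterations)


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")
    # RFC 5155 Appendix A vector: "example", salt aabbccdd, 12 iterations.
    print(nsec3_hash("example", salt, 12))
    for iters, cap in [(0, 0), (12, 150), (500, 150)]:          # illustrative caps, not defaults
        print(f"iterations={iters:>4} cap={cap:>4}: {nsec3_validation_outcome(iters, cap)},"
              f" {hash_count(iters)} SHA-1 calls per hash, {cost_ratio(iters):.0f}x a 0-iteration zone")
    # Constructed workload: time per hash as the iteration count grows.
    for iters in (0, 150, 2500):
        t0 = time.perf_counter()
        for i in range(200):
            nsec3_hash(f"host{i}.example", salt, iters)
        print(f"{iters:>5} iterations: {(time.perf_counter() - t0) * 1e3 / 200:.3f} ms per hash")
```

The cap is worth setting low: a validator must hash the queried name (and, for wildcard and closest-encloser proofs, several more names) once per NSEC3 record it checks, so an attacker-controlled zone with a large iteration count turns each negative answer into a CPU bill paid by the resolver.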

12.3. draft-muks-dns-filtering

The view-level edns-filtering-info-enable configuration option of named.conf(5) controls whether EDNS options for filtering information are returned in query responses when blocking/filtering/censoring is performed.

The view-level edns-filtering-info-contacts configuration option of named.conf(5) can be used to configure the list of contacts that are returned in FILTERING-CONTACT EDNS options.

The view-level edns-filtering-info-organization configuration option of named.conf(5) can be used to configure the organization name that is returned in the FILTERING-ORGANIZATION EDNS option.

When edns-filtering-info-enable is set, EDNS options for filtering information are returned in query responses only when blocking/filtering/censoring is performed and a negative response is generated as a result.

The filtering-db RPZ zone configuration clause of named.conf(5) can be used to configure the identifier, name, or description that is returned in the FILTERING-DB EDNS option when an RPZ rewrite was performed.

When RPZ processing is performed for a query and the triggered RPZ policy applies a "Local Data" action, such as a CNAME or address record, a regular RFC 8914 Extended DNS Error option is returned (if enabled) in the response with INFO-CODE set to Forged Answer (4). No EDNS options for filtering information are returned, as they do not apply to forged answers. This holds even when the forged answer was itself the result of a blocking/filtering/censoring action.

Also see the RPZ and EDNS filtering information section.

The view-level ede-extra-text-language configuration option of named.conf(5) can be used to configure the language tag for the text carried in the EXTRA-TEXT field of EDNS Extended DNS Error options in the same DNS message. This configuration option is unrelated to filtering and can be set even if no filtering is performed.

12.4. draft-ietf-dnsop-structured-dns-error

Error

Use the RFC number for draft-ietf-dnsop-structured-dns-error in the section title once issued.

The view-level edns-filtering-info-enable configuration option of named.conf(5) controls whether Structured Error Data for Filtered DNS JSON is returned in the EDNS Extended DNS Error option in responses when blocking/filtering/censoring is performed.

The view-level edns-filtering-info-contacts configuration option of named.conf(5) can be used to configure the list of contacts that are returned in the "c" field within the JSON.

The view-level edns-filtering-info-organization configuration option of named.conf(5) can be used to configure the organization name that is returned in the "o" field within the JSON.

When edns-filtering-info-enable is set and the client requests it, Structured Error Data for Filtered DNS JSON is returned in the EDNS Extended DNS Error option only when blocking/filtering/censoring is performed and a negative response is generated as a result. When no blocking/filtering/censoring is performed, or when the action taken does not produce a negative response, the regular RFC 8914 Extended DNS Error option is returned instead.

When RPZ processing is performed for a query and the triggered RPZ policy applies a "Local Data" action, such as a CNAME or address record, a regular RFC 8914 Extended DNS Error option is returned (if enabled) in the response with INFO-CODE set to Forged Answer (4). No Structured Error Data for Filtered DNS JSON is returned, because that draft does not permit forged answers. This holds even when the forged answer was itself the result of a blocking/filtering/censoring action.
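The following is an added example, not Loop's code, showing what a client sees in the two cases just described. It walks the options in an OPT RR's RDATA, decodes each RFC 8914 Extended DNS Error option (EDNS option code 15: a 16-bit INFO-CODE followed by UTF-8 EXTRA-TEXT), and only for the filtering INFO-CODEs (Blocked 15, Censored 16, Filtered 17, Prohibited 18) tries to read the draft's JSON object from EXTRA-TEXT and expose its "c" (contacts) and "o" (organization) fields; a Forged Answer (4) is left as a plain error even if its EXTRA-TEXT happens to look like JSON. The option bytes are constructed here, not captured from a server, and the helper names are this example's own. The same option walk applies to any other EDNS option, including the separate options of draft-muks-dns-filtering, once their option codes are known; none are assumed here.

```python
"""Decode RFC 8914 Extended DNS Error (EDE) options from OPT RDATA and pull the
draft-ietf-dnsop-structured-dns-error JSON out of EXTRA-TEXT when a filtering
INFO-CODE carries it.

Added example for this page, not Loop's code.  The option bytes below are
constructed, not captured from a server.
"""
import json
import struct

EDE_OPTION_CODE = 15                  # EDNS option code assigned by RFC 8914
EDE_FORGED_ANSWER = 4                 # INFO-CODEs from the RFC 8914 registry
EDE_BLOCKED, EDE_CENSORED, EDE_FILTERED, EDE_PROHIBITED = 15, 16, 17, 18
# The structured JSON is defined only for the filtering-related INFO-CODEs.
STRUCTURED_INFO_CODES = {EDE_BLOCKED, EDE_CENSORED, EDE_FILTERED, EDE_PROHIBITED}


def encode_ede(info_code: int, extra_text: str = "") -> bytes:
    """One EDNS option: OPTION-CODE, OPTION-LENGTH, INFO-CODE, UTF-8 EXTRA-TEXT."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data


def iter_edns_options(opt_rdata: bytes):
    """Yield (option_code, option_data) pairs; refuse truncated options."""
    pos = 0
    while pos < len(opt_rdata):
        if pos + 4 > len(opt_rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        if pos + length > len(opt_rdata):
            raise ValueError("EDNS option length runs past the RDATA")
        yield code, opt_rdata[pos:pos + length]
        pos += length


def is_well_formed(opt_rdata: bytes) -> bool:
    """True if every option in the RDATA fits within it."""
    try:
        for _ in iter_edns_options(opt_rdata):
            pass
        return True
    except ValueError:
        return False


def decode_ede(option_data: bytes) -> dict:
    """Split an EDE option into INFO-CODE and EXTRA-TEXT.  For a filtering
    INFO-CODE whose EXTRA-TEXT parses as a JSON object, also return that
    object under "structured"; for anything else, including a Forged Answer
    that happens to carry JSON, "structured" stays None."""
    if len(option_data) < 2:
        raise ValueError("EDE option shorter than its INFO-CODE")
    (info_code,) = struct.unpack_from("!H", option_data)
    extra_text = option_data[2:].decode("utf-8", errors="replace")
    structured = None
    if info_code in STRUCTURED_INFO_CODES and extra_text.lstrip().startswith("{"):
        try:
            doc = json.loads(extra_text)
        except ValueError:
            doc = None
        if isinstance(doc, dict):
            structured = doc
    return {"info_code": info_code, "extra_text": extra_text, "structured": structured}


def parse_ede_options(opt_rdata: bytes) -> list:
    """All EDE options in the RDATA, in order; other options are skipped."""
    return [decode_ede(data) for code, data in iter_edns_options(opt_rdata)
            if code == EDE_OPTION_CODE]


# Constructed samples (assumed values, not Loop output):
# a filtered negative answer carrying the draft's JSON ("c" contacts, "o" organization) ...
FILTERED_JSON = json.dumps({"c": ["mailto:abuse@example.net"], "o": "Example Org"},
                           separators=(",", ":"))
SAMPLE_FILTERED = encode_ede(EDE_FILTERED, FILTERED_JSON)
# ... and an RPZ "Local Data" rewrite, which only gets a plain Forged Answer EDE.
SAMPLE_FORGED = encode_ede(EDE_FORGED_ANSWER)
# OPT RDATA with an unrelated COOKIE option (code 10, 8-byte client cookie) in front.
SAMPLE_OPT_RDATA = struct.pack("!HH", 10, 8) + bytes(range(8)) + SAMPLE_FILTERED + SAMPLE_FORGED

if __name__ == "__main__":
    for ede in parse_ede_options(SAMPLE_OPT_RDATA):
        print(ede["info_code"], repr(ede["extra_text"]), ede["structured"])
```

Gating the JSON parse on the INFO-CODE, rather than on whether EXTRA-TEXT looks like JSON, is the point: a client that rendered contact details out of a Forged Answer would be trusting text the draft never meant to carry them.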

Also see the RPZ and EDNS filtering information section.

Warning

Although this draft has been adopted by the IETF DNSOP working group, we consider it poorly designed. Its purpose is to transmit filtering-related information such as contact details, but it does so by riding over RFC 8914. Communicating contact information over a secure transport, either as free-form text in the EXTRA-TEXT field or in separate EDNS options dedicated to filtering information, would have complemented the well-written RFC 8914. However, the draft appears to have gathered support and is being approved, and operators will want to generate its JSON to serve to web browsers, so we have implemented it in Loop. We recommend that you use the EDNS options of draft-muks-dns-filtering instead, which Loop also implements. See the draft-muks-dns-filtering section.