add support for EDE 20 (Not Authoritative)

Extended DNS Error message EDE 20 (Not Authoritative) is now sent when
client request recursion (RD) but the server has recursion disabled.

RFC 8914 mention EDE 20 should also be returned if the client doesn't
have the RD bit set (and recursion is needed) but it doesn't apply for
BIND as BIND would try to resolve from the "deepest" referral in
AUTHORITY section. For example, if the client asks for "www.isc.org/A"
but the server only knows the root domain, it will returns NOERROR but
no answer for "www.isc.og/A", just the list of other servers to ask.

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 2bc3fc45e97be537d4b837b48c85ed1c88cf0228..2ec0e1109b0d64fa8f9a9214c39536b1e317322d 100644 (file)
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5525,6 +5525,9 @@ ns__query_start(query_ctx_t *qctx) {
        if (result != ISC_R_SUCCESS) {
                if (result == DNS_R_REFUSED) {
                        if (WANTRECURSION(qctx->client)) {
+                               dns_ede_add(&qctx->client->edectx,
+                                           DNS_EDE_NOTAUTH,
+                                           "recursion disabled");
                                inc_stats(qctx->client,
                                          ns_statscounter_recurserej);
                        } else {