From: Colin Vidal <colin@isc.org>
Date: Wed, 12 Mar 2025 09:28:27 +0000 (+0100)
Subject: add support for EDE 20 (Not Authoritative)
X-Git-Tag: v9.21.7~59^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24ffbdcfea32b7f3c3feceba23cfc4bf474a1fa3;p=thirdparty%2Fbind9.git

add support for EDE 20 (Not Authoritative)

Extended DNS Error message EDE 20 (Not Authoritative) is now sent when
client request recursion (RD) but the server has recursion disabled.

RFC 8914 mention EDE 20 should also be returned if the client doesn't
have the RD bit set (and recursion is needed) but it doesn't apply for
BIND as BIND would try to resolve from the "deepest" referral in
AUTHORITY section. For example, if the client asks for "www.isc.org/A"
but the server only knows the root domain, it will returns NOERROR but
no answer for "www.isc.og/A", just the list of other servers to ask.
---

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 2bc3fc45e97..2ec0e1109b0 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5525,6 +5525,9 @@ ns__query_start(query_ctx_t *qctx) {
 	if (result != ISC_R_SUCCESS) {
 		if (result == DNS_R_REFUSED) {
 			if (WANTRECURSION(qctx->client)) {
+				dns_ede_add(&qctx->client->edectx,
+					    DNS_EDE_NOTAUTH,
+					    "recursion disabled");
 				inc_stats(qctx->client,
 					  ns_statscounter_recurserej);
 			} else {