zonemaster/docs/public/specifications/tests/Nameserver-TP/nameserver10.md

# NAMESERVER10: Test for undefined EDNS version


## Test case identifier

**NAMESERVER10**


## Table of contents

* [Objective](#objective)
* [Scope](#scope)
* [Inputs](#inputs)
* [Summary](#summary)
* [Test procedure](#test-procedure)
* [Outcome(s)](#outcomes)
* [Special procedural requirements](#special-procedural-requirements)
* [Intercase dependencies](#intercase-dependencies)
* [Terminology](#terminology)


## Objective

EDNS ([RFC 6891]) is a mechanism to announce capabilities of a DNS
implementation, and is required by new functionality in DNS such as DNSSEC
([RFC 4033][RFC 4033#section-3], section 3).

[RFC 6891][RFC 6891#section-6.1.3], section 6.1.3, states that if a nameserver
has implemented EDNS but has not implemented the version level of the request,
then it MUST respond with RCODE "BADVERS". Only version "0" has been defined for
EDNS.

Note that RCODE "BADVERS" is an extended RCODE which is calculated from the
combination of the normal RCODE field in the DNS package header
([RFC 1035][RFC 1035#section-4.1.1], section 4.1.1) and the OPT record
EXTENDED-RCODE field ([RFC 6891][RFC 6891#section-6.1.3], section 6.1.3). Also
see [IANA RCODE Registry].


## Scope

Issues covered by [Connectivity01] (basic name server issues) or [Nameserver02] (basic
EDNS issues) will not result in messages from this test case.


## Inputs

* "Child Zone" - The domain name to be tested.

## Summary

* Only relevant for a zone whose name servers correctly support EDNS, version 0.

Message Tag outputted         | Level   | Arguments         | Description of when message tag is outputted
:-----------------------------|:--------|:------------------|:--------------------------------------------
N10_NO_RESPONSE_EDNS1_QUERY   | WARNING | ns_ip_list        | Response when EDNS ver=0, but not when 1.
N10_UNEXPECTED_RCODE          | WARNING | ns_ip_list, rcode | Unexpected RCODE value when EDNS ver=1.
N10_EDNS_RESPONSE_ERROR       | WARNING | ns_ip_list        | Expected RCODE value when EDNS ver=1, but error in response.

The value in the Level column is the default severity level of the message. The
severity level can be changed in the [Zonemaster-Engine profile]. Also see the
[Severity Level Definitions] document.

The argument names in the Arguments column lists the arguments used in the
message. The argument names are defined in the [argument list].


## Test procedure

1. Create the following empty sets:
   1. Name server IP ("No Response EDNS1 Query").
   2. Name server IP and associated RCODE ("Unexpected RCODE").
   3. Name server IP ("EDNS Response Error").

2. Create an SOA query for the *Child Zone* with an OPT record with EDNS version
   set to "0" and with EDNS option of payload size ("bufsize") set to 512 and
   other EDNS options and flags unset ("Query One").

3. Create an SOA query for the *Child Zone* with an OPT record with EDNS version
   set to "1" and with EDNS option of payload size ("bufsize") set to 512 and
   other EDNS options and flags unset ("Query Two").

4. Obtain the set of name server IP addresses using [Method4] and [Method5]
   ("Name Server IP").

5. For each name server in *Name Server IP* do:
   1. Send *Query One* over UDP to the name server, collect the response and do:
      1. If there is no DNS response then go to next name server.
      2. Else, if the RCODE value is not "NOERROR" then go to next name server.
   2. Send *Query Two* over UDP to the name server, collect the response and do:
      1. If there is no DNS response, then add the name server IP to the
         *No Response EDNS1 Query* set.
      2. Else, if the DNS response does not have RCODE with value "BADVERS", then
         add the name server IP and RCODE value to the *Unexpected RCODE* set.
      3. Else, if the DNS response meet all the following three criteria, then
         just go to the next name server (correct response):
         1. It has the RCODE "BADVERS".
         2. It has EDNS version 0.
         3. The answer section is empty.
      4. Else add the name server IP to the *EDNS Response Error* set.

6. If the *No Response EDNS1 Query* set is non-empty, then output
   *[N10_NO_RESPONSE_EDNS1_QUERY]* with the name server IP addresses from the
   set.

7. If the *Unexpected RCODE* set is non-empty, then for each RCODE value in the
   set do:
   * Output *[N10_UNEXPECTED_RCODE]* with the RCODE value and the name server
     IP addresses for that RCODE value.

8. If the *EDNS Response Error* set is non-empty, then output
   *[N10_EDNS_RESPONSE_ERROR]* with the name server IP addresses from the set.


## Outcome(s)

The outcome of this Test Case is "fail" if there is at least one message
with the severity level *[ERROR]* or *[CRITICAL]*.

The outcome of this Test Case is "warning" if there is at least one message
with the severity level *[WARNING]*, but no message with severity level
*ERROR* or *CRITICAL*.

In other cases, no message or only messages with severity level
*[INFO]* or *[NOTICE]*, the outcome of this Test Case is "pass".


## Special procedural requirements	

If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the
result of any test using this transport protocol and log a message reporting
the ignored result.


## Intercase dependencies

None


## Terminology

No special terminology for this test case.


[Argument list]:                           ../ArgumentsForTestCaseMessages.md
[Connectivity01]:                          ../Connectivity-TP/connectivity01.md
[CRITICAL]:                                ../SeverityLevelDefinitions.md#critical
[ERROR]:                                   ../SeverityLevelDefinitions.md#error
[IANA RCODE Registry]:                     https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
[INFO]:                                    ../SeverityLevelDefinitions.md#info
[Method4]:                                 ../Methods.md#method-4-obtain-glue-address-records-from-parent
[Method5]:                                 ../Methods.md#method-5-obtain-the-name-server-address-records-from-child
[N10_EDNS_RESPONSE_ERROR]:                 #summary
[N10_NO_RESPONSE_EDNS1_QUERY]:             #summary
[N10_UNEXPECTED_RCODE]:                    #summary
[NOTICE]:                                  ../SeverityLevelDefinitions.md#notice
[Nameserver02]:                            ../Nameserver-TP/nameserver02.md
[RFC 1035#section-4.1.1]:                  https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.1
[RFC 4033#section-3]:                      https://datatracker.ietf.org/doc/html/rfc4033#section-3
[RFC 6891#section-6.1.3]:                  https://datatracker.ietf.org/doc/html/rfc6891#section-6.1.3
[RFC 6891]:                                https://datatracker.ietf.org/doc/html/rfc6891
[Severity Level Definitions]:              ../SeverityLevelDefinitions.md
[WARNING]:                                 ../SeverityLevelDefinitions.md#warning
[Zonemaster-Engine profile]:               ../../../configuration/profiles.md
feat: add full Zonemaster stack with Docker and Spanish UI - Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI) - Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend - Dockerfile.gui: Astro static build served via nginx - docker-compose.yml: backend (internal) + frontend (port 5353) - nginx.conf: root redirects to /es/, /api/ proxied to backend - zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-21 08:19:24 +02:00			`# NAMESERVER10: Test for undefined EDNS version`


			`## Test case identifier`

			`NAMESERVER10`


			`## Table of contents`

			`* [Objective](#objective)`
			`* [Scope](#scope)`
			`* [Inputs](#inputs)`
			`* [Summary](#summary)`
			`* [Test procedure](#test-procedure)`
			`* [Outcome(s)](#outcomes)`
			`* [Special procedural requirements](#special-procedural-requirements)`
			`* [Intercase dependencies](#intercase-dependencies)`
			`* [Terminology](#terminology)`


			`## Objective`

			`EDNS ([RFC 6891]) is a mechanism to announce capabilities of a DNS`
			`implementation, and is required by new functionality in DNS such as DNSSEC`
			`([RFC 4033][RFC 4033#section-3], section 3).`

			`[RFC 6891][RFC 6891#section-6.1.3], section 6.1.3, states that if a nameserver`
			`has implemented EDNS but has not implemented the version level of the request,`
			`then it MUST respond with RCODE "BADVERS". Only version "0" has been defined for`
			`EDNS.`

			`Note that RCODE "BADVERS" is an extended RCODE which is calculated from the`
			`combination of the normal RCODE field in the DNS package header`
			`([RFC 1035][RFC 1035#section-4.1.1], section 4.1.1) and the OPT record`
			`EXTENDED-RCODE field ([RFC 6891][RFC 6891#section-6.1.3], section 6.1.3). Also`
			`see [IANA RCODE Registry].`


			`## Scope`

			`Issues covered by [Connectivity01] (basic name server issues) or [Nameserver02] (basic`
			`EDNS issues) will not result in messages from this test case.`


			`## Inputs`

			`* "Child Zone" - The domain name to be tested.`

			`## Summary`

			`* Only relevant for a zone whose name servers correctly support EDNS, version 0.`

			`Message Tag outputted \| Level \| Arguments \| Description of when message tag is outputted`
			`:-----------------------------\|:--------\|:------------------\|:--------------------------------------------`
			`N10_NO_RESPONSE_EDNS1_QUERY \| WARNING \| ns_ip_list \| Response when EDNS ver=0, but not when 1.`
			`N10_UNEXPECTED_RCODE \| WARNING \| ns_ip_list, rcode \| Unexpected RCODE value when EDNS ver=1.`
			`N10_EDNS_RESPONSE_ERROR \| WARNING \| ns_ip_list \| Expected RCODE value when EDNS ver=1, but error in response.`

			`The value in the Level column is the default severity level of the message. The`
			`severity level can be changed in the [Zonemaster-Engine profile]. Also see the`
			`[Severity Level Definitions] document.`

			`The argument names in the Arguments column lists the arguments used in the`
			`message. The argument names are defined in the [argument list].`


			`## Test procedure`

			`1. Create the following empty sets:`
			`1. Name server IP ("No Response EDNS1 Query").`
			`2. Name server IP and associated RCODE ("Unexpected RCODE").`
			`3. Name server IP ("EDNS Response Error").`

			`2. Create an SOA query for the Child Zone with an OPT record with EDNS version`
			`set to "0" and with EDNS option of payload size ("bufsize") set to 512 and`
			`other EDNS options and flags unset ("Query One").`

			`3. Create an SOA query for the Child Zone with an OPT record with EDNS version`
			`set to "1" and with EDNS option of payload size ("bufsize") set to 512 and`
			`other EDNS options and flags unset ("Query Two").`

			`4. Obtain the set of name server IP addresses using [Method4] and [Method5]`
			`("Name Server IP").`

			`5. For each name server in Name Server IP do:`
			`1. Send Query One over UDP to the name server, collect the response and do:`
			`1. If there is no DNS response then go to next name server.`
			`2. Else, if the RCODE value is not "NOERROR" then go to next name server.`
			`2. Send Query Two over UDP to the name server, collect the response and do:`
			`1. If there is no DNS response, then add the name server IP to the`
			`No Response EDNS1 Query set.`
			`2. Else, if the DNS response does not have RCODE with value "BADVERS", then`
			`add the name server IP and RCODE value to the Unexpected RCODE set.`
			`3. Else, if the DNS response meet all the following three criteria, then`
			`just go to the next name server (correct response):`
			`1. It has the RCODE "BADVERS".`
			`2. It has EDNS version 0.`
			`3. The answer section is empty.`
			`4. Else add the name server IP to the EDNS Response Error set.`

			`6. If the No Response EDNS1 Query set is non-empty, then output`
			`[N10_NO_RESPONSE_EDNS1_QUERY] with the name server IP addresses from the`
			`set.`

			`7. If the Unexpected RCODE set is non-empty, then for each RCODE value in the`
			`set do:`
			`* Output [N10_UNEXPECTED_RCODE] with the RCODE value and the name server`
			`IP addresses for that RCODE value.`

			`8. If the EDNS Response Error set is non-empty, then output`
			`[N10_EDNS_RESPONSE_ERROR] with the name server IP addresses from the set.`


			`## Outcome(s)`

			`The outcome of this Test Case is "fail" if there is at least one message`
			`with the severity level [ERROR] or [CRITICAL].`

			`The outcome of this Test Case is "warning" if there is at least one message`
			`with the severity level [WARNING], but no message with severity level`
			`ERROR or CRITICAL.`

			`In other cases, no message or only messages with severity level`
			`[INFO] or [NOTICE], the outcome of this Test Case is "pass".`


			`## Special procedural requirements`

			`If either IPv4 or IPv6 transport is disabled, ignore the evaluation of the`
			`result of any test using this transport protocol and log a message reporting`
			`the ignored result.`


			`## Intercase dependencies`

			`None`


			`## Terminology`

			`No special terminology for this test case.`


			`[Argument list]: ../ArgumentsForTestCaseMessages.md`
			`[Connectivity01]: ../Connectivity-TP/connectivity01.md`
			`[CRITICAL]: ../SeverityLevelDefinitions.md#critical`
			`[ERROR]: ../SeverityLevelDefinitions.md#error`
			`[IANA RCODE Registry]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6`
			`[INFO]: ../SeverityLevelDefinitions.md#info`
			`[Method4]: ../Methods.md#method-4-obtain-glue-address-records-from-parent`
			`[Method5]: ../Methods.md#method-5-obtain-the-name-server-address-records-from-child`
			`[N10_EDNS_RESPONSE_ERROR]: #summary`
			`[N10_NO_RESPONSE_EDNS1_QUERY]: #summary`
			`[N10_UNEXPECTED_RCODE]: #summary`
			`[NOTICE]: ../SeverityLevelDefinitions.md#notice`
			`[Nameserver02]: ../Nameserver-TP/nameserver02.md`
			`[RFC 1035#section-4.1.1]: https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.1`
			`[RFC 4033#section-3]: https://datatracker.ietf.org/doc/html/rfc4033#section-3`
			`[RFC 6891#section-6.1.3]: https://datatracker.ietf.org/doc/html/rfc6891#section-6.1.3`
			`[RFC 6891]: https://datatracker.ietf.org/doc/html/rfc6891`
			`[Severity Level Definitions]: ../SeverityLevelDefinitions.md`
			`[WARNING]: ../SeverityLevelDefinitions.md#warning`
			`[Zonemaster-Engine profile]: ../../../configuration/profiles.md`