Prepare dnssec for EDE answers

ibauersachs · ibauersachs · commit 90abb2b6f261 · 2021-10-23T00:11:37.000+02:00
diff --git a/src/main/java/org/xbill/DNS/ExtendedErrorCodeOption.java b/src/main/java/org/xbill/DNS/ExtendedErrorCodeOption.java
@@ -46,31 +46,49 @@ public class ExtendedErrorCodeOption extends EDNSOption {
   static {
     codes.setMaximum(0xFFFF);
     codes.setPrefix("EDE");
-    codes.add(OTHER, "Other");
-    codes.add(UNSUPPORTED_DNSKEY_ALGORITHM, "Unsupported DNSKEY Algorithm");
-    codes.add(UNSUPPORTED_DS_DIGEST_TYPE, "Unsupported DS Digest Type");
-    codes.add(STALE_ANSWER, "Stale Answer");
-    codes.add(FORGED_ANSWER, "Forged Answer");
-    codes.add(DNSSEC_INDETERMINATE, "DNSSEC Indeterminate");
-    codes.add(DNSSEC_BOGUS, "DNSSEC Bogus");
-    codes.add(SIGNATURE_EXPIRED, "Signature Expired");
-    codes.add(SIGNATURE_NOT_YET_VALID, "Signature Not Yet Valid");
-    codes.add(DNSKEY_MISSING, "DNSKEY Missing");
-    codes.add(RRSIGS_MISSING, "RRSIGs Missing");
-    codes.add(NO_ZONE_KEY_BIT_SET, "No Zone Key Bit Set");
-    codes.add(NSEC_MISSING, "NSEC Missing");
-    codes.add(CACHED_ERROR, "Cached Error");
-    codes.add(NOT_READY, "Not Ready");
-    codes.add(BLOCKED, "Blocked");
-    codes.add(CENSORED, "Censored");
-    codes.add(FILTERED, "Filtered");
-    codes.add(PROHIBITED, "Prohibited");
-    codes.add(STALE_NXDOMAIN_ANSWER, "Stale NXDOMAIN Answer");
-    codes.add(NOT_AUTHORITATIVE, "Not Authoritative");
-    codes.add(NOT_SUPPORTED, "Not Supported");
-    codes.add(NO_REACHABLE_AUTHORITY, "No Reachable Authority");
-    codes.add(NETWORK_ERROR, "Network Error");
-    codes.add(INVALID_DATA, "Invalid Data");
+    codes.add(OTHER, "OTHER");
+    codes.add(UNSUPPORTED_DNSKEY_ALGORITHM, "UNSUPPORTED_DNSKEY_ALGORITHM");
+    codes.add(UNSUPPORTED_DS_DIGEST_TYPE, "UNSUPPORTED_DS_DIGEST_TYPE");
+    codes.add(STALE_ANSWER, "STALE_ANSWER");
+    codes.add(FORGED_ANSWER, "FORGED_ANSWER");
+    codes.add(DNSSEC_INDETERMINATE, "DNSSEC_INDETERMINATE");
+    codes.add(DNSSEC_BOGUS, "DNSSEC_BOGUS");
+    codes.add(SIGNATURE_EXPIRED, "SIGNATURE_EXPIRED");
+    codes.add(SIGNATURE_NOT_YET_VALID, "SIGNATURE_NOT_YET_VALID");
+    codes.add(DNSKEY_MISSING, "DNSKEY_MISSING");
+    codes.add(RRSIGS_MISSING, "RRSIGS_MISSING");
+    codes.add(NO_ZONE_KEY_BIT_SET, "NO_ZONE_KEY_BIT_SET");
+    codes.add(NSEC_MISSING, "NSEC_MISSING");
+    codes.add(CACHED_ERROR, "CACHED_ERROR");
+    codes.add(NOT_READY, "NOT_READY");
+    codes.add(BLOCKED, "BLOCKED");
+    codes.add(CENSORED, "CENSORED");
+    codes.add(FILTERED, "FILTERED");
+    codes.add(PROHIBITED, "PROHIBITED");
+    codes.add(STALE_NXDOMAIN_ANSWER, "STALE_NXDOMAIN_ANSWER");
+    codes.add(NOT_AUTHORITATIVE, "NOT_AUTHORITATIVE");
+    codes.add(NOT_SUPPORTED, "NOT_SUPPORTED");
+    codes.add(NO_REACHABLE_AUTHORITY, "NO_REACHABLE_AUTHORITY");
+    codes.add(NETWORK_ERROR, "NETWORK_ERROR");
+    codes.add(INVALID_DATA, "INVALID_DATA");
+  }
+
+  /**
+   * Gets the text mnemonic corresponding to an EDE value.
+   *
+   * @since 3.5
+   */
+  public static String text(int code) {
+    return codes.getText(code);
+  }
+
+  /**
+   * Gets the numeric value corresponding to an EDE text mnemonic.
+   *
+   * @since 3.5
+   */
+  public static int code(String text) {
+    return codes.getValue(text);
   }
 
   /** Creates an extended error code EDNS option. */
diff --git a/src/main/java/org/xbill/DNS/dnssec/KeyEntry.java b/src/main/java/org/xbill/DNS/dnssec/KeyEntry.java
@@ -145,14 +145,14 @@ JustifiedSecStatus validateKeyFor(Name signerName) {
 
       return new JustifiedSecStatus(
           SecurityStatus.BOGUS,
-          ExtendedErrorCodeOption.DNSSEC_BOGUS,
+          edeReason,
           R.get("validate.bogus", this.badReason));
     }
 
     if (this.isBad()) {
       return new JustifiedSecStatus(
           SecurityStatus.BOGUS,
-          ExtendedErrorCodeOption.DNSSEC_BOGUS,
+          edeReason,
           R.get("validate.bogus.badkey", this.getName(), this.badReason));
     }
 
diff --git a/src/main/java/org/xbill/DNS/dnssec/ValidatingResolver.java b/src/main/java/org/xbill/DNS/dnssec/ValidatingResolver.java
@@ -967,7 +967,7 @@ private KeyEntry dsResponseToKE(SMessage response, Message request, SRRset keyRr
         SRRset dsRrset = response.findAnswerRRset(qname, Type.DS, qclass);
         res = this.valUtils.verifySRRset(dsRrset, keyRrset, this.clock.instant());
         if (res.status != SecurityStatus.SECURE) {
-          bogusKE.setBadReason(ExtendedErrorCodeOption.DNSSEC_BOGUS, R.get("failed.ds"));
+          bogusKE.setBadReason(res.edeReason, res.reason);
           return bogusKE;
         }
 
diff --git a/src/main/resources/messages.properties b/src/main/resources/messages.properties
@@ -23,7 +23,7 @@ dnskey.key_offtree=Key {0} for signature {1} is off tree
 dnskey.no_match=Key does not match signature
 dnskey.expired=Key exired
 dnskey.not_yet_valid=Key is not yet valid
-dnskey.invalid=Key does not verify signaure
+dnskey.invalid=Key does not verify signature
 failed.ds=DS rrset in DS response did not verify.
 failed.ds.cname=CNAME in DS response was not secure.
 ds.secure=CNAME validated, proof that DS does not exist.
diff --git a/src/test/java/org/xbill/DNS/dnssec/TestBase.java b/src/test/java/org/xbill/DNS/dnssec/TestBase.java
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: BSD-3-Clause
 package org.xbill.DNS.dnssec;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -245,14 +246,29 @@ protected String firstA(Message response) {
   }
 
   protected int getEdeReason(Message m) {
-    return Optional.ofNullable(m.getOPT())
+    int edeReason = Optional.ofNullable(m.getOPT())
         .flatMap(
             opt ->
                 opt.getOptions(Code.EDNS_EXTENDED_ERROR).stream()
                     .filter(o -> o instanceof ExtendedErrorCodeOption)
                     .findFirst()
                     .map(o -> ((ExtendedErrorCodeOption) o).getErrorCode()))
         .orElse(-1);
+    if (edeReason != -1) {
+      assertEquals(getReason(m), getEdeText(m));
+    }
+    return edeReason;
+  }
+
+  protected String getEdeText(Message m) {
+    return Optional.ofNullable(m.getOPT())
+        .flatMap(
+            opt ->
+                opt.getOptions(Code.EDNS_EXTENDED_ERROR).stream()
+                    .filter(o -> o instanceof ExtendedErrorCodeOption)
+                    .findFirst()
+                    .map(o -> ((ExtendedErrorCodeOption) o).getText()))
+        .orElse(null);
   }
 
   protected String getReason(Message m) {
diff --git a/src/test/java/org/xbill/DNS/dnssec/TestBogusReasonMessage.java b/src/test/java/org/xbill/DNS/dnssec/TestBogusReasonMessage.java
@@ -6,6 +6,7 @@
 
 import java.io.IOException;
 import org.junit.jupiter.api.Test;
+import org.xbill.DNS.ExtendedErrorCodeOption;
 import org.xbill.DNS.Flags;
 import org.xbill.DNS.Message;
 import org.xbill.DNS.Rcode;
@@ -22,5 +23,6 @@ void testLongBogusReasonIsSplitCorrectly() throws IOException {
     assertEquals(
         "failed.nxdomain.authority:{ isc.org. 2962 IN NSEC [01234567890123456789012345678901234567890123456789.01234567890123456789012345678901234567890123456789.01234567890123456789012345678901234567890123456789.01234567890123456789012345678901234567890123456789.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF] sigs: [NSEC 5 2 3600 20160706234032 20160606234032 13953 isc.org. fnOJeQG2vOwrERAPIqAenLOosbIBT7UvmxOV8Az2ExOhlGxP2CEqZEc5NPVbidq4oZC2kHyG7x31D6LBJXeXgOuanv+uqPNe9UIiUhdj+Egf8FEWIOKp8nxgjQGiGSNbQenWjeWoR91sReFEU+Pn7NPlEI072MzEESOT8oVucx8=] }",
         getReason(response));
+    assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));
   }
 }
diff --git a/src/test/java/org/xbill/DNS/dnssec/TestDNames.java b/src/test/java/org/xbill/DNS/dnssec/TestDNames.java
@@ -11,6 +11,7 @@
 import org.junit.jupiter.api.Test;
 import org.xbill.DNS.DClass;
 import org.xbill.DNS.DNAMERecord;
+import org.xbill.DNS.ExtendedErrorCodeOption;
 import org.xbill.DNS.Flags;
 import org.xbill.DNS.Lookup;
 import org.xbill.DNS.Message;
@@ -30,6 +31,7 @@ void testDNameToExistingIsValid() throws IOException {
     assertEquals(Rcode.NOERROR, response.getRcode());
     assertEquals(5, response.getSection(Section.ANSWER).size());
     assertNull(getReason(response));
+    assertEquals(-1, getEdeReason(response));
   }
 
   @Test
@@ -39,6 +41,7 @@ void testDNameToNoDataIsValid() throws IOException {
     assertEquals(Rcode.NOERROR, response.getRcode());
     assertEquals(3, response.getSection(Section.ANSWER).size());
     assertNull(getReason(response));
+    assertEquals(-1, getEdeReason(response));
   }
 
   @Test
@@ -47,6 +50,7 @@ void testDNameToNxDomainIsValid() throws IOException {
     assertTrue(response.getHeader().getFlag(Flags.AD), "AD flag must be set");
     assertEquals(Rcode.NXDOMAIN, response.getRcode());
     assertNull(getReason(response));
+    assertEquals(-1, getEdeReason(response));
   }
 
   @Test
@@ -61,6 +65,7 @@ void testDNameDirectQueryIsValid() throws IOException {
         assertEquals(Name.fromString("ingotronic.ch."), r.getTarget());
       }
     }
+    assertEquals(-1, getEdeReason(response));
   }
 
   @Test
@@ -74,6 +79,7 @@ void testDNameWithFakedCnameIsInvalid() throws IOException {
     assertFalse(response.getHeader().getFlag(Flags.AD), "AD flag must not be set");
     assertEquals(Rcode.SERVFAIL, response.getRcode());
     assertEquals("failed.synthesize.nomatch:www.isc.org.:www.ingotronic.ch.", getReason(response));
+    assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));
   }
 
   @Test
@@ -92,6 +98,7 @@ void testDNameWithNoCnameIsValid() throws IOException {
     Record[] results = l.run();
     assertNotNull(results);
     assertTrue(results.length >= 1);
+    assertEquals(-1, getEdeReason(response));
   }
 
   @Test
@@ -105,6 +112,7 @@ void testDNameWithMultipleCnamesIsInvalid() throws IOException {
     assertFalse(response.getHeader().getFlag(Flags.AD), "AD flag must not be set");
     assertEquals(Rcode.SERVFAIL, response.getRcode());
     assertEquals("failed.synthesize.multiple", getReason(response));
+    assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));
   }
 
   @Test
@@ -122,6 +130,7 @@ void testDNameWithTooLongCnameIsInvalid() throws IOException {
     assertFalse(response.getHeader().getFlag(Flags.AD), "AD flag must not be set");
     assertEquals(Rcode.SERVFAIL, response.getRcode());
     assertEquals("failed.synthesize.toolong", getReason(response));
+    assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));
   }
 
   @Test
@@ -154,6 +163,7 @@ void testDNameInNsecIsUnderstood_Rfc6672_5_3_4_1() throws IOException {
     assertFalse(response.getHeader().getFlag(Flags.AD), "AD flag must not be set");
     assertEquals(Rcode.SERVFAIL, response.getRcode());
     assertEquals("failed.nxdomain.exists:www.alias.ingotronic.ch.", getReason(response));
+    assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));
   }
 
   @Test
@@ -162,6 +172,7 @@ void testDNameToExternal() throws IOException {
     assertTrue(response.getHeader().getFlag(Flags.AD), "AD flag must be set");
     assertEquals(Rcode.NOERROR, response.getRcode());
     assertNull(getReason(response));
+    assertEquals(-1, getEdeReason(response));
   }
 
   @Test
@@ -170,5 +181,6 @@ void testDNameChain() throws IOException {
     assertTrue(response.getHeader().getFlag(Flags.AD), "AD flag must be set");
     assertEquals(Rcode.NOERROR, response.getRcode());
     assertNull(getReason(response));
+    assertEquals(-1, getEdeReason(response));
   }
 }
diff --git a/src/test/java/org/xbill/DNS/dnssec/TestInvalid.java b/src/test/java/org/xbill/DNS/dnssec/TestInvalid.java
@@ -10,10 +10,12 @@
 import java.time.Instant;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
 import org.junit.jupiter.params.provider.ValueSource;
 import org.xbill.DNS.ARecord;
 import org.xbill.DNS.DClass;
 import org.xbill.DNS.DNSSEC.Algorithm;
+import org.xbill.DNS.ExtendedErrorCodeOption;
 import org.xbill.DNS.Flags;
 import org.xbill.DNS.Message;
 import org.xbill.DNS.Name;
@@ -24,22 +26,22 @@
 import org.xbill.DNS.Type;
 
 class TestInvalid extends TestBase {
-  @ParameterizedTest(name = "testInvalid_{arguments}")
-  @ValueSource(
-      strings = {
-        "unknownalgorithm.dnssec",
-        "sigexpired.dnssec",
-        "bogussig.dnssec",
-        "unknownalgorithm.nsec3",
-        "sigexpired.nsec3",
-        "bogussig.nsec3"
-      })
+  @ParameterizedTest(name = "testInvalid_{0}")
+  @CsvSource({
+    "bogussig.dnssec,dnskey.invalid,DNSSEC_BOGUS",
+    "bogussig.nsec3,dnskey.invalid,DNSSEC_BOGUS",
+    "sigexpired.dnssec,dnskey.expired,SIGNATURE_EXPIRED",
+    "sigexpired.nsec3,dnskey.expired,SIGNATURE_EXPIRED",
+    "unknownalgorithm.dnssec,failed.ds.noalg,UNSUPPORTED_DNSKEY_ALGORITHM",
+    "unknownalgorithm.nsec3,failed.ds.noalg,UNSUPPORTED_DNSKEY_ALGORITHM",
+  })
   @AlwaysOffline
-  void testInvalid(String param) throws IOException {
+  void testInvalid(String param, String dnssecReason, String edeMnemonic) throws IOException {
     Message response = resolver.send(createMessage(param + ".tjeb.nl./A"));
     assertFalse(response.getHeader().getFlag(Flags.AD), "AD flag must not be set");
     assertEquals(Rcode.SERVFAIL, response.getRcode());
-    assertEquals("validate.bogus.badkey:" + param + ".tjeb.nl.:failed.ds", getReason(response));
+    assertEquals("validate.bogus.badkey:" + param + ".tjeb.nl.:" + dnssecReason, getReason(response));
+    assertEquals(ExtendedErrorCodeOption.code(edeMnemonic), getEdeReason(response));
   }
 
   @Test
@@ -50,6 +52,7 @@ void testSignedBelowUnsignedBelowSigned() throws IOException {
     assertEquals(Rcode.NOERROR, response.getRcode());
     assertFalse(isEmptyAnswer(response));
     assertEquals("insecure.ds.nsec", getReason(response));
+    assertEquals(-1, getEdeReason(response));
   }
 
   @Test

Original file line number	Diff line number	Diff line change
`@@ -145,14 +145,14 @@ JustifiedSecStatus validateKeyFor(Name signerName) {`
`145`	`145`
`146`	`146`	`return new JustifiedSecStatus(`
`147`	`147`	`SecurityStatus.BOGUS,`
`148`		`- ExtendedErrorCodeOption.DNSSEC_BOGUS,`
	`148`	`+ edeReason,`
`149`	`149`	`R.get("validate.bogus", this.badReason));`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`if (this.isBad()) {`
`153`	`153`	`return new JustifiedSecStatus(`
`154`	`154`	`SecurityStatus.BOGUS,`
`155`		`- ExtendedErrorCodeOption.DNSSEC_BOGUS,`
	`155`	`+ edeReason,`
`156`	`156`	`R.get("validate.bogus.badkey", this.getName(), this.badReason));`
`157`	`157`	`}`
`158`	`158`
Original file line number	Diff line number	Diff line change
`@@ -967,7 +967,7 @@ private KeyEntry dsResponseToKE(SMessage response, Message request, SRRset keyRr`
`967`	`967`	`SRRset dsRrset = response.findAnswerRRset(qname, Type.DS, qclass);`
`968`	`968`	`res = this.valUtils.verifySRRset(dsRrset, keyRrset, this.clock.instant());`
`969`	`969`	`if (res.status != SecurityStatus.SECURE) {`
`970`		`- bogusKE.setBadReason(ExtendedErrorCodeOption.DNSSEC_BOGUS, R.get("failed.ds"));`
	`970`	`+ bogusKE.setBadReason(res.edeReason, res.reason);`
`971`	`971`	`return bogusKE;`
`972`	`972`	`}`
`973`	`973`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@`
`6`	`6`
`7`	`7`	`import java.io.IOException;`
`8`	`8`	`import org.junit.jupiter.api.Test;`
	`9`	`+import org.xbill.DNS.ExtendedErrorCodeOption;`
`9`	`10`	`import org.xbill.DNS.Flags;`
`10`	`11`	`import org.xbill.DNS.Message;`
`11`	`12`	`import org.xbill.DNS.Rcode;`
`@@ -22,5 +23,6 @@ void testLongBogusReasonIsSplitCorrectly() throws IOException {`
`22`	`23`	`assertEquals(`
`23`	`24`	"failed.nxdomain.authority:{ isc.org. 2962 IN NSEC [01234567890123456789012345678901234567890123456789.01234567890123456789012345678901234567890123456789.01234567890123456789012345678901234567890123456789.01234567890123456789012345678901234567890123456789.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF] sigs: [NSEC 5 2 3600 20160706234032 20160606234032 13953 isc.org. fnOJeQG2vOwrERAPIqAenLOosbIBT7UvmxOV8Az2ExOhlGxP2CEqZEc5NPVbidq4oZC2kHyG7x31D6LBJXeXgOuanv+uqPNe9UIiUhdj+Egf8FEWIOKp8nxgjQGiGSNbQenWjeWoR91sReFEU+Pn7NPlEI072MzEESOT8oVucx8=] }",
`24`	`25`	`getReason(response));`
	`26`	`+ assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));`
`25`	`27`	`}`
`26`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`	`import org.junit.jupiter.api.Test;`
`12`	`12`	`import org.xbill.DNS.DClass;`
`13`	`13`	`import org.xbill.DNS.DNAMERecord;`
	`14`	`+import org.xbill.DNS.ExtendedErrorCodeOption;`
`14`	`15`	`import org.xbill.DNS.Flags;`
`15`	`16`	`import org.xbill.DNS.Lookup;`
`16`	`17`	`import org.xbill.DNS.Message;`
`@@ -30,6 +31,7 @@ void testDNameToExistingIsValid() throws IOException {`
`30`	`31`	`assertEquals(Rcode.NOERROR, response.getRcode());`
`31`	`32`	`assertEquals(5, response.getSection(Section.ANSWER).size());`
`32`	`33`	`assertNull(getReason(response));`
	`34`	`+ assertEquals(-1, getEdeReason(response));`
`33`	`35`	`}`
`34`	`36`
`35`	`37`	`@Test`
`@@ -39,6 +41,7 @@ void testDNameToNoDataIsValid() throws IOException {`
`39`	`41`	`assertEquals(Rcode.NOERROR, response.getRcode());`
`40`	`42`	`assertEquals(3, response.getSection(Section.ANSWER).size());`
`41`	`43`	`assertNull(getReason(response));`
	`44`	`+ assertEquals(-1, getEdeReason(response));`
`42`	`45`	`}`
`43`	`46`
`44`	`47`	`@Test`
`@@ -47,6 +50,7 @@ void testDNameToNxDomainIsValid() throws IOException {`
`47`	`50`	`assertTrue(response.getHeader().getFlag(Flags.AD), "AD flag must be set");`
`48`	`51`	`assertEquals(Rcode.NXDOMAIN, response.getRcode());`
`49`	`52`	`assertNull(getReason(response));`
	`53`	`+ assertEquals(-1, getEdeReason(response));`
`50`	`54`	`}`
`51`	`55`
`52`	`56`	`@Test`
`@@ -61,6 +65,7 @@ void testDNameDirectQueryIsValid() throws IOException {`
`61`	`65`	`assertEquals(Name.fromString("ingotronic.ch."), r.getTarget());`
`62`	`66`	`}`
`63`	`67`	`}`
	`68`	`+ assertEquals(-1, getEdeReason(response));`
`64`	`69`	`}`
`65`	`70`
`66`	`71`	`@Test`
`@@ -74,6 +79,7 @@ void testDNameWithFakedCnameIsInvalid() throws IOException {`
`74`	`79`	`assertFalse(response.getHeader().getFlag(Flags.AD), "AD flag must not be set");`
`75`	`80`	`assertEquals(Rcode.SERVFAIL, response.getRcode());`
`76`	`81`	`assertEquals("failed.synthesize.nomatch:www.isc.org.:www.ingotronic.ch.", getReason(response));`
	`82`	`+ assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));`
`77`	`83`	`}`
`78`	`84`
`79`	`85`	`@Test`
`@@ -92,6 +98,7 @@ void testDNameWithNoCnameIsValid() throws IOException {`
`92`	`98`	`Record[] results = l.run();`
`93`	`99`	`assertNotNull(results);`
`94`	`100`	`assertTrue(results.length >= 1);`
	`101`	`+ assertEquals(-1, getEdeReason(response));`
`95`	`102`	`}`
`96`	`103`
`97`	`104`	`@Test`
`@@ -105,6 +112,7 @@ void testDNameWithMultipleCnamesIsInvalid() throws IOException {`
`105`	`112`	`assertFalse(response.getHeader().getFlag(Flags.AD), "AD flag must not be set");`
`106`	`113`	`assertEquals(Rcode.SERVFAIL, response.getRcode());`
`107`	`114`	`assertEquals("failed.synthesize.multiple", getReason(response));`
	`115`	`+ assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));`
`108`	`116`	`}`
`109`	`117`
`110`	`118`	`@Test`
`@@ -122,6 +130,7 @@ void testDNameWithTooLongCnameIsInvalid() throws IOException {`
`122`	`130`	`assertFalse(response.getHeader().getFlag(Flags.AD), "AD flag must not be set");`
`123`	`131`	`assertEquals(Rcode.SERVFAIL, response.getRcode());`
`124`	`132`	`assertEquals("failed.synthesize.toolong", getReason(response));`
	`133`	`+ assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));`
`125`	`134`	`}`
`126`	`135`
`127`	`136`	`@Test`
`@@ -154,6 +163,7 @@ void testDNameInNsecIsUnderstood_Rfc6672_5_3_4_1() throws IOException {`
`154`	`163`	`assertFalse(response.getHeader().getFlag(Flags.AD), "AD flag must not be set");`
`155`	`164`	`assertEquals(Rcode.SERVFAIL, response.getRcode());`
`156`	`165`	`assertEquals("failed.nxdomain.exists:www.alias.ingotronic.ch.", getReason(response));`
	`166`	`+ assertEquals(ExtendedErrorCodeOption.DNSSEC_BOGUS, getEdeReason(response));`
`157`	`167`	`}`
`158`	`168`
`159`	`169`	`@Test`
`@@ -162,6 +172,7 @@ void testDNameToExternal() throws IOException {`
`162`	`172`	`assertTrue(response.getHeader().getFlag(Flags.AD), "AD flag must be set");`
`163`	`173`	`assertEquals(Rcode.NOERROR, response.getRcode());`
`164`	`174`	`assertNull(getReason(response));`
	`175`	`+ assertEquals(-1, getEdeReason(response));`
`165`	`176`	`}`
`166`	`177`
`167`	`178`	`@Test`
`@@ -170,5 +181,6 @@ void testDNameChain() throws IOException {`
`170`	`181`	`assertTrue(response.getHeader().getFlag(Flags.AD), "AD flag must be set");`
`171`	`182`	`assertEquals(Rcode.NOERROR, response.getRcode());`
`172`	`183`	`assertNull(getReason(response));`
	`184`	`+ assertEquals(-1, getEdeReason(response));`
`173`	`185`	`}`
`174`	`186`	`}`