1 /*	$NetBSD: result.c,v 1.1 2024/02/18 20:57:33 christos Exp $	*/
2 
3 /*
4  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5  *
6  * SPDX-License-Identifier: MPL-2.0
7  *
8  * This Source Code Form is subject to the terms of the Mozilla Public
9  * License, v. 2.0. If a copy of the MPL was not distributed with this
10  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
11  *
12  * See the COPYRIGHT file distributed with this work for additional
13  * information regarding copyright ownership.
14  */
15 
16 /*! \file */
17 
18 #include <isc/once.h>
19 #include <isc/util.h>
20 
21 #include <dns/lib.h>
22 #include <dns/result.h>
23 
/*
 * Human-readable message for each result code in the DNS result class.
 * initialize_action() hands this table to isc_result_register() together
 * with ISC_RESULTCLASS_DNS and DNS_R_NRESULTS, so a string's position is
 * what ties it to a code.  The comment in front of each entry gives the
 * expected offset and code name; keep the order in step with the DNS_R_*
 * definitions (presumably in <dns/result.h>, not visible here).
 *
 * The array is sized by DNS_R_NRESULTS, so any trailing slot left without
 * an initializer is a null pointer rather than a compile error.
 */
static const char *text[DNS_R_NRESULTS] = {
	/* 0: DNS_R_LABELTOOLONG */ "label too long",
	/* 1: DNS_R_BADESCAPE */ "bad escape",
	/*
	 * DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are deprecated; the
	 * slots are kept so later offsets do not move.
	 */
	/* 2: DNS_R_BADBITSTRING */ "bad bitstring",
	/* 3: DNS_R_BITSTRINGTOOLONG */ "bitstring too long",
	/* 4: DNS_R_EMPTYLABEL */ "empty label",
	/* 5: DNS_R_BADDOTTEDQUAD */ "bad dotted quad",
	/* 6: DNS_R_INVALIDNS */ "invalid NS owner name (wildcard)",
	/* 7: DNS_R_UNKNOWN */ "unknown class/type",
	/* 8: DNS_R_BADLABELTYPE */ "bad label type",
	/* 9: DNS_R_BADPOINTER */ "bad compression pointer",
	/* 10: DNS_R_TOOMANYHOPS */ "too many hops",
	/* 11: DNS_R_DISALLOWED */ "disallowed (by application policy)",
	/* 12: DNS_R_EXTRATOKEN */ "extra input text",
	/* 13: DNS_R_EXTRADATA */ "extra input data",
	/* 14: DNS_R_TEXTTOOLONG */ "text too long",
	/* 15: DNS_R_NOTZONETOP */ "not at top of zone",
	/* 16: DNS_R_SYNTAX */ "syntax error",
	/* 17: DNS_R_BADCKSUM */ "bad checksum",
	/* 18: DNS_R_BADAAAA */ "bad IPv6 address",
	/* 19: DNS_R_NOOWNER */ "no owner",
	/* 20: DNS_R_NOTTL */ "no ttl",
	/* 21: DNS_R_BADCLASS */ "bad class",
	/* 22: DNS_R_NAMETOOLONG */ "name too long",
	/* 23: DNS_R_PARTIALMATCH */ "partial match",
	/* 24: DNS_R_NEWORIGIN */ "new origin",
	/* 25: DNS_R_UNCHANGED */ "unchanged",
	/* 26: DNS_R_BADTTL */ "bad ttl",
	/* 27: DNS_R_NOREDATA */ "more data needed/to be rendered",
	/* 28: DNS_R_CONTINUE */ "continue",
	/* 29: DNS_R_DELEGATION */ "delegation",
	/* 30: DNS_R_GLUE */ "glue",
	/* 31: DNS_R_DNAME */ "dname",
	/* 32: DNS_R_CNAME */ "cname",
	/* 33: DNS_R_BADDB */ "bad database",
	/* 34: DNS_R_ZONECUT */ "zonecut",
	/* 35: DNS_R_BADZONE */ "bad zone",
	/* 36: DNS_R_MOREDATA */ "more data",
	/* 37: DNS_R_UPTODATE */ "up to date",
	/* 38: DNS_R_TSIGVERIFYFAILURE */ "tsig verify failure",
	/* 39: DNS_R_TSIGERRORSET */ "tsig indicates error",
	/* 40: DNS_R_SIGINVALID */ "RRSIG failed to verify",
	/* 41: DNS_R_SIGEXPIRED */ "RRSIG has expired",
	/* 42: DNS_R_SIGFUTURE */ "RRSIG validity period has not begun",
	/* 43: DNS_R_KEYUNAUTHORIZED */ "key is unauthorized to sign data",
	/* 44: DNS_R_INVALIDTIME */ "invalid time",
	/* 45: DNS_R_EXPECTEDTSIG */ "expected a TSIG or SIG(0)",
	/* 46: DNS_R_UNEXPECTEDTSIG */ "did not expect a TSIG or SIG(0)",
	/* 47: DNS_R_INVALIDTKEY */ "TKEY is unacceptable",
	/* 48: DNS_R_HINT */ "hint",
	/* 49: DNS_R_DROP */ "drop",
	/* 50: DNS_R_NOTLOADED */ "zone not loaded",
	/* 51: DNS_R_NCACHENXDOMAIN */ "ncache nxdomain",
	/* 52: DNS_R_NCACHENXRRSET */ "ncache nxrrset",
	/* 53: DNS_R_WAIT */ "wait",
	/* 54: DNS_R_NOTVERIFIEDYET */ "not verified yet",
	/* 55: DNS_R_NOIDENTITY */ "no identity",
	/* 56: DNS_R_NOJOURNAL */ "no journal",
	/* 57: DNS_R_ALIAS */ "alias",
	/* 58: DNS_R_USETCP */ "use TCP",
	/* 59: DNS_R_NOVALIDSIG */ "no valid RRSIG",
	/* 60: DNS_R_NOVALIDNSEC */ "no valid NSEC",
	/* 61: DNS_R_NOTINSECURE */ "insecurity proof failed",
	/* 62: DNS_R_UNKNOWNSERVICE */ "unknown service",
	/* 63: DNS_R_RECOVERABLE */ "recoverable error occurred",
	/* 64: DNS_R_UNKNOWNOPT */ "unknown opt attribute record",
	/* 65: DNS_R_UNEXPECTEDID */ "unexpected message id",
	/* 66: DNS_R_SEENINCLUDE */ "seen include file",
	/* 67: DNS_R_NOTEXACT */ "not exact",
	/* 68: DNS_R_BLACKHOLED */ "address blackholed",
	/* 69: DNS_R_BADALG */ "bad algorithm",
	/* 70: DNS_R_METATYPE */ "invalid use of a meta type",
	/* 71: DNS_R_CNAMEANDOTHER */ "CNAME and other data",
	/* 72: DNS_R_SINGLETON */ "multiple RRs of singleton type",
	/* 73: DNS_R_HINTNXRRSET */ "hint nxrrset",
	/* 74: DNS_R_NOMASTERFILE */ "no master file configured",
	/* 75: DNS_R_UNKNOWNPROTO */ "unknown protocol",
	/* 76: DNS_R_CLOCKSKEW */ "clocks are unsynchronized",
	/* 77: DNS_R_BADIXFR */ "IXFR failed",
	/* 78: DNS_R_NOTAUTHORITATIVE */ "not authoritative",
	/* 79: DNS_R_NOVALIDKEY */ "no valid KEY",
	/* 80: DNS_R_OBSOLETE */ "obsolete",
	/* 81: DNS_R_FROZEN */ "already frozen",
	/* 82: DNS_R_UNKNOWNFLAG */ "unknown flag",
	/* 83: DNS_R_EXPECTEDRESPONSE */ "expected a response",
	/* 84: DNS_R_NOVALIDDS */ "no valid DS",
	/* 85: DNS_R_NSISADDRESS */ "NS is an address",
	/* 86: DNS_R_REMOTEFORMERR */ "received FORMERR",
	/* 87: DNS_R_TRUNCATEDTCP */ "truncated TCP response",
	/* 88: DNS_R_LAME */ "lame server detected",
	/* 89: DNS_R_UNEXPECTEDRCODE */ "unexpected RCODE",
	/* 90: DNS_R_UNEXPECTEDOPCODE */ "unexpected OPCODE",
	/* 91: DNS_R_CHASEDSSERVERS */ "chase DS servers",
	/* 92: DNS_R_EMPTYNAME */ "empty name",
	/* 93: DNS_R_EMPTYWILD */ "empty wild",
	/* 94: DNS_R_BADBITMAP */ "bad bitmap",
	/* 95: DNS_R_FROMWILDCARD */ "from wildcard",
	/* 96: DNS_R_BADOWNERNAME */ "bad owner name (check-names)",
	/* 97: DNS_R_BADNAME */ "bad name (check-names)",
	/* 98: DNS_R_DYNAMIC */ "dynamic zone",
	/* 99: DNS_R_UNKNOWNCOMMAND */ "unknown command",
	/* 100: DNS_R_MUSTBESECURE */ "must-be-secure",
	/* 101: DNS_R_COVERINGNSEC */ "covering NSEC record returned",
	/* 102: DNS_R_MXISADDRESS */ "MX is an address",
	/* 103: DNS_R_DUPLICATE */ "duplicate query",
	/* 104: DNS_R_INVALIDNSEC3 */ "invalid NSEC3 owner name (wildcard)",
	/* 105: DNS_R_NOTMASTER */ "not master",
	/* 106: DNS_R_BROKENCHAIN */ "broken trust chain",
	/* 107: DNS_R_EXPIRED */ "expired",
	/* 108: DNS_R_NOTDYNAMIC */ "not dynamic",
	/* 109: DNS_R_BADEUI */ "bad EUI",
	/* 110: DNS_R_NTACOVERED */ "covered by negative trust anchor",
	/* 111: DNS_R_BADCDS */ "bad CDS",
	/* 112: DNS_R_BADCDNSKEY */ "bad CDNSKEY",
	/* 113: DNS_R_OPTERR */ "malformed OPT option",
	/* 114: DNS_R_BADDNSTAP */ "malformed DNSTAP data",
	/* 115: DNS_R_BADTSIG */ "TSIG in wrong location",
	/* 116: DNS_R_BADSIG0 */ "SIG(0) in wrong location",
	/* 117: DNS_R_TOOMANYRECORDS */ "too many records",
	/* 118: DNS_R_VERIFYFAILURE */ "verify failure",
	/* 119: DNS_R_ATZONETOP */ "at top of zone",
	/* 120: DNS_R_NOKEYMATCH */ "no matching key found",
	/* 121: DNS_R_TOOMANYKEYS */ "too many keys matching",
	/* 122: DNS_R_KEYNOTACTIVE */ "key is not actively signing",
	/* 123: DNS_R_NSEC3ITERRANGE */ "NSEC3 iterations out of range",
	/* 124: DNS_R_NSEC3SALTRANGE */ "NSEC3 salt length too high",
	/* 125: DNS_R_NSEC3BADALG */ "cannot use NSEC3 with key algorithm",
	/* 126: DNS_R_NSEC3RESALT */ "NSEC3 resalt",
	/* 127: DNS_R_INCONSISTENTRR */ "inconsistent resource record",
};
183 
/*
 * Symbolic identifier for each result code in the DNS result class, in
 * the same order as the message table above.  initialize_action() passes
 * this table to isc_result_registerids() with ISC_RESULTCLASS_DNS.
 *
 * Each string is expected to spell the DNS_R_* name for its offset; the
 * trailing comment gives that offset so the two tables can be compared
 * entry by entry.
 */
static const char *ids[DNS_R_NRESULTS] = {
	"DNS_R_LABELTOOLONG",	   /* 0 */
	"DNS_R_BADESCAPE",	   /* 1 */
	"DNS_R_BADBITSTRING",	   /* 2, deprecated */
	"DNS_R_BITSTRINGTOOLONG",  /* 3, deprecated */
	"DNS_R_EMPTYLABEL",	   /* 4 */
	"DNS_R_BADDOTTEDQUAD",	   /* 5 */
	"DNS_R_INVALIDNS",	   /* 6 */
	"DNS_R_UNKNOWN",	   /* 7 */
	"DNS_R_BADLABELTYPE",	   /* 8 */
	"DNS_R_BADPOINTER",	   /* 9 */
	"DNS_R_TOOMANYHOPS",	   /* 10 */
	"DNS_R_DISALLOWED",	   /* 11 */
	"DNS_R_EXTRATOKEN",	   /* 12 */
	"DNS_R_EXTRADATA",	   /* 13 */
	"DNS_R_TEXTTOOLONG",	   /* 14 */
	"DNS_R_NOTZONETOP",	   /* 15 */
	"DNS_R_SYNTAX",		   /* 16 */
	"DNS_R_BADCKSUM",	   /* 17 */
	"DNS_R_BADAAAA",	   /* 18 */
	"DNS_R_NOOWNER",	   /* 19 */
	"DNS_R_NOTTL",		   /* 20 */
	"DNS_R_BADCLASS",	   /* 21 */
	"DNS_R_NAMETOOLONG",	   /* 22 */
	"DNS_R_PARTIALMATCH",	   /* 23 */
	"DNS_R_NEWORIGIN",	   /* 24 */
	"DNS_R_UNCHANGED",	   /* 25 */
	"DNS_R_BADTTL",		   /* 26 */
	"DNS_R_NOREDATA",	   /* 27 */
	"DNS_R_CONTINUE",	   /* 28 */
	"DNS_R_DELEGATION",	   /* 29 */
	"DNS_R_GLUE",		   /* 30 */
	"DNS_R_DNAME",		   /* 31 */
	"DNS_R_CNAME",		   /* 32 */
	"DNS_R_BADDB",		   /* 33 */
	"DNS_R_ZONECUT",	   /* 34 */
	"DNS_R_BADZONE",	   /* 35 */
	"DNS_R_MOREDATA",	   /* 36 */
	"DNS_R_UPTODATE",	   /* 37 */
	"DNS_R_TSIGVERIFYFAILURE", /* 38 */
	"DNS_R_TSIGERRORSET",	   /* 39 */
	"DNS_R_SIGINVALID",	   /* 40 */
	"DNS_R_SIGEXPIRED",	   /* 41 */
	"DNS_R_SIGFUTURE",	   /* 42 */
	"DNS_R_KEYUNAUTHORIZED",   /* 43 */
	"DNS_R_INVALIDTIME",	   /* 44 */
	"DNS_R_EXPECTEDTSIG",	   /* 45 */
	"DNS_R_UNEXPECTEDTSIG",	   /* 46 */
	"DNS_R_INVALIDTKEY",	   /* 47 */
	"DNS_R_HINT",		   /* 48 */
	"DNS_R_DROP",		   /* 49 */
	"DNS_R_NOTLOADED",	   /* 50 */
	"DNS_R_NCACHENXDOMAIN",	   /* 51 */
	"DNS_R_NCACHENXRRSET",	   /* 52 */
	"DNS_R_WAIT",		   /* 53 */
	"DNS_R_NOTVERIFIEDYET",	   /* 54 */
	"DNS_R_NOIDENTITY",	   /* 55 */
	"DNS_R_NOJOURNAL",	   /* 56 */
	"DNS_R_ALIAS",		   /* 57 */
	"DNS_R_USETCP",		   /* 58 */
	"DNS_R_NOVALIDSIG",	   /* 59 */
	"DNS_R_NOVALIDNSEC",	   /* 60 */
	"DNS_R_NOTINSECURE",	   /* 61 */
	"DNS_R_UNKNOWNSERVICE",	   /* 62 */
	"DNS_R_RECOVERABLE",	   /* 63 */
	"DNS_R_UNKNOWNOPT",	   /* 64 */
	"DNS_R_UNEXPECTEDID",	   /* 65 */
	"DNS_R_SEENINCLUDE",	   /* 66 */
	"DNS_R_NOTEXACT",	   /* 67 */
	"DNS_R_BLACKHOLED",	   /* 68 */
	"DNS_R_BADALG",		   /* 69 */
	"DNS_R_METATYPE",	   /* 70 */
	"DNS_R_CNAMEANDOTHER",	   /* 71 */
	"DNS_R_SINGLETON",	   /* 72 */
	"DNS_R_HINTNXRRSET",	   /* 73 */
	"DNS_R_NOMASTERFILE",	   /* 74 */
	"DNS_R_UNKNOWNPROTO",	   /* 75 */
	"DNS_R_CLOCKSKEW",	   /* 76 */
	"DNS_R_BADIXFR",	   /* 77 */
	"DNS_R_NOTAUTHORITATIVE",  /* 78 */
	"DNS_R_NOVALIDKEY",	   /* 79 */
	"DNS_R_OBSOLETE",	   /* 80 */
	"DNS_R_FROZEN",		   /* 81 */
	"DNS_R_UNKNOWNFLAG",	   /* 82 */
	"DNS_R_EXPECTEDRESPONSE",  /* 83 */
	"DNS_R_NOVALIDDS",	   /* 84 */
	"DNS_R_NSISADDRESS",	   /* 85 */
	"DNS_R_REMOTEFORMERR",	   /* 86 */
	"DNS_R_TRUNCATEDTCP",	   /* 87 */
	"DNS_R_LAME",		   /* 88 */
	"DNS_R_UNEXPECTEDRCODE",   /* 89 */
	"DNS_R_UNEXPECTEDOPCODE",  /* 90 */
	"DNS_R_CHASEDSSERVERS",	   /* 91 */
	"DNS_R_EMPTYNAME",	   /* 92 */
	"DNS_R_EMPTYWILD",	   /* 93 */
	"DNS_R_BADBITMAP",	   /* 94 */
	"DNS_R_FROMWILDCARD",	   /* 95 */
	"DNS_R_BADOWNERNAME",	   /* 96 */
	"DNS_R_BADNAME",	   /* 97 */
	"DNS_R_DYNAMIC",	   /* 98 */
	"DNS_R_UNKNOWNCOMMAND",	   /* 99 */
	"DNS_R_MUSTBESECURE",	   /* 100 */
	"DNS_R_COVERINGNSEC",	   /* 101 */
	"DNS_R_MXISADDRESS",	   /* 102 */
	"DNS_R_DUPLICATE",	   /* 103 */
	"DNS_R_INVALIDNSEC3",	   /* 104 */
	"DNS_R_NOTMASTER",	   /* 105 */
	"DNS_R_BROKENCHAIN",	   /* 106 */
	"DNS_R_EXPIRED",	   /* 107 */
	"DNS_R_NOTDYNAMIC",	   /* 108 */
	"DNS_R_BADEUI",		   /* 109 */
	"DNS_R_NTACOVERED",	   /* 110 */
	"DNS_R_BADCDS",		   /* 111 */
	"DNS_R_BADCDNSKEY",	   /* 112 */
	"DNS_R_OPTERR",		   /* 113 */
	"DNS_R_BADDNSTAP",	   /* 114 */
	"DNS_R_BADTSIG",	   /* 115 */
	"DNS_R_BADSIG0",	   /* 116 */
	"DNS_R_TOOMANYRECORDS",	   /* 117 */
	"DNS_R_VERIFYFAILURE",	   /* 118 */
	"DNS_R_ATZONETOP",	   /* 119 */
	"DNS_R_NOKEYMATCH",	   /* 120 */
	"DNS_R_TOOMANYKEYS",	   /* 121 */
	"DNS_R_KEYNOTACTIVE",	   /* 122 */
	"DNS_R_NSEC3ITERRANGE",	   /* 123 */
	"DNS_R_NSEC3SALTRANGE",	   /* 124 */
	"DNS_R_NSEC3BADALG",	   /* 125 */
	"DNS_R_NSEC3RESALT",	   /* 126 */
	"DNS_R_INCONSISTENTRR",	   /* 127 */
};
318 
/*
 * Message text for the result codes that mirror DNS response codes.
 * initialize_action() registers this table under ISC_RESULTCLASS_DNSRCODE
 * with DNS_R_NRCODERESULTS entries.  Offsets 11 through 15 have no
 * mnemonic here and are rendered as "<rcode N>" placeholders.
 */
static const char *rcode_text[DNS_R_NRCODERESULTS] = {
	/* 0: DNS_R_NOERROR */ "NOERROR",
	/* 1: DNS_R_FORMERR */ "FORMERR",
	/* 2: DNS_R_SERVFAIL */ "SERVFAIL",
	/* 3: DNS_R_NXDOMAIN */ "NXDOMAIN",
	/* 4: DNS_R_NOTIMP */ "NOTIMP",
	/* 5: DNS_R_REFUSED */ "REFUSED",
	/* 6: DNS_R_YXDOMAIN */ "YXDOMAIN",
	/* 7: DNS_R_YXRRSET */ "YXRRSET",
	/* 8: DNS_R_NXRRSET */ "NXRRSET",
	/* 9: DNS_R_NOTAUTH */ "NOTAUTH",
	/* 10: DNS_R_NOTZONE */ "NOTZONE",
	/* 11: DNS_R_RCODE11 */ "<rcode 11>",
	/* 12: DNS_R_RCODE12 */ "<rcode 12>",
	/* 13: DNS_R_RCODE13 */ "<rcode 13>",
	/* 14: DNS_R_RCODE14 */ "<rcode 14>",
	/* 15: DNS_R_RCODE15 */ "<rcode 15>",
	/* 16: DNS_R_BADVERS */ "BADVERS",
};
341 
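/*
 * Symbolic identifier for each rcode-class result, in the same order as
 * rcode_text.  initialize_action() registers this table under
 * ISC_RESULTCLASS_DNSRCODE via isc_result_registerids().
 *
 * Entry 12 previously read "RNS_R_RCODE12"; the identifier is spelled
 * DNS_R_RCODE12 everywhere else in this file, so a lookup of that code
 * reported a name that matches no symbol.  One entry per line with its
 * offset makes this kind of slip easier to spot against rcode_text.
 */
static const char *rcode_ids[DNS_R_NRCODERESULTS] = {
	"DNS_R_NOERROR",  /* 0 */
	"DNS_R_FORMERR",  /* 1 */
	"DNS_R_SERVFAIL", /* 2 */
	"DNS_R_NXDOMAIN", /* 3 */
	"DNS_R_NOTIMP",	  /* 4 */
	"DNS_R_REFUSED",  /* 5 */
	"DNS_R_YXDOMAIN", /* 6 */
	"DNS_R_YXRRSET",  /* 7 */
	"DNS_R_NXRRSET",  /* 8 */
	"DNS_R_NOTAUTH",  /* 9 */
	"DNS_R_NOTZONE",  /* 10 */
	"DNS_R_RCODE11",  /* 11 */
	"DNS_R_RCODE12",  /* 12 */
	"DNS_R_RCODE13",  /* 13 */
	"DNS_R_RCODE14",  /* 14 */
	"DNS_R_RCODE15",  /* 15 */
	"DNS_R_BADVERS",  /* 16 */
};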
349 
/*
 * Set numbers passed as the last argument of isc_result_register() and
 * isc_result_registerids() in initialize_action(): one for the DNS result
 * tables, one for the rcode tables.
 * NOTE(review): presumably message-catalog set identifiers; confirm
 * against the isc_result_register() contract.
 */
#define DNS_RESULT_RESULTSET	  2
#define DNS_RESULT_RCODERESULTSET 3

/* Guard used by initialize() so initialize_action() goes through isc_once_do(). */
static isc_once_t once = ISC_ONCE_INIT;
354 
/*
 * Register the DNS and DNS-rcode result tables with the ISC result
 * subsystem: message text first, then symbolic identifiers.
 *
 * Within each pair the rcode table is attempted only when the DNS table
 * registered successfully.  A failure is reported through
 * UNEXPECTED_ERROR(); this function does not return early, so identifier
 * registration is still attempted after a text-registration failure.
 */
static void
initialize_action(void) {
	isc_result_t text_rc;
	isc_result_t ids_rc;

	/* Message text for both result classes. */
	text_rc = isc_result_register(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS,
				      text, DNS_RESULT_RESULTSET);
	if (text_rc == ISC_R_SUCCESS) {
		text_rc = isc_result_register(ISC_RESULTCLASS_DNSRCODE,
					      DNS_R_NRCODERESULTS, rcode_text,
					      DNS_RESULT_RCODERESULTSET);
	}
	if (text_rc != ISC_R_SUCCESS) {
		UNEXPECTED_ERROR(__FILE__, __LINE__,
				 "isc_result_register() failed: %u", text_rc);
	}

	/* Symbolic identifiers for both result classes. */
	ids_rc = isc_result_registerids(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS,
					ids, DNS_RESULT_RESULTSET);
	if (ids_rc == ISC_R_SUCCESS) {
		ids_rc = isc_result_registerids(ISC_RESULTCLASS_DNSRCODE,
						DNS_R_NRCODERESULTS, rcode_ids,
						DNS_RESULT_RCODERESULTSET);
	}
	if (ids_rc != ISC_R_SUCCESS) {
		UNEXPECTED_ERROR(__FILE__, __LINE__,
				 "isc_result_registerids() failed: %u", ids_rc);
	}
}
383 
/*
 * Run initialize_action() through isc_once_do() using the file-scope
 * `once` guard.  RUNTIME_CHECK() wraps the call, so a result other than
 * ISC_R_SUCCESS from isc_once_do() is handled as a runtime-check failure
 * rather than being returned to the caller.
 */
static void
initialize(void) {
	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
}
388 
/*
 * Return the message text for `result`.
 *
 * Calls initialize() first so the DNS tables are registered before the
 * lookup, then delegates to isc_result_totext() and returns its answer
 * unchanged.
 */
const char *
dns_result_totext(isc_result_t result) {
	const char *message;

	initialize();
	message = isc_result_totext(result);

	return (message);
}
395 
/*
 * Public entry point for registering the DNS result tables.  It only
 * calls initialize(), which routes the work through isc_once_do().
 */
void
dns_result_register(void) {
	initialize();
}
400 
/*
 * Map an isc_result_t onto the DNS response code to report for it.
 *
 * Results for which DNS_RESULT_ISRCODE() is true carry the rcode in
 * their low bits and are unpacked directly.  Otherwise a fixed table
 * applies: success -> NOERROR, parse and encoding failures -> FORMERR,
 * policy denial -> REFUSED, TSIG verification failure and clock skew ->
 * NOTAUTH.  Every other result, including the DNSSEC validation codes
 * that have no case below, is reported as SERVFAIL.
 */
dns_rcode_t
dns_result_torcode(isc_result_t result) {
	if (DNS_RESULT_ISRCODE(result)) {
		/*
		 * An rcode is at most 12 bits wide, hence the 0xFFF mask
		 * rather than 0xFFFF.
		 */
		return ((dns_rcode_t)((result)&0xFFF));
	}

	/*
	 * Not an rcode-class result: pick the closest response code.
	 */
	switch (result) {
	case ISC_R_SUCCESS:
		return (dns_rcode_noerror);

	/* Malformed or unparsable input. */
	case ISC_R_BADBASE64:
	case ISC_R_RANGE:
	case ISC_R_UNEXPECTEDEND:
	case DNS_R_BADAAAA:
	/* case DNS_R_BADBITSTRING: deprecated */
	case DNS_R_BADCKSUM:
	case DNS_R_BADCLASS:
	case DNS_R_BADLABELTYPE:
	case DNS_R_BADPOINTER:
	case DNS_R_BADTTL:
	case DNS_R_BADZONE:
	/* case DNS_R_BITSTRINGTOOLONG: deprecated */
	case DNS_R_EXTRADATA:
	case DNS_R_LABELTOOLONG:
	case DNS_R_NOREDATA:
	case DNS_R_SYNTAX:
	case DNS_R_TEXTTOOLONG:
	case DNS_R_TOOMANYHOPS:
	case DNS_R_TSIGERRORSET:
	case DNS_R_UNKNOWN:
	case DNS_R_NAMETOOLONG:
	case DNS_R_OPTERR:
		return (dns_rcode_formerr);

	case DNS_R_DISALLOWED:
		return (dns_rcode_refused);

	/* Transaction-signature failures. */
	case DNS_R_TSIGVERIFYFAILURE:
	case DNS_R_CLOCKSKEW:
		return (dns_rcode_notauth);

	default:
		break;
	}

	/* Anything not listed above is reported as a server failure. */
	return (dns_rcode_servfail);
}
457