From 7eda1aba760a538a2f9ea3fd2c47cfa81e6fac73 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Fri, 26 Aug 2022 14:39:11 +0000 Subject: [PATCH] Document RPZ Extended DNS Error (EDE) code configuration option Add information about the 'ede' option for response policy zones. --- doc/arm/reference.rst | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index e031d6f36a..3b64f07bb4 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -5374,6 +5374,35 @@ with this zone file: example.com CNAME rpz-tcp-only. *.example.com CNAME rpz-tcp-only. +Response policy zones can be configured to set an Extended DNS Error (EDE) code +on the responses which have been modified by the response policy: + +:: + + response-policy { zone "badlist" ede filtered; }; + +The following settings are supported for the ``ede`` option: + +``none`` + No Extended DNS Error code is set (default). + +``forged`` + Extended DNS Error code 4 - Forged Answer. + +``blocked`` + Extended DNS Error code 15 - Blocked. + +``censored`` + Extended DNS Error code 16 - Censored. + +``filtered`` + Extended DNS Error code 17 - Filtered. + +``prohibited`` + Extended DNS Error code 18 - Prohibited. + +See :rfc:`8914` for more information about the Extended DNS Error codes. + RPZ can affect server performance. Each configured response policy zone requires the server to perform one to four additional database lookups before a query can be answered. For example, a DNS server with four
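Review bot: the lead-in sentence before the ``::`` block ("responses which have been modified by the response policy") leaves open which RPZ actions actually carry the code; please state explicitly whether a PASSTHRU or ``rpz-tcp-only`` rewrite counts as a modification that gets the EDE, and whether a zone with the ``disabled`` (log-only) policy emits one, since that is the first thing an operator enabling this will want to know. Two further sentences would make the section self-sufficient: first, that Extended DNS Error is an EDNS0 option (:rfc:`8914`), so the code can only be returned to clients whose query carried EDNS, and second, a hint on choosing among the values, because RFC 8914 gives them distinct meanings (``blocked``: blocklist imposed by the operator's own policy; ``censored``: blocklist imposed by an external requirement; ``filtered``: blocklist requested by the client; ``prohibited``: the client is one the server does not serve; ``forged``: the answer data itself was substituted). As written, the example uses ``ede filtered`` and nothing explains why that value was picked over ``blocked``. The numeric codes in the list (4, 15, 16, 17, 18) do match RFC 8914. Finally, if reference.rst also carries a syntax summary for the ``response-policy`` statement, ``ede`` needs to be added to it as well; this hunk only adds the descriptive prose.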