Hi,

> Subject: Call for adoption: draft-yorgos-dnsop-dry-run-dnssec-04 (Ends
> 2025-12-11)
>
> This message starts a 2-week Call for Adoption for this document.
>
> Abstract:
> This document describes a method called "dry-run DNSSEC" that allows
> for testing DNSSEC deployments without affecting the DNS service in
> case of DNSSEC errors. It accomplishes that by introducing new DS
> Type Digest Algorithms that when used in every record of a DS RRset,
> referred to as dry-run DS, signal to validating resolvers that dry-
> run DNSSEC is used for the zone. DNSSEC errors are then reported
> with DNS Error Reporting, but any bogus responses to clients are
> withheld. Instead, validating resolvers fallback from dry-run DNSSEC
> and provide the response that would have been answered without the
> presence of the dry-run DS. A further EDNS option is presented for
> clients to opt-in for dry-run DNSSEC errors and allow for end-to-end
> DNSSEC testing.

I support adoption of this draft.

Johan
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
