Internet-Draft draft-ietf-dnsop-dry-run-dnssec-00.txt is now available. It is
a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: dry-run DNSSEC
Authors: Yorgos Thessalonikefs
         Willem Toorop
         Roy Arends
Name: draft-ietf-dnsop-dry-run-dnssec-00.txt
Pages: 14
Dates: 2025-12-19
Abstract:
This document describes a method called "dry-run DNSSEC" that allows
for testing DNSSEC deployments without affecting the DNS service in
case of DNSSEC errors. It accomplishes that by introducing new DS
Type Digest Algorithms that, when used in every record of a DS RRset,
referred to as dry-run DS, signal to validating resolvers that
dry-run DNSSEC is used for the zone. DNSSEC errors are then reported
with DNS Error Reporting, but any bogus responses to clients are
withheld. Instead, validating resolvers fall back from dry-run DNSSEC
and provide the response that would have been answered without the
presence of the dry-run DS. A further EDNS option is presented for
clients to opt in for dry-run DNSSEC errors and allow for end-to-end
DNSSEC testing.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dry-run-dnssec/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dry-run-dnssec-00.html
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts