Hi,
On 27/11/2025 13:19, Peter Thomassen via Datatracker wrote:
Subject: Call for adoption: draft-yorgos-dnsop-dry-run-dnssec-04 (Ends 2025-12-11)
This message starts a 2-week Call for Adoption for this document.
Abstract:
This document describes a method called "dry-run DNSSEC" that allows
for testing DNSSEC deployments without affecting the DNS service in
case of DNSSEC errors. It accomplishes that by introducing new DS
Type Digest Algorithms that when used in every record of a DS RRset,
referred to as dry-run DS, signal to validating resolvers that dry-run
DNSSEC is used for the zone. DNSSEC errors are then reported
with DNS Error Reporting, but any bogus responses to clients are
withheld. Instead, validating resolvers fall back from dry-run DNSSEC
and provide the response that would have been answered without the
presence of the dry-run DS. A further EDNS option is presented for
clients to opt-in for dry-run DNSSEC errors and allow for end-to-end
DNSSEC testing.
Thanks Philip, Tim and Johan for your time and support for the document.
As one of the authors, there is no reason for me to state my obvious
support. However, I would like to share my thoughts on why I believe
this is useful for adoption.
It can give operators confidence when initially signing their zone.
By leveraging the power of RFC 9567 (DNS Error Reporting), dry-run
DNSSEC can help them discover, pinpoint and solve real-world operational
issues before fully committing to a DNSSEC signed zone.
As you may remember from the IETF 124 session, I have already started
working on an implementation for Unbound during the hackathon and it
looks quite promising.
I hope the working group will support adoption and help offer dry-run
DNSSEC to operators.
Best regards,
-- Yorgos
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
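As an added illustration of the decision the abstract describes (this is not code from the draft, nor from Yorgos's Unbound work): a small Python model of how a validating resolver treats a zone's DS RRset, reports a failure, and chooses between the fallback answer and SERVFAIL. The dry-run digest-type numbers and the DS records are placeholders, since the draft's assignments are not quoted in the message; the report query name follows the RFC 9567 layout.

```python
from dataclasses import dataclass

# PLACEHOLDER digest-type numbers: the draft registers new DS digest algorithms
# for dry-run, but their values are not quoted in the message, so these are made up.
DRY_RUN_DIGEST_TYPES = {250, 251}
SHA256 = 2  # existing DS digest type, used here for a "production" DS record

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex; constructed sample values below, not real digests

def is_dry_run(ds_rrset):
    """Dry-run applies only when EVERY DS in the RRset uses a dry-run digest type."""
    return bool(ds_rrset) and all(ds.digest_type in DRY_RUN_DIGEST_TYPES
                                  for ds in ds_rrset)

def report_qname(qname, qtype, ede_code, agent_domain):
    """Error-report query per RFC 9567: _er.<qtype>.<qname>.<EDE>._er.<agent-domain>."""
    return f"_er.{qtype}.{qname.rstrip('.')}.{ede_code}._er.{agent_domain}"

def resolve(ds_rrset, validation_ede, fallback_answer, client_opt_in=False,
            qname="example.test.", qtype=1, agent_domain=None):
    """Decide what the validating resolver hands back to the client.

    validation_ede: None when DNSSEC validation passed, otherwise the Extended
    DNS Error code of the failure. fallback_answer is the response that would
    have been given if the dry-run DS did not exist (zone treated as insecure).
    Returns (rcode, answer, report_query_name_or_None).
    """
    if validation_ede is None:
        return ("NOERROR", fallback_answer, None)
    report = (report_qname(qname, qtype, validation_ede, agent_domain)
              if agent_domain else None)
    if is_dry_run(ds_rrset) and not client_opt_in:
        # Dry-run: report the failure, withhold the bogus result, and answer
        # as if the dry-run DS were absent.
        return ("NOERROR", fallback_answer, report)
    # Production DNSSEC, a mixed DS RRset, or a client that opted in via the
    # EDNS option: the bogus answer is withheld and the client sees SERVFAIL.
    return ("SERVFAIL", None, report)

# Constructed sample DS RRsets (key tags and digests are made up).
DRY_RUN_DS = [DS(12345, 13, 250, "ab" * 32), DS(54321, 13, 251, "cd" * 32)]
MIXED_DS = [DS(12345, 13, 250, "ab" * 32), DS(54321, 13, SHA256, "cd" * 32)]
```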