Dear dnsop,
We submitted a new version of the "dry-run DNSSEC" draft.
This update addresses the following:
- Explicit section for fallback behavior (when dry-run DNSSEC fails)
- Detailed section for NOERROR reports
- Added more security considerations about error reporting itself and
resolver/validator workload increase requirements.
We asked for a presentation slot in Bangkok for this latest version and
a call for adoption.
We are looking forward for any feedback either here on the mailing list
or in person in Bangkok.
Best regards,
-- Yorgos
-------- Forwarded Message --------
Subject: New Version Notification for
draft-yorgos-dnsop-dry-run-dnssec-03.txt
Date: Mon, 03 Mar 2025 13:02:14 -0800
From: internet-dra...@ietf.org
To: Roy Arends <roy.are...@icann.org>, Willem Toorop
<wil...@nlnetlabs.nl>, Yorgos Thessalonikefs <yor...@nlnetlabs.nl>
A new version of Internet-Draft draft-yorgos-dnsop-dry-run-dnssec-03.txt has
been successfully submitted by Yorgos Thessalonikefs and posted to the
IETF repository.
Name: draft-yorgos-dnsop-dry-run-dnssec
Revision: 03
Title: dry-run DNSSEC
Date: 2025-03-03
Group: Individual Submission
Pages: 14
URL:
https://www.ietf.org/archive/id/draft-yorgos-dnsop-dry-run-dnssec-03.txt
Status: https://datatracker.ietf.org/doc/draft-yorgos-dnsop-dry-run-dnssec/
HTML:
https://www.ietf.org/archive/id/draft-yorgos-dnsop-dry-run-dnssec-03.html
HTMLized:
https://datatracker.ietf.org/doc/html/draft-yorgos-dnsop-dry-run-dnssec
Diff:
https://author-tools.ietf.org/iddiff?url2=draft-yorgos-dnsop-dry-run-dnssec-03
Abstract:
This document describes a method called "dry-run DNSSEC" that allows
for testing DNSSEC deployments without affecting the DNS service in
case of DNSSEC errors. It accomplishes that by introducing new DS
Type Digest Algorithms that when used in a DS record, referred to as
dry-run DS, signal to validating resolvers that dry-run DNSSEC is
used for the zone. DNSSEC errors are then reported with DNS Error
Reporting, but any bogus responses to clients are withheld. Instead,
validating resolvers fallback from dry-run DNSSEC and provide the
response that would have been answered without the presence of a dry-
run DS. A further EDNS option is presented for clients to opt-in for
dry-run DNSSEC errors and allow for end-to-end DNSSEC testing.
The IETF Secretariat
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org