Dear dnsop,

We submitted a new version of the "dry-run DNSSEC" draft.
This update addresses the following:
- Explicit section for fallback behavior (when dry-run DNSSEC fails)
- Detailed section for NOERROR reports
- Added more security considerations about error reporting itself and
  resolver/validator workload increase requirements.

We asked for a presentation slot in Bangkok for this latest version and a call for adoption.

We are looking forward to any feedback, either here on the mailing list or in person in Bangkok.

Best regards,
-- Yorgos


-------- Forwarded Message --------
Subject: New Version Notification for draft-yorgos-dnsop-dry-run-dnssec-03.txt
Date: Mon, 03 Mar 2025 13:02:14 -0800
From: internet-dra...@ietf.org
To: Roy Arends <roy.are...@icann.org>, Willem Toorop <wil...@nlnetlabs.nl>, Yorgos Thessalonikefs <yor...@nlnetlabs.nl>

A new version of Internet-Draft draft-yorgos-dnsop-dry-run-dnssec-03.txt has
been successfully submitted by Yorgos Thessalonikefs and posted to the
IETF repository.

Name:     draft-yorgos-dnsop-dry-run-dnssec
Revision: 03
Title:    dry-run DNSSEC
Date:     2025-03-03
Group:    Individual Submission
Pages:    14
URL: https://www.ietf.org/archive/id/draft-yorgos-dnsop-dry-run-dnssec-03.txt
Status: https://datatracker.ietf.org/doc/draft-yorgos-dnsop-dry-run-dnssec/
HTML: https://www.ietf.org/archive/id/draft-yorgos-dnsop-dry-run-dnssec-03.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-yorgos-dnsop-dry-run-dnssec
Diff: https://author-tools.ietf.org/iddiff?url2=draft-yorgos-dnsop-dry-run-dnssec-03

Abstract:

    This document describes a method called "dry-run DNSSEC" that allows
    for testing DNSSEC deployments without affecting the DNS service in
    case of DNSSEC errors.  It accomplishes that by introducing new DS
    Type Digest Algorithms that when used in a DS record, referred to as
    dry-run DS, signal to validating resolvers that dry-run DNSSEC is
    used for the zone.  DNSSEC errors are then reported with DNS Error
    Reporting, but any bogus responses to clients are withheld.  Instead,
    validating resolvers fallback from dry-run DNSSEC and provide the
    response that would have been answered without the presence of a dry-
    run DS.  A further EDNS option is presented for clients to opt-in for
    dry-run DNSSEC errors and allow for end-to-end DNSSEC testing.



The IETF Secretariat



_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
