
dry-run DNSSEC

Document type: Expired Internet-Draft (individual), expired and archived
Authors: Yorgos Thessalonikefs, Willem Toorop, Roy Arends
Last updated: 2023-01-12 (latest revision 2022-07-11)
RFC stream: (None)
Intended RFC status: (None)
Additional resources: GitHub Repository
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


This document describes a method called "dry-run DNSSEC" that allows DNSSEC deployments to be tested without affecting the DNS service when DNSSEC errors occur. It accomplishes this by introducing a new DS Type Digest Algorithm that signals to validating resolvers that dry-run DNSSEC is in use for the zone. DNSSEC errors are then reported with DNS Error Reporting, but bogus responses are withheld from clients. Instead, validating resolvers fall back from dry-run DNSSEC and provide the response that would have been answered without the presence of the dry-run DS. A further option is presented for clients to opt in to receiving dry-run DNSSEC errors, allowing end-to-end DNSSEC testing.
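The abstract describes a resolver-side decision: validate as usual, but when the only chain of trust is anchored by a dry-run DS, turn a bogus result into an error report plus the answer the resolver would have given without that DS, unless the client has opted in to seeing the failure. The following toy model is an added illustration of that decision, not code from the draft or from any resolver implementation. The digest type value `DRY_RUN_DIGEST_TYPE`, the simplified key-tag matching used in `validate`, and the report strings are all assumptions made for the example; the actual codepoint and wire details are defined by the draft, not here.

```python
"""Toy model of dry-run DNSSEC resolver behaviour (added example, not from the draft)."""
from dataclasses import dataclass, field
from enum import Enum

# Hypothetical codepoint standing in for the draft's dry-run DS Digest Algorithm.
DRY_RUN_DIGEST_TYPE = 200


class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"


@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # constructed placeholder; not checked in this model


@dataclass
class Response:
    rcode: str
    records: list
    status: Status
    reports: list = field(default_factory=list)  # what DNS Error Reporting would carry


def is_dry_run(ds_set):
    """A zone is in dry-run mode when any DS at the parent uses the dry-run digest type."""
    return any(ds.digest_type == DRY_RUN_DIGEST_TYPE for ds in ds_set)


def validate(ds_set, dnskey_tags, sig_valid):
    """Simplified chain-of-trust check.

    No DS at all means an unsigned (insecure) delegation. Otherwise the zone is
    secure only if some DS points at a published DNSKEY and the signatures verify.
    Real validators hash the DNSKEY and compare digests; key-tag matching is a
    stand-in for that here.
    """
    if not ds_set:
        return Status.INSECURE
    if sig_valid and any(ds.key_tag in dnskey_tags for ds in ds_set):
        return Status.SECURE
    return Status.BOGUS


def resolve(zone, ds_set, dnskey_tags, sig_valid, records, client_opts_in=False):
    """Decide what a validating resolver returns for `zone`.

    - Normal validation result first (dry-run DS are used like any other DS).
    - On BOGUS, emit an error report. If the zone is dry-run and the client has
      not opted in, re-validate without the dry-run DS and return that answer
      instead of SERVFAIL; that is the "fall back" the abstract describes.
    """
    reports = []
    result = validate(ds_set, dnskey_tags, sig_valid)
    if result is not Status.BOGUS:
        return Response("NOERROR", records, result, reports)

    reports.append(f"DNSSEC validation failure for {zone}")
    if is_dry_run(ds_set) and not client_opts_in:
        without_dry_run = [ds for ds in ds_set if ds.digest_type != DRY_RUN_DIGEST_TYPE]
        fallback = validate(without_dry_run, dnskey_tags, sig_valid)
        if fallback is not Status.BOGUS:
            return Response("NOERROR", records, fallback, reports)
    return Response("SERVFAIL", [], Status.BOGUS, reports)


# Constructed sample data: a zone publishing key tag 12345, with a mis-published DS.
RECORDS = [("www.example.test.", "A", "192.0.2.10")]
WRONG_DRY_RUN_DS = [DS(key_tag=99999, algorithm=13, digest_type=DRY_RUN_DIGEST_TYPE, digest="ab")]
WRONG_REAL_DS = [DS(key_tag=99999, algorithm=13, digest_type=2, digest="ab")]
GOOD_DRY_RUN_DS = [DS(key_tag=12345, algorithm=13, digest_type=DRY_RUN_DIGEST_TYPE, digest="cd")]


def demo():
    """Return the four cases a practitioner would compare when trialling dry-run DNSSEC."""
    return {
        "dry_run_broken": resolve("example.test.", WRONG_DRY_RUN_DS, {12345}, True, RECORDS),
        "dry_run_broken_opted_in": resolve("example.test.", WRONG_DRY_RUN_DS, {12345}, True, RECORDS, client_opts_in=True),
        "dry_run_ok": resolve("example.test.", GOOD_DRY_RUN_DS, {12345}, True, RECORDS),
        "real_ds_broken": resolve("example.test.", WRONG_REAL_DS, {12345}, True, RECORDS),
    }


if __name__ == "__main__":
    for name, resp in demo().items():
        print(f"{name}: {resp.rcode} status={resp.status.value} reports={resp.reports}")
```

The point of the model is the contrast between `dry_run_broken` and `real_ds_broken`: the same misconfiguration is visible to the operator through the report in both cases, but only the real DS turns it into a SERVFAIL for every client. The `client_opts_in` flag models the abstract's last sentence, where a client asks to see the dry-run failure so that the full path can be tested end to end.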


Yorgos Thessalonikefs
Willem Toorop
Roy Arends

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)