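@comment{
  Internet-Draft citation, pinned to revision -01 by both the number and url fields.
  Internet-Drafts are working documents that may be updated, replaced or obsoleted,
  so the dry-run DS signalling described in the abstract is a proposal, not a
  published standard. Check the datatracker page for the current revision and
  status before relying on the described resolver behaviour.

  Changes from the exported entry:
  - one field per line, with a consistent field order;
  - authors in the unambiguous "Last, First" form (parsed the same as before);
  - only the acronym in the title is brace-protected, instead of double-bracing
    the whole title, so a style can still apply its own casing;
  - the abstract is kept verbatim.
}
@techreport{yorgos-dnsop-dry-run-dnssec-01,
  author      = {Thessalonikefs, Yorgos and Toorop, Willem and Arends, Roy},
  title       = {dry-run {DNSSEC}},
  type        = {Internet-Draft},
  number      = {draft-yorgos-dnsop-dry-run-dnssec-01},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2022,
  month       = jul,
  day         = 11,
  pagetotal   = 12,
  url         = {https://datatracker.ietf.org/doc/draft-yorgos-dnsop-dry-run-dnssec/01/},
  note        = {Work in Progress},
  abstract    = {This document describes a method called "dry-run DNSSEC" that allows for testing DNSSEC deployments without affecting the DNS service in case of DNSSEC errors. It accomplishes that by introducing a new DS Type Digest Algorithm that signals validating resolvers that dry-run DNSSEC is used for the zone. DNSSEC errors are then reported with DNS Error Reporting, but any bogus responses to clients are withheld. Instead, validating resolvers fallback from dry-run DNSSEC and provide the response that would have been answered without the presence of a dry-run DS. A further option is presented for clients to opt-in for dry-run DNSSEC errors and allow for end-to-end DNSSEC testing.},
}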