dry-run DNSSEC
draft-yorgos-dnsop-dry-run-dnssec-02
Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
---|---|---|---|
Authors | Yorgos Thessalonikefs , Willem Toorop , Roy Arends | ||
Last updated | 2025-01-09 (Latest revision 2024-07-08) | ||
RFC stream | (None) | ||
Intended RFC status | (None) | ||
Formats | |||
Additional resources |
GitHub Repository
|
||
Stream | Stream state | (No stream defined) | |
Consensus boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | Expired | |
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
This document describes a method called "dry-run DNSSEC" that allows for testing DNSSEC deployments without affecting the DNS service in case of DNSSEC errors. It accomplishes that by introducing new DS Type Digest Algorithms that when used in a DS record, referred to as dry-run DS, signal to validating resolvers that dry-run DNSSEC is used for the zone. DNSSEC errors are then reported with DNS Error Reporting, but any bogus responses to clients are withheld. Instead, validating resolvers fallback from dry-run DNSSEC and provide the response that would have been answered without the presence of a dry- run DS. A further EDNS option is presented for clients to opt-in for dry-run DNSSEC errors and allow for end-to-end DNSSEC testing.
Authors
Yorgos Thessalonikefs
Willem Toorop
Roy Arends
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)