RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 1 record.

Status: Rejected (1)

RFC 7958, "DNSSEC Trust Anchor Publication for the Root Zone", August 2016

Source of RFC: INDEPENDENT

Errata ID: 5910
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: John Dickinson
Date Reported: 2019-11-15
Rejected by: Adrian Farrel
Date Rejected: 2019-11-22

Section 2.1.2 says:

The validFrom and validUntil attributes in the KeyDigest element
   specify the range of times that the KeyDigest element can be used as
   a trust anchor.  Note that the KeyDigest element is optional; if it
   is not given, the trust anchor can be used until a KeyDigest element
   covering the same DNSKEY record, but having a validUntil attribute,
   is trusted by the relying party.  Relying parties SHOULD NOT use a
   KeyDigest outside of the time range given in the validFrom and
   validUntil attributes.

It should say:

The validFrom and validUntil attributes in the KeyDigest element
   specify the range of times that the KeyDigest element can be used as
   a trust anchor.  Note that the validUntil element is optional; if it
   is not given, the trust anchor can be used until a KeyDigest element
   covering the same DNSKEY record, but having a validUntil attribute,
   is trusted by the relying party.  Relying parties SHOULD NOT use a
   KeyDigest outside of the time range given in the validFrom and
   validUntil attributes.

Notes:

The text after the ';' is difficult to read. I am not sure what is should say.
--VERIFIER NOTES--
The text does take a little effort to parse, but is correct as written.
It says validUntil is optional:
IF validUntil not given
DO FOREVER
use trust anchor
IF ( (NewKeyDigest covers same DNSKEY record) &&
(NewKeyDigest has a validUntil) &&
(NewKeyDigest is trusted by relying party) )
exit
ENDIF
ENDDO

Report New Errata