RFC Errata
RFC 4956, "DNS Security (DNSSEC) Opt-In", July 2007
Source of RFC: dnsext (int)
See Also: RFC 4956 w/ inline errata
Errata ID: 1018
Status: Verified
Type: Technical
Publication Format(s): TEXT
Reported By: Alfred Hoenes
Date Reported: 2007-08-16
Verifier Name: Brian Haberman
Date Verified: 2012-05-01
(1) typo (technical error)

Within Section 4.2.2.2 of RFC 4956, the last sentence of the paragraph on top of page 8 contains a wrong RCODE value.

The RFC says:

      [...].  In particular, a NOERROR/NODATA
|     (i.e., RCODE=3, but the answer section is empty) response to a DS
      query may be proven by an Opt-In flagged covering NSEC record,
      rather than an NSEC record matching the query name.

It should say:

      [...].  In particular, a NOERROR/NODATA
|     (i.e., RCODE=0, but the answer section is empty) response to a DS
      query may be proven by an Opt-In flagged covering NSEC record,
      rather than an NSEC record matching the query name.

Rationale: See RCODE list in RFC 1035 [1], page 27, and RFC 2181 [8].

(2) missing article

Still on page 8, an article is missing in the third bullet in Section 4.2.4.

The RFC says:

   o  sending a NOERROR/NODATA response when query type is DS and the
|     covering NSEC is tagged as Opt-In, unless NSEC record's owner name
      matches the query name.

It should say:

   o  sending a NOERROR/NODATA response when query type is DS and the
|     covering NSEC is tagged as Opt-In, unless the NSEC record's owner
      name matches the query name.

(3) inconsistency

There's a small inconsistency in the presentation of DNS queries (and responses) in Section 6. In almost all instances, in that context the text gives domain names with the DNS 'root label', the trailing dot. Yet, in the second line of the first paragraph on page 10, this dot is missing twice.

The RFC says:

      In this example, a query for a signed RRset (e.g., "FIRST-
|     SECURE.EXAMPLE A") or a secure delegation ("WWW.SECOND-SECURE.EXAMPLE A")
      will result in a standard DNSSEC response.

It should say:

      In this example, a query for a signed RRset (e.g., "FIRST-
|     SECURE.EXAMPLE. A") or a secure delegation ("WWW.SECOND-
|     SECURE.EXAMPLE. A") will result in a standard DNSSEC response.

(4) text truncation

In Section 9, on top of page 13, the list of acknowledged people apparently has been truncated.
The RFC says:

|     Mats Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill Manning,
      Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter, Brian
      Wellington.

The -09 draft had the following list:

|     Mats Dufberg, Miek Gieben, Olafur Gudmudsson, Bob Halley, Olaf
      Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill Manning,
      Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter, Brian
      Wellington.

AFAICS, most probably the draft was o.k. and the bulk of the first line of that list has been lost in the publication process.

(5) references

RFC 3655 [3] and RFC 3090 [10] have been incorporated into, and formally been obsoleted by RFC 4033..35 [4][5][6]. IMHO, it is therefore inappropriate to list [3] as a Normative Reference in Section 10.1, and it is of questionable benefit to list both [3] and [10] at all in Section 10.

I apologize for not having caught and reported items (1)..(3) and (5) when I once studied the -09 draft version of the document; item (4) is new. I strongly recommend posting an RFC Errata Note covering at least items (1) and (4).