RFC Errata
RFC 6840, "Clarifications and Implementation Notes for DNS Security (DNSSEC)", February 2013
Note: This RFC has been updated by RFC 8749
Source of RFC: dnsext (int)
Errata ID: 4191
Status: Rejected
Type: Editorial
Publication Format(s): TEXT
Reported By: Edward Lewis
Date Reported: 2014-12-02
Rejected by: Brian Haberman
Date Rejected: 2015-01-12
Section 5.11 says:
... A signed zone MUST include a DNSKEY for each algorithm present in the zone's DS RRset and expected trust anchors for the zone. The zone MUST also be signed with each algorithm (though not each key) present in the DNSKEY RRset.
It should say:
A signed zone MUST include a DNSKEY for each algorithm present in the zone's DS RRset and expected trust anchors for the zone. Each authoritative RRset in the zone MUST be signed with each algorithm (though not each key) present in the DNSKEY RRset.
Notes:
Zones aren't signed (per se), the data sets within them are. But not cut point (NS) and glue.
--VERIFIER NOTES--
This erratum is being rejected as the nomenclature being updated is understood within the community and is used in other DNSSEC specifications.
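The Section 5.11 requirement quoted above, read per RRset as the report proposes, can be checked mechanically. The following is an added example, not part of the RFC or the erratum; the data model (sets of algorithm numbers per RRset), the function names and the sample zone are constructed assumptions.

```python
# Added example: checks the Section 5.11 algorithm rule over a zone summary.
# The data model and all names below are assumptions made for illustration.

def is_authoritative(owner, rrtype, cuts):
    """False for NS at a zone cut and for anything below a cut (glue)."""
    for cut in cuts:
        if owner == cut:
            # DS and NSEC at the cut belong to the parent zone and are signed.
            return rrtype in ("DS", "NSEC")
        if owner.endswith("." + cut):
            return False
    return True

def check_zone(required_algs, dnskey_algs, rrsets, cuts):
    """required_algs: algorithms in the DS RRset and expected trust anchors.
    dnskey_algs: algorithms present in the zone's DNSKEY RRset.
    rrsets: {(owner, rrtype): set of algorithms with an RRSIG over it}."""
    problems = []
    # Rule 1: a DNSKEY must exist for every algorithm in DS / trust anchors.
    for alg in sorted(required_algs - dnskey_algs):
        problems.append(("DNSKEY RRset", alg, "no DNSKEY for this algorithm"))
    # Rule 2: every authoritative RRset needs an RRSIG per DNSKEY algorithm.
    for (owner, rrtype), sig_algs in sorted(rrsets.items()):
        if not is_authoritative(owner, rrtype, cuts):
            continue  # delegation NS and glue are not signed
        for alg in sorted(dnskey_algs - sig_algs):
            problems.append((f"{owner} {rrtype}", alg,
                             "no RRSIG for this algorithm"))
    return problems

# Constructed sample: example.com. publishes DNSKEYs for algorithms 8 and 13.
CUTS = {"sub.example.com."}
RRSETS = {
    ("example.com.", "SOA"): {8, 13},
    ("example.com.", "DNSKEY"): {8, 13},
    ("www.example.com.", "A"): {8},          # algorithm 13 signature missing
    ("sub.example.com.", "NS"): set(),       # cut point, unsigned by design
    ("sub.example.com.", "DS"): {8, 13},
    ("ns1.sub.example.com.", "A"): set(),    # glue, unsigned by design
}

if __name__ == "__main__":
    for problem in check_zone({8, 13}, {8, 13}, RRSETS, CUTS):
        print(problem)
```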