RFC Errata
RFC 6781, "DNSSEC Operational Practices, Version 2", December 2012
Source of RFC: dnsop (ops)
Errata ID: 5276
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT
Reported By: Matthijs Mekking
Date Reported: 2018-03-06
Held for Document Update by: Warren Kumari (Ops AD)
Date Held: 2018-10-02
Section 4.1.4 says:
   ----------------------------------------------------------------
                    new DS          DNSKEY removal     RRSIGs removal
   ----------------------------------------------------------------
   Parent:
     SOA_1 ------------------------------------------------------->
     RRSIG_par(SOA) ---------------------------------------------->
     DS_K_2 ------------------------------------------------------>
     RRSIG_par(DS_K_2) ------------------------------------------->

   Child:
     ------------------->  SOA_3               SOA_4
     ------------------->  RRSIG_Z_10(SOA)
     ------------------->  RRSIG_Z_11(SOA)     RRSIG_Z_11(SOA)
     ------------------->
     ------------------->  DNSKEY_K_2          DNSKEY_K_2
     ------------------->
     ------------------->  DNSKEY_Z_11         DNSKEY_Z_11
     ------------------->
     ------------------->  RRSIG_K_2(DNSKEY)   RRSIG_K_2(DNSKEY)
   ----------------------------------------------------------------
        Figure 8: Stages of Deployment during an Algorithm Rollover
It should say:
   ----------------------------------------------------------------
                    new DS          DNSKEY removal     RRSIGs removal
   ----------------------------------------------------------------
   Parent:
     SOA_1 ------------------------------------------------------->
     RRSIG_par(SOA) ---------------------------------------------->
     DS_K_2 ------------------------------------------------------>
     RRSIG_par(DS_K_2) ------------------------------------------->

   Child:
     ------------------->  SOA_3               SOA_4
     ------------------->  RRSIG_Z_10(SOA)
     ------------------->  RRSIG_Z_11(SOA)     RRSIG_Z_11(SOA)
     ------------------->
     ------------------->  DNSKEY_K_2          DNSKEY_K_2
     ------------------->
     ------------------->  DNSKEY_Z_11         DNSKEY_Z_11
     ------------------->  RRSIG_K_1(DNSKEY)
     ------------------->  RRSIG_K_2(DNSKEY)   RRSIG_K_2(DNSKEY)
   ----------------------------------------------------------------
        Figure 8: Stages of Deployment during an Algorithm Rollover
Notes:
This is about Figure 8 on page 30.
The figure should have the signature of the old KSK, called RRSIG_K_1(DNSKEY), in the "DNSKEY removal" step, because a conservative validator may still have a cached DNSKEY RRset that includes DNSKEY_K_1, DNSKEY_K_2, DNSKEY_Z_1, and DNSKEY_Z_2.
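To make the reporter's reasoning concrete, the following script is an added example for this errata page; it is not code from the RFC, from the reporter, or from any validator implementation. It models the three stages of Figure 8 and applies the RFC 4035 Section 2.2 signing rule the way a conservative validator might: every RRset must carry an RRSIG for each algorithm in the DNSKEY RRset the validator trusts, and the apex DNSKEY RRset must also be signed by each algorithm in the parent's DS RRset. Each stage is checked twice, once against the freshly published DNSKEY RRset and once against the previous stage's RRset, which the validator may still hold in cache. The algorithm numbers 5 (old: K_1, Z_10) and 13 (new: K_2, Z_11) are assumed for illustration only; the figure names no algorithms. The record sets in the "new DS" column are taken to be the full RRsets carried over from Figure 7, as the arrows in the figure indicate.

```python
"""Model the three stages of RFC 6781 Figure 8 and check each against the
RFC 4035 section 2.2 signing rule as a conservative validator might apply it.

Added example for this erratum; not code from the RFC or any validator.
"""

from dataclasses import dataclass

# Assumed algorithm numbers for the "old" (K_1, Z_10) and "new" (K_2, Z_11)
# algorithm. Figure 8 does not name the algorithms; only the key split is
# taken from the figure.
OLD_ALG = 5    # e.g. RSASHA1
NEW_ALG = 13   # e.g. ECDSAP256SHA256

KEYS = {"K_1": OLD_ALG, "Z_10": OLD_ALG, "K_2": NEW_ALG, "Z_11": NEW_ALG}


@dataclass
class Stage:
    name: str
    ds_keys: frozenset   # keys the parent's DS RRset points at
    dnskeys: frozenset   # keys in the published DNSKEY RRset
    rrsigs: dict         # rrset name -> frozenset of keys that signed it


def algorithms(keys):
    """Set of algorithm numbers used by a set of key names."""
    return {KEYS[k] for k in keys}


def missing_rrsig_algorithms(stage, trusted_dnskeys):
    """RFC 4035 section 2.2: every RRset needs an RRSIG for each algorithm in
    the DNSKEY RRset the validator trusts, and the apex DNSKEY RRset also needs
    an RRSIG for each algorithm in the parent's DS RRset.

    trusted_dnskeys is either the freshly published DNSKEY RRset or a copy
    the validator cached during an earlier stage. Returns {rrset: {algs}}."""
    needed = algorithms(trusted_dnskeys)
    problems = {}
    for rrset, signers in stage.rrsigs.items():
        missing = needed - algorithms(signers)
        if missing:
            problems[rrset] = missing
    ds_missing = algorithms(stage.ds_keys) - algorithms(stage.rrsigs["DNSKEY"])
    if ds_missing:
        problems["DNSKEY"] = problems.get("DNSKEY", set()) | ds_missing
    return problems


def check_rollover(stages):
    """Walk the stages in order, checking each against the published DNSKEY
    RRset and against the previous stage's RRset, which a validator may still
    hold in cache. Returns a list of (stage name, view, problems)."""
    findings = []
    prev = None
    for stage in stages:
        views = {"published": stage.dnskeys}
        if prev is not None:
            views["cached from " + prev.name] = prev.dnskeys
        for view, keys in views.items():
            problems = missing_rrsig_algorithms(stage, keys)
            if problems:
                findings.append((stage.name, view, problems))
        prev = stage
    return findings


def figure8(with_erratum):
    """Figure 8 as printed (with_erratum=False) or as the erratum corrects it.
    The 'new DS' column carries over the full RRsets from Figure 7."""
    fs = frozenset
    dnskey_sigs_at_removal = fs({"K_1", "K_2"}) if with_erratum else fs({"K_2"})
    return [
        Stage("new DS", fs({"K_2"}), fs({"K_1", "K_2", "Z_10", "Z_11"}),
              {"SOA": fs({"Z_10", "Z_11"}), "DNSKEY": fs({"K_1", "K_2"})}),
        Stage("DNSKEY removal", fs({"K_2"}), fs({"K_2", "Z_11"}),
              {"SOA": fs({"Z_10", "Z_11"}), "DNSKEY": dnskey_sigs_at_removal}),
        Stage("RRSIGs removal", fs({"K_2"}), fs({"K_2", "Z_11"}),
              {"SOA": fs({"Z_11"}), "DNSKEY": fs({"K_2"})}),
    ]


if __name__ == "__main__":
    for label, corrected in (("as printed", False), ("with erratum", True)):
        findings = check_rollover(figure8(corrected))
        print(f"Figure 8 {label}: {findings or 'no problems'}")
```

With the figure as printed, the only finding is the "DNSKEY removal" stage seen through the DNSKEY RRset cached from the "new DS" stage: that cached RRset still contains the old algorithm, but the new DNSKEY RRset carries no RRSIG made with it. With RRSIG_K_1(DNSKEY) retained as the erratum proposes, the check passes at every stage. Note that RFC 6840 Section 5.11 tells validators to accept any single valid path and not to insist that every algorithm in the DNSKEY RRset works, which is why the RFC calls a validator that enforces this rule "conservative"; the operational practice of keeping the old-algorithm signatures until caches have expired exists precisely so that such validators do not return bogus results.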