RFC Errata
RFC 7958, "DNSSEC Trust Anchor Publication for the Root Zone", August 2016
Source of RFC: INDEPENDENT
Errata ID: 5910
Status: Rejected
Type: Technical
Publication Format(s): TEXT
Reported By: John Dickinson
Date Reported: 2019-11-15
Rejected by: Adrian Farrel
Date Rejected: 2019-11-22
Section 2.1.2 says:
The validFrom and validUntil attributes in the KeyDigest element specify the range of times that the KeyDigest element can be used as a trust anchor. Note that the KeyDigest element is optional; if it is not given, the trust anchor can be used until a KeyDigest element covering the same DNSKEY record, but having a validUntil attribute, is trusted by the relying party. Relying parties SHOULD NOT use a KeyDigest outside of the time range given in the validFrom and validUntil attributes.
It should say:
The validFrom and validUntil attributes in the KeyDigest element specify the range of times that the KeyDigest element can be used as a trust anchor. Note that the validUntil element is optional; if it is not given, the trust anchor can be used until a KeyDigest element covering the same DNSKEY record, but having a validUntil attribute, is trusted by the relying party. Relying parties SHOULD NOT use a KeyDigest outside of the time range given in the validFrom and validUntil attributes.
Notes:
The text after the ';' is difficult to read. I am not sure what it should say.
--VERIFIER NOTES--
The text does take a little effort to parse, but is correct as written.
It says validUntil is optional:

    IF validUntil not given
        DO FOREVER
            use trust anchor
            IF ( (NewKeyDigest covers same DNSKEY record) &&
                 (NewKeyDigest has a validUntil) &&
                 (NewKeyDigest is trusted by relying party) )
                exit
            ENDIF
        ENDDO
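The rule the verifier's note spells out, carried through in working code as an added illustration (this is example code, not text from RFC 7958 or the errata record). The XML layout follows the TrustAnchor/KeyDigest structure RFC 7958 describes, but the sample file, its id values and its digests are constructed placeholders, not the real root-zone KSK digests; "trusted by the relying party" is modelled here as "present in the same, already validated, trust anchor file", which is an assumption of this example rather than anything the RFC states.

```python
"""Select usable DNSSEC trust anchors from an RFC 7958-style XML file.

Added example, not from RFC 7958 or the errata.  The key point demonstrated:
a KeyDigest without validUntil is open-ended until another trusted KeyDigest
covering the same DNSKEY record, but carrying a validUntil, is seen.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample file.  "NewKeyOpen" and "NewKeyBounded" cover the same
# DNSKEY (same KeyTag, Algorithm, DigestType and Digest); only the second has a
# validUntil, so per Section 2.1.2 it bounds the first.  Digests are placeholders.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="EXAMPLE-ID" source="https://example.invalid/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="OldKey" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>0000000000000000000000000000000000000000000000000000000000000001</Digest>
</KeyDigest>
<KeyDigest id="NewKeyOpen" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>22222</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>0000000000000000000000000000000000000000000000000000000000000002</Digest>
</KeyDigest>
<KeyDigest id="NewKeyBounded" validFrom="2017-02-02T00:00:00+00:00" validUntil="2030-01-01T00:00:00+00:00">
<KeyTag>22222</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>0000000000000000000000000000000000000000000000000000000000000002</Digest>
</KeyDigest>
</TrustAnchor>
"""


def _ts(value):
    """Parse a validFrom/validUntil attribute; None when the attribute is absent."""
    return None if value is None else datetime.fromisoformat(value)


def parse_key_digests(xml_text):
    """Return one dict per KeyDigest element; 'key' identifies the DNSKEY it covers."""
    root = ET.fromstring(xml_text)
    digests = []
    for kd in root.findall("KeyDigest"):
        digests.append({
            "id": kd.get("id"),
            "valid_from": _ts(kd.get("validFrom")),
            "valid_until": _ts(kd.get("validUntil")),  # None = open-ended
            "key": (
                int(kd.findtext("KeyTag")),
                int(kd.findtext("Algorithm")),
                int(kd.findtext("DigestType")),
                kd.findtext("Digest").strip().upper(),
            ),
        })
    return digests


def effective_window(kd, trusted):
    """Time window that actually applies to kd.

    If kd has no validUntil, the verifier's rule applies: it stays usable until
    a trusted KeyDigest covering the same DNSKEY record *with* a validUntil is
    seen.  The earliest such validUntil then bounds kd.
    """
    until = kd["valid_until"]
    if until is None:
        bounds = [o["valid_until"] for o in trusted
                  if o["key"] == kd["key"] and o["valid_until"] is not None]
        if bounds:
            until = min(bounds)
    return kd["valid_from"], until


def usable_anchors(xml_text, at_iso):
    """IDs of KeyDigest elements a relying party may use at the given instant.

    Assumption of this example: the range is treated as half-open,
    validFrom <= at < validUntil; the RFC text only says 'outside of the
    time range', so an implementation must pick a convention.
    """
    at = datetime.fromisoformat(at_iso)
    digests = parse_key_digests(xml_text)
    usable = []
    for kd in digests:
        start, until = effective_window(kd, digests)
        if at < start:
            continue
        if until is not None and at >= until:
            continue
        usable.append(kd["id"])
    return usable


if __name__ == "__main__":
    for when in ("2015-01-01T00:00:00+00:00",
                 "2020-06-01T00:00:00+00:00",
                 "2031-01-01T00:00:00+00:00"):
        print(when, usable_anchors(SAMPLE_XML, when))
```

Run against the constructed file, the open-ended "NewKeyOpen" entry is usable in 2020 but not in 2031, even though it carries no validUntil of its own: the bounded entry for the same DNSKEY supplies the end of its window, which is exactly the behaviour the verifier's pseudocode describes. Anchors sharing one DNSKEY also resolve to the same `key` tuple, so a resolver can deduplicate on it before installing the DS-style digest.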