RFC Errata
RFC 7958, "DNSSEC Trust Anchor Publication for the Root Zone", August 2016
Source of RFC: INDEPENDENT
See Also: RFC 7958 w/ inline errata
Errata ID: 5932
Status: Verified
Type: Technical
Publication Format(s): TEXT
Reported By: Paul Hoffman
Date Reported: 2019-12-11
Verifier Name: Adrian Farrel
Date Verified: 2020-01-26
Section 2.1.2 says:
Note that the KeyDigest element is optional; if it is not given, the trust anchor can be used until a KeyDigest element covering the same DNSKEY record, but having a validUntil attribute, is trusted by the relying party.
It should say:
Note that the validUntil attribute of the KeyDigest element is optional. If the relying party is using a trust anchor that has a KeyDigest element that does not have a validUntil attribute, it can change to a trust anchor with a KeyDigest element that does have a validUntil attribute, as long as that trust anchor's validUntil attribute is in the future and the DNSKEY elements of the KeyDigest are the same as the previous trust anchor.
Notes:
It is the validUntil attribute that is optional, not the KeyDigest element. Also, it was noted that the sentence did not clearly explain the logic.
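An added example, not part of the erratum or of RFC 7958: the corrected rule written as a relying-party check. It assumes that "the DNSKEY elements of the KeyDigest are the same" means the KeyTag, Algorithm, DigestType and Digest child elements match; the function names and the sample KeyDigest values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Child elements compared as "the DNSKEY elements" (assumption of this example).
FIELDS = ("KeyTag", "Algorithm", "DigestType", "Digest")

def sample_key_digest(valid_until=None, digest="AA11"):
    """Build a constructed KeyDigest element; all values are placeholders."""
    until = f' validUntil="{valid_until}"' if valid_until else ""
    return (f'<KeyDigest id="K1" validFrom="2017-02-02T00:00:00+00:00"{until}>'
            f"<KeyTag>11111</KeyTag><Algorithm>8</Algorithm>"
            f"<DigestType>2</DigestType><Digest>{digest}</Digest></KeyDigest>")

def parse_key_digest(xml_text):
    """Return (compared fields, validUntil as an aware datetime or None).

    The input is assumed to come from an already authenticated file.
    """
    el = ET.fromstring(xml_text)
    if el.tag != "KeyDigest":
        raise ValueError("not a KeyDigest element")
    fields = tuple((el.findtext(f) or "").strip().upper() for f in FIELDS)
    if not all(fields):
        raise ValueError("KeyDigest is missing a compared child element")
    raw = el.get("validUntil")
    if raw is None:
        return fields, None
    until = datetime.fromisoformat(raw)
    if until.tzinfo is None:  # assumption: treat a zone-less value as UTC
        until = until.replace(tzinfo=timezone.utc)
    return fields, until

def rule_allows_switch(current_xml, candidate_xml, now):
    """True if the corrected Section 2.1.2 sentence permits the change."""
    cur_fields, cur_until = parse_key_digest(current_xml)
    cand_fields, cand_until = parse_key_digest(candidate_xml)
    if cur_until is not None:
        return False  # the sentence only covers a current anchor without validUntil
    if cand_until is None:
        return False  # the replacement must carry a validUntil attribute
    # validUntil must be in the future and the key material must be unchanged.
    return cand_until > now and cand_fields == cur_fields
```
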