RFC 7958, "DNSSEC Trust Anchor Publication for the Root Zone", August 2016Source of RFC: INDEPENDENT
See Also: RFC 7958w/ inline errata
Errata ID: 5932
Publication Format(s) : TEXT
Reported By: Paul Hoffman
Date Reported: 2019-12-11
Verifier Name: Adrian Farrel
Date Verified: 2020-01-26
Section 2.1.2 says:
Note that the KeyDigest element is optional; if it is not given, the trust anchor can be used until a KeyDigest element covering the same DNSKEY record, but having a validUntil attribute, is trusted by the relying party.
It should say:
Note that the validUntil attribute of the KeyDigest element is optional. If the relying party is using a trust anchor that has a KeyDigest element that does not have a validUntil attribute, it can change to a trust anchor with a KeyDigest element that does have a validUntil attribute, as long as that trust anchor's validUntil attribute is in the future and the DNSKEY elements of the KeyDigest are the same as the previous trust anchor.
It is the validUntil attribute that is optional, not the KeyDigest element. Also, it was noted that the sentence did not clearly explain the logic.