RFC Errata

Errata Search

Source of RFC  
Summary Table Full Records

RFC 7958, "DNSSEC Trust Anchor Publication for the Root Zone", August 2016

See Also: RFC 7958 w/ inline errata

Errata ID: 5932
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Paul Hoffman
Date Reported: 2019-12-11
Verifier Name: Adrian Farrel
Date Verified: 2020-01-26

Section 2.1.2 says:

  Note that the KeyDigest element is optional; if it
  is not given, the trust anchor can be used until a KeyDigest element
  covering the same DNSKEY record, but having a validUntil attribute,
  is trusted by the relying party.

It should say:

  Note that the validUntil attribute of the KeyDigest element is
  optional. If the relying party is using a trust anchor that has a
  KeyDigest element that does not have a validUntil attribute, it can
  change to a trust anchor with a KeyDigest element that does have a
  validUntil attribute, as long as that trust anchor's validUntil
  attribute is in the future and the DNSKEY elements of the KeyDigest
  are the same as the previous trust anchor.


It is the validUntil attribute that is optional, not the KeyDigest element. Also, it was noted that the sentence did not clearly explain the logic.

Report New Errata

Advanced Search