RFC Errata
RFC 4641, "DNSSEC Operational Practices", September 2006
Note: This RFC has been obsoleted by RFC 6781
Source of RFC: dnsop (ops)
See Also: RFC 4641 w/ inline errata
Errata ID: 790
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Alfred Hoenes
Date Reported: 2006-10-13
Verifier Name: Olaf Kolkman
Date Verified: 2006-12-01
Section 4.2.1.2 says:
Double signature ZSK rollover involves three stages as follows: ---------------------------------------------------------------- initial new DNSKEY DNSKEY removal ---------------------------------------------------------------- SOA0 SOA1 SOA2 RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA1) DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY10 DNSKEY10 DNSKEY11 DNSKEY11 RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) ---------------------------------------------------------------- Double Signature Zone Signing Key Rollover
It should say:
Double signature ZSK rollover involves three stages as follows:

   ----------------------------------------------------------------
   initial           new DNSKEY         DNSKEY removal
   ----------------------------------------------------------------
   SOA0              SOA1               SOA2
   RRSIG10(SOA0)     RRSIG10(SOA1)      RRSIG11(SOA2)
|                    RRSIG11(SOA1)
   DNSKEY1           DNSKEY1            DNSKEY1
   DNSKEY10          DNSKEY10           DNSKEY11
|                    DNSKEY11
   RRSIG1(DNSKEY)    RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
   RRSIG10(DNSKEY)   RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
|                    RRSIG11(DNSKEY)
   ----------------------------------------------------------------

   Double Signature Zone Signing Key Rollover
Notes:
The mis-alignment of the indicated 3 lines breaks the
intended presentation of the procedure; cf. subsequent RFC text.
The initial report was corrected by Yue Luo 2007-11-16 so that "RRSIG11" in the last row is in "New DNSKEY" stage instead of "initial" stage.