RFC Errata
Found 2 records.
Status: Verified (1)
RFC 7958, "DNSSEC Trust Anchor Publication for the Root Zone", August 2016
Source of RFC: INDEPENDENT
Errata ID: 5932
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Paul Hoffman
Date Reported: 2019-12-11
Verifier Name: Adrian Farrel
Date Verified: 2020-01-26
Section 2.1.2 says:
Note that the KeyDigest element is optional; if it is not given, the trust anchor can be used until a KeyDigest element covering the same DNSKEY record, but having a validUntil attribute, is trusted by the relying party.
It should say:
Note that the validUntil attribute of the KeyDigest element is optional. If the relying party is using a trust anchor that has a KeyDigest element that does not have a validUntil attribute, it can change to a trust anchor with a KeyDigest element that does have a validUntil attribute, as long as that trust anchor's validUntil attribute is in the future and the DNSKEY elements of the KeyDigest are the same as the previous trust anchor.
Notes:
It is the validUntil attribute that is optional, not the KeyDigest element. Also, it was noted that the sentence did not clearly explain the logic.
Status: Rejected (1)
RFC 7958, "DNSSEC Trust Anchor Publication for the Root Zone", August 2016
Source of RFC: INDEPENDENT
Errata ID: 5910
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: John Dickinson
Date Reported: 2019-11-15
Rejected by: Adrian Farrel
Date Rejected: 2019-11-22
Section 2.1.2 says:
The validFrom and validUntil attributes in the KeyDigest element specify the range of times that the KeyDigest element can be used as a trust anchor. Note that the KeyDigest element is optional; if it is not given, the trust anchor can be used until a KeyDigest element covering the same DNSKEY record, but having a validUntil attribute, is trusted by the relying party. Relying parties SHOULD NOT use a KeyDigest outside of the time range given in the validFrom and validUntil attributes.
It should say:
The validFrom and validUntil attributes in the KeyDigest element specify the range of times that the KeyDigest element can be used as a trust anchor. Note that the validUntil element is optional; if it is not given, the trust anchor can be used until a KeyDigest element covering the same DNSKEY record, but having a validUntil attribute, is trusted by the relying party. Relying parties SHOULD NOT use a KeyDigest outside of the time range given in the validFrom and validUntil attributes.
Notes:
The text after the ';' is difficult to read. I am not sure what is should say.
--VERIFIER NOTES--
The text does take a little effort to parse, but is correct as written.
It says validUntil is optional:
IF validUntil not given
DO FOREVER
use trust anchor
IF ( (NewKeyDigest covers same DNSKEY record) &&
(NewKeyDigest has a validUntil) &&
(NewKeyDigest is trusted by relying party) )
exit
ENDIF
ENDDO