RFC Errata



Found 2 records.

Status: Verified (1)

RFC 7958, "DNSSEC Trust Anchor Publication for the Root Zone", August 2016

Source of RFC: INDEPENDENT

Errata ID: 5932
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Paul Hoffman
Date Reported: 2019-12-11
Verifier Name: Adrian Farrel
Date Verified: 2020-01-26

Section 2.1.2 says:

  Note that the KeyDigest element is optional; if it
  is not given, the trust anchor can be used until a KeyDigest element
  covering the same DNSKEY record, but having a validUntil attribute,
  is trusted by the relying party.

It should say:

  Note that the validUntil attribute of the KeyDigest element is
  optional. If the relying party is using a trust anchor that has a
  KeyDigest element that does not have a validUntil attribute, it can
  change to a trust anchor with a KeyDigest element that does have a
  validUntil attribute, as long as that trust anchor's validUntil
  attribute is in the future and the DNSKEY elements of the KeyDigest
  are the same as the previous trust anchor.

Notes:

It is the validUntil attribute that is optional, not the KeyDigest element. Also, it was noted that the sentence did not clearly explain the logic.

Status: Rejected (1)

RFC 7958, "DNSSEC Trust Anchor Publication for the Root Zone", August 2016

Source of RFC: INDEPENDENT

Errata ID: 5910
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: John Dickinson
Date Reported: 2019-11-15
Rejected by: Adrian Farrel
Date Rejected: 2019-11-22

Section 2.1.2 says:

   The validFrom and validUntil attributes in the KeyDigest element
   specify the range of times that the KeyDigest element can be used as
   a trust anchor.  Note that the KeyDigest element is optional; if it
   is not given, the trust anchor can be used until a KeyDigest element
   covering the same DNSKEY record, but having a validUntil attribute,
   is trusted by the relying party.  Relying parties SHOULD NOT use a
   KeyDigest outside of the time range given in the validFrom and
   validUntil attributes.

It should say:

   The validFrom and validUntil attributes in the KeyDigest element
   specify the range of times that the KeyDigest element can be used as
   a trust anchor.  Note that the validUntil element is optional; if it
   is not given, the trust anchor can be used until a KeyDigest element
   covering the same DNSKEY record, but having a validUntil attribute,
   is trusted by the relying party.  Relying parties SHOULD NOT use a
   KeyDigest outside of the time range given in the validFrom and
   validUntil attributes.

Notes:

The text after the ';' is difficult to read. I am not sure what it should say.
--VERIFIER NOTES--
The text does take a little effort to parse, but is correct as written.
It says validUntil is optional:
IF validUntil not given
   DO FOREVER
      use trust anchor
      IF ( (NewKeyDigest covers same DNSKEY record) &&
           (NewKeyDigest has a validUntil) &&
           (NewKeyDigest is trusted by relying party) )
         exit
      ENDIF
   ENDDO
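
The validUntil logic from the corrected text of erratum 5932 and from the verifier's pseudocode above, as an added Python example that is not part of the errata records or of RFC 7958. The XML is constructed (made-up id, key tag, digest and dates); treating "the same DNSKEY" as equal KeyTag, Algorithm, DigestType and Digest values, and the strict comparison at the validUntil boundary, are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DIGEST = "AB" * 32  # constructed placeholder, not a real root key digest

def anchor_xml(valid_until=None, digest=DIGEST):
    """Constructed TrustAnchor document holding one KeyDigest."""
    until = f' validUntil="{valid_until}"' if valid_until else ""
    return ('<TrustAnchor id="EXAMPLE" source="http://example.invalid/a.xml">'
            '<Zone>.</Zone>'
            f'<KeyDigest id="Kexample" validFrom="2017-02-02T00:00:00+00:00"{until}>'
            '<KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>'
            f'<Digest>{digest}</Digest></KeyDigest></TrustAnchor>')

def parse_key_digests(xml_text):
    """Parse KeyDigest elements; valid_until is None when the attribute is absent."""
    digests = []
    for kd in ET.fromstring(xml_text).findall("KeyDigest"):
        until = kd.get("validUntil")
        digests.append({
            "id": kd.get("id"),
            "valid_from": datetime.fromisoformat(kd.get("validFrom")),
            "valid_until": datetime.fromisoformat(until) if until else None,
            # Assumption: these four fields identify "the same DNSKEY".
            "key": tuple(kd.findtext(t).strip() for t in
                         ("KeyTag", "Algorithm", "DigestType", "Digest")),
        })
    return digests

def usable(kd, now):
    """True inside [validFrom, validUntil); a missing validUntil means no end date."""
    if now < kd["valid_from"]:
        return False
    return kd["valid_until"] is None or now < kd["valid_until"]

def may_switch(current, candidate, now):
    """Corrected-text condition for moving to a KeyDigest that has validUntil."""
    return (current["valid_until"] is None
            and candidate["valid_until"] is not None
            and candidate["valid_until"] > now
            and candidate["key"] == current["key"])

if __name__ == "__main__":
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    current = parse_key_digests(anchor_xml())[0]
    candidate = parse_key_digests(anchor_xml("2019-01-11T00:00:00+00:00"))[0]
    print("current usable:", usable(current, now))
    print("may switch:", may_switch(current, candidate, now))
```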
