Hi Peter and Matthijs,

We have deleted this report as requested by Peter. If any further errata apply to Figure 8, please submit another errata report.

Thank you.

RFC Editor/mf

On Mar 5, 2018, at 11:08 AM, Peter J. Philipp <rfcedi...@centroid.eu> wrote:

> Hi,
>
> I sent rfc-editor something on Saturday that I wanted to retract this
> errata. I guess it didn't make it through. So I want to apologize to
> all for wasting their time. In discussion on #dns at freenode yesterday
> with a guy named "hawk" it became apparent to me that I was in error.
>
> Sorry,
>
> -peter
>
>
> On 03/05/18 09:39, Matthijs Mekking wrote:
>> All,
>>
>> I think this errata is incorrect: For an algorithm rollover it is
>> intended that at the "DNSKEY removal" step, the DNSKEYs are removed
>> from the zone, but the signatures stay. This is to play nicely with
>> conservative validators:
>>
>> The conservative approach interprets this section very strictly,
>> meaning that it expects that every RRset has a valid signature for
>> every algorithm signaled by the zone apex DNSKEY RRset, including
>> RRsets in caches.
>>
>> However, looking into this errata I do think there is an error in
>> Figure 8 in section 4.1.4:
>>
>> The figure should have the signature of the old KSK, called
>> RRSIG_K_1(DNSKEY) in the "DNSKEY removal" step.
>>
>> Because a conservative validator may have the DNSKEY RRset cached that
>> includes DNSKEY_K_1, DNSKEY_K_2, DNSKEY_Z_1, and DNSKEY_Z_2.
>>
>>
>> Regarding the notes on this errata:
>>
>>> because: I just don't think you can sign a zone without the
>>> corresponding ZSK's.
>>
>> It is certainly possible to sign zones and not publish the
>> corresponding DNSKEY.
>>
>> Best regards,
>> Matthijs
>>
>>
>> On 03-03-18 15:03, RFC Errata System wrote:
>>> The following errata report has been submitted for RFC6781,
>>> "DNSSEC Operational Practices, Version 2".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> http://www.rfc-editor.org/errata/eid5273
>>>
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Peter J. Philipp <rfcedi...@centroid.eu>
>>>
>>> Section: 4.1.4
>>>
>>> Original Text
>>> -------------
>>> Figure 8 on page 30.
>>>
>>> Corrected Text
>>> --------------
>>> The figure should have the second ZSK DNSKEY, called DNSKEY_Z_10 under
>>> DNSKEY removal because SOA_3 is doubly signed.
>>>
>>> or
>>>
>>> The figure should not have the second RRSIG for SOA_3 that is derived
>>> from DNSKEY_Z_10.
>>>
>>> because: I just don't think you can sign a zone without the
>>> corresponding ZSK's.
>>>
>>> Notes
>>> -----
>>> It looks wrong to me. A small technicality. I'll let the authors
>>> decide if it's really wrong.
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> can log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC6781 (draft-ietf-dnsop-rfc4641bis-13)
>>> --------------------------------------
>>> Title : DNSSEC Operational Practices, Version 2
>>> Publication Date : December 2012
>>> Author(s) : O. Kolkman, W. Mekking, R. Gieben
>>> Category : INFORMATIONAL
>>> Source : Domain Name System Operations
>>> Area : Operations and Management
>>> Stream : IETF
>>> Verifying Party : IESG
>>>
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
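The conservative-validator rule Matthijs quotes in the thread, as an added model that is not part of the thread or of RFC 6781: a validator's cached apex DNSKEY RRset fixes the set of algorithms every RRset must carry a verifiable RRSIG for, so at the "DNSKEY removal" step the old-algorithm signatures have to stay even though the old DNSKEYs are gone, while signatures made by an unpublished key are simply ignored. Key names follow the thread; the algorithm numbers and key tags are constructed.

```python
from collections import namedtuple

# Constructed model of the objects discussed in the thread; algorithm numbers
# and key tags are made up for illustration and are not taken from RFC 6781.
DNSKEY = namedtuple("DNSKEY", "name algorithm key_tag")
RRSIG = namedtuple("RRSIG", "covers algorithm key_tag")

DNSKEY_K_1 = DNSKEY("DNSKEY_K_1", 5, 1001)   # old KSK, old algorithm
DNSKEY_Z_1 = DNSKEY("DNSKEY_Z_1", 5, 1010)   # old ZSK, old algorithm
DNSKEY_K_2 = DNSKEY("DNSKEY_K_2", 8, 2001)   # new KSK, new algorithm
DNSKEY_Z_2 = DNSKEY("DNSKEY_Z_2", 8, 2010)   # new ZSK, new algorithm


def sig(key, covers):
    """An RRSIG over `covers` made with `key` (only tag and algorithm are modelled)."""
    return RRSIG(covers, key.algorithm, key.key_tag)


def conservative_check(cached_dnskeys, rrsigs):
    """Model of the strict rule quoted in the thread: every algorithm signaled
    by the validator's (possibly cached) apex DNSKEY RRset needs an RRSIG that
    one of those keys can verify.  Returns the set of algorithms left
    uncovered; an empty set means the RRset validates."""
    trusted = {(k.algorithm, k.key_tag) for k in cached_dnskeys}
    covered = {s.algorithm for s in rrsigs if (s.algorithm, s.key_tag) in trusted}
    return {k.algorithm for k in cached_dnskeys} - covered


# A validator that cached the apex DNSKEY RRset while both algorithms were
# published still holds all four keys at the "DNSKEY removal" step.
CACHED_DNSKEYS = [DNSKEY_K_1, DNSKEY_K_2, DNSKEY_Z_1, DNSKEY_Z_2]
# The zone itself now publishes only the new-algorithm keys.
ZONE_DNSKEYS = [DNSKEY_K_2, DNSKEY_Z_2]

# DNSKEY RRset signatures as Matthijs says the figure should show them.
DNSKEY_SIGS_KEPT = [sig(DNSKEY_K_1, "DNSKEY"), sig(DNSKEY_K_2, "DNSKEY")]
# The same step with RRSIG_K_1(DNSKEY) dropped.
DNSKEY_SIGS_DROPPED = [sig(DNSKEY_K_2, "DNSKEY")]
# SOA signed by both ZSKs although DNSKEY_Z_1 is no longer published.
SOA_SIGS = [sig(DNSKEY_Z_1, "SOA"), sig(DNSKEY_Z_2, "SOA")]

if __name__ == "__main__":
    print(conservative_check(CACHED_DNSKEYS, DNSKEY_SIGS_KEPT))     # set()
    print(conservative_check(CACHED_DNSKEYS, DNSKEY_SIGS_DROPPED))  # {5}
    print(conservative_check(ZONE_DNSKEYS, SOA_SIGS))               # set()
```

The second call is the failure Matthijs points at: with RRSIG_K_1(DNSKEY) gone, a validator still holding DNSKEY_K_1 in cache finds algorithm 5 unsigned. The third call shows that a surplus RRSIG from an unpublished key costs nothing.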