The following errata report has been held for document update 
for RFC6781, "DNSSEC Operational Practices, Version 2". 

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5276

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Matthijs Mekking <matth...@pletterpet.nl>
Date Reported: 2018-03-06
Held by: Warren Kumari (Ops AD) (IESG)

Section: 4.1.4

Original Text
-------------
   ----------------------------------------------------------------
    new DS               DNSKEY removal       RRSIGs removal
   ----------------------------------------------------------------
   Parent:
    SOA_1 ------------------------------------------------------->
    RRSIG_par(SOA) ---------------------------------------------->
    DS_K_2 ------------------------------------------------------>
    RRSIG_par(DS_K_2) ------------------------------------------->

   Child:
    -------------------> SOA_3                SOA_4
    -------------------> RRSIG_Z_10(SOA)
    -------------------> RRSIG_Z_11(SOA)      RRSIG_Z_11(SOA)

    ------------------->
    -------------------> DNSKEY_K_2           DNSKEY_K_2
    ------------------->
    -------------------> DNSKEY_Z_11          DNSKEY_Z_11
    ------------------->
    -------------------> RRSIG_K_2(DNSKEY)    RRSIG_K_2(DNSKEY)
   ----------------------------------------------------------------

        Figure 8: Stages of Deployment during an Algorithm Rollover

Corrected Text
--------------
   ----------------------------------------------------------------
    new DS               DNSKEY removal       RRSIGs removal
   ----------------------------------------------------------------
   Parent:
    SOA_1 ------------------------------------------------------->
    RRSIG_par(SOA) ---------------------------------------------->
    DS_K_2 ------------------------------------------------------>
    RRSIG_par(DS_K_2) ------------------------------------------->

   Child:
    -------------------> SOA_3                SOA_4
    -------------------> RRSIG_Z_10(SOA)
    -------------------> RRSIG_Z_11(SOA)      RRSIG_Z_11(SOA)

    ------------------->
    -------------------> DNSKEY_K_2           DNSKEY_K_2
    ------------------->
    -------------------> DNSKEY_Z_11          DNSKEY_Z_11
    -------------------> RRSIG_K_1(DNSKEY)
    -------------------> RRSIG_K_2(DNSKEY)    RRSIG_K_2(DNSKEY)
   ----------------------------------------------------------------

        Figure 8: Stages of Deployment during an Algorithm Rollover

Notes
-----
This is about Figure 8 on page 30.

The figure should have the signature of the old KSK, called RRSIG_K_1(DNSKEY),
in the "DNSKEY removal" step, because a conservative validator may have the
DNSKEY RRset cached that includes DNSKEY_K_1, DNSKEY_K_2, DNSKEY_Z_1, and
DNSKEY_Z_2.

--------------------------------------
RFC6781 (draft-ietf-dnsop-rfc4641bis-13)
--------------------------------------
Title               : DNSSEC Operational Practices, Version 2
Publication Date    : December 2012
Author(s)           : O. Kolkman, W. Mekking, R. Gieben
Category            : INFORMATIONAL
Source              : Domain Name System Operations
Area                : Operations and Management
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
