I believe this errata is correct.
On 22-09-2021 16:18, RFC Errata System wrote:
The following errata report has been submitted for RFC6781,
"DNSSEC Operational Practices, Version 2".
--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6692
--------------------------------------
Type: Technical
Reported by: Jarle Fredrik Greipsland <jarle.greipsl...@norid.no>
Section: Appendix D
Original Text
-------------
------------------------------------------------------------
new DS             | pre-publish                            |
------------------------------------------------------------
Parent:
NS_A                 NS_A
DS_A DS_B            DS_A DS_B
------------------------------------------------------------
Child at A:          Child at A:          Child at B:
SOA_A0               SOA_A1               SOA_B0
RRSIG_Z_A(SOA)       RRSIG_Z_A(SOA)       RRSIG_Z_B(SOA)
NS_A                 NS_A                 NS_B
RRSIG_Z_A(NS)        NS_B                 RRSIG_Z_B(NS)
                     RRSIG_Z_A(NS)
DNSKEY_Z_A           DNSKEY_Z_A           DNSKEY_Z_A
                     DNSKEY_Z_B           DNSKEY_Z_B
DNSKEY_K_A           DNSKEY_K_A           DNSKEY_K_B
RRSIG_K_A(DNSKEY)    RRSIG_K_A(DNSKEY)    RRSIG_K_A(DNSKEY)
                     RRSIG_K_B(DNSKEY)    RRSIG_K_B(DNSKEY)
------------------------------------------------------------
Corrected Text
--------------
------------------------------------------------------------
new DS             | pre-publish                            |
------------------------------------------------------------
Parent:
NS_A                 NS_A
DS_A DS_B            DS_A DS_B
------------------------------------------------------------
Child at A:          Child at A:          Child at B:
SOA_A0               SOA_A1               SOA_B0
RRSIG_Z_A(SOA)       RRSIG_Z_A(SOA)       RRSIG_Z_B(SOA)
NS_A                 NS_A                 NS_B
RRSIG_Z_A(NS)        NS_B                 RRSIG_Z_B(NS)
                     RRSIG_Z_A(NS)
DNSKEY_Z_A           DNSKEY_Z_A           DNSKEY_Z_A
                     DNSKEY_Z_B           DNSKEY_Z_B
DNSKEY_K_A           DNSKEY_K_A           DNSKEY_K_B
RRSIG_K_A(DNSKEY)    RRSIG_K_A(DNSKEY)    RRSIG_K_B(DNSKEY)
------------------------------------------------------------
Notes
-----
Figure 15 in Appendix D depicts the phases of a double-DS KSK rollover
operator change. One rationale for applying this approach is to avoid the
exchange of signatures (RRSIGs) between operators, and to limit exchanges to the
public parts of the ZSKs in use. In the pre-publish phase in the figure, it is
shown that Child A publishes a signature over the DNSKEY RRset generated by
Child B's KSK, and that Child B publishes a signature over the DNSKEY RRset
generated by Child A's KSK. This is contrary to the rationale given for this
method, and also not required, since the pre-published double DS RRs at the
parent zone should enable a validator to validate the signature generated by
either of the two KSKs in use; thus one RRSIG RR for the DNSKEY RRset is
sufficient at each child. Therefore, the RRSIG_K_B(DNSKEY) RR should be
removed from Child A, and the RRSIG_K_A(DNSKEY) should be removed from Child B.
Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.
--------------------------------------
RFC6781 (draft-ietf-dnsop-rfc4641bis-13)
--------------------------------------
Title : DNSSEC Operational Practices, Version 2
Publication Date : December 2012
Author(s) : O. Kolkman, W. Mekking, R. Gieben
Category : INFORMATIONAL
Source : Domain Name System Operations
Area : Operations and Management
Stream : IETF
Verifying Party : IESG
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
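The validator-side reasoning in the erratum's notes (both DS records at the parent, so one RRSIG over the DNSKEY RRset per child is enough) can be checked with a small model. The following is an added example, not part of the thread, of RFC 6781 or of the reporter's text. It uses the Go standard library's Ed25519 (DNSSEC algorithm 15), simplifies DNSKEY, DS and RRSIG to a label plus raw key or signature bytes, and the type names, labels and the helper functions (canonical, dsOf, sign, validateDNSKEY, RunPrePublish) are my own choices.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Key is a simplified DNSKEY: a Figure 15 label ("K_A", "Z_B") plus an Ed25519
// public key (DNSSEC algorithm 15). Flags and TTL are omitted in this model.
type Key struct {
	Name string
	Pub  ed25519.PublicKey
}
// RRSIG is a simplified signature over a DNSKEY RRset.
type RRSIG struct {
	Signer string // label of the KSK that produced Sig
	Sig    []byte
}
// DS is the parent-side digest of a child KSK (simplified to sha256 over label
// and public key; a real DS digests the owner name plus the DNSKEY RDATA).
type DS [32]byte

// canonical is the byte string that gets signed: keys in a fixed order,
// standing in for RFC 4034 canonical RRset form.
func canonical(keys []Key) []byte {
	sorted := append([]Key(nil), keys...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var buf bytes.Buffer
	for _, k := range sorted {
		buf.WriteString(k.Name + "\x00")
		buf.Write(k.Pub)
	}
	return buf.Bytes()
}
func dsOf(k Key) DS { return sha256.Sum256(append([]byte(k.Name+"\x00"), k.Pub...)) }
func sign(priv ed25519.PrivateKey, signer string, keys []Key) RRSIG {
	return RRSIG{Signer: signer, Sig: ed25519.Sign(priv, canonical(keys))}
}
func newKey(name string) (Key, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a crypto/rand failure is not recoverable here
	}
	return Key{Name: name, Pub: pub}, priv
}

// validateDNSKEY applies the RFC 4035 section 5.2 rule: the DNSKEY RRset is
// secure if some DNSKEY in it matches a DS at the parent and an RRSIG made with
// that same key verifies over the RRset. One such chain is enough.
func validateDNSKEY(parentDS map[DS]bool, keys []Key, sigs []RRSIG) bool {
	msg := canonical(keys)
	for _, k := range keys {
		if !parentDS[dsOf(k)] {
			continue // no DS for this key: not a secure entry point
		}
		for _, s := range sigs {
			if s.Signer == k.Name && ed25519.Verify(k.Pub, msg, s.Sig) {
				return true
			}
		}
	}
	return false
}

// Outcome holds validation results for the pre-publish column of Figure 15.
type Outcome struct {
	ChildABothDS   bool // A signs with K_A only; parent has DS_A and DS_B
	ChildBBothDS   bool // B signs with K_B only; parent has DS_A and DS_B
	ChildBOnlyDSA  bool // same B, but DS_B not yet pre-published at the parent
	ChildAExtraSig bool // A also carrying the original figure's RRSIG_K_B(DNSKEY)
}

func RunPrePublish() Outcome {
	kA, kAPriv := newKey("K_A")
	kB, kBPriv := newKey("K_B")
	zA, _ := newKey("Z_A")
	zB, _ := newKey("Z_B")
	bothDS := map[DS]bool{dsOf(kA): true, dsOf(kB): true}
	onlyDSA := map[DS]bool{dsOf(kA): true}
	// Corrected figure: each operator serves both ZSKs plus its own KSK and
	// signs the DNSKEY RRset with its own KSK only; no RRSIG crosses operators.
	aKeys, bKeys := []Key{zA, zB, kA}, []Key{zA, zB, kB}
	aSigs := []RRSIG{sign(kAPriv, "K_A", aKeys)}
	bSigs := []RRSIG{sign(kBPriv, "K_B", bKeys)}
	// Original figure: A also carries a signature made with B's KSK, which A
	// could only obtain from B. K_B is not in A's RRset, so it is never usable.
	extraSigs := []RRSIG{aSigs[0], sign(kBPriv, "K_B", aKeys)}
	return Outcome{
		ChildABothDS:   validateDNSKEY(bothDS, aKeys, aSigs),
		ChildBBothDS:   validateDNSKEY(bothDS, bKeys, bSigs),
		ChildBOnlyDSA:  validateDNSKEY(onlyDSA, bKeys, bSigs),
		ChildAExtraSig: validateDNSKEY(bothDS, aKeys, extraSigs),
	}
}
func main() { fmt.Printf("%+v\n", RunPrePublish()) }
```

With both DS records at the parent, Child A validates through DS_A/K_A and Child B through DS_B/K_B, each with a single RRSIG; the same Child B fails if DS_B has not yet been pre-published, which is why the DS is published before the operator's name servers take over. The extra RRSIG_K_B(DNSKEY) at Child A from the original figure changes nothing, since K_B is not in Child A's DNSKEY RRset and the K_A chain already succeeds.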