> On Sep 27, 2019, at 7:32 PM, [email protected] wrote:
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-extended-error-10
Perhaps at my instigation the descriptions for:
3.8. Extended DNS Error Code 7 - Signature Expired
and 3.9. Extended DNS Error Code 8 - Signature Not Yet Valid
were changed in version 10 to read, respectively:
... but all the signatures in an RRset in the validation chain were
expired.
... but all the signatures received were not yet valid.
But I guess it is also possible in pathological cases, that both
might apply. Specifically, when none of the RRSIGs are extant, with
at least one expired, and the rest (at least one) not yet valid.
FWIW, the language could be amended to accommodate this possibility:
... but no signatures are presently valid and some (often all) are
expired.
... but no signatures are presently valid and some are not yet valid.
Which raises another question: Can an OPT RR legitimately carry more than one
EDE option, and thereby communicate multiple errors? Such as perhaps the above
hypothetical with some RRSIGs expired, and some not yet valid.
--
Viktor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
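An added illustration of the point raised above, not code from the message or from the draft: a small Python model that classifies an RRset's RRSIGs at a given time under the -10 wording ("all expired" / "all not yet valid") and under the amended wording proposed here, showing that the mixed case yields no code under -10 and both codes under the amendment. It also serializes one EDE option per code in OPT RDATA wire format; the option code 15 and the 2-octet INFO-CODE layout are assumed from the published RFC 8914, not from this message, and the timestamps are constructed sample values.

```python
import struct
from dataclasses import dataclass

EDE_SIGNATURE_EXPIRED = 7        # draft section 3.8
EDE_SIGNATURE_NOT_YET_VALID = 8  # draft section 3.9
EDE_OPTION_CODE = 15             # assumed: EDNS option code for EDE per RFC 8914


@dataclass(frozen=True)
class RRSIG:
    """Only the validity window of an RRSIG matters here (plain integers;
    a real validator compares these with 32-bit serial arithmetic, RFC 4034)."""
    inception: int
    expiration: int


def ede_codes(sigs, now, amended=False):
    """Return the set of EDE info-codes that apply to the RRset's signatures.

    amended=False follows the -10 text: 7 only if every signature is expired,
    8 only if every signature is not yet valid. amended=True follows the
    wording proposed in the message: no signature presently valid, and some
    expired (7) and/or some not yet valid (8)."""
    expired = [s for s in sigs if now > s.expiration]
    not_yet = [s for s in sigs if now < s.inception]
    valid = [s for s in sigs if s.inception <= now <= s.expiration]
    codes = set()
    if amended:
        if not valid and expired:
            codes.add(EDE_SIGNATURE_EXPIRED)
        if not valid and not_yet:
            codes.add(EDE_SIGNATURE_NOT_YET_VALID)
    else:
        if sigs and len(expired) == len(sigs):
            codes.add(EDE_SIGNATURE_EXPIRED)
        if sigs and len(not_yet) == len(sigs):
            codes.add(EDE_SIGNATURE_NOT_YET_VALID)
    return codes


def ede_options(codes, extra_text=""):
    """Serialize one EDE EDNS option per info-code (OPTION-CODE, OPTION-LENGTH,
    INFO-CODE, EXTRA-TEXT), i.e. what an OPT RR carrying several EDEs would hold."""
    out = b""
    for code in sorted(codes):
        body = struct.pack("!H", code) + extra_text.encode("utf-8")
        out += struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body
    return out


# Constructed sample: one RRSIG already expired, one not yet in force.
NOW = 1569600000
DAY = 86400
MIXED = [RRSIG(NOW - 30 * DAY, NOW - DAY), RRSIG(NOW + DAY, NOW + 30 * DAY)]
```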