Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag
draft-ietf-dnsext-keyrr-key-signing-flag-12

[Ballot comment]
In section 2, the document says:  "The SEP bit (TBD) ..."  The bit position of the SEP flag bit has been set, so I do not understand the "TBD."

[Ballot discuss]
The document fails to distinguish public keys and private keys.  This is prevalent throughout the document.  For example:
 
    One key is used to sign just the zone's KEY
    resource record (RR) set and is the key
    referenced by a DS RR at the parent or
    configured statically in a resolver.

The first half of the sentence is referring to the private key that is used to sign the RR set, and the second have of the sentence is referring to the public key that is used to validate the signature on the RR set.  People who are very familiar with public key cryptography may not get confused, but I believe that many implementors will be mislead.

It is interesting to note that the 'KSK' and 'ZSK' labels are being applied to the public keys, which are used for signature validation, not the private keys, which are used for signing.

[Ballot discuss]
Minor, but important.  The draft says:

IANA Considerations:  "IANA considerations:  The flag bits  in the KEY RR are assigned by
  IETF consensus. There is no action on IANA."

IANA does maintain a registry, at: http://www.iana.org/assignments/dns-key-rr, so there
should be an IANA action of recording this value at the registry

[Ballot comment]
"Once this label was applied, it
  had the side effect of removing the temptation to have a KSK flag bit
  and a ZSK flag bit, setting on needing just one bit.)"  is a little clumsy;
how about:  "Once this label was applied, it had the side effect of removing
the temptation to have both a KSK flag bit and a ZSK flag bit"