Technical Summary
The Delegation Signer (DS) resource record introduced the concept of a
key acting as a secure entry point into a delegation. During
DNS-related key exchanges between the child and parent zone, there is
a need to differentiate secure entry point keys from other public keys
in the DNSKEY resource record set. This differentiation is not for the
DNS protocols per se, but to help in determining what types of keys
need to be generated (e.g., for a DS RR) and how to automate their
generation.
This document defines a flag bit in the DNSKEY RR to indicate KEY RRs
that are used as a secure entry point. The flag bit is intended to
assist in operational procedures to correctly generate DS resource
records, or to indicate what keys are intended for static
configuration. The flag bit has no semantics in the DNS protocols and
its value results in no special processing by the DNS protocols when
operating on KEY RRs. This document updates RFC 2535 and RFC 3445.
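The operational use described above, as an added example that is not part of this document: the 16-bit DNSKEY flags field is parsed, the SEP bit (bit 15, numbered from the most significant bit, so value 1) is used to pick out the keys for which a DS record should be generated, and the DS fields are derived as RFC 4034 specifies (key tag from Appendix B, SHA-256 digest over owner name plus RDATA). The sample RRset and its public key bytes are constructed, not real keys.

```python
import base64
import hashlib

# Flag bits of the 16-bit DNSKEY flags field, counted from the most
# significant bit as the DNSKEY Flags registry does: bit 7 = ZONE, bit 15 = SEP.
ZONE_FLAG = 1 << (15 - 7)    # 0x0100 = 256
SEP_FLAG = 1 << (15 - 15)    # 0x0001 = 1

def parse_dnskey(line):
    """Parse 'owner TTL IN DNSKEY flags protocol algorithm base64key'."""
    owner, _ttl, _cls, rrtype, flags, proto, alg, *key = line.split()
    if rrtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    return {"owner": owner, "flags": int(flags), "protocol": int(proto),
            "algorithm": int(alg), "key": base64.b64decode("".join(key))}

def rdata(rec):
    """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return (rec["flags"].to_bytes(2, "big")
            + bytes([rec["protocol"], rec["algorithm"]]) + rec["key"])

def key_tag(rec):
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata(rec)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Owner name in canonical wire form: lower-cased labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_for_sep_keys(lines, digest_type=2):
    """Return (key tag, algorithm, digest type, digest) only for SEP zone keys.

    The SEP bit drives the selection; the DNS protocol itself treats
    SEP and non-SEP keys identically. Digest type 2 is SHA-256."""
    result = []
    for rec in map(parse_dnskey, lines):
        if rec["flags"] & SEP_FLAG and rec["flags"] & ZONE_FLAG:
            digest = hashlib.sha256(wire_name(rec["owner"]) + rdata(rec)).hexdigest()
            result.append((key_tag(rec), rec["algorithm"], digest_type, digest))
    return result

# Constructed sample RRset; the key material is dummy bytes, not a real key.
SAMPLE = [
    "example. 3600 IN DNSKEY 257 3 13 AQIDBA==",  # ZONE + SEP: gets a DS record
    "example. 3600 IN DNSKEY 256 3 13 BQYHCA==",  # ZONE only: no DS generated
]
```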
Working Group Summary
The dnsext Working Group came to consensus on this document.
Protocol Quality
This document was reviewed by Thomas Narten for the IESG.
RFC Editor Note:
Please replace Section 6 as follows:
OLD:
6. IANA Considerations
The flag bits in the DNSKEY RR are assigned by IETF consensus and
registered in the DNSKEY Flags registry (created by [4]). This
document assigns the 15th bit in the DNSKEY RR as the Secure Entry
Point (SEP) bit.
NEW:
6. IANA Considerations
IANA has assigned the 15th bit in the DNSKEY Flags Registry (see
Section 4.3 of [4]) as the Secure Entry Point (SEP) bit.