The DS record doesn’t have a flag field. If you want to add flags or otherwise extend DS records, it requires new DS algorithms that encode the flags/extensions inside the digest field. It’s incrementally doable and has implications for all future DS algorithms. That said, this proposal doesn’t include such a change.

> On 15 Apr 2020, at 10:30, Paul Vixie <p...@redbarn.org> wrote:
>
> a bit in the parent (DS RRset) to say this delegation point is itself
> delegation-only would be more interesting. perhaps a way to assure compliance
> with a contract, thus preventing any ambiguity along the lines of
> "sitefinder".
>
> but a bit in the apex (DNSKEY RRset) is still interesting, as a declaration of
> intent, which is easily monitored to find out if that intent changes, and to
> allow widespread alarms if that intent isn't lived. one can imagine breakins
> at the registry or registrar which would have the power to insert new children
> but not the power to change the apex DNSKEY.
>
> a mature system would explicitly support this kind of live second-set-of-eyes.
>
> vixie
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
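
The RFC 4034 wire layouts behind the point about DS having no flag field, as an added example that is not part of the original message: DNSKEY RDATA carries a 16-bit flags word, while DS RDATA is only key tag, algorithm, digest type and digest, so DNSKEY flags reach the parent solely through the digest. The function names, the owner name `example.` and the dummy 64-byte key are constructed for illustration.

```python
import hashlib
import struct

# Digest lengths for assigned DS digest types (1=SHA-1, 2=SHA-256, 4=SHA-384).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(dnskey_rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(rdata: bytes) -> dict:
    """DNSKEY RDATA: flags(16) | protocol(8) | algorithm(8) | public key."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "protocol": protocol,
            "algorithm": algorithm, "public_key": rdata[4:]}

def make_ds(owner: str, dnskey_rdata: bytes) -> bytes:
    """DS RDATA, digest type 2: SHA-256(owner wire name | DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + dnskey_rdata).digest()
    return struct.pack("!HBB", key_tag(dnskey_rdata), dnskey_rdata[3], 2) + digest

def parse_ds(rdata: bytes) -> dict:
    """DS RDATA: key tag(16) | algorithm(8) | digest type(8) | digest."""
    if len(rdata) < 4:
        raise ValueError("DS RDATA shorter than its fixed header")
    tag, algorithm, digest_type = struct.unpack("!HBB", rdata[:4])
    digest = rdata[4:]
    known = digest_type in DIGEST_LEN
    if known and len(digest) != DIGEST_LEN[digest_type]:
        raise ValueError("digest length does not match digest type")
    # Everything after the 4-byte header is digest: there is no spare field
    # for a flag, and the digest of an unknown digest type is opaque here.
    return {"key_tag": tag, "algorithm": algorithm, "digest_type": digest_type,
            "digest": digest, "digest_type_known": known}

def sample_dnskey(flags: int) -> bytes:
    """Constructed DNSKEY RDATA: protocol 3, algorithm 13, dummy 64-byte key."""
    return struct.pack("!HBB", flags, 3, 13) + bytes(range(64))
```
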