Warren, Comments in line
On Thu, 16 Apr 2020 at 20:31, Warren Kumari <war...@kumari.net> wrote:
>8
> Just checking - the DNSKEY Flags field is 16 bits, and we have so far burned:
> Bit 15 - SEP
> Bit 7 - Zone key
> Bit 8 - Revoked
> Did I miss any (I wasn't able to find a registry for this)?
>
> If not, we still have 13 bits left, and so using one for this seems ok
> to me, especially if recursives doing something with it is optional...
> (I had mistakenly remembered the Flags as being only 8 bits)
> I'm still not convinced that DNSSEC Transparency will come to pass,
> nor that many zones will use this flag, but I'm now much more sanguine
> about giving it a bit...
>

The lack(?) of a registry is indeed regrettable.

However, there seems to be some historical meaning attached to some of the other flag bits.

If I look back at Net::DNS::SEC 0.17, bequeathed to me by one Olaf Kolkman, the DS create() method contains the following mysterious (perl) lines, for which I can offer no coherent explanation:

    # The key must not be a NULL key.
    if ( ( $keyrr->{"flags"} & hex("0xc000") ) == hex("0xc000") ) {
        croak "\nCreating a DS record for a NULL key is illegal";
    }

    # Bit 0 must not be set.
    if ( $keyrr->{"flags"} & hex("0x8000") ) {
        croak "\nCreating a DS record for a key with flag bit 0 set "
            . "to 0 is illegal";
    }

    # Bit 6 must be set to 0 bit 7 must be set to 1
    if ( ( $keyrr->{"flags"} & hex("0x300") ) != hex("0x100") ) {
        croak "\nCreating a DS record for a key with flags 6 and 7 not set "
            . "0 and 1 respectively is illegal";
    }

which would seem to indicate that some of the other bits were thought to have some meaning circa 2013.

Perhaps Olaf can shed some light on this topic.

Dick Franks
________________________

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
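The following is an added worked example, not code from the thread or from Net::DNS::SEC. It decodes a DNSKEY Flags value using DNS bit numbering (bit 0 is the most significant bit, 0x8000; bit 15 is 0x0001, so the three allocations Warren lists are ZONE = 256, REVOKE = 128, SEP = 1) and replays the three create() checks from the quoted Perl so that one can see which Flags values they accept. The masks 0xC000 (bits 0-1) and 0x0300 (bits 6-7) correspond to the RFC 2535 "type" and "name type" fields, where 11 in bits 0-1 meant "no key" (a NULL key) and 01 in bits 6-7 meant "zone key"; the function and constant names below are this example's own.

```python
# Added example: DNSKEY Flags bit decoding and the three historical
# DS-creation checks quoted from Net::DNS::SEC 0.17 (names are ours).

def bit(n: int) -> int:
    """Mask for DNSKEY Flags bit n in DNS (MSB-first) numbering."""
    if not 0 <= n <= 15:
        raise ValueError("DNSKEY Flags is a 16-bit field")
    return 1 << (15 - n)

# Allocations mentioned in the thread.
ZONE_KEY = bit(7)   # 0x0100 = 256
REVOKE   = bit(8)   # 0x0080 = 128
SEP      = bit(15)  # 0x0001 = 1

NAMED = {"ZONE": ZONE_KEY, "REVOKE": REVOKE, "SEP": SEP}


def decode_flags(flags: int) -> dict:
    """Return the named flags plus a list of any other bit numbers set."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("DNSKEY Flags is a 16-bit field")
    named = {name: bool(flags & mask) for name, mask in NAMED.items()}
    other = [n for n in range(16)
             if flags & bit(n) and bit(n) not in NAMED.values()]
    return {**named, "other_bits": other}


# Masks used by the quoted Perl: 0xC000 = bits 0-1, 0x8000 = bit 0,
# 0x0300 = bits 6-7 (RFC 2535 "type" and "name type" fields).
NULL_KEY_MASK  = bit(0) | bit(1)   # 0xC000
BIT0_MASK      = bit(0)            # 0x8000
NAME_TYPE_MASK = bit(6) | bit(7)   # 0x0300


def ds_create_check(flags: int):
    """Replay the three create() checks in order.

    Returns None when a DS record may be built from this key, otherwise a
    short reason mirroring the corresponding Perl croak."""
    if flags & NULL_KEY_MASK == NULL_KEY_MASK:
        return "NULL key (bits 0 and 1 both set)"
    if flags & BIT0_MASK:
        return "flag bit 0 set"
    if flags & NAME_TYPE_MASK != ZONE_KEY:
        return "bits 6 and 7 are not 0 and 1 (not a zone key)"
    return None


if __name__ == "__main__":
    # Constructed sample values: a ZSK (256), a KSK (257), a revoked KSK
    # (385), and a few values that trip the historical checks.
    for value in (256, 257, 385, 0, 0x0300, 0x8100, 0xC100):
        print(f"{value:#06x} {decode_flags(value)} -> {ds_create_check(value)}")
```

Running the block shows that every Flags value a modern DNSSEC zone actually publishes (256, 257, 385) passes all three checks, so the Perl only ever rejected keys carrying RFC 2535 bits that RFC 4034 later reserved.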