Looking for this: https://www.iana.org/assignments/dnskey-flags/dnskey-flags.xhtml ?



—Olaf

PS. Haven’t looked at this code for over a decade. That last croak, Postel principle violation?

On 16 Apr 2020, at 23:08, Dick Franks wrote:

Warren,

Comments in line

On Thu, 16 Apr 2020 at 20:31, Warren Kumari <war...@kumari.net> wrote:

Just checking - the DNSKEY Flags field is 16 bits, and we have so far burned:
Bit 15 - SEP
Bit 7 - Zone key
Bit 8 - Revoked
Did I miss any (I wasn't able to find a registry for this)?

If not, we still have 13 bits left, and so using one for this seems ok to me, especially if recursives doing something with it is optional...
(I had mistakenly remembered the Flags as being only 8 bits)
I'm still not convinced that DNSSEC Transparency will come to pass,
nor that many zones will use this flag, but I'm now much more sanguine
about giving it a bit...


The lack(?) of a registry is indeed regrettable.

However, there seems to be some historical meaning attached to some of
the other flag bits.

If I look back at Net::DNS::SEC 0.17, bequeathed to me by one Olaf
Kolkman, the DS create() method contains the following mysterious
(perl) lines, for which I can offer no coherent explanation:

    # The key must not be a NULL key.
    if (($keyrr->{"flags"} & hex("0xc000") ) == hex("0xc000") ){
        croak "\nCreating a DS record for a NULL key is illegal";
    }

    # Bit 0 must not be set.
    if (($keyrr->{"flags"}) & hex("0x8000")) {
        croak "\nCreating a DS record for a key with flag bit 0 set ".
            "to 0 is illegal";
    }

    # Bit 6 must be set to 0 bit 7 must be set to 1
    if ( ($keyrr->{"flags"} & hex("0x300")) != hex("0x100")){
        croak "\nCreating a DS record for a key with flags 6 and 7 not set ".
            "0  and 1 respectively is illegal";
    }

which would seem to indicate that some of the other bits were thought
to have some meaning circa 2013.

Perhaps Olaf can shed some light on this topic.


Dick Franks
________________________



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Olaf M. Kolkman                                     Tweets as: @kolkman
Principal - Internet Technology, Policy, and Advocacy
Internet Society                        https://www.internetsociety.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
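
Added example, not part of the thread and not Net::DNS::SEC code: the Flags field uses IETF bit numbering, where bit 0 is the most significant bit, so the code below decodes a 16-bit DNSKEY Flags value that way and restates the three quoted DS create() tests in the same terms. The function names are assumptions made here; the bit assignments are those of RFC 4034 (ZONE, SEP) and RFC 5011 (REVOKE), and the readings of the older bits come from the RFC 2535 KEY record.

```python
# Added example: DNSKEY Flags decoding with IETF bit numbering (bit 0 = MSB).
# Function names are hypothetical; sample values in the tests are constructed.

ASSIGNED = {7: "ZONE", 8: "REVOKE", 15: "SEP"}  # RFC 4034 and RFC 5011


def mask(bit):
    """Mask for IETF-numbered bit `bit` of a 16-bit field (bit 0 is 0x8000)."""
    if not 0 <= bit <= 15:
        raise ValueError("bit must be in 0..15")
    return 1 << (15 - bit)


def decode_flags(flags):
    """Return (names of assigned bits that are set, numbers of other set bits)."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags must fit in 16 bits")
    set_bits = [b for b in range(16) if flags & mask(b)]
    named = [ASSIGNED[b] for b in set_bits if b in ASSIGNED]
    unassigned = [b for b in set_bits if b not in ASSIGNED]
    return named, unassigned


def legacy_ds_checks(flags):
    """Apply the three quoted tests; collect every failure instead of
    stopping at the first one as croak would."""
    reasons = []
    # Bits 0 and 1 both set: the RFC 2535 KEY "no key" value.
    if (flags & 0xC000) == 0xC000:
        reasons.append("null key")
    # Bit 0 set on its own account.
    if flags & 0x8000:
        reasons.append("bit 0 set")
    # Bits 6-7 are the RFC 2535 name type; 01 (bit 7 only) means zone key.
    if (flags & 0x0300) != 0x0100:
        reasons.append("bits 6/7 not 0/1")
    return reasons
```

Under this numbering, the common values 256 and 257 decode to ZONE and ZONE plus SEP, and both pass all three legacy tests.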
