Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org> To: IETF-Announce <email@example.com> Cc: Internet Architecture Board <firstname.lastname@example.org>, RFC Editor <email@example.com>, dnsext mailing list <firstname.lastname@example.org>, dnsext chair <email@example.com> Subject: Protocol Action: 'KEY RR Secure Entry Point Flag' to Proposed Standard The IESG has approved the following document: - 'KEY RR Secure Entry Point Flag ' <draft-ietf-dnsext-keyrr-key-signing-flag-13.txt> as a Proposed Standard This document is the product of the DNS Extensions Working Group. The IESG contact persons are Thomas Narten and Mark Townsley. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-dnsext-keyrr-key-signing-flag-13.txt
Technical Summary The Delegation Signer (DS) resource record introduced the concept of a key acting as a secure entry point into a delegation. During DNS-related key exchanges between the child and parent zone, there is a need to differentiate secure entry point keys from other public keys in the DNSKEY resource record set. This differentiation is not for the DNS protocols per se, but to help in determining what types of keys need to be generated (e.g., for a DS RR) and how to automate their generation. This document defines a flag bit in the DNSKEY RR to indicate KEY RRs that are used as a secure entry point. The flag bit is intended to assist in oprational procedures to correctly generate DS resource records, or to indicate what keys are intended for static configuration. The flag bit has no semantics in the DNS protocols and its value results in no special processing by the DNS protocols when operating on KEY RRs. This document updates RFC 2535 and RFC 3445. Working Group Summary The dnsext Working Group came to consensus on this document. Protocol Quality This document was reviewed by Thomas Narten for the IESG. RFC Editor Note: Please replace Section 6 as follows: OLD: 6. IANA Considerations The flag bits in the DNSKEY RR are assigned by IETF consensus and registered in the DNSKEY Flags registry (created by ). This document assigns the 15th bit in the DNSKEY RR as the Secure Entry Point (SEP) bit. NEW: 6. IANA Considerations IANA has assigned the 15th bit in the DNSKEY Flags Registry (see Section 4.3 of ) as the Secure Entry Point (SEP) bit.