DNSKEY flags field
- To: namedroppers@ops.ietf.org
- Subject: DNSKEY flags field
- From: Simon Josefsson <jas@extundo.com>
- Date: Thu, 10 Jun 2004 16:39:22 +0200
- User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3.50 (gnu/linux)

Hello. I think the flags field of DNSKEY could be improved to
facilitate future revisions. The dnssec-records says in 2.1.1:

   Bits 0-6 and 8-14 are reserved: these bits MUST have value 0 upon
   creation of the DNSKEY RR, and MUST be ignored upon reception.

Always ignoring unknown bits removes the possibility of using the flags
field as an upgrade path in future revisions of DNSSEC. What do
people think about changing the above to:

   Bits 0-6 and 8-14 are reserved: these bits MUST have value 0 upon
   creation of the DNSKEY RR, and bits 0-6 MUST be ignored upon
   reception, and non-zero values in bits 8-14 MUST cause the DNSKEY
   to be considered invalid for purposes of RRSIG validation.

This would allow DNSSECter to use bits 0-6 for non-critical signaling
of new features, and to use bits 8-14 for critical signaling of new
features.

Of course, if after more consideration, it is realized that using the
flags field is not a reliable way to signal features DNSSECter wants to
communicate, then EDNS or some other solution can be used instead.
But adopting the above text would make it possible to have this option
open for DNSSECter.

What do you think?

Thanks,
Simon

PS. This message was reposted here because my post to dnssec@cafax.se
appears to have neither arrived, bounced or generated a moderation
notify. If you receive duplicates, I apologize.
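
The two reception rules compared in the message above, as an added example that is not part of the original post: it decodes the DNSKEY flags field (bit 0 is the most significant bit) and reports whether a key would be usable for RRSIG validation under the quoted text and under the proposed text. The names `evaluate`, `BITS_0_6`, `BITS_8_14` and the sample RDATA are constructed for illustration; the requirement that the Zone Key bit (bit 7) be set comes from the same section of dnssec-records, not from the message.

```python
import struct

def bit(n: int) -> int:
    """Mask for bit n of the 16-bit flags field; bit 0 is the most significant."""
    return 1 << (15 - n)

ZONE_KEY = bit(7)                               # 0x0100
SEP = bit(15)                                   # 0x0001
BITS_0_6 = sum(bit(n) for n in range(0, 7))     # 0xFE00, non-critical in the proposal
BITS_8_14 = sum(bit(n) for n in range(8, 15))   # 0x00FE, critical in the proposal

def evaluate(rdata: bytes) -> dict:
    """Decide whether a DNSKEY may be used for RRSIG validation under each rule."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA is shorter than its 4-octet fixed header")
    (flags,) = struct.unpack("!H", rdata[:2])
    zone = bool(flags & ZONE_KEY)
    critical = flags & BITS_8_14
    return {
        "flags": flags,
        "zone_key": zone,
        "sep": bool(flags & SEP),
        "bits_0_6": flags & BITS_0_6,
        "bits_8_14": critical,
        # Quoted text: every reserved bit is ignored, only the Zone Key bit matters.
        "usable_current": zone,
        # Proposed text: any non-zero bit in 8-14 invalidates the key for validation.
        "usable_proposed": zone and critical == 0,
    }

# Constructed sample RDATA: flags, protocol 3, algorithm 5, dummy key octets.
SAMPLES = {
    "zone key": bytes.fromhex("01000305") + b"\x00" * 8,
    "zone key + SEP": bytes.fromhex("01010305") + b"\x00" * 8,
    "zone key + bit 6": bytes.fromhex("03000305") + b"\x00" * 8,
    "zone key + bit 14": bytes.fromhex("01020305") + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, rdata in SAMPLES.items():
        v = evaluate(rdata)
        print(f"{name:18} flags=0x{v['flags']:04x} "
              f"current={v['usable_current']} proposed={v['usable_proposed']}")
```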