
Re: evaluation: draft-ietf-dnsext-keyrr-key-signing-flag



At Wed, 01 Oct 2003 22:54:31 -0400, Steven M. Bellovin wrote:
> 
> It defines values for that bit, but doesn't seem to associate any 
> behavior with either possible value.

it's a hint that the zone apex zone dnskey rrs (sic) with this bit set
are the ones for which the zone admin wants the parent to generate ds
rrs.  there are two cases in which this might be useful:

a) parent is some kind of registry, parent and child have arranged
   some kind of channel security (eg, tsig), parent picks up the
   child's keys with a qtype=dnskey query.  oops, that got the whole
   apex dnskey rrset, so having a bit that lets the parent sort out
   which ones the child wants signed is useful.

b) parent and child are signed by the same entity, zone signing
   software again wants to know which dnskey rrs from the child need
   to generate ds rrs in the parent.

note that in both cases there's external context which it may not make
sense for us to standardize.  presumably this is what you're noticing
by its absence.  there's a reason why it's only a hint.

and of course there's:

c) it may be useful as an indication of what the zone admin intended
   when one is trying to debug something twisted.

wg seemed to feel that the bit was probably useful, and the repeated
statements that it is never used in the rrsig verification process in
any way are intended to make sure that it's harmless as far as dnssec
proper goes.
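The selection the reply describes in cases (a) and (b), shown as an added example that is not code from the thread or from the draft: a parent (or a shared signing tool) fetches the child's whole apex DNSKEY RRset, keeps only the keys carrying the key-signing flag, and derives DS RRs from those. The bit position (bit 15 of the flags field, value 0x0001, as later standardized as the SEP bit in RFC 3757/4034), the additional check that the key is a zone key (bit 7, 0x0100), the key tag computation (RFC 4034 Appendix B) and the DS digest type 2 (SHA-256 over the canonical owner name followed by the DNSKEY RDATA) are assumptions taken from the later RFCs, not from this message; the three DNSKEY lines are constructed sample values, not real keys.

```python
# Added example (not from the mailing-list thread): filter an apex DNSKEY
# RRset on the key-signing ("SEP") flag and derive DS records from the
# flagged keys.  Assumptions: flag bit 15 (0x0001) and zone bit 7 (0x0100)
# per RFC 3757/4034, key tag per RFC 4034 Appendix B, DS digest type 2
# (SHA-256) over owner name wire form + DNSKEY RDATA.
import base64
import hashlib
import struct

SEP_FLAG = 0x0001   # key-signing / secure entry point bit (bit 15 of flags)
ZONE_FLAG = 0x0100  # zone key bit (bit 7 of flags)

# Constructed sample apex DNSKEY RRset in presentation format (not real keys).
SAMPLE_DNSKEY_LINES = [
    "example. 3600 IN DNSKEY 257 3 13 AQIDBA==",  # zone key + SEP bit: wants a DS
    "example. 3600 IN DNSKEY 256 3 13 BQYHCA==",  # zone key only (ZSK): no DS
    "example. 3600 IN DNSKEY 1 3 13 CQoLDA==",    # SEP set but not a zone key: ignored
]


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-algorithm-1 form)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse 'owner TTL IN DNSKEY flags protocol algorithm base64key...'."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *key = line.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + line)
    return {
        "owner": owner,
        "flags": int(flags),
        "protocol": int(proto),
        "algorithm": int(alg),
        "pubkey": base64.b64decode("".join(key)),
    }


def parse_rrset(lines) -> list:
    return [parse_dnskey(line) for line in lines]


def keys_for_ds(rrset) -> list:
    """The hint: only zone keys with the key-signing flag set get a DS in the parent."""
    return [k for k in rrset if (k["flags"] & ZONE_FLAG) and (k["flags"] & SEP_FLAG)]


def ds_record(key: dict, digest_type: int = 2) -> str:
    """DS RR (digest type 2 = SHA-256) for one DNSKEY, in presentation format."""
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["pubkey"])
    digest = hashlib.sha256(name_to_wire(key["owner"]) + rdata).hexdigest().upper()
    return f'{key["owner"]} IN DS {key_tag(rdata)} {key["algorithm"]} {digest_type} {digest}'


def generate_ds(lines) -> list:
    """What the parent-side tool does with the child's full apex DNSKEY RRset."""
    return [ds_record(k) for k in keys_for_ds(parse_rrset(lines))]


if __name__ == "__main__":
    for ds in generate_ds(SAMPLE_DNSKEY_LINES):
        print(ds)
```

The flag is only consulted when choosing which keys to hash into DS records; nothing here (and, per the reply, nothing in the draft) uses it during RRSIG verification, which is why the bit stays harmless to DNSSEC validation itself.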