Re: [DNSOP] On Powerbind

Dick Franks <rwfranks@gmail.com> Thu, 16 April 2020 21:09 UTC

From: Dick Franks <rwfranks@gmail.com>
Date: Thu, 16 Apr 2020 22:08:19 +0100
To: Warren Kumari <warren@kumari.net>
Cc: dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Wes Hardaker <wjhns1@hardakers.net>, Olaf Kolkman <kolkman@isoc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SW1t5XRNaN2R5p-zqKeo07I6ICA>
Subject: Re: [DNSOP] On Powerbind

Warren,

Comments inline.

On Thu, 16 Apr 2020 at 20:31, Warren Kumari <warren@kumari.net> wrote:
>8

> Just checking - the DNSKEY Flags field is 16 bits, and we have so far burned:
> Bit 15 - SEP
> Bit 7 - Zone key
> Bit 8 - Revoked
> Did I miss any (I wasn't able to find a registry for this)?
>
> If not, we still have 13 bits left, and so using one for this seems ok
> to me, especially if recursives doing something with it is optional...
> (I had mistakenly remembered the Flags as being only 8 bits)
> I'm still not convinced that DNSSEC Transparency will come to pass,
> nor that many zones will use this flag, but I'm now much more sanguine
> about giving it a bit...
>

The lack(?) of a registry is indeed regrettable.

However, there seems to be some historical meaning attached to some of
the other flag bits.

If I look back at Net::DNS::SEC 0.17, bequeathed to me by one Olaf
Kolkman, the DS create() method contains the following mysterious
(perl) lines, for which I can offer no coherent explanation:

    # The key must not be a NULL key.
    if (($keyrr->{"flags"} & hex("0xc000") ) == hex("0xc000") ){
        croak "\nCreating a DS record for a NULL key is illegal";
    }

    # Bit 0 must not be set.
    if (($keyrr->{"flags"}) & hex("0x8000")) {
        croak "\nCreating a DS record for a key with flag bit 0 set ".
            "to 0 is illegal";
    }

    # Bit 6 must be set to 0 bit 7 must be set to 1
    if ( ($keyrr->{"flags"} & hex("0x300")) != hex("0x100")){
        croak "\nCreating a DS record for a key with flags 6 and 7 not set ".
            "0  and 1 respectively is illegal";
    }

which would seem to indicate that some of the other bits were thought
to have some meaning circa 2013.

Perhaps Olaf can shed some light on this topic.


Dick Franks
________________________
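The masks in the quoted Perl line up with DNS bit numbering, where bit 0 is the most significant bit of the 16-bit Flags field (which is why Warren's "bit 15 = SEP" has the value 1, and 0xc000 covers bits 0 and 1, the KEY RR type field of RFC 2535). The following is an added example in Python, not code from this message or from Net::DNS::SEC: it decodes a flags word into DNS bit numbers and re-expresses the three checks from the quoted create() method, with the bit-number labels being my reading of the masks.

```python
# Added example: decode DNSKEY/KEY flags using DNS bit numbering
# (bit 0 = most significant of 16 bits) and replay the three checks
# quoted from Net::DNS::SEC 0.17. Bit-number labels are assumptions
# derived from the hex masks in the quoted Perl.

def dns_bit(n):
    """Mask for DNS flag bit n, where bit 0 is the most significant bit."""
    if not 0 <= n <= 15:
        raise ValueError("DNS flag bits are numbered 0..15")
    return 1 << (15 - n)

# Bits named in the thread (RFC 4034 DNSKEY, RFC 5011 REVOKE).
ZONE_KEY = dns_bit(7)   # 0x0100
REVOKE = dns_bit(8)     # 0x0080
SEP = dns_bit(15)       # 0x0001


def describe_flags(flags):
    """Return the set of DNS bit numbers that are set in a 16-bit flags word."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags must fit in 16 bits")
    return {n for n in range(16) if flags & dns_bit(n)}


def net_dns_sec_017_checks(flags):
    """Replay the three checks from the quoted DS create() method.

    Returns the first rejection reason, or None if the key passes.
    The hex masks are the Perl constants; the comments give their
    DNS-convention bit numbers (my interpretation, not the original's).
    """
    # 0xc000: bits 0 and 1 both set; in RFC 2535 KEY terms, "no key".
    if flags & 0xC000 == 0xC000:
        return "NULL key (bits 0 and 1 set)"
    # 0x8000: bit 0 set.
    if flags & 0x8000:
        return "flag bit 0 set"
    # 0x300 selects bits 6 and 7; only 0x100 (bit 6 clear, bit 7 set) passes.
    if flags & 0x0300 != 0x0100:
        return "bits 6 and 7 not 0 and 1 respectively"
    return None
```

With these checks, the common modern values 256 (zone key) and 257 (zone key + SEP) are accepted, while anything with bit 0 set or bit 7 clear is rejected.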