Re: [DNSOP] Specification of DNSKEY "Private-key-format"

Evan Hunt <each@isc.org> Thu, 29 August 2019 16:11 UTC

Date: Thu, 29 Aug 2019 16:11:23 +0000
From: Evan Hunt <each@isc.org>
To: Mukund Sivaraman <muks@mukund.org>
Cc: dnsop@ietf.org
Message-ID: <20190829161123.GA52870@isc.org>
References: <20190829125502.GA2048@jurassic.lan.banu.com> <20190829134831.GC90696@straasha.imrryr.org> <20190829135554.GA3616@jurassic.lan.banu.com>
In-Reply-To: <20190829135554.GA3616@jurassic.lan.banu.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WZpvnJXXoZWana0EGbwl_ssEjvE>
Subject: Re: [DNSOP] Specification of DNSKEY "Private-key-format"

On Thu, Aug 29, 2019 at 07:25:54PM +0530, Mukund Sivaraman wrote:
> I am asking about where this key format is specified - I want to extend
> it.

There's never been a written specification as far as I know, and if there
was one, then it's definitely been obsolete since 2009, because I changed
the format then and I didn't update any specs.

What I can tell you is: the private key file contains a format version
string, "Private-key-format", currently always set to 1.3, and an
algorithm string, "Algorithm".  After that comes a set of private keydata
fields which are specific to the algorithm, and finally a set of *optional*
metadata fields.

Those were introduced in format version 1.3. They include "Created",
"Publish", "Delete", etc., and also a few (such as "RollPeriod") that
were reserved for future use but we've never gotten around to using them.

If the parser encounters any field that it doesn't recognize, and the key
claims to be version 1.3, then it will reject the key with an error.
However, if Private-key-format is increased to at least 1.4, then the
version 1.3 parser will ignore the unknown fields and just use the ones
that it does understand.  A version number above 2.0 is assumed not to be
backward-compatible, so that key would be rejected always.

We've had a few conversations at ISC recently about adding some new
fields and increasing the format version to 1.4, so it would probably be
best if we coordinate our changes to ensure that your extensions are
interoperable with ours.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
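The version-gated field handling described in the message above, as an added example that is not ISC's code or part of the original post: a small parser for a line-oriented "Field: value" key file that rejects unknown fields at format 1.3, ignores them at 1.4 through 1.x, and refuses 2.0 and above. The "PrivateKey" keydata field name, the 2.0 boundary and the sample key are constructed assumptions.

```python
import re

KNOWN_METADATA = {"Created", "Publish", "Delete", "RollPeriod"}  # optional fields added in 1.3
KEYDATA_BY_ALGORITHM = {"13": {"PrivateKey"}}  # assumed keydata field name for algorithm 13

class KeyFormatError(ValueError):
    """Raised whenever a format-1.3 parser must reject the key file."""

def parse_version(text):
    m = re.fullmatch(r"v?(\d+)\.(\d+)", text.strip())
    if not m:
        raise KeyFormatError(f"bad Private-key-format {text!r}")
    return int(m.group(1)), int(m.group(2))

def parse_private_key(text):
    """Parse 'Field: value' lines, applying the version-based compatibility rule."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise KeyFormatError(f"line {lineno}: expected 'Field: value'")
        fields[name.strip()] = value.strip()
    try:
        major, minor = parse_version(fields["Private-key-format"])
        algorithm = fields["Algorithm"]
    except KeyError as e:
        raise KeyFormatError(f"missing required field {e}") from None
    if major >= 2:  # 2.0 and above assumed not backward-compatible: always rejected
        raise KeyFormatError(f"format {major}.{minor} is not backward-compatible")
    strict = (major, minor) <= (1, 3)  # 1.3: unknown fields are fatal; 1.4+: ignored
    keydata_names = KEYDATA_BY_ALGORITHM.get(algorithm.split()[0], set())
    result = {"version": (major, minor), "algorithm": algorithm,
              "keydata": {}, "metadata": {}, "ignored": []}
    for name, value in fields.items():
        if name in ("Private-key-format", "Algorithm"):
            continue
        if name in keydata_names:
            result["keydata"][name] = value
        elif name in KNOWN_METADATA:
            result["metadata"][name] = value
        elif strict:
            raise KeyFormatError(f"unknown field {name!r} in format {major}.{minor}")
        else:
            result["ignored"].append(name)  # tolerated: newer minor version, same major
    return result

# Constructed sample (not a real key): a format-1.3 file with one metadata field.
SAMPLE_V13 = "Private-key-format: v1.3\nAlgorithm: 13 (ECDSAP256SHA256)\nPrivateKey: AAAAexample\nCreated: 20190829161123\n"
```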