1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|             flags             |    protocol   |   algorithm   |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                                                               /
	/                          public key                           /
	/                                                               /
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
	Flags:
	0   1   2   3   4   5   6   7   8   9   0   1   2   3   4   5
	+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
	|  A/C  | Z | XT| Z | Z | NAMTYP| Z | Z | Z | Z |      SIG      |
	+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
	When dealing with ZONE data NAMTYPE is set to 01.
	If bit 0 and 1 are both 0 then the key can be used for authentication and confidentiality.  DNSSEC normally sets these two bits to 0.
	If bit 0 and 1 are set, then there is NO key and the RR stops after the algorithm octet.
	Flags 0XC100 = 49408
	Protocol: For DNSSEC the protocol is 3. IPSEC would have 4 in the protocol field.
	Algorithm:   1     RSA/MD5 [RFC 2537]
	2     Diffie-Hellman [RFC 2539] - optional, key only
	3     DSA [RFC 2536] Ð Mandatory in implementations
	4     reserved for elliptic curve crypto
	5     RSA/SHA1 [RFC3110] Ð Mandatory in implementations
	There are developments to restrict the use of KEYs to DNSSEC only. So only allow protocol 3 and drop some of the flags see: draft-ietf-dnsext--restrict-key-for-dnssec-??.txt