                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             flags             |    protocol   |   algorithm   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               /
   /                          public key                           /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|

Flags:

     0   1   2   3   4   5   6   7   8   9   0   1   2   3   4   5
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
   |  A/C  | Z | XT| Z | Z | NAMTYP| Z | Z | Z | Z |      SIG      |
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
NAMTYP: when dealing with ZONE data, NAMTYP is set to 01.

A/C: if bits 0 and 1 are both 0, the key can be used for authentication and
confidentiality. DNSSEC normally sets these two bits to 0.

If bits 0 and 1 are both set, there is NO key and the RR stops after the
algorithm octet. Example: flags 0xC100 = 49408 (bits 0 and 1 set, NAMTYP = 01).
Protocol: for DNSSEC the protocol is 3. IPSEC would have 4 in the protocol field.
Algorithm:

    1  RSA/MD5 [RFC 2537]
    2  Diffie-Hellman [RFC 2539] - optional, key only
    3  DSA [RFC 2536] - mandatory in implementations
    4  reserved for elliptic curve crypto
    5  RSA/SHA1 [RFC 3110] - mandatory in implementations
There are developments to restrict the use of KEY RRs to DNSSEC only: allow only
protocol 3 and drop some of the flags. See:
draft-ietf-dnsext--restrict-key-for-dnssec-??.txt
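As an added example (not code from the original page), the following Python decodes a KEY RDATA laid out as above: it pulls the A/C, NAMTYP and SIG bits out of the flags, handles the no-key case where A/C is 11 and the RR stops after the algorithm octet, and applies the protocol-3 restriction. The `acceptable_for_dnssec` policy and the constructed sample RDATA are assumptions, not taken from the page.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyRdata:
    flags: int
    protocol: int
    algorithm: int
    public_key: Optional[bytes]   # None when A/C == 11: the RR carries no key

    @property
    def ac(self) -> int:          # bits 0-1: 00 = authentication + confidentiality, 11 = no key
        return (self.flags >> 14) & 0x3

    @property
    def namtyp(self) -> int:      # bits 6-7: 01 = zone key
        return (self.flags >> 8) & 0x3

    @property
    def sig(self) -> int:         # bits 12-15: the SIG (signatory) field
        return self.flags & 0xF


def parse_key_rdata(rdata: bytes) -> KeyRdata:
    """Decode KEY RDATA laid out as flags(16) | protocol(8) | algorithm(8) | public key."""
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than flags + protocol + algorithm")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    rest = rdata[4:]
    if (flags >> 12) & 0x1:       # bit 3 (XT): a 16-bit extended flags field follows (RFC 2535)
        if len(rest) < 2:
            raise ValueError("XT set but the extended flags field is missing")
        rest = rest[2:]
    if (flags >> 14) & 0x3 == 0x3:  # A/C = 11: no key, the RR stops after the algorithm octet
        if rest:
            raise ValueError("A/C = 11 announces no key, yet key bytes follow")
        return KeyRdata(flags, protocol, algorithm, None)
    return KeyRdata(flags, protocol, algorithm, rest)


def acceptable_for_dnssec(key: KeyRdata) -> bool:
    """Assumed validator policy: only protocol 3 (DNSSEC) zone keys that actually carry a key."""
    return key.protocol == 3 and key.namtyp == 1 and key.public_key is not None


if __name__ == "__main__":
    null_key = parse_key_rdata(bytes.fromhex("c1000305"))  # constructed: flags 0xC100 = 49408
    print(null_key.flags, null_key.ac, null_key.namtyp, acceptable_for_dnssec(null_key))
```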