The DS record doesn’t have a flag field. If you want to add flags or otherwise extend DS records, it requires new DS algorithms that encode the flags/extensions inside the digest field. It’s incrementally doable and has implications for all future DS algorithms. That said, this proposal doesn’t include such a change.

> On 15 Apr 2020, at 10:30, Paul Vixie <[email protected]> wrote:
>
> a bit in the parent (DS RRset) to say this delegation point is itself
> delegation-only would be more interesting. perhaps a way to assure compliance
> with a contract, thus preventing any ambiguity along the lines of
> "sitefinder".
>
> but a bit in the apex (DNSKEY RRset) is still interesting, as a declaration of
> intent, which is easily monitored to find out if that intent changes, and to
> allow widespread alarms if that intent isn't lived. one can imagine breakins
> at the registry or registrar which would have the power to insert new children
> but not the power to change the apex DNSKEY.
>
> a mature system would explicitly support this kind of live second-set-of-eyes.
>
> vixie
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
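
An added illustration of the two record layouts discussed in this thread (not code from either poster or from the proposal): DS RDATA parses into fields with no flags among them, while DNSKEY flags can be compared between two observations of an apex. The delegation-only bit value and all sample records are constructed assumptions.

```python
import struct

# DNSKEY flag bits from RFC 4034 / RFC 5011 (16-bit field, network byte order).
ZONE, REVOKE, SEP = 0x0100, 0x0080, 0x0001
# Hypothetical bit for a "delegation-only" declaration. The value is an
# assumption made for this example, not taken from the thread or a registry.
HYPOTHETICAL_DELEGATION_ONLY = 0x0040

def parse_ds(rdata: bytes) -> dict:
    """DS RDATA: key tag (2), algorithm (1), digest type (1), digest (rest)."""
    if len(rdata) < 5:
        raise ValueError("DS RDATA too short")
    key_tag, algorithm, digest_type = struct.unpack("!HBB", rdata[:4])
    return {"key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": rdata[4:]}

def parse_dnskey(rdata: bytes) -> dict:
    """DNSKEY RDATA: flags (2), protocol (1), algorithm (1), public key (rest)."""
    if len(rdata) < 5:
        raise ValueError("DNSKEY RDATA too short")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "protocol": protocol,
            "algorithm": algorithm, "public_key": rdata[4:]}

def flag_changes(old_rrset, new_rrset) -> list:
    """Return [(algorithm, set_bits, cleared_bits)] for keys present in both
    observations whose flags differ. Keys are matched on (algorithm, public
    key) because the key tag is computed over the flags as well."""
    old = {(k["algorithm"], k["public_key"]): k["flags"]
           for k in map(parse_dnskey, old_rrset)}
    changes = []
    for k in map(parse_dnskey, new_rrset):
        before = old.get((k["algorithm"], k["public_key"]))
        if before is not None and before != k["flags"]:
            changes.append((k["algorithm"],
                            k["flags"] & ~before, before & ~k["flags"]))
    return changes

# Constructed sample records (not real zone data).
PUBKEY = b"\x01" * 64
DS_SAMPLE = struct.pack("!HBB", 12345, 13, 2) + bytes(32)
OLD_APEX = [struct.pack("!HBB", ZONE | SEP | HYPOTHETICAL_DELEGATION_ONLY, 3, 13) + PUBKEY]
NEW_APEX = [struct.pack("!HBB", ZONE | SEP, 3, 13) + PUBKEY]

if __name__ == "__main__":
    print(sorted(parse_ds(DS_SAMPLE)))          # no "flags" field to inspect
    for alg, set_bits, cleared in flag_changes(OLD_APEX, NEW_APEX):
        if cleared & HYPOTHETICAL_DELEGATION_ONLY:
            print(f"ALERT: alg {alg} key dropped the delegation-only bit")
```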
