The IESG has approved the Internet-Draft 'Limiting the Scope of the KEY Resource Record' <draft-ietf-dnsext-restrict-key-for-dnssec-04.txt> as a Proposed Standard. This document is the product of the DNS Extensions Working Group. The IESG contact persons are Erik Nordmark and Thomas Narten.

Technical Summary

This document limits the Domain Name System KEY resource record to only keys used by the Domain Name System Security Extensions (DNSSEC). The original KEY resource record used sub-typing to store both DNSSEC keys and arbitrary application keys. Storing both DNSSEC and application keys in one record was a mistake. This document removes application keys from the KEY record by redefining the Protocol Octet field in the KEY Resource Record Data. As a result of removing application keys, all but one of the flags in the KEY record become unnecessary and are removed. Three existing application key sub-types are changed to reserved, but the format of the KEY record is not changed. This document updates RFC 2535.

Working Group Summary

There was WG rough consensus to advance this document; people agree that restricting the KEY RR to DNS keys is the right thing to do. However, some folks see a need to provide a replacement for the application key use of the KEY RR (whether it be APPKEY or something else). Since there isn't agreement (see the SIKED BoF) on what problem something like APPKEY would solve, there isn't a ready replacement for this functionality at this point in time. Thus the WG rough consensus is to restrict KEY now and defer the application key discussion.

Protocol Quality

This specification has been reviewed for the IESG by Erik Nordmark.
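As an added illustration (not part of the announcement or the draft), the checker below parses KEY RDATA in its RFC 2535 wire layout (2-octet flags, 1-octet protocol, 1-octet algorithm, public key) and reports anything the restriction described above rules out: a Protocol Octet other than DNSSEC (value 3) or any flag bit other than the single retained zone-key flag. The bit position of that flag (0x0100) and the sample RDATA values are my assumptions, constructed for the example.

```python
import struct
from dataclasses import dataclass

PROTOCOL_DNSSEC = 3      # RFC 2535 protocol value for DNSSEC, the only one still allowed
ZONE_KEY_FLAG = 0x0100   # assumption: the one retained flag (zone key), bit 7 of the 16-bit field


@dataclass
class KeyRdata:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


def parse_key_rdata(rdata: bytes) -> KeyRdata:
    """Split KEY RDATA into its fixed 4-octet header and the public key material."""
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than the fixed 4-octet header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return KeyRdata(flags, protocol, algorithm, rdata[4:])


def restrict_key_problems(rec: KeyRdata) -> list[str]:
    """Return the ways a KEY record violates the DNSSEC-only restriction (empty if it conforms)."""
    problems = []
    if rec.protocol != PROTOCOL_DNSSEC:
        problems.append(
            f"protocol octet {rec.protocol} is not DNSSEC ({PROTOCOL_DNSSEC}); "
            "application sub-types are reserved"
        )
    removed_bits = rec.flags & ~ZONE_KEY_FLAG & 0xFFFF
    if removed_bits:
        problems.append(f"flags 0x{rec.flags:04x} set removed flag bits 0x{removed_bits:04x}")
    return problems


def is_dnssec_only_key(rdata: bytes) -> bool:
    """True when the record uses only the DNSSEC protocol value and the retained zone-key flag."""
    return not restrict_key_problems(parse_key_rdata(rdata))


# Constructed sample RDATA (not taken from the announcement); key material is a placeholder.
ZONE_KEY_OK = struct.pack("!HBB", 0x0100, 3, 5) + b"\x01\x02\x03"    # zone key, protocol DNSSEC
APP_KEY_OLD = struct.pack("!HBB", 0x0000, 1, 5) + b"\x01\x02\x03"    # RFC 2535 application sub-type
LEGACY_FLAGS = struct.pack("!HBB", 0xC100, 3, 5) + b"\x01\x02\x03"   # DNSSEC, but removed bits set

if __name__ == "__main__":
    for name, sample in (("ok", ZONE_KEY_OK), ("app", APP_KEY_OLD), ("legacy", LEGACY_FLAGS)):
        print(name, restrict_key_problems(parse_key_rdata(sample)) or "conforms")
```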
