KEY RR now restricted to DNSSEC protocol only

No Subtyping of KEY RR

All other protocols (IPSEC, email, etc.) obsolete and must not be used to store key material

All flag bits, except one, now obsolete

“zone key” bit (bit 7 – backwards compatibility)

Why?

Avoid large keysets, especially at apex

Avoid subtypes of KEY RR

Including using SRV-like naming scheme

Separate administration of DNSSEC and Application keys
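
An added example, not from the original slides: a checker that applies the restrictions above to the wire-format RDATA of a KEY record. The field layout (16-bit flags, protocol octet, algorithm octet, key) and the DNSSEC protocol value 3 come from the KEY RR specification rather than this page; the function name and sample records are constructed for illustration.

```python
import struct

# Flags bit 7, counting bit 0 as the most significant bit of the 16-bit field.
ZONE_KEY_MASK = 0x0100
# Protocol octet value assigned to DNSSEC (assumption from the KEY RR spec).
PROTOCOL_DNSSEC = 3
# Other protocol values from the original KEY RR registry, now obsolete.
LEGACY_PROTOCOLS = {1: "TLS", 2: "email", 4: "IPSEC", 255: "all"}


def audit_key_rdata(rdata: bytes) -> list:
    """Return findings for one KEY RR RDATA; an empty list means compliant."""
    if len(rdata) < 4:
        return ["truncated RDATA: need flags(2) + protocol(1) + algorithm(1)"]
    flags, protocol, _algorithm = struct.unpack("!HBB", rdata[:4])
    findings = []
    # Every flag bit other than the zone key bit must be zero.
    obsolete = flags & ~ZONE_KEY_MASK & 0xFFFF
    if obsolete:
        findings.append(f"obsolete flag bits set: 0x{obsolete:04x}")
    # Only the DNSSEC protocol may be carried in a KEY RR.
    if protocol != PROTOCOL_DNSSEC:
        name = LEGACY_PROTOCOLS.get(protocol, "unassigned")
        findings.append(f"protocol {protocol} ({name}) is not DNSSEC")
    return findings


# Constructed sample records (not real keys).
ZONE_KEY = struct.pack("!HBB", 0x0100, 3, 5) + b"\x01\x02\x03"
NON_ZONE_KEY = struct.pack("!HBB", 0x0000, 3, 5) + b"\x01\x02\x03"
LEGACY_EMAIL_KEY = struct.pack("!HBB", 0x4100, 2, 1) + b"\x0a\x0b"

if __name__ == "__main__":
    samples = {
        "zone key": ZONE_KEY,
        "non-zone key": NON_ZONE_KEY,
        "legacy email key": LEGACY_EMAIL_KEY,
        "truncated": b"\x01\x00",
    }
    for label, rdata in samples.items():
        print(label, "->", audit_key_rdata(rdata) or "compliant")
```
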