KEY RR now restricted to DNSSEC protocol only
No Subtyping of KEY RR
All other protocols (IPSEC, email, etc.) obsolete and must not be used to store key material
All flag bits, except one, now obsolete
zone key bit (bit 7, backwards compatibility)
Why?
Avoid large keysets, especially at apex
Avoid subtypes of KEY RR
Including using SRV-like naming scheme
Separate administration of DNSSEC and Application keys
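
A conformance check for the restriction described above (DNSSEC protocol only, zone key bit 7 as the single remaining flag), added here as an example and not taken from the slide or from any DNS implementation. It assumes the KEY RDATA wire layout of flags (2 octets), protocol (1 octet), algorithm (1 octet), then key material; flag bits numbered from the most significant bit; and protocol octet value 3 for DNSSEC. The function name and sample records are constructed for illustration.

```python
from __future__ import annotations
import struct

# Assumption: bit 7 counted from the most significant bit (bit 0) of the
# 16-bit flags field, which gives mask 0x0100 (decimal 256).
ZONE_KEY_MASK = 0x0100
# Assumption: protocol octet value assigned to DNSSEC.
PROTOCOL_DNSSEC = 3


def check_key_rdata(rdata: bytes) -> tuple[bool, list[str]]:
    """Audit one KEY RDATA blob.

    Returns (is_zone_key, findings). An empty findings list means the
    record uses only the zone key flag and the DNSSEC protocol value.
    """
    if len(rdata) < 4:
        return False, ["truncated RDATA: need flags(2) + protocol(1) + algorithm(1)"]

    flags, protocol, _algorithm = struct.unpack("!HBB", rdata[:4])
    findings: list[str] = []

    # Every flag bit other than the zone key bit is obsolete.
    obsolete = flags & ~ZONE_KEY_MASK & 0xFFFF
    if obsolete:
        bits = [i for i in range(16) if obsolete & (0x8000 >> i)]
        findings.append(f"obsolete flag bits set: {bits}")

    # KEY may no longer carry keys for other protocols (IPSEC, email, ...).
    if protocol != PROTOCOL_DNSSEC:
        findings.append(f"protocol octet {protocol} is not DNSSEC ({PROTOCOL_DNSSEC})")

    return bool(flags & ZONE_KEY_MASK), findings


# Constructed sample records (key material is placeholder bytes).
CONFORMANT = struct.pack("!HBB", 0x0100, 3, 5) + b"\x01\x02\x03"
LEGACY_APP_KEY = struct.pack("!HBB", 0x0200, 2, 5) + b"\x01\x02\x03"

if __name__ == "__main__":
    for name, blob in (("conformant", CONFORMANT), ("legacy", LEGACY_APP_KEY)):
        print(name, check_key_rdata(blob))
```

Running such a check over a zone's KEY records surfaces leftover application keys that need to move out of the KEY RRset.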