Various combinations of the no-key type value, algorithm byte, protocol byte, and any protocol indicating flags (such as the reserved IPSEC flag) are possible. (Note that the zone flag bit being on or the signatory field being non-zero is effectively a DNS protocol flag on.) The meaning of these combinations is indicated below:
NK = no key type value AL = algorithm byte PR = protocols indicated by protocol byte or protocol flags x represents any valid non-zero value(s). AL PR NK Meaning 0 0 0 Illegal, claims key but has bad algorithm field. 0 0 1 Specifies total lack of security for owner. 0 x 0 Illegal, claims key but has bad algorithm field. 0 x 1 Specified protocols insecure, others may be secure. x 0 0 Useless. Gives key but no protocols to use it. x 0 1 Useless. Denies key but for no protocols. x x 0 Specifies key for protocols and asserts that those protocols are implemented with security. x x 1 Algorithm not understood for protocol. (remember, in reference to the above table, that a protocol byte of 255 means all protocols with protocol byte values assigned)