Two boot file directives are added as described in this section.
The format for a boot file directive to configure a starting zone key is as follows:
pubkey name flags protocol algorithm key-data
for a public key. "name" is the owner name (if the line is translated into a KEY RR). Flags indicates the type of key and is the same as the flag octet in the KEY RR. Protocol and algorithm also have the same meaning as they do in the KEY RR. The material after the algorithm is algorithm dependent and, for private algorithms (algorithm 254), starts with the algorithm's identifying OID and its length. If the "no key" type value is set in flags or the algorithm is specified as 253, then the key-data after algorithm is null. When present the key-data is treated as an octet stream and encoded in base 64 (see Appendix).
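As an added example (not part of the original specification text), the following Python parses one pubkey boot file directive into the wire-format RDATA of the equivalent KEY RR, enforcing the rules above: empty key-data when the "no key" flag bits are set or the algorithm is 253, and an OID prefix for algorithm 254. It assumes that flags, protocol and algorithm are written as integers (decimal or 0x hex), that the "no key" type is both of the top two flag bits set, and that the algorithm 254 key-data carries a one-octet OID length before the OID; the input lines are constructed.

```python
import base64
import struct

NO_KEY_MASK = 0xC000      # assumed: key-type bits 0-1 of the KEY RR flags, both set = "no key"
ALG_PRIVATE_NULL = 253    # key-data must be null for this algorithm (per the text above)
ALG_PRIVATE_OID = 254     # key-data starts with the algorithm's OID (assumed: length octet first)


def parse_pubkey_directive(line):
    """Return (owner_name, key_rdata) for a 'pubkey name flags protocol algorithm key-data' line."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "pubkey":
        raise ValueError("not a pubkey directive: %r" % line)
    name = fields[1]
    flags, protocol, algorithm = (int(f, 0) for f in fields[2:5])
    if not (0 <= flags <= 0xFFFF and 0 <= protocol <= 0xFF and 0 <= algorithm <= 0xFF):
        raise ValueError("flags, protocol or algorithm out of range")

    key_fields = fields[5:]
    no_key = (flags & NO_KEY_MASK) == NO_KEY_MASK or algorithm == ALG_PRIVATE_NULL
    if no_key:
        if key_fields:
            raise ValueError("key-data must be null when 'no key' is set or algorithm is 253")
        key_data = b""
    else:
        if not key_fields:
            raise ValueError("key-data is required for this flags/algorithm combination")
        # base64 text may be broken across whitespace; join it before decoding
        key_data = base64.b64decode("".join(key_fields), validate=True)
        if algorithm == ALG_PRIVATE_OID:
            oid_len = key_data[0] if key_data else 0
            if oid_len == 0 or len(key_data) < 1 + oid_len:
                raise ValueError("algorithm 254 key-data must begin with the OID length and OID")

    # KEY RR RDATA: 2-octet flags, 1-octet protocol, 1-octet algorithm, then the public key octets
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key_data
    return name, rdata


def format_pubkey_directive(name, flags, protocol, algorithm, key_data=b""):
    """Inverse of parse_pubkey_directive: emit a directive line with base64 key-data."""
    parts = ["pubkey", name, "0x%04x" % flags, str(protocol), str(algorithm)]
    if key_data:
        parts.append(base64.b64encode(key_data).decode("ascii"))
    return " ".join(parts)
```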
A file of keys for cross certification or other purposes can be configured through the keyfile directive as follows:
The file looks like a master file except that it can only contain KEY and SIG RRs with the SIGs signed under a key configured with the pubkey directive.
While it might seem logical for everyone to start with the key for the root zone, this has problems. The logistics of updating every DNS resolver in the world when the root key changes would be excessive. It may be some time before there even is a root key. Furthermore, many organizations will explicitly wish their "interior" DNS implementations to completely trust only their own zone. Such interior resolvers can then go through the organization's zone servers to access data outside the organization's domain and should only be configured with the key for the organization's DNS apex.