Connected: An Internet Encyclopedia
3.2 Zone Keys and Update Modes


Zone type keys are automatically authorized to sign anything in their zone, of course, regardless of the value of their signatory field. For zone keys, the signatory field bits have different meanings than they do for update keys, as shown below. The signatory field MUST be zero if dynamic update is not supported for a zone and MUST be non-zero if it is.

                     ZONE KEY RR SIGNATORY FIELD BITS

                  0           1           2           3
            +-----------+-----------+-----------+-----------+
            |   mode    |  strong   |  unique   |  general  |
            +-----------+-----------+-----------+-----------+

Bit 0, mode
This bit indicates the update mode for this zone. Zero indicates mode A; one indicates mode B.

Bit 1, strong update
If nonzero, this indicates that the "strong" key feature described in section 3.1.3 above is implemented and enabled for this secure zone. If zero, the feature is not available. This bit has no effect if the zone is a mode B secure update zone.

Bit 2, unique name update
If nonzero, this indicates that the "unique name" feature described in section 3.1.3 above is implemented and enabled for this secure zone. If zero, this feature is not available. This bit has no effect if the zone is a mode B secure update zone.

Bit 3, general
This bit has no special meaning. If dynamic update for a zone is supported and the other bits in the zone key signatory field are zero, it must be a one. The meaning of zone keys where the signatory field has the general bit and one or more other bits on is reserved.

If there are multiple dynamic update KEY RRs for a zone and zone policy is in transition, they might have different non-zero signatory fields. In that case, strong and unique name restrictions must be enforced as long as there is a non-expired zone key being advertised that indicates mode A with the strong or unique name bit on respectively. Mode B updates MUST be supported as long as there is a non-expired zone key that indicates mode B. Mode A updates may be treated as mode B updates at server option if non-expired zone keys indicate that both are supported.
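The field layout and the transition rules above, as an added Python example (not code from RFC 2137 or any DNS implementation). It assumes the four-bit field is passed as an integer with diagram bit 0 as the most significant bit (network bit order), and that key expiry is given as a plain integer timestamp.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Diagram bit 0 is taken as the most significant of the four bits (network order; an assumption here).
MODE_B = 0b1000   # bit 0: 0 = mode A, 1 = mode B
STRONG = 0b0100   # bit 1: "strong" key feature enabled (mode A only)
UNIQUE = 0b0010   # bit 2: "unique name" feature enabled (mode A only)
GENERAL = 0b0001  # bit 3: set when dynamic update is on and all other bits are 0

@dataclass(frozen=True)
class ZoneKeyPolicy:
    mode: str      # "A" or "B"
    strong: bool
    unique: bool

def parse_zone_signatory(field: int, dynamic_update: bool) -> Optional[ZoneKeyPolicy]:
    """Decode a zone KEY RR signatory field; None means no dynamic update."""
    if not 0 <= field <= 0xF:
        raise ValueError("signatory field is four bits wide")
    if not dynamic_update:
        if field:
            raise ValueError("field MUST be zero when dynamic update is unsupported")
        return None
    if field == 0:
        raise ValueError("field MUST be non-zero when dynamic update is supported")
    if field & GENERAL and field & ~GENERAL:
        raise ValueError("general bit together with other bits is reserved")
    mode_b = bool(field & MODE_B)
    # strong and unique name have no effect in a mode B zone
    return ZoneKeyPolicy("B" if mode_b else "A",
                         bool(field & STRONG) and not mode_b,
                         bool(field & UNIQUE) and not mode_b)

def is_valid_signatory(field: int, dynamic_update: bool) -> bool:
    try:
        parse_zone_signatory(field, dynamic_update)
        return True
    except ValueError:
        return False

def effective_policy(keys: Iterable[Tuple[int, int]], now: int) -> dict:
    """Combine a zone's (signatory_field, expiry) keys during a policy transition."""
    out = {"mode_a": False, "mode_b": False, "strong": False, "unique": False}
    for field, expires in keys:
        if expires <= now:  # an expired key carries no policy
            continue
        p = parse_zone_signatory(field, True)
        out["mode_" + p.mode.lower()] = True
        out["strong"] |= p.strong  # already False for mode B keys
        out["unique"] |= p.unique
    return out
```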

A server that will be executing update operations on a zone, that is, the primary master server, MUST not advertise a zone key that will attract requests for a mode or features that it cannot support.

