It is anticipated that some keys stored in DNS will be used in conjunction with Internet protocols other than DNS (keys with zone bit or signatory field non-zero) and IPSEC/email (keys with IPSEC and/or email bit set). The protocol octet is provided to indicate that a key is valid for such use and, for end entity keys or the host part of user keys, that the secure version of that protocol is implemented on that entity or host.
Values between 1 and 191 decimal inclusive are available for assignment by IANA for such protocols. The 63 values between 192 and 254 inclusive will not be assigned to a specific protocol and are available for experimental use under bilateral agreement. Value 0 indicates, for a particular key, that it is not valid for any particular additional protocol beyond those indicated in the flag field. And value 255 indicates that the key is valid for all assigned protocols (those in the 1 to 191 range).
It is intended that new uses of DNS stored keys would initially be implemented, and operational experience gained, using the experimental range of the protocol octet. If demand for widespread deployment for the indefinite future warrants, a value in the assigned range would then be designated for the protocol. Finally, (1) should the protocol become so widespread in conjunction with other protocols and with which it shares key values that duplicate RRs are a serious burden and (2) should the protocol provide substantial facilities not available in any protocol for which a flags field bit has been allocated, then one of the remaining flag field bits may be allocated to the protocol. When such a bit has been allocated, a key can be simultaneously indicated as valid for that protocol and the entity or host can be simultaneously flagged as implementing the secure version of that protocol, along with other protocols for which flag field bits have been assigned.