3.2 Object Types, DNS Names, and Keys
Connected: An Internet Encyclopedia
RFC 2065, Section 3: The KEY Resource Record
The public key in a KEY RR belongs to the object named in the owner name. This DNS name may refer to up to three different categories of things. For example, dee.cybercash.com could be (1) a zone, (2) a host or other end entity, and (3) the mapping into a DNS name of the user or account dee@cybercash.com. Thus, there are flags, as described below, in the KEY RR to indicate with which of these roles the owner name and public key are associated. Note that an appropriate zone KEY RR MUST occur at the apex node of a secure zone and at every leaf node which is a delegation point (and thus has the same owner name as the apex of a subzone) within a secure zone.

Although the same name can be used for up to all three of these categories, such overloading of a name is discouraged. It is also possible to use the same key for different things with the same name or even different names, but this is strongly discouraged. In particular, the use of a zone key as a non-zone key will usually require that the corresponding private key be kept on line and thereby become more vulnerable: a zone's private key is normally needed only to sign the zone and can otherwise stay offline, whereas a host or user key is used in live protocol exchanges.

In addition to the name type bits, there are additional flag bits including the "type" field, "experimental" bit, "signatory" field, etc., as described below.
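As an added example (not code from RFC 2065 or from the encyclopedia page), the Python below checks a small constructed zone against the rules of this section: a zone KEY RR must be present at the apex and at every delegation point, one name carrying more than one role is flagged as discouraged, and one public key reused across roles or names is flagged as strongly discouraged, with the zone-key-used-as-non-zone-key case called out. The flag bit positions (bits 5, 6 and 7 for user, entity and zone; bits 3-4 and 8-11 reserved) are taken from RFC 2065 section 3.3, which this page does not reproduce, so check them against that section; the records, key bytes and protocol/algorithm octets in the sample are constructed placeholders.

```python
from collections import defaultdict

# Flag bit positions follow RFC 2065 section 3.3 (assumed here, not on this page).
# RFC numbering counts bit 0 as the MOST significant bit of the 16-bit field.
def _bit(n):
    return 1 << (15 - n)

FLAG_EXPERIMENTAL = _bit(2)             # 0x2000
FLAG_USER         = _bit(5)             # 0x0400  user/account key
FLAG_ENTITY       = _bit(6)             # 0x0200  host / end-entity key
FLAG_ZONE         = _bit(7)             # 0x0100  zone key
TYPE_MASK         = _bit(0) | _bit(1)   # 0xC000  key "type" field
SIGNATORY_MASK    = 0x000F              # bits 12-15
RESERVED_MASK     = _bit(3) | _bit(4) | _bit(8) | _bit(9) | _bit(10) | _bit(11)  # 0x18F0


def key_roles(flags):
    """Roles (zone / entity / user) the owner name plays, per the KEY RR flags."""
    roles = set()
    if flags & FLAG_ZONE:
        roles.add("zone")
    if flags & FLAG_ENTITY:
        roles.add("entity")
    if flags & FLAG_USER:
        roles.add("user")
    return roles


def check_zone(apex, rrs):
    """rrs: list of (owner, rtype, rdata); KEY rdata is (flags, protocol, algorithm, pubkey).
    Returns (errors, warnings): MUST violations vs. discouraged-but-legal usage."""
    errors, warnings = [], []
    keys_by_name = defaultdict(list)      # owner -> [(flags, pubkey)]
    ns_names = set()                      # names owning NS records
    for owner, rtype, rdata in rrs:
        if rtype == "KEY":
            flags, _proto, _alg, pubkey = rdata
            if flags & RESERVED_MASK:
                errors.append(f"{owner}: reserved flag bits set (0x{flags:04x})")
            keys_by_name[owner].append((flags, pubkey))
        elif rtype == "NS":
            ns_names.add(owner)

    def has_zone_key(name):
        return any(f & FLAG_ZONE for f, _ in keys_by_name.get(name, []))

    # MUST: zone KEY at the apex and at every delegation point below it.
    if not has_zone_key(apex):
        errors.append(f"{apex}: no zone KEY RR at apex")
    for name in sorted(ns_names - {apex}):
        if not has_zone_key(name):
            errors.append(f"{name}: delegation point lacks a zone KEY RR")

    # Discouraged: one owner name overloaded with more than one role.
    for name, keys in keys_by_name.items():
        roles = set()
        for flags, _ in keys:
            roles |= key_roles(flags)
        if len(roles) > 1:
            warnings.append(f"{name}: name used in roles {sorted(roles)}")

    # Strongly discouraged: one public key reused for different roles or names.
    by_key = defaultdict(set)             # pubkey -> {(name, role)}
    for name, keys in keys_by_name.items():
        for flags, pubkey in keys:
            for role in key_roles(flags):
                by_key[pubkey].add((name, role))
    for pubkey, uses in by_key.items():
        if len(uses) > 1:
            warnings.append(f"key {pubkey.hex()[:8]} shared across {sorted(uses)}")
            if any(r == "zone" for _, r in uses) and any(r != "zone" for _, r in uses):
                warnings.append(f"key {pubkey.hex()[:8]}: zone key also used as a "
                                "non-zone key (its private key would have to stay online)")
    return errors, warnings


# Constructed sample zone; only dee.cybercash.com comes from the RFC text.
# Protocol 3 / algorithm 1 octets and key bytes are placeholders.
SAMPLE_APEX = "cybercash.com."
SAMPLE_RRS = [
    (SAMPLE_APEX, "NS", "ns1.cybercash.com."),
    (SAMPLE_APEX, "KEY", (FLAG_ZONE, 3, 1, b"\x01zonekey")),
    ("dee.cybercash.com.", "KEY", (FLAG_ENTITY, 3, 1, b"\x02hostkey")),
    ("dee.cybercash.com.", "KEY", (FLAG_USER, 3, 1, b"\x02hostkey")),    # same key, two roles
    ("sub.cybercash.com.", "NS", "ns.sub.cybercash.com."),
    ("sub.cybercash.com.", "KEY", (FLAG_ZONE, 3, 1, b"\x03subkey")),
    ("orphan.cybercash.com.", "NS", "ns.orphan.example."),                # delegation, no zone KEY
]


def demo():
    return check_zone(SAMPLE_APEX, SAMPLE_RRS)


if __name__ == "__main__":
    errs, warns = demo()
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN: ", w)
```

The sample deliberately includes one delegation point without a zone KEY RR (a MUST violation) and one name whose entity and user KEY RRs carry identical key material (legal, but the reuse this section warns against); a real checker would read the zone file rather than an inline list, but the rule logic is the same.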