RFC 4034 defines the key tag as an identifier for the DNSKEY RR containing the public key that a validator can use to verify a signature, but over time I have used the terms key tag and key ID interchangeably, without really knowing where they came from.
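Whatever the name, the number itself is computed the same way. As an added illustration (not from the original post), here is the generic key tag calculation from RFC 4034 Appendix B in Python, fed with a constructed DNSKEY whose four-octet "public key" is a placeholder rather than a real key, so the arithmetic can be followed by hand:

```python
import base64
import struct


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA.

    Even-indexed octets are added shifted left by 8, odd-indexed octets as-is,
    and the carry above 16 bits is folded back in.  This is the generic rule;
    algorithm 1 (RSA/MD5) has its own rule in Appendix B.1, which this helper
    does not implement.
    """
    if len(rdata) >= 4 and rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Build wire-format DNSKEY RDATA (flags, protocol, algorithm, key) from the presentation fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag_from_presentation(rr_text: str) -> int:
    """Parse the RDATA part of a DNSKEY record, e.g. '257 3 8 AQ... ( ... )', and return its tag."""
    fields = rr_text.replace("(", " ").replace(")", " ").split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    pubkey_b64 = "".join(fields[3:])  # base64 is often wrapped across whitespace in zone files
    return key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey_b64))


# Constructed sample: KSK flags (257), protocol 3, algorithm 8, and the placeholder
# key bytes 01 02 03 04 (base64 "AQIDBA==").  Not a real key.
SAMPLE_DNSKEY_RDATA = "257 3 8 AQIDBA=="

if __name__ == "__main__":
    # The value printed here is the number BIND labels "key id" in its DNSKEY comment
    # and the DS record calls "key tag".
    print(f"key tag / key id = {key_tag_from_presentation(SAMPLE_DNSKEY_RDATA)}")
```

For the sample above the octets are 01 01 03 08 01 02 03 04, so the sum is 256 + 1 + 768 + 8 + 256 + 2 + 768 + 4 = 2063 with no carry, and the tag is 2063. An odd-length RDATA simply leaves the last even-indexed octet shifted, and a sum above 65535 has its high bits folded back before masking.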

[Image: small poll on the Fediverse]

In a small poll on the Fediverse, done mostly jokingly, 35% of those who understood the question answered key ID, and the next morning a question arose:

How come “key tag” didn’t win? Isn’t that the terminology from the RFCs?

It is, but it’s complicated, as section 5.4 shows:

[Image: section 5.4 uses both keytag and keyid]

I didn’t know the answer. The BIND source code contains roughly 150 mentions of “key tag” and 500 references to “key ID” (with and without a space, and case-insensitive).

I asked Evan, who (of course) knew the answer:

the text formatting of DNSKEY records in BIND is based on earlier code that was written for KEY records, five years before 4034. The “key id” string came from there. (Commit 0e93f65e103c, if you’re interested.)

I suspect it was a shortening of “key identifier”, which is used in RFC 2535 in the example SIG records - though, interestingly, that also uses “key tag” in the text.

I don’t know if it was deliberate or an oversight to leave it unchanged for DNSKEY.

Yet another bit of history clarified. Like the semicolon in zone master files.

dnssec :: 18 Nov 2022 :: e-mail