2.2.6.1.2 KeySignScope

The KeySignScope enumeration defines the scope of the key in a signed zone. It SHOULD<46> be used to indicate different signing and publishing scopes of the key.

 typedef enum _KeySignScope
 {
     SIGN_SCOPE_DEFAULT,
     SIGN_SCOPE_DNSKEY_ONLY,
     SIGN_SCOPE_ALL_RECORDS,
     SIGN_SCOPE_ADD_ONLY,
     SIGN_SCOPE_DO_NOT_PUBLISH,
     SIGN_SCOPE_REVOKED
 } KeySignScope;

SIGN_SCOPE_DEFAULT: The key is used for its default purpose: If the signing key descriptor's fIsKSK field is set to 0x00000001, the key is used to sign only DNSKEY records in the zone. If the signing key descriptor's fIsKSK field is set to 0x00000000, the key is used to sign all records in the zone.

SIGN_SCOPE_DNSKEY_ONLY: The key is used to sign only DNSKEY records in the zone.

SIGN_SCOPE_ALL_RECORDS: The key is used to sign all records in the zone.

SIGN_SCOPE_ADD_ONLY: The key is published as a DNSKEY in the zone, but it is not used to sign any records.

SIGN_SCOPE_DO_NOT_PUBLISH: The key is not published to the zone and is not used to sign any records.

SIGN_SCOPE_REVOKED: The key is published as a DNSKEY in the zone with its Revoked bit ([RFC5011] section 2.1) set. It is used to sign DNSKEY records.