3.1.5.8 Key Version Numbers

The Kerberos V5 protocol specifies key version numbers ([RFC4120] section 5.2.9). Key version numbers are used in the Kerberos V5 protocol to distinguish between different keys in the same domain. KILE key version numbers are encoded and decoded as signed 32-bit integers.

KILE supports key version numbers for read-only domain controllers (RODCs). Each RODC will have a different key version number.<29> This allows the Domain Controller (DC) to distinguish between keys that are issued to different RODCs.

The key version number consists of 32 bits. The first 16 bits, including the most significant bit, are an unsigned 16-bit number that identifies the RODC. The remaining 16 bits are the version number of the key.
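The layout above, worked through in Python as an added example (not part of the specification text). It shows that a key version number whose RODC identifier has its top bit set decodes to a negative signed 32-bit integer and still splits correctly. The function names are hypothetical, and the strict DER handling (minimal encoding, at most four content octets) is an assumption of this example.

```python
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def split_kvno(kvno):
    """Split a signed 32-bit kvno into (rodc_id, key_version)."""
    if not INT32_MIN <= kvno <= INT32_MAX:
        raise ValueError("kvno does not fit a signed 32-bit integer")
    raw = kvno & 0xFFFFFFFF           # two's-complement bit pattern
    return raw >> 16, raw & 0xFFFF    # upper 16 bits, lower 16 bits


def join_kvno(rodc_id, key_version):
    """Build the signed 32-bit kvno from its two unsigned 16-bit halves."""
    for name, value in (("rodc_id", rodc_id), ("key_version", key_version)):
        if not 0 <= value <= 0xFFFF:
            raise ValueError(name + " must fit in 16 bits")
    raw = (rodc_id << 16) | key_version
    # Reinterpret the 32-bit pattern as signed, as the section requires.
    return raw - 2**32 if raw & 0x80000000 else raw


def kvno_from_der(tlv):
    """Decode a DER INTEGER (tag 0x02, short-form length) as a signed kvno."""
    if len(tlv) < 3 or tlv[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, content = tlv[1], tlv[2:]
    if length >= 0x80 or length != len(content):
        raise ValueError("bad length")
    if length > 4:
        # Assumption of this example: a 5-octet (unsigned-style) encoding
        # is rejected because the value must fit a signed 32-bit integer.
        raise ValueError("value exceeds signed 32-bit range")
    if length > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise ValueError("non-minimal DER encoding")
    return int.from_bytes(content, "big", signed=True)


if __name__ == "__main__":
    # Constructed sample: RODC identifier 0x8001, key version 3.
    sample = bytes.fromhex("020480010003")
    kvno = kvno_from_der(sample)
    print(kvno, split_kvno(kvno))
```
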