Protocol-wise (in terms of RFC403X validation), SEP has no value.

I used to think of KSKs as signing the DNSKEY set, and ZSKs signing all.
I have since been convinced otherwise and now think of it like this;
they are independent properties.

A key can be a KSK (it signs the DNSKEY set), a ZSK (it signs every
RRset except DNSKEY), none (it's published but not actually used), or
both (it signs all rrsets).

Due to that section you previously mentioned, for every algorithm that
you have one or more keys in, you must have at least one that is a KSK
and one that is a ZSK, but this may be the same key. And if you have one
or more KSKs that are not ZSKs, you don't need your ZSK(s) to be KSKs
too (in fact having them not be saves packet space).

The SEP bit should only (but does not have to) be set on keys that have
the KSK property, it can be used by automation tools (either signers to
decide which keys to use for what, or pullers to decide which should be
seen as anchors or DS sources). If none of the tools use it (a lot do
though), it should be safe to set it to 0.

Jelte

Yes, you may use it this way. But 3757 is quite clear that there is
no in-protocol consequence of the SEP bit. Moreover, 4035 ?5 makes
perfectly clear what the criteria are for validation, and the SEP bit
is not among them.
You got it via the trust-anchor-getting mechanism. 4035, ?5:

To use DNSSEC RRs for authentication, a security-aware resolver
requires configured knowledge of at least one authenticated DNSKEY or
DS RR. The process for obtaining and authenticating this initial
trust anchor is achieved via some external mechanism. For example, a
resolver could use some off-line authenticated exchange to obtain a
zone's DNSKEY RR or to obtain a DS RR that identifies and
authenticates a zone's DNSKEY RR. The remainder of this section
assumes that the resolver has somehow obtained an initial set of
trust anchors.
Right. And 4035 also explains what the restriction is there. The
DNSKEY RR has to have the Zone Key Flag set, but it doesn't need to
have the SEP bit.
Oh, I think I may have misunderstood you. Of course an administrative
tool could refuse to sign a zone with a key that didn't have the SEP
bit set. IMO this would be a mistake, because I don't really believe
that every zone ought to _have_ different KSKs and ZSKs.
The problem here is that many people seem to have developed the
unfortunate belief that SEP == KSK and nothing else. I don't want to
reinforce that.
The problem here is that you couldn't use a special trust-anchor-only
signer for particular cases. I think that might be bad too. Also,
one mode of signing is that you sign with the new key and only then
send the DS along, because maybe the parent wants to check to see
whether the DS actually corresponds to some key you have in your zone.

A