$\mathsf{KDF^{Sapling}}$ as defined in § 5.4.5.4 and $\mathsf{KDF^{Orchard}}$ as defined in § 5.4.5.6 return a BLAKE2b-256 output which has type $\mathbb{B}^{{\kern-0.05em\tiny\mathbb{Y}}[32]}$. This is inconsistent with the definition $\mathsf{Sym.}\mathbf{K} := \mathbb{B}^{[256]}$ in § 5.4.3. In practice, even though RFC 7539 describes AEAD_CHACHA20_POLY1305 (section 2.8) as having a "256-bit key", and ChaCha20 (section 2.3) as having a "256-bit key, treated as a concatenation of eight 32-bit little-endian integers", there is no need to consider bit ordering and implementations do not: they use 32-byte keys.
