2.3.2.19 msDNS-SigningKeyDescriptors

The msDNS-SigningKeyDescriptors attribute is used to store the zone's signing key descriptor list. Each value of this attribute represents a single signing key descriptor and MUST be formatted as follows.


The fields appear consecutively in the order shown below (the original 32-bit-row layout diagram is rendered here as a field list; sizes are as given in the field descriptions that follow).

Field                              Size
---------------------------------  ---------
Version                            4 bytes
fIsKsk                             4 bytes
Guid                               16 bytes
pwszKeyStorageProvider             variable
bSigningAlgorithm                  4 bytes
dwKeyLength                        4 bytes
dwInitialRolloverOffset            4 bytes
dwDNSKEYSignatureValidityPeriod    4 bytes
dwDSSignatureValidityPeriod        4 bytes
dwStandardSignatureValidityPeriod  4 bytes
dwRolloverType                     4 bytes
dwRolloverPeriod                   4 bytes
dwNextRolloverAction               4 bytes
ftLastRolloverTime                 8 bytes
ftNextRolloverTime                 8 bytes
dwState                            4 bytes
dwCurrentRolloverStatus            4 bytes
dwCurrentRollState                 4 bytes
fManualTrigger                     4 bytes
dwPreRollEventFired                4 bytes
ftNextKeyGenerationTime            8 bytes
RevokedOrSwappedRecordCount        4 bytes
FinalRecordCount                   4 bytes
pwszActiveKey                      variable
ActiveKeyScope                     4 bytes
pwszStandbyKey                     variable
StandbyKeyScope                    4 bytes
pwszNextKey                        variable
NextKeyScope                       4 bytes
RevokedOrSwappedDnskeys            variable
FinalDnskeys                       variable

Version (4 bytes): This value MUST be 0x00000001.

fIsKsk (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

Guid (16 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

pwszKeyStorageProvider (variable): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

bSigningAlgorithm (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

dwKeyLength (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

dwInitialRolloverOffset (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

dwDNSKEYSignatureValidityPeriod (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

dwDSSignatureValidityPeriod (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

dwStandardSignatureValidityPeriod (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

dwRolloverType (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

dwRolloverPeriod (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

dwNextRolloverAction (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.

ftLastRolloverTime (8 bytes): This value MUST correspond to the value of ftLastRolloverTime from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.

ftNextRolloverTime (8 bytes): This value MUST correspond to the value of ftNextRolloverTime from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.

dwState (4 bytes): This value MUST correspond to the value of dwState from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.

dwCurrentRolloverStatus (4 bytes): This value MUST correspond to the value of dwCurrentRolloverStatus from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.

dwCurrentRollState (4 bytes): This value corresponds to the next step in a signing key descriptor's rollover process and MUST be set to one of the following values.

DNS_SKD_ROLL_STATE_NOT_STARTED (0x00000000): The signing key descriptor is not currently in the process of rolling over keys.

DNS_SKD_ROLL_STATE_ZSK_SWAP (0x00000001): The next step for a signing key descriptor whose fIsKSK field is 0x00000000 is to move into the "new RRSIGs" phase of the pre-publish key rollover, as described in [RFC4641] section 4.2.1.1.

DNS_SKD_ROLL_STATE_ZSK_FINISH (0x00000002): The next step for a signing key descriptor whose fIsKSK field is 0x00000000 is to move into the "DNSKEY removal" phase of the pre-publish key rollover, as described in [RFC4641] section 4.2.1.1.

DNS_SKD_ROLL_STATE_KSK_DS_WAIT (0x00000003): The next step for a signing key descriptor whose fIsKSK field is 0x00000001 is to wait for the "DS change" step of the "Key Signing Key Rollovers" process, as described in [RFC4641] section 4.2.2.

DNS_SKD_ROLL_STATE_KSK_REVOKE (0x00000004): The next step for a signing key descriptor whose fIsKSK field is 0x00000001 is to revoke a key according to [RFC5011] section 6.3 or 6.5.

DNS_SKD_ROLL_STATE_KSK_FINISH (0x00000005): The next step for a signing key descriptor whose fIsKSK field is 0x00000001 is to move into the "DNSKEY removal" phase of the "Key Signing Key Rollovers" process, as described in [RFC4641] section 4.2.2.

fManualTrigger (4 bytes): This value MUST be set to 0x00000001 in response to a successful ZonePerformKeyRollover operation on a signing key descriptor. When the SKD completes its rollover, this value MUST be set to 0x00000000.

dwPreRollEventFired (4 bytes): This value MUST be set to 0x00000001 when 90 percent of the dwRolloverPeriod for a signing key descriptor whose fIsKSK flag is 0x00000001 has elapsed. It MUST be set to 0x00000002 when 95 percent of this rollover period has elapsed, and it MUST be set to 0x00000003 when there is less than 1 day remaining before such a signing key descriptor begins its key rollover process. Otherwise, this value MUST be 0x00000000.

ftNextKeyGenerationTime (8 bytes): This value represents the time at which the most recent value of the pwszNextKey field of a signing key descriptor whose fIsKSK flag is 0x00000000 was generated.

RevokedOrSwappedRecordCount (4 bytes): This value MUST indicate the number of values present in the list of records in the RevokedOrSwappedDnskeys field.

FinalRecordCount (4 bytes): This value MUST indicate the number of values present in the list of records in the FinalDnskeys field.

pwszActiveKey (variable): This value MUST correspond to the value of pwszActiveKey from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.

ActiveKeyScope (4 bytes): This value corresponds to the signing scope of pwszActiveKey and MUST be set to one of the following values.

DNS_SIGN_SCOPE_DEFAULT (0x00000000): The key is used for its default purpose: if the signing key descriptor's fIsKSK field is set to 0x00000001, the key is used to sign only DNSKEY records in the zone; if the signing key descriptor's fIsKSK field is set to 0x00000000, the key is used to sign all records in the zone.

DNS_SIGN_SCOPE_DNSKEY_ONLY (0x00000001): The key is used to sign only DNSKEY records in the zone.

DNS_SIGN_SCOPE_ALL_RECORDS (0x00000002): The key is used to sign all records in the zone.

DNS_SIGN_SCOPE_ADD_ONLY (0x00000003): The key is published as a DNSKEY in the zone, but it is not used to sign any records.

DNS_SIGN_SCOPE_DO_NOT_PUBLISH (0x00000004): The key is not published to the zone and is not used to sign any records.

DNS_SIGN_SCOPE_REVOKED (0x00000005): The key is published as a DNSKEY in the zone with its "Revoked" bit ([RFC5011] section 2.1) set. It is used to sign DNSKEY records.

pwszStandbyKey (variable): This value MUST correspond to the value of pwszStandbyKey from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.

StandbyKeyScope (4 bytes): This value corresponds to the signing scope of pwszStandbyKey and MUST be set to one of the values previously described for "ActiveKeyScope".

pwszNextKey (variable): This value MUST correspond to the value of pwszNextKey from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.

NextKeyScope (4 bytes): This value corresponds to the signing scope of pwszNextKey and MUST be set to one of the values previously described for "ActiveKeyScope".

RevokedOrSwappedDnskeys (variable): This field MUST contain a variable number of DNS records in the same format as the dnsRecord attribute (section 2.3.2.2). The number of records in this list is specified by RevokedOrSwappedRecordCount. If RevokedOrSwappedRecordCount is zero, the length of this field MUST be 0 bytes. The DNS records in this field correspond to a precomputed list of DNSKEY and associated RRSIG records that are published to the zone as the SKD transitions into DNS_SKD_STATUS_ZSK_WAITING_FOR_MAXZONE_TTL status if the signing key descriptor's fIsKSK field is set to 0x00000000, and as the SKD transitions into DNS_SKD_STATUS_KSK_WAITING_FOR_5011_REMOVE_HOLD_DOWN if the signing key descriptor's fIsKSK field is set to 0x00000001.

FinalDnskeys (variable): This field MUST contain a number of DNS records in the same format as the dnsRecord attribute (section 2.3.2.2). The number of records in this list is specified by FinalRecordCount. If FinalRecordCount is zero, the length of this field MUST be 0 bytes. The DNS records in this field correspond to a precomputed list of DNSKEY and associated RRSIG records that are published to the zone as the signing key descriptor's key rollover process concludes.
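The following parser, added here as an illustration and not part of the protocol specification or of any Microsoft code, walks one msDNS-SigningKeyDescriptors value in the field order given above and enforces the checks a consumer of the attribute would want: Version is 0x00000001, dwCurrentRollState and the three *KeyScope fields hold one of the enumerated values, the record lists contain exactly RevokedOrSwappedRecordCount and FinalRecordCount entries, and every dnsRecord DataLength is bounds-checked before it is trusted. It assumes little-endian, unpadded encoding of the DWORD and FILETIME fields and null-terminated UTF-16LE for the pwsz* strings (the page does not state the string encoding), uses the dnsRecord header layout from section 2.3.2.2 (a 24-byte fixed header followed by DataLength bytes of Data) and the FILETIME epoch of 1601-01-01 UTC, and builds its own constructed sample value rather than reading one from a directory.

```python
import struct
from datetime import datetime, timedelta, timezone

# Enumerations defined on this page (dwCurrentRollState and the *KeyScope fields).
ROLL_STATES = {0: "NOT_STARTED", 1: "ZSK_SWAP", 2: "ZSK_FINISH",
               3: "KSK_DS_WAIT", 4: "KSK_REVOKE", 5: "KSK_FINISH"}
SIGN_SCOPES = {0: "DEFAULT", 1: "DNSKEY_ONLY", 2: "ALL_RECORDS",
               3: "ADD_ONLY", 4: "DO_NOT_PUBLISH", 5: "REVOKED"}

# Fixed-width fields between pwszKeyStorageProvider and pwszActiveKey, in page order.
# "I" = 4-byte DWORD, "Q" = 8-byte FILETIME. Little-endian, unpadded is an assumption.
FIXED_FIELDS = [
    ("bSigningAlgorithm", "I"), ("dwKeyLength", "I"), ("dwInitialRolloverOffset", "I"),
    ("dwDNSKEYSignatureValidityPeriod", "I"), ("dwDSSignatureValidityPeriod", "I"),
    ("dwStandardSignatureValidityPeriod", "I"), ("dwRolloverType", "I"),
    ("dwRolloverPeriod", "I"), ("dwNextRolloverAction", "I"),
    ("ftLastRolloverTime", "Q"), ("ftNextRolloverTime", "Q"), ("dwState", "I"),
    ("dwCurrentRolloverStatus", "I"), ("dwCurrentRollState", "I"),
    ("fManualTrigger", "I"), ("dwPreRollEventFired", "I"), ("ftNextKeyGenerationTime", "Q"),
    ("RevokedOrSwappedRecordCount", "I"), ("FinalRecordCount", "I"),
]
FIXED = struct.Struct("<" + "".join(fmt for _, fmt in FIXED_FIELDS))
FILETIMES = ("ftLastRolloverTime", "ftNextRolloverTime", "ftNextKeyGenerationTime")
# dnsRecord (section 2.3.2.2) header: DataLength, Type, Version, Rank, Flags, Serial,
# TtlSeconds, Reserved, TimeStamp; Data (DataLength bytes) follows the header.
DNSRECORD_HDR = struct.Struct("<HHBBHIIII")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 is treated as 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _read_wstr(buf, pos):
    """Null-terminated UTF-16LE (assumed). Step by 2 so a 00 00 that straddles two
    code units is not mistaken for the terminator."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated UTF-16 string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _read_dnsrecords(buf, pos, count):
    """Walk `count` dnsRecord values, checking each DataLength against the buffer."""
    records = []
    for _ in range(count):
        if pos + DNSRECORD_HDR.size > len(buf):
            raise ValueError("truncated dnsRecord header")
        hdr = DNSRECORD_HDR.unpack_from(buf, pos)
        data_len, rtype, ttl = hdr[0], hdr[1], hdr[6]
        start = pos + DNSRECORD_HDR.size
        if start + data_len > len(buf):
            raise ValueError("dnsRecord DataLength runs past end of value")
        records.append({"Type": rtype, "TtlSeconds": ttl, "Data": buf[start:start + data_len]})
        pos = start + data_len
    return records, pos


def parse_skd(buf):
    """Parse one msDNS-SigningKeyDescriptors value into a dict; reject malformed input."""
    version, f_is_ksk = struct.unpack_from("<II", buf, 0)
    if version != 1:
        raise ValueError(f"unsupported Version {version:#010x}")
    skd = {"Version": version, "fIsKsk": f_is_ksk, "Guid": buf[8:24].hex()}
    skd["pwszKeyStorageProvider"], pos = _read_wstr(buf, 24)
    skd.update(zip((n for n, _ in FIXED_FIELDS), FIXED.unpack_from(buf, pos)))
    pos += FIXED.size
    for name in FILETIMES:
        skd[name] = filetime_to_datetime(skd[name])
    if skd["dwCurrentRollState"] not in ROLL_STATES:
        raise ValueError(f"bad dwCurrentRollState {skd['dwCurrentRollState']:#x}")
    for key in ("Active", "Standby", "Next"):
        skd[f"pwsz{key}Key"], pos = _read_wstr(buf, pos)
        (scope,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        if scope not in SIGN_SCOPES:
            raise ValueError(f"bad {key}KeyScope {scope:#x}")
        skd[f"{key}KeyScope"] = scope
    skd["RevokedOrSwappedDnskeys"], pos = _read_dnsrecords(buf, pos, skd["RevokedOrSwappedRecordCount"])
    skd["FinalDnskeys"], pos = _read_dnsrecords(buf, pos, skd["FinalRecordCount"])
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing bytes after FinalDnskeys")
    return skd


def _wstr(s):
    return s.encode("utf-16-le") + b"\x00\x00"


def _dnsrecord(rtype, ttl, data):
    # Header fields other than DataLength/Type/TtlSeconds are placeholders for the sample.
    return DNSRECORD_HDR.pack(len(data), rtype, 5, 0xF0, 0, 0, ttl, 0, 0) + data


def build_sample_skd():
    """Constructed sample (not captured from a real DC): a KSK whose next step is the
    DS-change wait, manually triggered, carrying one precomputed revoked DNSKEY record."""
    fixed = dict.fromkeys((n for n, _ in FIXED_FIELDS), 0)
    fixed.update(bSigningAlgorithm=8, dwKeyLength=2048, dwDNSKEYSignatureValidityPeriod=168 * 3600,
                 dwDSSignatureValidityPeriod=168 * 3600, dwStandardSignatureValidityPeriod=240 * 3600,
                 dwRolloverPeriod=755 * 86400, ftNextRolloverTime=133000000000000000,
                 dwCurrentRollState=3, fManualTrigger=1, dwPreRollEventFired=3,
                 RevokedOrSwappedRecordCount=1, FinalRecordCount=0)
    revoked = _dnsrecord(48, 3600, bytes.fromhex("01810308") + b"\xab" * 16)  # Type 48 = DNSKEY
    return (struct.pack("<II", 1, 1) + bytes(range(16)) + _wstr("Microsoft Software Key Storage Provider")
            + FIXED.pack(*(fixed[n] for n, _ in FIXED_FIELDS))
            + _wstr("ksk-active") + struct.pack("<I", 5)     # DNS_SIGN_SCOPE_REVOKED
            + _wstr("ksk-standby") + struct.pack("<I", 1)    # DNS_SIGN_SCOPE_DNSKEY_ONLY
            + _wstr("") + struct.pack("<I", 4)               # no next key yet, DO_NOT_PUBLISH
            + revoked)


if __name__ == "__main__":
    for k, v in parse_skd(build_sample_skd()).items():
        print(f"{k:36} {v}")
```

The parser deliberately fails closed: a value that is truncated inside a dnsRecord, that declares more records than it carries, or that leaves unexplained trailing bytes is rejected rather than partially decoded, since an SKD blob that does not match the counts it declares is exactly the case a forensic reviewer of the zone's signing state should notice. If a real value fails to parse with the UTF-16LE string assumption, check that assumption first.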